Security Bug: Create an empty record in SugarCRM

I have a good deal of experience with SugarCRM, ranging from development to integration solutions. This week I spent some time on the security of SugarCRM and discovered a security bug that I consider quite serious: you can create blank records in every module. Just send an HTTP request with a URL like this: index.php?action=Save&module=Leads&record=&return_module=Leads&return_action=detailview

With web-based applications you can address issues like this one (as well as XSS, SQL injection, etc.) without touching the application code, by adopting a security layer such as ModSecurity (http://www.modsecurity.org/).
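Besides blocking at the WAF, it is worth checking whether such requests have already reached the server. As an added example (not code from the post or from SugarCRM), here is a small Python scanner over Apache combined-format access logs that flags the request shape described above: a Save action reached via GET with an empty record id and no field values at all, which a normal EditView form submission never produces. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2011:10:01:12 +0100] "GET /sugarcrm/index.php?action=Save&module=Leads&record=&return_module=Leads&return_action=detailview HTTP/1.1" 302 0 "-" "curl/7.21.0"
198.51.100.4 - - [10/Mar/2011:10:01:20 +0100] "POST /sugarcrm/index.php HTTP/1.1" 302 0 "http://crm.example/sugarcrm/index.php?module=Leads&action=EditView" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:10:01:25 +0100] "GET /sugarcrm/index.php?module=Leads&action=DetailView&record=abc HTTP/1.1" 200 5120 "-" "curl/7.21.0"
203.0.113.7 - - [10/Mar/2011:10:01:31 +0100] "GET /sugarcrm/index.php?action=Save&module=Contacts&record= HTTP/1.1" 302 0 "-" "curl/7.21.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Routing parameters SugarCRM uses to dispatch a Save; they carry no field data.
ROUTING_PARAMS = {"action", "module", "record", "return_module", "return_action", "return_id"}


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    # keep_blank_values=True so that an empty "record=" is still visible as a key.
    query = parse_qs(target.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": target.path, "query": query, "status": int(m.group("status"))}


def is_blank_create_save(entry):
    """True for a GET Save with an empty record id and no field values in the query."""
    q = entry["query"]
    if entry["method"] != "GET":
        return False  # form submissions are POSTs; their fields are not in the access log
    if q.get("action", [""])[0].lower() != "save":
        return False
    if q.get("record", [""])[0] != "":
        return False  # a non-empty record id is an update, not a create
    field_params = set(q) - ROUTING_PARAMS
    return not field_params  # nothing but routing parameters: a blank record would result


def find_suspicious_saves(log_text):
    """Return (client ip, module) for every line that looks like a blank-record create."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_blank_create_save(entry):
            hits.append((entry["ip"], entry["query"].get("module", ["?"])[0]))
    return hits
```

Run it over the sample and the two curl-driven Save requests are reported while the legitimate POST and the DetailView read are not.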

The version of SugarCRM where I found the problem is 6.1 (Community, Professional and Enterprise editions).

SugarCRM has opened bug #43159 for this issue in the SugarCRM Bug Tracker (http://www.sugarcrm.com/crm/support/bugs.html?bug_number=43159).

Bye,
Antonio Musarra.
