Security Bug: Create an empty record in SugarCRM

I have enough experience with SugarCRM, ranging from development to integration solutions. This week I spent some time on the security of SugarCRM and discovered a security bug that I consider very serious: you can create blank records for each module. Just run an HTTP request with a URL like this: index.php?action=Save&module=Leads&record=&return_module=Leads&return_action=detailview

With web-based applications, you can resolve these issues (XSS, SQL injection, etc.) without direct action on the application code by adopting a security solution using ModSecurity (http://www.modsecurity.org/).

The version of SugarCRM where I found the problem is 6.1 (Community, Professional and Enterprise).

SugarCRM has opened the bug on the SugarCRM Bug Tracker as #43159 (http://www.sugarcrm.com/crm/support/bugs.html?bug_number=43159).
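A log check for the request pattern described above, as an added example that is not part of the original post: it scans web-server access logs for index.php requests whose query string carries action=Save with an empty record parameter. The Apache combined log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2011:10:01:02 +0200] "GET /index.php?module=Leads&action=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2011:10:03:17 +0200] "GET /index.php?action=Save&module=Leads&record=&return_module=Leads&return_action=detailview HTTP/1.1" 200 311 "-" "curl/7.21"
192.0.2.10 - - [12/Apr/2011:10:04:40 +0200] "POST /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Apr/2011:10:05:01 +0200] "GET /sugar/index.php?module=Accounts&record=&action=Save HTTP/1.1" 200 311 "-" "curl/7.21"
192.0.2.10 - - [12/Apr/2011:10:06:12 +0200] "GET /index.php?action=Save&module=Leads&record=9f3c HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client, request method, request target and status code of one log line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_blank_saves(log_text):
    """Return (client, method, module, status) for each index.php request
    whose query string has action=Save and an empty record parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("index.php"):
            continue
        # keep_blank_values=True so that "record=" survives parsing
        q = parse_qs(url.query, keep_blank_values=True)
        if q.get("action") == ["Save"] and q.get("record") == [""]:
            module = q.get("module", ["?"])[0]
            hits.append((client, method, module, status))
    return hits


if __name__ == "__main__":
    for hit in find_blank_saves(SAMPLE_LOG):
        print("blank-record Save: client=%s method=%s module=%s status=%s" % hit)
```

Parameters sent in a POST body do not appear in access logs, so this check only sees requests that carry them in the URL, as in the example URL above.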

Bye,
Antonio Musarra.
