Security Bug: Create an empty record in SugarCRM

I have enough experience with SugarCRM, ranging from development to integration solutions. This week I spent some time on the security of SugarCRM and discovered a security bug that I consider very serious: you can create blank records for each module. Just send an HTTP request with a URL like this:

index.php?action=Save&module=Leads&record=&return_module=Leads&return_action=detailview

With web-based applications you can resolve these issues (XSS, SQL injection, etc.) without direct action on the application code by adopting a security solution using ModSecurity.
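To check whether requests of the shape shown above have already reached an installation, the following Python script scans web server access-log lines for a Save action whose record parameter is empty or missing. It is an added example, not code from the original post or from SugarCRM; the "combined" log format, the /sugarcrm/ install path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Leading part of an Apache/nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def blank_save_requests(lines):
    """Return (ip, timestamp, method, module, status) for each request whose
    query string asks for action=Save with an empty or missing record id."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.endswith("index.php"):
            continue
        # keep_blank_values=True so "record=" is seen as present but empty
        qs = parse_qs(parts.query, keep_blank_values=True)
        action = qs.get("action", [""])[-1]
        record = qs.get("record", [""])[-1]
        # Case-insensitive on purpose: over-reporting is cheap for a review list.
        if action.lower() == "save" and record.strip() == "":
            module = qs.get("module", ["?"])[-1]
            hits.append((m["ip"], m["ts"], m["method"], module, int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2011:10:01:02 +0000] "GET /sugarcrm/index.php'
    '?module=Leads&action=DetailView&record=8f1c2a HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2011:10:03:44 +0000] "GET /sugarcrm/index.php'
    '?action=Save&module=Leads&record=&return_module=Leads'
    '&return_action=detailview HTTP/1.1" 302 -',
    '198.51.100.7 - - [01/Jan/2011:10:03:45 +0000] "GET /sugarcrm/index.php'
    '?module=Accounts&action=save&return_module=Accounts HTTP/1.1" 302 -',
    '192.0.2.10 - - [01/Jan/2011:10:05:00 +0000] "GET /sugarcrm/index.php'
    '?action=Save&module=Leads&record=8f1c2a HTTP/1.1" 302 -',
    '192.0.2.10 - - [01/Jan/2011:10:06:00 +0000] "POST /sugarcrm/index.php'
    ' HTTP/1.1" 200 812',  # form body is not in the access log
]

if __name__ == "__main__":
    for hit in blank_save_requests(SAMPLE_LOG):
        print(hit)
```

Saves submitted as a POST body do not show their parameters in an access log, so this only covers requests that carry the parameters in the URL.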

The version of SugarCRM where I found the problem is 6.1 (Community, Professional and Enterprise).

SugarCRM has opened the bug on the SugarCRM Bug Tracker as #43159.

Antonio Musarra.

Antonio Musarra

I began my journey into the world of computing from an Olivetti M24 PC bought by my father for his work. Day after day, quickly taking control until … Now doing business consulting for projects in the enterprise application development using web-oriented technologies such as J2EE, Web Services, ESB, TIBCO, PHP.
