Security Bug: Create a empty record in SugarCRM
I have enough experience on SugarCRM ranging from development to integration solutions. This week I spent some time on the security of SugarCRM, I discovered a security bug that I consider very seriously: You can create blank records for each module. Just run an HTTP request with a URL like this: index.php?action=Save&module=Leads&record=&return_module=Leads&return_action=detailview
With web based applications you can resolve these issues (XSS, SQL injection, etc) without direct action on the application code, adopt a security solution using ModSecurity (http://www.modsecurity.org/).
The version of SugarCRM where I found the problem is the 6.1 (Community, Professional and Enterprise).
SugarCRM's open the bug on SugarCRM Bug Tracker #43159 (http://www.sugarcrm.com/crm/support/bugs.html?bug_number=43159).
Bye,
Antonio Musarra.