Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

SuiteCRM 7.11.11 Phar Deserialization

Related Vulnerabilities: CVE-2020-8801  
Publish Date: 13 Feb 2020
Author: EgiX, karmainsecurity.com
Source 
                							

                -----------------------------------------------------------------
SuiteCRM <= 7.11.11 Multiple Phar Deserialization Vulnerabilities
-----------------------------------------------------------------


[-] Software Link:

https://suitecrm.com/


[-] Affected Versions:

Version 7.11.11 and prior versions.


[-] Vulnerabilities Description:

1) User input passed through the "backup_dir" parameter when handling 
the "Backups" action
within the "Administration" module is not properly sanitized before 
being used in a file
operation. This can be exploited by malicious users to inject arbitrary 
PHP objects into
the application scope (PHP Object Injection via phar:// stream wrapper), 
allowing them to
carry out a variety of attacks, such as executing arbitrary PHP code. 
Successful
exploitation of this vulnerability requires a System Administrator 
account.

2) User input passed through the "file_name" parameter when handling the 
"step3″ action
within the "Import" module is not properly sanitized before being used 
in a file operation.
This can be exploited by malicious users to inject arbitrary PHP objects 
into the application
scope (PHP Object Injection via phar:// stream wrapper), allowing them 
to carry out a variety
of attacks, such as executing arbitrary PHP code.

3) User input passed through the "load_module_from_dir" parameter when 
handling the
"UpgradeWizard" action within the "Administration" module is not 
properly sanitized before
being used in a file operation. This can be exploited by malicious users 
to inject arbitrary
PHP objects into the application scope (PHP Object Injection via phar:// 
stream wrapper),
allowing them to carry out a variety of attacks, such as executing 
arbitrary PHP code.
Successful exploitation of this vulnerability requires a System 
Administrator account.

4) User input passed through the "file_name" parameter when handling the 
"UploadFileCheck"
action within the "UpgradeWizard" module is not properly sanitized 
before being used in a
file operation. This can be exploited by malicious users to inject 
arbitrary PHP objects
into the application scope (PHP Object Injection via phar:// stream 
wrapper), allowing them
to carry out a variety of attacks, such as executing arbitrary PHP code. 
Successful
exploitation of this vulnerability would require a System Administrator 
account.
However, due to KIS-2020-04 it could be exploited by any user.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
[20/01/2020] - Vendor notified about public disclosure intention, no 
response
[07/02/2020] - CVE number assigned
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8801 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2020-02



<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started