Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

[KIS-2020-01] SuiteCRM <= 7.11.11 Second-Order PHP Object Injection Vulnerabilities

Related Vulnerabilities: CVE-2020-8800  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->
<a href="/fulldisclosure/"><img src="/images/fulldisclosure-logo.png" class="l-logo right" alt="fulldisclosure logo" width="80"></a>
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="2"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#3">By Date</a>
<a href="4"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="10"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#3">By Thread</a>
<a href="4"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<form class="nst-search center" action="/search/fulldisclosure">
<input class="nst-search-q" name="q" type="search" placeholder="List Archive Search">
<button class="nst-search-button" title="Search">
<img style="width:100%;aspect-ratio:1/1;" alt="" aria-hidden="true" src="/shared/images/nst-icons.svg#search">
</button>
</form>

</div>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[KIS-2020-01] SuiteCRM &lt;= 7.11.11 Second-Order PHP Object Injection Vulnerabilities</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Egidio Romano &lt;research () karmainsecurity com&gt;


<em>Date</em>: Wed, 12 Feb 2020 20:01:58 +0100


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">---------------------------------------------------------------------
SuiteCRM &lt;= 7.11.11 Second-Order PHP Object Injection Vulnerabilities
---------------------------------------------------------------------


[-] Software Link:

<a rel="nofollow" href="https://suitecrm.com/">https://suitecrm.com/</a>


[-] Affected Versions:

Version 7.11.11 and prior versions.


[-] Vulnerabilities Description:

</pre><tt>1) The vulnerability exists because the 
</tt><tt>"EmailsControllerActionGetFromFields::getEmailSignatures()” method
</tt><tt>is using the unserialize() function with the "account_signatures” user 
</tt><tt>preference, and such a value can be
</tt><tt>arbitrarily manipulated by evil users through the EmailUIAjax interface. 
</tt><tt>This can be exploited to inject
</tt><tt>arbitrary PHP objects into the application scope, allowing an attacker 
</tt><tt>to perform a variety of attacks,
</tt><pre style="margin: 0em;">such as executing arbitrary PHP code.

</pre><tt>2) The vulnerability exists because the 
</tt><tt>"EmailsControllerActionGetFromFields::handleActionGetFromFields()”
</tt><tt>method is using the unserialize() function with the "showFolders” user 
</tt><tt>preference, and such a value can be
</tt><tt>arbitrarily manipulated by evil users through the EmailUIAjax interface. 
</tt><tt>This can be exploited to inject
</tt><tt>arbitrary PHP objects into the application scope, allowing an attacker 
</tt><tt>to perform a variety of attacks,
</tt><pre style="margin: 0em;">such as executing arbitrary PHP code.


[-] Solution:

No official solution is currently available.


[-] Disclosure Timeline:

[19/09/2019] - Vendor notified
[20/09/2019] - Vendor acknowledgement
[12/11/2019] - Vendor contacted again asking for updates, no response
</pre><tt>[20/01/2020] - Vendor notified about public disclosure intention, no 
</tt><tt>response
</tt><pre style="margin: 0em;">[07/02/2020] - CVE number assigned
[12/02/2020] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2020-8800 to these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

<a rel="nofollow" href="http://karmainsecurity.com/KIS-2020-01">http://karmainsecurity.com/KIS-2020-01</a>


_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a></pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<div class="nav-bar">
<div class="nav-link">
<a href="2"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="date.html#3">By Date</a>
<a href="4"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
<div class="nav-link">
<a href="10"><img src="/images/left-icon-16x16.png" alt="Previous" width="16" height="16"></a>
<a href="index.html#3">By Thread</a>
<a href="4"><img src="/images/right-icon-16x16.png" alt="Next" width="16" height="16"></a>
</div>
</div>
<h3 class="m-thread">Current thread:</h3>
<ul class="thread">
<li><strong>[KIS-2020-01] SuiteCRM &lt;= 7.11.11 Second-Order PHP Object Injection Vulnerabilities</strong> <em>Egidio Romano (Feb 12)</em>
</li></ul>


<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started