Sugar Suite modules directory file include

sugarsuite-modules-file-include (26451) The risk level is classified as MediumMedium Risk


SugarCRM's Sugar Suite could allow a remote attacker to include malicious files. If 'register_globals' is enabled and .htaccess files are not accepted, a remote attacker could send a specially-crafted URL request to multiple scripts in the modules directory using the 'sugarEntry' parameter and other parameters to specify a malicious file from a remote or local system, which would allow the attacker to bypass security restrictions and execute arbitrary code on the vulnerable system.


Gain Access


Upgrade to the latest version of Sugar Suite (4.2.0b or later), available from the Sugar Suite Web site. See References.


  • BugTraq Mailing List, Sun May 14 2006 - 21:17:49 CDT: Sugar Suite Open Source <= 4.2 "OptimisticLock!" arbitrary remote inclusion exploit.
  • SugarCRM - CRM Software: SugarSuite 4.0 Beta.
  • BID-17987: Sugar Suite Open Source Multiple Remote and Local File Include Vulnerabilities
  • CVE-2006-2460: Sugar Suite Open Source (SugarCRM) 4.2 and earlier, when register_globals is enabled, does not protect critical variables such as $_GLOBALS and $_SESSION from modification, which allows remote attackers to conduct attacks such as directory traversal or PHP remote file inclusion, as demonstrated by modifying the GLOBALS[sugarEntry] parameter.
  • OSVDB ID: 25532: Sugar Suite Multiple Script sugarEntry Global Parameter Remote File Inclusion
  • SA20072: Sugar Suite "sugarEntry" Parameter Security Bypass
  • SECTRACK ID: 1016087: Sugar Suite `sugarEntry` Globals Entry Lets Remote Users Include and Execute Arbitrary Code

Platforms Affected:

  • SugarCRM Sugar Suite 4.2 and prior


May 14, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page