Suitecrm Vulnerability

Hi Team,
I'm working on Version 7.11.10 Sugar Version 6.5.25 (Build 344) and during testing our team found some application vulnerabilities.

  1. Stored XSS: During the assessment, it was observed that the application accepts malicious JavaScript input from an uploaded file and it gets executed.

  2. Cross-Site Request Forgery: During the assessment, it was observed that the application is vulnerable to Cross-Site Request Forgery.

  3. Cleartext Password Submission: During the assessment, we observed that the password submission in the request was in cleartext. This means that credentials are vulnerable to MITM attacks and can easily be compromised over public networks, etc.

  4. Cookie Attributes Not Set Properly: “During the assessment it was observed that the below cookie parameters are not set properly.
    1. Path: The ‘path’ attribute signifies the URL or path for which the cookie is valid. The default path attribute is set as ‘/’, which should be changed to the exact path of the application.
    2. Secure: When the secure flag is used, the cookie will only be sent over HTTPS, which is HTTP over SSL/TLS.
    3. Domain: The ‘domain’ attribute signifies the domain for which the cookie is valid and can be submitted with every request for this domain or its subdomains. If this attribute is not specified, then the hostname of the originating server is used as the default value.”

  5. Application Displays Web Server Banner: “During the assessment it was observed that HTTP responses from the web server reveal information about the type and version of the application framework being used.
    - Server: Microsoft IIS/10.0
    - X-Powered-By: PHP/7.4.13”

  6. HTTP Security Headers Are Not Set: “During the assessment it was observed that the below-mentioned HTTP headers were not set:

    1. Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
    2. The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.”

  7. Concurrent Login: During the assessment, it was observed that it was possible to log in to multiple sessions of the same user.

  8. Arbitrary HTTP Methods Enabled: During the assessment, it was observed that arbitrary HTTP methods are enabled.


You’re supposed to send that to

security@suitecrm.com

with all the details.

@jrawoot That’s a thorough effort, kudos to your security engineering team. Do you know if these issues have been addressed? Thank you!

The following is for the Bitnami container of Suite 7.14.3:

  1. Cookie attributes.

    • SOME cookies (sugar_user_theme, etc.) are set to “true” (secure). The eleven other cookies are inexplicably still set to “false” (not secure). All cookies should be set to true (secure) unless the app is running on plain HTTP behind an HTTPS proxy on the same LAN.
  2. Application displays server/php banners in the HTTP headers:

    • The “X-Powered-By: PHP/7.4.13” header has been removed.
    • However, the “Server” header is still there, showing “Apache”.
  3. HTTP Security headers are not set:

    • Content-Security-Policy is still not set.
    • X-XSS-Protection is still not set.
    • Also, both X-Frame-Options and Strict-Transport-Security are recommended and not set!
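The cookie-flag and header findings listed in this thread are easy to re-verify on your own deployment after each upgrade. The following checker is an added example, not code from SuiteCRM, Bitnami or any poster here; it audits a captured set of response headers for the hardening headers named above (plus SameSite on cookies, which goes slightly beyond the thread) and runs against a constructed sample modelled on the Bitnami findings rather than a real capture.

```python
# Constructed sample modelled on the findings above (not a real server response):
# one cookie carries "secure", another does not, the Server banner is present,
# and none of the recommended security headers are set.
SAMPLE_HEADERS = [
    ("Server", "Apache"),
    ("Set-Cookie", "sugar_user_theme=SuiteP; path=/; secure"),
    ("Set-Cookie", "PHPSESSID=constructed123; path=/"),
    ("Set-Cookie", "another_cookie=1; path=/; HttpOnly"),  # hypothetical cookie name
    ("Content-Type", "text/html; charset=UTF-8"),
]

# Headers the thread says should be set. X-XSS-Protection is legacy and ignored by
# modern browsers, but it is kept here because the thread reports on it.
REQUIRED_HEADERS = {
    "content-security-policy": "Content-Security-Policy",
    "x-frame-options": "X-Frame-Options",
    "strict-transport-security": "Strict-Transport-Security",
    "x-xss-protection": "X-XSS-Protection",
}

# Headers that disclose the server or runtime version.
BANNER_HEADERS = ("server", "x-powered-by")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute_lower: attribute_value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name, attrs


def audit(headers):
    """Return a sorted list of findings for a list of (name, value) response header pairs."""
    findings = []
    present = {name.lower() for name, _ in headers}
    for key, display in REQUIRED_HEADERS.items():
        if key not in present:
            findings.append(f"missing header: {display}")
    for name, value in headers:
        if name.lower() in BANNER_HEADERS:
            findings.append(f"banner disclosed: {name}: {value}")
        if name.lower() == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            for flag in ("secure", "httponly", "samesite"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} lacks {flag}")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HEADERS)))
```

To audit a live instance, feed it the (name, value) pairs from `response.headers.items()` of any HTTP client, keeping duplicate Set-Cookie headers separate.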