SugarCRM, the popular customer relationship management (CRM) software, helps organizations collect critical information across marketing, sales and service departments. It is used for sales automation, marketing campaigns, customer support, and reporting across multiple platforms.
SugarCRM was created in 2004. Since its inception, it has become one of the most popular solutions in the marketplace. It has a free community edition Sugar CE. In 2013, SuiteCRM was forked from this version. Of course, SugarCRM Professional and Enterprise versions provide more functionality than Sugar CE.
Major companies like Apple, IBM, HTC, Reebok, Sennheiser, HTC, and Audi use SugarCRM for their customer relationship management.
Over the years, SugarCRM user base has grown across 120 countries to serve around 2 million end-users. With such a large customer base, it is necessary to look into any security issue the software might face. SugarCRM users need to be aware of:
-
Serialization-Related Issues: Security researcher Edigio Romano reported CVE-2012-0694 a PHP serialization-related issue in 2012. Using this vulnerability, users with valid accounts can orchestrate object injection attacks during the deserialization process. The suggested solution was to use
jason_encode()
andjson_decode()
functions but they weren’t used due to performance concerns. There was an attempt to fix the problem through using a wrapper unserialize function but it didn’t solve the original issue. -
Cross-Site Scripting (XSS) Attack: The software is also vulnerable to Stored XSS attacks. Attackers can create inputs that will get stored on the server as scripts and displayed with the HTML code. When other users interact with the page, the script can collect the targeted information. At the moment, SugarCRM only has a “Remove XSS” button in the administration panel to address the issue. Administrators have to manually trigger the button to clean XSS. From thread prevention stand point, tt is not a great solution.
-
Local File Inclusion (LFI) Issue: SugarCRM has an LFI issue with InboundEmail::setEmailForDisplay. It allows attackers to create a path to an executable file residing on the server. Using the path, attackers can execute code on the server from already uploaded files.
-
SQL Injection and Authentication Bypass: There are multiple SQL injection vulnerabilities in the software. For example, SQL injection vulnerabilities are present in
InboundEmail::importOneEmail
,InboundEmail::deleteMessageFromCache
, and/api/v1/note/search
API endpoint. SQL injection allows attackers to send malicious payload or SQL statements directly to the database server to obtain sensitive information.
SugarCRM has been addressing these issues over the years. However, the response has been slow. Most of the vulnerabilities are still unpatched on the Sugar Community Edition. SugarCRM has been more focused on their commercial product and the commercial releases have more security updates. The company announced that it is moving away from serialization functions to improve security issues. These issues are also applicable to variances of SugarCRM as well.
SugarCRM provides a great product for the customer relation management marketplace. However, the security issues should be a concern for users. A client-side solution like Yathit can improve functionality and usability of SugarCRM without the need for any PHP modifications. Yathit makes your SugareCRM solution safer and more reliable.