Tales of SugarCRM Security Horrors

235 points, by peter_tonoli, about 8 years ago

15 comments

orf, about 8 years ago

The SugarCRM administration panel has a button labeled "remove XSS". We have a picture of it up in our office.

Yes. A button that attempts to remove XSS payloads from the database, that admins can click. That's the level of security competence we are talking about here.

Edit: Here is the button: http://i.imgur.com/hC9KmWh.png
blowski, about 8 years ago

> there are still chances for both authenticated (CVE-2012-0694) and unauthenticated (KIS-2016-07) attackers to exploit PHP internal memory corruption vulnerabilities which do not require objects declarations, like this ten years old vulnerability which requires just an array definition or this one which relies on references and arrays declarations

The two bugs linked were both fixed around 10 years ago. If you're running PHP v4.4, your problems are basically infinite. It would be nice to make a clearer distinction between PHP problems and SugarCRM problems.
kitcar, about 8 years ago

How timely; I recently evaluated sugarcrm/suitecrm but, similar to the author, was dismayed by their code quality.

Does anyone have any recommendations of other open source CRMs?
nkuttler, about 8 years ago

Wow, this kept getting better and better; I didn't expect to make it through the entire text. Some parts are shocking.
ibotty, about 8 years ago

Whoa! That's horrifying. Not only don't they update their open source version when fixing security bugs (great argument against choosing open core solutions, btw), they don't even fix most bugs!
doubleplusgood, about 8 years ago

A few years ago, my team and I tried building a small CRM solution based on SugarCRM; we figured, "hey, it's basically a simple CRUD app with some reports and somewhat-dynamic objects, right?"

We gave up after a week (ended up building the thing in Django). vTiger/SugarCRM is most likely the worst PHP codebase still in active development/production.
philsnow, about 8 years ago

The core issue is that SugarCRM uses PHP's built-in `unserialize` on user-controlled input, and they don't want to switch to JSON, ostensibly because of performance issues.

Why don't they HMAC the payloads (with a timestamp and something tied to the user (an ID, the username, whatever)) and verify the HMAC before deserializing? Verifying an HMAC prevents undetected tampering, is fast, and there are libraries for it in ~every language.
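The scheme this comment proposes, as an added PHP example that is neither SugarCRM's code nor the commenter's: a token carries a user ID, an issue timestamp, an HMAC-SHA256 tag and the serialized blob; the receiver rejects any token whose user, age or tag does not check out before `unserialize()` ever sees the bytes, and even then refuses to instantiate objects. The function names `seal_payload`/`open_payload`, the `|` delimiter, the one-hour TTL and the sample payload are assumptions of this example.

```php
<?php
// Added example, not SugarCRM code: authenticate a serialized payload with an
// HMAC (bound to a user and a timestamp) before it ever reaches unserialize().
// seal_payload()/open_payload(), the '|' delimiter and the one-hour TTL are
// assumptions of this example.

const TOKEN_TTL_SECONDS = 3600;

function seal_payload(array $payload, string $key, string $userId, int $now): string
{
    // The user id is part of the authenticated header, so it must not contain
    // the delimiter; otherwise open_payload() could not split the token reliably.
    if (strpos($userId, '|') !== false) {
        throw new InvalidArgumentException('user id must not contain "|"');
    }
    $blob   = serialize($payload);
    $header = $userId . '|' . $now;
    // The tag covers header and blob together, so neither can be swapped alone.
    $tag    = hash_hmac('sha256', $header . '|' . $blob, $key);
    return base64_encode($header . '|' . $tag . '|' . $blob);
}

function open_payload(string $token, string $key, string $expectedUserId, int $now): ?array
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    // Limit of 4: the serialized blob itself may legitimately contain '|'.
    $parts = explode('|', $raw, 4);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $issuedAt, $tag, $blob] = $parts;

    // Bind the token to the current user and reject stale tokens (replay).
    if ($userId !== $expectedUserId || !ctype_digit($issuedAt)) {
        return null;
    }
    if ($now - (int) $issuedAt > TOKEN_TTL_SECONDS) {
        return null;
    }

    // Constant-time comparison; on a bad tag the bytes are never deserialized.
    $expected = hash_hmac('sha256', $userId . '|' . $issuedAt . '|' . $blob, $key);
    if (!hash_equals($expected, $tag)) {
        return null;
    }

    // Defence in depth (PHP >= 7.0): even an authentic blob may not instantiate
    // objects, so a leaked key cannot be turned into a gadget chain.
    $data = unserialize($blob, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Demonstration with a constructed payload and a per-run key (a real
// deployment would load the key from configuration rather than generate it).
$key   = random_bytes(32);
$now   = time();
$token = seal_payload(['module' => 'Accounts', 'page' => 2], $key, 'user-42', $now);

// Valid token for the right user: the original array comes back.
var_dump(open_payload($token, $key, 'user-42', $now));

// Flip one bit of the blob: the tag no longer verifies, result is null.
$bytes = base64_decode($token);
$last  = strlen($bytes) - 1;
$bytes[$last] = chr(ord($bytes[$last]) ^ 0x01);
var_dump(open_payload(base64_encode($bytes), $key, 'user-42', $now));

// Same token presented for a different user, or after the TTL: also null.
var_dump(open_payload($token, $key, 'user-7', $now));
var_dump(open_payload($token, $key, 'user-42', $now + TOKEN_TTL_SECONDS + 1));
```

The tag is checked before any parsing of the blob, and `allowed_classes => false` is kept as a second line of defence so that a key compromise alone does not reopen the object-injection path; if the application genuinely needs objects, the alternative is to whitelist the specific classes rather than drop the option.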
hdhzy, about 8 years ago

I wonder what the use case is for serializing and unserializing objects using PHP's built-in functions. Is this some kind of "I'm too lazy to JSON-encode a subset of properties", or are there some edge cases where one would use this extremely sharp knife?
elchief, about 8 years ago

You need to run a WAF like ModSecurity in front of any PHP application these days.
dmilicevic, about 8 years ago

The good thing is that Sugar is slowly but steadily replacing the old codebase, but they should be more transparent about addressing these serious issues.
chmars, about 8 years ago

Other CRM providers would probably deserve a closer look too.

Marketcircle, for example, has never been able to offer reliable SSL support for its CalDAV / CardDAV server. And they are switching to a cloud solution too: closed source and proprietary.
ReligiousFlames, about 8 years ago

SugarCRM stopped public development long ago. Most people use Sugar non-CE or SuiteCRM (a maintained fork), which probably has similar/the same vulns.
dmilicevic, about 8 years ago

Response to the blog: https://blog.sugarcrm.com/2017/04/24/important-security-update/
tiatia, about 8 years ago

Can someone recommend a CRM? Preferably open source and free?

Currently we are considering Odoo, but any advice is appreciated. https://comparisons.financesonline.com/sugar-crm-vs-odoo
educar, about 8 years ago

The page is unreadable on mobile :(