SugarCRM 5.2.0e Remote Code Execution - EDB-8949

Date: 15 June 2009

Event: N/A

Type: CVE

Tags: cve, vulnerability, sugarcrm, rce, file-upload, security-research, advisory

On June 15, 2009, Exploit-DB published an advisory on a Remote Code Execution vulnerability in SugarCRM version 5.2.0e, attributing the discovery to the USH team, composed of Francesco “ascii” Ongaro, Antonio “s4tan” Parata, and Giovanni “evilaliv3” Pellerano. The advisory (EDB-ID 8949) described a flaw in the email-attachment upload feature: uploaded files could be saved with a .php extension, which allowed arbitrary code execution on the server. The vendor acknowledged the vulnerability and released a patch (version 5.2.0f) a few days later. Ongaro is also credited as the author and copyright holder of the document.

Archived PDF document