CVE-2004-1227

Name of the Vulnerable Software and Affected Versions: SugarCRM Sugar Sales versions 2.0.1c and earlier

Description: A directory traversal issue allows remote attackers to read arbitrary files and possibly execute arbitrary PHP code via .. (dot dot) sequences in the module, action, or theme parameters to "index.php", the theme parameter to "Login.php", and possibly other parameters or scripts.

Recommendations: For SugarCRM Sugar Sales versions 2.0.1c and earlier, as a temporary workaround, consider restricting access to the vulnerable parameters module, action, and theme in "index.php" and the theme parameter in "Login.php" until a patch is available.