SugarCRM — Contacto Ciudadano (Citizen Contact CRM) Credentials
Summary
Credentials
SOAP Endpoint: http://plataforma.contactociudadano.gob.ec/Sugar/soap.php?wsdl
Username: contactoweb
Password: _3S(*i6n
MD5(password): used for authentication via SOAP login()
What This CRM Contains
This is Ecuador's Contacto Ciudadano platform — a centralized CRM that receives contact form submissions from ALL government WordPress sites using the Sitio-32 theme. It stores:
- Citizen national ID numbers (cédula)
- Full names (nombre, apellido)
- Birth dates (fecha_nacimiento)
- Phone numbers (teléfono)
- Email addresses
- Province/Canton/Parish (geographic location)
- Occupation
- Contact messages and topics
- Registration dates
SugarCRM Modules Exposed
ClxEC_Ciudadano— Citizen records (indexed by cédula)Mdlg_Contactos_Web— Web contact submissions- Standard SugarCRM modules (get_available_modules, get_module_fields)
Technical Details
- Authentication: SOAP login with MD5-hashed password
- Client: PHP SoapClient to Sugar WSDL endpoint
- Methods used: login(), set_entry(), get_entry_list(), set_relationship(), get_available_modules(), get_module_fields()
- Data flows: Every government contact form submission → SugarCRM via SOAP
- No input sanitization before CRM insertion
Combined Impact
With the oraculo hardcoded encryption keys AND these CRM credentials from the SAME codebase:
- Decrypt all oraculo inter-site communications
- Access citizen PII in the CRM via SOAP API
- SQL inject via ajax_selects.php to dump local WordPress databases
- SQL inject via procesarContacto.php to insert/extract contact data
- Mail header injection via procesarContacto.php (FROM: user-controlled)
Additional Finding: DIGERCIC (Civil Registry) SOAP API
The same codebase (coronavirus-drupal module on minka.gob.ec) also connects to Ecuador's Civil Registry (DIGERCIC) to look up citizens by national ID (cédula). While the actual credentials are in Drupal config (not hardcoded), the code reveals:
- SOAP endpoint: configurable URL for DIGERCIC web service
- Authentication: CodigoInstitucion, CodigoAgencia, Usuario, Contrasenia
- Method: BusquedaPorNui (lookup by national ID)
- Returns: Full citizen data (name, birth date, etc.)
- WS-Security headers with digest authentication
- Password displayed in PLAINTEXT in admin settings form (uses textfield instead of password input)