zurmo / zurmo
License: GNU Affero General Public License v3.0
Hi,
When you put %00 in moduleClassName you can see the full path of the installation of ZurmoCRM:
/index.php/designer/default/modulesMenu?moduleClassName=%00
include(): Failed opening '' for inclusion (include_path='.:/home/zurmo/public_html/demos/stable/app/protected/extensions/phaActiveColumn:/home/zurmo/public_html/demos/stable/app/protected/modules/api/tests/unit/forms:/home/zurmo/public_html/demos/stable/app/protected/modules/api/tests/unit/models:/usr/share/pear:/usr/share/php')
The reference id for this error is 60dc202103104e478ef8af89a5123b60.
Regards
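The report above shows two separate problems in one request: a parameter that reaches include() without an allow-list check, and an error page that echoes the include_path. The following is an added example, not code from the Zurmo project or the reporter: an allow-list check for a module class name (the only characters a PHP class name can contain) plus the response check a scanner would run to confirm a path disclosure. The sample body is the warning quoted in the report with its include_path shortened; it is constructed for offline use, not a live response.

```python
import re

# Constructed sample: the include() warning quoted in the report above, with the
# include_path shortened. It is a copy for offline testing, not a live response.
SAMPLE_ERROR_BODY = (
    "include(): Failed opening '' for inclusion (include_path='.:"
    "/home/zurmo/public_html/demos/stable/app/protected/extensions/phaActiveColumn:"
    "/usr/share/pear:/usr/share/php')"
)

# A PHP class name is [A-Za-z_][A-Za-z0-9_]*. Using an allow-list means NUL bytes,
# slashes, dots and percent-decoding leftovers never reach an include()/autoload path.
CLASS_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")


def is_safe_class_name(raw: str) -> bool:
    """True only if the query-string value is a plain PHP identifier."""
    return CLASS_NAME_RE.fullmatch(raw) is not None


# Absolute paths under the directories a web application is normally deployed in.
ABS_PATH_RE = re.compile(r"(?<![\w/])(/(?:home|var|usr|srv|opt|etc)(?:/[\w.\-]+)+)")


def leaked_paths(body: str) -> list:
    """Distinct absolute filesystem paths found in a response body, in order."""
    found = []
    for match in ABS_PATH_RE.finditer(body):
        path = match.group(1)
        if path not in found:
            found.append(path)
    return found


def disclosure_report(param_value: str, body: str) -> dict:
    """What a scanner would log for one probe: whether the input should have been
    rejected up front, and which paths the response gave away."""
    return {
        "input_rejected_by_allowlist": not is_safe_class_name(param_value),
        "leaked_paths": leaked_paths(body),
    }


if __name__ == "__main__":
    # "%00" arrives at the application as a single NUL byte after URL decoding.
    print(disclosure_report("\x00", SAMPLE_ERROR_BODY))
```

The allow-list is the actual fix; the path regex is only the check you run against the error page, and it deliberately looks for deployment roots rather than any string with slashes so that normal URLs in the body do not trigger it.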
Hello, Bitnami engineer here,
We were tracking the latest releases of Plone in this site:
Since the site is down, do you offer any alternative?
Latest release detected by us was 3.2.7.c53e0c6df135.
Description:
Hi, hereby I would like to report a Directory Listing vulnerability that I have found on zurmo-stable-3.2.1.57987acc3018, which provides an attacker with the complete index of all the resources located inside the directory.
Technical Description:
Directory listing, as it is named, allows a user to view all the files (including source files) under a directory served by the web site. If an adversary is able to view all the files (including the source files), one can forge attacks that can potentially bypass the security checks. This basically turns a black box into a white box from the adversary's point of view, which reduces the complexity of the attack.
Vulnerability Type: Directory Listing
Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018
Affected Component:
http://127.0.0.1/zurmo/app/assets/1a4c59ce/
http://127.0.0.1/zurmo/app/assets/566eb800/
http://127.0.0.1/zurmo/app/assets/6416ba5e/
http://127.0.0.1/zurmo/app/assets/96dee418/
http://127.0.0.1/zurmo/app/assets/98a907b/
http://127.0.0.1/zurmo/app/assets/a0110a6f/
http://127.0.0.1/zurmo/app/assets/cc7cc1db/
http://127.0.0.1/zurmo/app/assets/d2ef22f2/
http://127.0.0.1/zurmo/app/assets/e07527b/
http://127.0.0.1/zurmo/app/assets/fd697b80/
Note: http://127.0.0.1/zurmo/app/assets/ itself is not vulnerable to directory listing. But the above listed are.
http://127.0.0.1/zurmo/app/themes/
/themes/ itself and all links beneath it are vulnerable to directory listing, which is why they were not listed individually.
Attack Vectors:
Steps to Replicate:
You can just visit all the above-mentioned links, which don't even require authentication. Anyone visiting those links will be able to view the directory.
Note: Zurmo is not altered/modified in any way while subjected to testing.
Discoverer: Meshach. M
Organization: StrongBox IT
Website: http://www.strongboxit.com/
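The report lists the affected URLs but not how to confirm the finding at scale or what the page looks like when the check fires. Below is an added example (not Zurmo code and not the reporter's) of the detection logic a scanner applies to each response: a 200 whose title or heading reads "Index of /...", followed by extraction of the listed entries so the report can show what is exposed. The sample bodies are constructed to resemble the stock Apache and nginx autoindex pages; none was captured from a real host. The server-side fix is the usual one: `Options -Indexes` for Apache or `autoindex off;` for nginx on the assets and themes directories.

```python
import re
from html.parser import HTMLParser

# Constructed sample bodies modelled on the stock Apache and nginx autoindex pages
# and on an ordinary application page. None of them was captured from a real host.
APACHE_LISTING = """<html><head><title>Index of /zurmo/app/assets/1a4c59ce</title></head>
<body><h1>Index of /zurmo/app/assets/1a4c59ce</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="../">Parent Directory</a>
<a href="jquery.min.js">jquery.min.js</a>
<a href="default.css">default.css</a>
</pre></body></html>"""

NGINX_LISTING = """<html><head><title>Index of /zurmo/app/themes/</title></head>
<body><h1>Index of /zurmo/app/themes/</h1><hr><pre><a href="../">../</a>
<a href="default/">default/</a>
</pre><hr></body></html>"""

APP_PAGE = "<html><head><title>Zurmo</title></head><body><form>...</form></body></html>"

INDEX_OF_RE = re.compile(r"<(?:title|h1)>\s*Index of\s+/", re.IGNORECASE)


def is_directory_listing(status: int, body: str) -> bool:
    """Heuristic used by most scanners: a 200 whose title/heading is 'Index of /...'."""
    return status == 200 and INDEX_OF_RE.search(body) is not None


class _PreLinks(HTMLParser):
    """Collects the entry links inside <pre>, skipping sort links and the parent link."""

    def __init__(self):
        super().__init__()
        self.in_pre = False
        self.entries = []

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            self.in_pre = True
        elif tag == "a" and self.in_pre:
            href = dict(attrs).get("href") or ""
            if href and not href.startswith("?") and href not in ("../", "/"):
                self.entries.append(href)

    def handle_endtag(self, tag):
        if tag == "pre":
            self.in_pre = False


def listed_entries(body: str) -> list:
    parser = _PreLinks()
    parser.feed(body)
    return parser.entries


def audit(responses: dict) -> dict:
    """responses maps URL -> (status, body). Returns {url: [entries]} for every
    URL that exposes a listing, i.e. exactly what goes into the report."""
    return {url: listed_entries(body)
            for url, (status, body) in responses.items()
            if is_directory_listing(status, body)}


if __name__ == "__main__":
    # Constructed responses; in a live run you would fill this dict from GET requests.
    sample = {
        "http://127.0.0.1/zurmo/app/assets/1a4c59ce/": (200, APACHE_LISTING),
        "http://127.0.0.1/zurmo/app/themes/": (200, NGINX_LISTING),
        "http://127.0.0.1/zurmo/app/assets/": (200, APP_PAGE),
    }
    for url, entries in audit(sample).items():
        print(url, entries)
```

Matching on the "Index of" title rather than on a link count keeps false positives low on application pages that happen to contain many relative links.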
I had this error when logging in as one of my sales staff.
The following fixed the issue:
http://zurmo.org/forums/index.php?/topic/5167-accessdeniedsecurityexception/#entry15809
When going into the config file, it says "Check in as true", but it was set to false by default.
Please update the default of the following entry from "false" to "true", as stated in the excerpt below from the config file:
// Turn this off to use php to do permissions, rights, and polices.
// Use this to comparatively test the mysql stored functions and procedures.
// Check it in as true!
$securityOptimized = false;
^----------> This is false by default, needs to be true!!
Hi,
In the "item" model, "getModuleClassName()" is missing. When I tried to add a filter for the report, it caused a not-supported exception. What is the best way to include it?
Hi,
[*] Page afected
index.php/products/default
[*] Field Affected
Name
[*] POC:
Regards
Description:
Hi, hereby I would like to report a security vulnerability that I have found on zurmo-stable-3.2.1.57987acc3018, in which an attacker can redirect the victim to a malicious domain by modifying the URL value to a malicious site and may successfully launch a phishing scam and steal user credentials.
Technical Description:
According to OWASP, Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access.
Vulnerability Type: Open URL Redirects / Unvalidated Redirects
Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018
Affected Component: http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=http://www.strongboxit.com/ (Will add more when I test other components too)
Attack Vectors:
Steps to Replicate:
Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Discoverer: Meshach. M
Organization: StrongBox IT
Website: http://www.strongboxit.com/
Due to the HTTPS policy the form couldn't be loaded from https, because in the code the script URL and other resource references are set to http instead of //. This will cause a Mixed Content error in Chrome-like browsers due to this restriction (as it should). Possible fix: convert the code from http to //.
Hello, I've noticed that when you try to upload the logo, if you don't have the php-gd extension it enters a loop.
Maybe you should add a gd extension check to the installation process?
Hi,
I found this Open Redirect in ZurmoCRM.
[*] Page affected
index.php/meetings/default/edit?id=182&redirectUrl=http://www.google.com
[*] Fields affected
RedirectUrl
When you write any domain in the RedirectUrl parameter, the user is redirected to that URL. This attack can be used for phishing or for redirection to exploit kits.
Regards.
Description:
Hi, hereby I would like to report a Cross Site Scripting vulnerability that I have found on zurmo-stable-3.2.1.57987acc3018, in which a base64-encoded XSS payload was used to carry out the attack successfully.
Technical Description:
Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.
Vulnerability Type: Cross Site Scripting
Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018
Affected Component: http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=data:text/html;base64,PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg==
(Will add more when I test other components too)
Attack Vectors:
Steps to Replicate:
Log in to zurmo-crm (user: super user).
The XSS Payload used is base64 encoded “PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg==”.
Fill the meeting form and click save. XSS will get executed.
Reference: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
Discoverer: Meshach. M
Organization: StrongBox IT
Website: http://www.strongboxit.com/
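The three reports that involve `redirectUrl` (the createMeeting open redirect, the edit open redirect, and the `data:text/html;base64,...` payload just above) are the same defect seen from two angles: the parameter is used as a redirect target without being reduced to something on the application's own origin. The function below is an added example, not Zurmo code and not the reporters', of the validation that closes all three at once: it accepts only an absolute in-app path, or a full URL whose host is exactly the application's own, and sends everything else to a fixed landing page. The landing page path and the host name `crm.example.test` are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_LANDING = "/index.php/home/default"   # assumed in-app fallback page


def safe_redirect_target(raw, own_host=None, fallback=DEFAULT_LANDING):
    """Reduce an untrusted redirectUrl to a target that stays on this origin.

    Accepted: an absolute path inside the application ("/index.php/..."), or a full
    URL whose scheme is http/https and whose host is exactly own_host (reduced to
    its path). Everything else falls back to a fixed in-app page, which covers:
      - any other scheme: http(s) to another host, data:, javascript:, ftp:, ...
      - protocol-relative "//evil" and backslash variants "\\evil", "/\\evil"
      - userinfo tricks such as "https://own_host@evil.example/"
      - control characters (including NUL), empty and oversize input
    """
    if not raw or len(raw) > 2048 or any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        return fallback
    # Browsers treat backslashes like forward slashes in URLs; normalise before parsing.
    candidate = raw.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:          # e.g. a malformed IPv6 literal
        return fallback
    if parts.scheme or parts.netloc:
        same_host = own_host is not None and parts.netloc.lower() == own_host.lower()
        if parts.scheme not in ("http", "https") or not same_host:
            return fallback
        path = parts.path or "/"
    else:
        path = parts.path
    # A path beginning with "//" would go out as a protocol-relative Location header.
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed inputs: the two values from the reports above plus common bypasses.
    for value in [
        "http://www.strongboxit.com/",
        "data:text/html;base64,PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg==",
        "javascript:alert(1)",
        "//evil.example/",
        "/\\evil.example/",
        "https://crm.example.test@evil.example/",
        "https://crm.example.test/index.php/meetings/default/list?x=1",
        "/index.php/meetings/default/details?id=182",
    ]:
        print(f"{value[:60]:60} -> {safe_redirect_target(value, own_host='crm.example.test')}")
```

The important design choice is to allow-list the shape of the target rather than to block known-bad schemes: a `data:` or `javascript:` target fails the same test as an off-site `http:` one, so there is no list of prefixes to keep current.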
Using some of the common Vagrant box builders, specifically ProtoBox in my case, I can have it automatically checkout a Git repo. I was excited when I saw there was a git mirror of the mercurial repo here, but was sad again when I realized it hasn't been updated in a long time. The readme says:
We update this repository only when we release new stable releases
Any chance this will be updated any time soon? It looks like the latest stable release was October 2014 https://bitbucket.org/zurmo/zurmo/commits/tag/stable
Are there any plans on updating this repository?
The repo over at BitBucket appears to be more up-to-date. Is there a reason for this?
https://bitbucket.org/zurmo/zurmo
[*] Page affected
index.php/tasks/default/list#
[*] Fields affected
CheckList
PoC:
You only need to create a list with a "check list" entry like: ">< img src='' onerror=alert(23) ;>
Regards
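The payload in the post above opens with `">`, which is the shape of an attribute breakout: the value is being written into a quoted attribute (and probably also into the element text) without encoding. As an added example, not Zurmo code and not the reporter's, the block below renders a checklist entry the vulnerable way and the hardened way and uses Python's HTML tokenizer to show the difference a browser would see. It assumes the intended payload was `<img` (the post shows `< img` with a space, which browsers do not parse as a tag), and the input markup is an invented stand-in for whatever template Zurmo actually uses.

```python
import html
from html.parser import HTMLParser

# The reported string as a literal. The issue shows "< img" with a space; browsers
# do not parse "< img" as a tag, so this example assumes the intended "<img".
PAYLOAD = "\"><img src='' onerror=alert(23) ;>"


def render_item_unsafe(name: str) -> str:
    """Vulnerable: the value is pasted straight into an attribute and into text."""
    return f'<input type="checkbox" name="item" value="{name}"> {name}'


def render_item_safe(name: str) -> str:
    """Hardened: HTML-escape with quote=True so neither " nor ' can close the attribute."""
    escaped = html.escape(name, quote=True)
    return f'<input type="checkbox" name="item" value="{escaped}"> {escaped}'


class _TagCollector(HTMLParser):
    """Approximates the browser tokenizer: every start tag with its attribute names."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, [name for name, _ in attrs]))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def tags_in(markup: str) -> list:
    """Element names a browser would create from the markup, in document order."""
    collector = _TagCollector()
    collector.feed(markup)
    return [tag for tag, _ in collector.elements]


def has_event_handler(markup: str) -> bool:
    """True if any element carries an on* attribute, i.e. script would execute."""
    collector = _TagCollector()
    collector.feed(markup)
    return any(name.lower().startswith("on") for _, names in collector.elements for name in names)


if __name__ == "__main__":
    for label, render in (("unsafe", render_item_unsafe), ("safe", render_item_safe)):
        markup = render(PAYLOAD)
        print(f"{label}: tags={tags_in(markup)} handler={has_event_handler(markup)}")
```

`html.escape` with `quote=True` covers both the double-quoted attribute and the text node in this template; a value placed in a JavaScript string or a URL attribute would need that context's encoder instead, which is why the fix belongs in the view layer rather than in input filtering.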