
zurmo's Introduction

Zurmo Open Source CRM


Zurmo is an open source CRM application written in PHP utilizing jQuery, Yii Framework, and RedBeanPHP.

Our goal with Zurmo is to provide an easy-to-use, easy-to-customize CRM application that can be adapted to any business use case. We have taken special care to think through many different use cases and have designed a system that we believe provides a high degree of flexibility, covering a wide variety of use cases out of the box.

We don't have a million features. We can never beat out existing players in a feature war.

But considering companies wind up only using a handful of features, we don't think it really matters.

What we have so far is the beginning of a high-quality sales force automation tool. Stay tuned as we continue to make improvements.

From a technical perspective, we are very excited. We have decided to build Zurmo on three awesome development frameworks, Yii, RedBeanPHP, and jQuery. With almost a religious zeal for testing, you will find that our obsession with test driven development means a more stable application.

Gone are the days of 'upgrade and pray'. Now it is 'upgrade and test'.

We have installation walkthroughs based on different development platforms.

Windows Installation Instructions for Development using Apache: http://zurmo.org/wiki/windows-installation-instructions-for-development

Linux Installation Instructions for Development: http://zurmo.org/wiki/linux-installation-instructions-for-development

For support please visit and register for our forum pages: http://zurmo.org/forums/

IMPORTANT NOTE: This is a mirror of our Mercurial repository, which is hosted on BitBucket: https://bitbucket.org/zurmo/zurmo. We update this repository only when we publish new stable releases, so it is strongly recommended to clone Zurmo CRM from our master Mercurial repository.

zurmo's People

Contributors

ivicaned, stelgenhof, tanakahisateru, zurmo


zurmo's Issues

Directory Listing / Directory Indexing

Description:
Hi, hereby I would like to report a Directory Listing vulnerability that I have found on zurmo-stable-3.2.1.57987acc3018, which provides an attacker with the complete index of all the resources located inside the directory.

Technical Description:
Directory listing, as it is named, allows a user to view all the files (including source files) under a directory served by the web site. If an adversary is able to view all the files (including the source files), one can forge attacks that can potentially bypass the security checks. This basically turns a black box into a white box from the adversary's point of view, which reduces the complexity of the attack.

Vulnerability Type: Directory Listing

Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018

Affected Component:
http://127.0.0.1/zurmo/app/assets/1a4c59ce/
http://127.0.0.1/zurmo/app/assets/566eb800/
http://127.0.0.1/zurmo/app/assets/6416ba5e/
http://127.0.0.1/zurmo/app/assets/96dee418/
http://127.0.0.1/zurmo/app/assets/98a907b/
http://127.0.0.1/zurmo/app/assets/a0110a6f/
http://127.0.0.1/zurmo/app/assets/cc7cc1db/
http://127.0.0.1/zurmo/app/assets/d2ef22f2/
http://127.0.0.1/zurmo/app/assets/e07527b/
http://127.0.0.1/zurmo/app/assets/fd697b80/
Note: http://127.0.0.1/zurmo/app/assets/ itself is not vulnerable to directory listing. But the above listed are.

http://127.0.0.1/zurmo/app/themes/
Including /themes/ and all links beyond are vulnerable to directory listing and that’s why they were not mentioned specifically.

Attack Vectors:
Steps to Replicate:
You can just visit all the above-mentioned links which don't even require authentication. By visiting those links anyone will be able to view the directory.
Note: Zurmo is not altered/modified in any way while subjected to testing.

Discoverer: Meshach. M
Organization: StrongBox IT
Website: http://www.strongboxit.com/
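For anyone verifying this on their own deployment: the remediation on Apache is Options -Indexes in the application's .htaccess or virtual host (the README's development walkthrough uses Apache; if you serve Zurmo with nginx, the equivalent is autoindex off). The script below is an added example, not Zurmo's own code: it recognises the markup Apache mod_autoindex and nginx autoindex emit and reports which directories still answer with a listing. The fetcher is injectable, and the sample responses are constructed so that it runs offline; swap in httpFetch() to run it against your own server. It assumes PHP 7.4 or later.

```php
<?php
// Added example (not Zurmo's own code): detect directories that still expose a
// server-generated index page. Run it against your own deployment only.
declare(strict_types=1);

/** Return true if an HTTP response body looks like a server-generated directory index. */
function looksLikeDirectoryListing(string $body): bool
{
    // Markers emitted by Apache mod_autoindex and nginx autoindex (assumption:
    // your server is one of these; extend the list for others).
    $markers = [
        '/<title>\s*Index of \//i',            // title used by both Apache and nginx
        '/Parent Directory/i',                 // Apache mod_autoindex link text
        '/<a href="\.\.\/">\.\.\/<\/a>/i',     // nginx autoindex "../" link
    ];
    foreach ($markers as $pattern) {
        if (preg_match($pattern, $body) === 1) {
            return true;
        }
    }
    return false;
}

/**
 * Check a list of directory URLs with a caller-supplied fetcher
 * (callable(string $url): array{int, string} returning [status, body]).
 * Returns the URLs that answered 200 with a listing.
 */
function findExposedDirectories(array $urls, callable $fetch): array
{
    $exposed = [];
    foreach ($urls as $url) {
        [$status, $body] = $fetch($url);
        if ($status === 200 && looksLikeDirectoryListing($body)) {
            $exposed[] = $url;
        }
    }
    return $exposed;
}

/** Real fetcher for your own server (needs allow_url_fopen); wrap your own HTTP client if you prefer. */
function httpFetch(string $url): array
{
    $context = stream_context_create(['http' => ['ignore_errors' => true, 'timeout' => 5]]);
    $body = @file_get_contents($url, false, $context);
    $status = 0;
    // $http_response_header is populated in this scope by file_get_contents()
    if (isset($http_response_header[0]) && preg_match('/\s(\d{3})\s/', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, $body === false ? '' : $body];
}

// Constructed sample responses so the script runs offline. The first one mirrors the
// issue's note that /assets/ itself is not listable while its hashed subdirectories are.
$fakeResponses = [
    'http://127.0.0.1/zurmo/app/assets/'          => [403, '<html><body><h1>Forbidden</h1></body></html>'],
    'http://127.0.0.1/zurmo/app/assets/1a4c59ce/' => [200, "<html><head><title>Index of /zurmo/app/assets/1a4c59ce</title></head>\n"
                                                         . "<body><a href=\"/zurmo/app/assets/\">Parent Directory</a></body></html>"],
    'http://127.0.0.1/zurmo/app/themes/'          => [200, '<html><head><title>Index of /zurmo/app/themes</title></head></html>'],
];
$fakeFetch = fn(string $url): array => $fakeResponses[$url] ?? [404, ''];

print_r(findExposedDirectories(array_keys($fakeResponses), $fakeFetch));
```

A 403 or a blank 200 for a directory URL means the index is off; a 200 that trips looksLikeDirectoryListing() is the finding. After adding Options -Indexes, re-run the check, since .htaccess overrides only take effect where AllowOverride permits them.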

Form issue when using HTTPS

Due to the HTTPS policy, the form couldn't be loaded over https (because in the code the script URL and other resource references are set to http instead of //).

This will cause a Mixed Content error in Chrome-like browsers due to this restriction (as it should be).

Possible fix: convert code from http to //
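Two ways to apply that fix, as an added example rather than Zurmo's own code: a one-off rewrite of src/href attributes that point at the application's own host from http:// to //, and, for newly generated URLs, building them from the scheme the request actually arrived on. The host list and the sample markup are constructed; whether to trust X-Forwarded-Proto depends on your reverse proxy and is an assumption you must confirm.

```php
<?php
// Added example (not Zurmo's own code): keep resource references on the page's
// own scheme so an HTTPS page does not load scripts, styles or images over HTTP.
declare(strict_types=1);

/**
 * Rewrite src/href attributes that point at one of our own hosts from
 * "http://host/..." to "//host/...". External links are left alone: a
 * protocol-relative URL only helps for hosts that actually serve HTTPS.
 */
function makeOwnResourcesSchemeRelative(string $html, array $ownHosts): string
{
    $hostAlternatives = implode('|', array_map(
        static fn(string $h): string => preg_quote($h, '~'),
        $ownHosts
    ));
    $pattern = '~\b(src|href)=(["\'])http://(' . $hostAlternatives . ')(/|(?=["\']))~i';
    return preg_replace($pattern, '$1=$2//$3$4', $html);
}

/** Preferred for new code: derive the scheme from the request instead of hard-coding it. */
function currentScheme(array $server): string
{
    $https = $server['HTTPS'] ?? '';
    if ($https !== '' && strtolower($https) !== 'off') {
        return 'https';
    }
    // Honour the forwarded header only if a trusted reverse proxy sets it (deployment assumption).
    if (strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return 'https';
    }
    return 'http';
}

function assetUrl(string $path, array $server): string
{
    $host = $server['HTTP_HOST'] ?? 'localhost';
    return currentScheme($server) . '://' . $host . '/' . ltrim($path, '/');
}

// Constructed sample markup: two own-host resources and one external link.
$html = '<script src="http://crm.example.test/assets/1a4c59ce/jquery.js"></script>'
      . '<link href="http://crm.example.test/themes/default/style.css" rel="stylesheet">'
      . '<a href="http://www.example.org/docs">external link stays as is</a>';

echo makeOwnResourcesSchemeRelative($html, ['crm.example.test']), "\n";
echo assetUrl('assets/1a4c59ce/jquery.js', ['HTTPS' => 'on', 'HTTP_HOST' => 'crm.example.test']), "\n";
```

The regex rewrite is a stop-gap for templates you cannot touch yet; the durable fix is to stop emitting absolute http:// URLs in the first place, which is what assetUrl() does.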

http://zurmo.org/ is down

Hello, Bitnami engineer here,

We were tracking the latest releases of Plone in this site:

http://zurmo.org/download

Since the site is down, do you offer any alternative?

Latest release detected by us was 3.2.7.c53e0c6df135.

Stable Updates

Using some of the common Vagrant box builders, specifically ProtoBox in my case, I can have it automatically checkout a Git repo. I was excited when I saw there was a git mirror of the mercurial repo here, but was sad again when I realized it hasn't been updated in a long time. The readme says:

We update this repository only when we release new stable releases

Any chance this will be updated any time soon? It looks like the latest stable release was October 2014 https://bitbucket.org/zurmo/zurmo/commits/tag/stable

XSS in checklist field

[*] Page affected

index.php/tasks/default/list#

[*] Fields affected

CheckList

PoC:
You only need to create a list with a "check list" like ">< img src='' onerror=alert(23) ;>

Regards

exception.AccessDeniedSecurityException error

I had this error when logging in as one of my sales staff.

The following fixed the issue:
http://zurmo.org/forums/index.php?/topic/5167-accessdeniedsecurityexception/#entry15809

When going into the config file, it says "Check in as true", but it was set to false by default.

Please update the following entry default from "false" to "true" as stated in the excerpt below from the config file:

// Turn this off to use php to do permissions, rights, and polices.
// Use this to comparatively test the mysql stored functions and procedures.
// Check it in as true!
$securityOptimized = false;

                   ^----------> This is false by default, needs to be true!!

Open Redirect in RedirectUrl GET parameter

Hi,

I found this Open Redirect in ZurmoCRM.

[*] Page affected

index.php/meetings/default/edit?id=182&redirectUrl=http://www.google.com

[*] Fields affected

RedirectUrl

When you write any domain in the parameter RedirectURL, the user is redirected to this URL. This attack can be used for phishing or redirection to exploit kits.

Regards.

Missing gd extension

Hello, I've noticed that when you try to upload the logo, if you don't have the php-gd extension it enters a loop.

Maybe you should add gd extension check at installation process?

Get module name Exception

Hi,
In the "item" model, "getModuleClassName()" is missing. When I tried to add the filter for the report, it caused a "not supported" exception. What is the best way to include the same?

HTML Injection in Name field

Hi,

[*] Page affected
index.php/products/default

[*] Field Affected
Name

[*] POC:

  • If you create a Product with this name: < h1 >injection< /h1> (without spaces)
  • When you go to "products" page, you can see the injection:

Regards
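This report and the earlier "XSS in checklist field" one have the same root cause: a field value is written into the page without being encoded for the context it lands in. The following is an added example, not Zurmo's own code, showing context-aware escaping for HTML text, attribute values and inline-script string literals, exercised with the two payloads from these reports (constructed sample rows; the detail URL is a placeholder).

```php
<?php
// Added example (not Zurmo's own code): escape user-supplied record fields
// (product Name, check-list item text) for the context they are rendered in.
declare(strict_types=1);

/** Escape for HTML text content and for double-quoted attribute values. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escape a value embedded inside an inline <script> block as a JS string literal. */
function eJs(string $value): string
{
    // JSON_HEX_* turn <, >, &, ' and " into \uXXXX, so a "</script>" in the data
    // cannot close the block; the substitute flag guarantees a string result.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
    );
}

/** Render one list row; every dynamic value passes through the escaper for its context. */
function renderRow(string $name, string $detailUrl): string
{
    return '<tr><td><a href="' . e($detailUrl) . '" title="' . e($name) . '">'
         . e($name) . '</a></td></tr>';
}

// Constructed samples: the two payloads reported in the issues, plus an ordinary name.
$samples = [
    '<h1>injection</h1>',                    // HTML injection in product Name
    ">< img src='' onerror=alert(23) ;>",    // XSS in check-list item
    'Plain & ordinary "name"',
];
foreach ($samples as $s) {
    echo renderRow($s, '/zurmo/app/index.php/products/default/details?id=1'), "\n";
}
echo '<script>var itemLabel = ' . eJs($samples[1]) . ';</script>', "\n";
```

In a Yii 1.x application the framework's CHtml::encode() does what e() does here; the fix for both reports is to make sure the product list and the check-list renderer never echo a stored field value raw, and to use eJs() rather than e() wherever a value is written into JavaScript.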

Zurmo Api access problem

Hi
I have followed your documentation for accessing your REST API but it's not working. Can you please solve this? When I try it, it always shows me

ApiException

Invalid API request type.
please check the attachment

Cross Site Scripting

Description:
Hi, hereby I would like to report a Cross Site Scripting vulnerability that I have found on zurmo-stable-3.2.1.57987acc3018, in which a base64-encoded XSS payload was used to carry out the attack successfully.

Technical Description:
Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The attacker does not directly target his victim. Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript for him. To the victim's browser, the malicious JavaScript appears to be a legitimate part of the website, and the website has thus acted as an unintentional accomplice to the attacker.

Vulnerability Type: Cross Site Scripting

Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018

Affected Component: http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=data:text/html;base64,PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg==
(Will add more when I test other components too)

Attack Vectors:
Steps to Replicate:

  1. Log in to zurmo-crm (User: super user).

  2. Go to http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=data:text/html;base64,PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg==.

  3. The XSS Payload used is base64 encoded “PHNjcmlwdD5hbGVydCgnU3Ryb25nQm94IElUIC0gWFNTIFRlc3QnKTwvc2NyaXB0Pg==”.

  4. Fill the meeting form and click save. XSS will get executed.

Reference: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Discoverer: Meshach. M
Organization: StrongBox IT
Website: http://www.strongboxit.com/

Information disclosure

hi,

When you put %00 in moduleClassName, you can see the full path of the installation of ZurmoCRM:

/index.php/designer/default/modulesMenu?moduleClassName=%00

include(): Failed opening '' for inclusion (include_path='.:/home/zurmo/public_html/demos/stable/app/protected/extensions/phaActiveColumn:/home/zurmo/public_html/demos/stable/app/protected/modules/api/tests/unit/forms:/home/zurmo/public_html/demos/stable/app/protected/modules/api/tests/unit/models:/usr/share/pear:/usr/share/php')
The reference id for this error is 60dc202103104e478ef8af89a5123b60.

Regards
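Two separate weaknesses are visible in that error message: a request parameter reaches include() without being validated, and the resulting PHP warning, include_path and all, is shown to the client. The code below is an added example, not Zurmo's own, of the two-layer check a module-name parameter should pass (identifier syntax, then membership in the installation's registered modules) and of an error reporter that gives the user only an opaque reference id while the details go to the server log. The module names and inputs are constructed.

```php
<?php
// Added example (not Zurmo's own code): validate a class-name parameter before it
// can reach include()/require(), and keep paths out of what the user sees.
declare(strict_types=1);

final class UnknownModuleException extends RuntimeException {}

/**
 * Resolve a request parameter to a known module class. Two layers:
 *  1. syntactic: a plain PHP identifier (so no NUL bytes, slashes or dots survive);
 *  2. semantic: it must be one of the modules this installation registers.
 */
function resolveModuleClassName(?string $requested, array $registeredModules): string
{
    if ($requested === null || preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,99}$/', $requested) !== 1) {
        throw new UnknownModuleException('Unknown module');
    }
    if (!in_array($requested, $registeredModules, true)) {
        throw new UnknownModuleException('Unknown module');
    }
    return $requested;
}

/**
 * Turn an exception into a user-facing message plus a log line. The user sees only a
 * random reference id; message, file and line go to the server log under that id.
 */
function reportError(Throwable $e, callable $log): string
{
    $referenceId = bin2hex(random_bytes(16));
    $log(sprintf('[%s] %s: %s in %s:%d', $referenceId, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    return 'Something went wrong. The reference id for this error is ' . $referenceId . '.';
}

// Constructed demo: an assumed module list and four inputs, including the NUL byte
// that %00 decodes to in the report above.
$registered = ['AccountsModule', 'ContactsModule', 'MeetingsModule', 'ProductsModule'];
$logLines = [];
$log = function (string $line) use (&$logLines): void { $logLines[] = $line; };

foreach (["\0", 'ContactsModule', 'Contacts/Module', 'EvilModule'] as $input) {
    try {
        echo 'ok: ', resolveModuleClassName($input, $registered), "\n";
    } catch (UnknownModuleException $e) {
        echo reportError($e, $log), "\n";
    }
}
print_r($logLines);
```

Independently of the code change, a production php.ini should have display_errors=Off with log_errors=On, so that even an unexpected warning from include() ends up in the log rather than in the response body.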

Open URL Redirects / Unvalidated Redirects

Description:
Hi, hereby I would like to report a security vulnerability that I have found on zurmo-stable-3.2.1.57987acc3018, in which an attacker can redirect the victim to a malicious domain by modifying the URL value to a malicious site and may successfully launch a phishing scam and steal user credentials.

Technical Description:
According to OWASP, Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the application's access control check and then forward the attacker to privileged functions that they would normally not be able to access.

Vulnerability Type: Open URL Redirects / Unvalidated Redirects

Affected Product Code Base: zurmo-stable-3.2.1.57987acc3018

Affected Component: http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=http://www.strongboxit.com/ (Will add more when I test other components too)

Attack Vectors:
Steps to Replicate:

  1. Log in to zurmo-crm (User: super user).
  2. Go to http://127.0.0.1/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=%2Fzurmo%2Fapp%2Findex.php%2Fhome%2Fdefault&startDate=2017-09-12.
  3. Enter any redirect URL by modifying the original redirect URL and press enter. In this test case, I have used ?redirectUrl=http://www.strongboxit.com/.
  4. Fill the meeting form. Once done then click save. By clicking save button, the user will be redirected to the entered/modified (malicious) URL.

Reference: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet

Discoverer: Meshach. M
Organization: StrongBox IT
Website: http://www.strongboxit.com/
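The three redirectUrl reports on this page (the open redirect to an external domain, reported twice, and the data: URL payload) all come down to the same missing check: the parameter is accepted as-is instead of being restricted to a local path of the application. The following is an added example, not Zurmo's own code, of an allow-list validator that accepts only a rooted path under the application's base path and falls back to a default otherwise. The base path, the default target and the sample inputs are constructed; the Yii 1.x call site at the end is the assumed shape of a controller action, not code from the project.

```php
<?php
// Added example (not Zurmo's own code): allow-list validation for the redirectUrl
// parameter so it can only send the browser to a local path of this application.
declare(strict_types=1);

/**
 * Return $candidate if it is a safe local path, otherwise $default.
 * Accepted: one leading "/" followed by an ordinary path under $basePath,
 *           e.g. "/zurmo/app/index.php/home/default".
 * Rejected: absolute URLs of any scheme (http:, https:, data:, javascript:, ...),
 *           scheme-relative "//host", the "/\host" variant, control characters
 *           and NUL bytes (what %00 decodes to), and paths that leave $basePath.
 */
function safeRedirectPath(?string $candidate, string $default, string $basePath): string
{
    if ($candidate === null || $candidate === '') {
        return $default;
    }
    // Printable ASCII only: this alone throws out NUL, CR/LF (header injection) and odd Unicode.
    if (preg_match('/^[\x20-\x7E]+$/', $candidate) !== 1) {
        return $default;
    }
    // Must be rooted in this site: "/" followed by neither "/" nor "\".
    $second = $candidate[1] ?? '';
    if ($candidate[0] !== '/' || $second === '/' || $second === '\\') {
        return $default;
    }
    // Belt and braces: let the URL parser confirm there is no scheme, host or userinfo.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host']) || isset($parts['user'])) {
        return $default;
    }
    // Stay inside the application's own mount point (assumption: it is mounted under $basePath).
    $path = $parts['path'] ?? '';
    if (strpos($path, '..') !== false || strpos($path, $basePath) !== 0) {
        return $default;
    }
    return $candidate;
}

// Constructed demo inputs, including the kinds of values reported in the issues above.
$default  = '/zurmo/app/index.php/home/default';
$basePath = '/zurmo/app/';
$inputs = [
    '/zurmo/app/index.php/home/default',              // the original, URL-decoded redirectUrl
    '/zurmo/app/index.php/meetings/default/list?x=1', // another local target, with a query string
    'http://www.google.com',                          // external domain
    'data:text/html;base64,AAAA',                     // data: URL (placeholder payload)
    '//evil.example.test/login',                      // scheme-relative
    '/\\evil.example.test/login',                     // backslash variant some browsers normalise
    "/zurmo/app/index.php\0",                         // NUL byte
    '/zurmo/app/../../other/app',                     // leaves the base path
    '',                                               // absent
];
foreach ($inputs as $in) {
    printf("%-52s -> %s\n", addcslashes($in, "\0..\37"), safeRedirectPath($in, $default, $basePath));
}

// Assumed call site in a Yii 1.x controller action:
// $target = safeRedirectPath(Yii::app()->request->getQuery('redirectUrl'), $default, $basePath);
// $this->redirect($target);
```

The same validated value should be used both for the Location header and for any hidden form field that carries redirectUrl through the create-meeting form, since the data: report shows the parameter surviving a round trip through that form; re-rendering it still needs HTML encoding on top of this check.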
