Zurmo - Open Source CRM

SugarCRM and Salesforce are solid CRM apps. Yes, we plan on a few email integration options including an Outlook plugin and potential Exchange integration. Those items are in our development roadmap, but not planned for our next release. You can see the feature set for our current release and plans for our upcoming release here: http://zurmo.org/roadmap

I like the recommendation for Google Apps. We are seeing that more in the SMB space. With the open source nature of Zurmo, we would welcome anyone that could contribute and get things started.

Appreciate the positive feedback. We have been getting great responses from developers, especially because of the Test Driven Development methodology that we have embedded into Zurmo.

Zurmo 0.5.3 was released last week: German language support plus additional bug fixes and more tests.

The new Zurmo User Interface is coming along nicely. What do you think?

Homepage:

NewUI_Homepage.JPG

Account Detail View:

NewUI_AcctDetailView.JPG

Account Edit View:

NewUI_AcctEditView.JPG

Your UI keeps looking better over time Raysto!

Just curious, what do you use for your UI? Custom CSS, or something like Bootstrap?

Thank you for the encouraging words. We are really trying to enhance the end user experience and building a fresh, new UI will help do so. We used a custom CSS.

I was wondering, how do you handle model validations with RedBean PHP? From what I've seen, it's much more limited than Yii's active record.

If you are talking about attribute validation like if a field is too large or the correct type, we still utilize the Yii rules() method to validate attributes. If you are asking about something different, can you please elaborate?
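The reply above says attribute validation still goes through Yii's rules() method. The following is an added illustration of that mechanism, not Zurmo's own model code: it assumes Yii 1.1 is loaded (yii.php included and the autoloader registered) and uses a plain CFormModel so that nothing depends on ActiveRecord or RedBean. The ContactForm class and its attributes are hypothetical.

```php
<?php
// Added example, not part of Zurmo. Assumes Yii 1.1 is already loaded.
// A CFormModel gives us rules()/validate() without a database table behind it.
class ContactForm extends CFormModel
{
    public $firstName;
    public $lastName;
    public $email;
    public $age;

    // Each rule: (comma-separated attribute list, validator name, validator options).
    public function rules()
    {
        return array(
            array('firstName, lastName', 'required'),
            array('firstName, lastName', 'length', 'max' => 64),
            array('email', 'email'),
            array('age', 'numerical', 'integerOnly' => true, 'min' => 0),
        );
    }
}

// Constructed input: the last name is too long and the age is not an integer,
// so validate() must fail and report both attributes.
$form = new ContactForm();
$form->attributes = array(
    'firstName' => 'Ada',
    'lastName'  => str_repeat('x', 80),
    'email'     => 'ada@example.com',
    'age'       => 'abc',
);

if (!$form->validate()) {
    foreach ($form->getErrors() as $attribute => $messages) {
        echo $attribute, ': ', implode('; ', $messages), PHP_EOL;
    }
}
```

Massive assignment through `$form->attributes` only touches attributes that appear in a rule for the current scenario, which is the second job rules() does besides validation: anything not listed is silently dropped rather than written to the model.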

Hello, I have been interested in CRM systems for a while and accidentally found yours here. I can help you with Czech and Slovak translation if it's interesting for you.

Hello Bodik. I'm glad to hear you have interest in CRM systems. It would be wonderful to have you join our Language Team. We already have English, Spanish, French, German, and Italian. You can see our different Teams here: http://zurmo.org/get-involved

If you can sign up on our Forums and send me a message, I can get you in touch with the Language Team Leader.

Thanks,

Ray

I'm a novice TDD user and am using your tests as an example. Thanks for the Yii CRM and especially for using TDD.

looks great

always inspiring to see a real world application that looks professional

Hi, Zurmo

Nice CRM app. There are two questions about the system:

  1. Will the system be supported with MongoDB?

  2. I would like to translate the language to Chinese if you are interested.

Sure, I'm happy to answer your questions. Right now, we only support MySQL, but we would like to support other databases such as MongoDB. We have our hands full with our current roadmap: http://zurmo.org/roadmap

Yes, we would be very interested in having a Chinese language translation. Thank you so much for offering assistance. I will send you a PM in the Zurmo forums to put you in touch with our Language Team.

RedBeansPHP looks really nice

http://dev2.zurmo.com/demos/stable/app/index.php/designer/default/modulesMenu?moduleClassName=../../../index

or

http://dev2.zurmo.com/demos/stable/app/index.php/designer/default/layoutEdit?viewClassName=../../../index&moduleClassName=UsersModule

and possibly others.

please fix it ;)

@twisted1919

Thanks for informing us about bug, but can you tell me where you found those invalid links?

Thanks,

Ivica

I didn't "find" them, rather I generated them.

I was curious whether I could do a directory traversal and I started playing with your URLs :)

@twisted1919

But can you tell us how you generated those invalid URLs?

Did you change the base script URL or something else? This can be a security issue, so we want to be sure this will not involve any security risks.

Thanks!!!

Well, it is a security risk after all.

Here is the thing, the url was like:

http://dev2.zurmo.com/demos/stable/app/index.php/designer/default/modulesMenu?moduleClassName=ContactsModule

So I thought, why do they use ?moduleClassName=ContactsModule, do they instantiate this class based on the $_GET variable (which is wrong, as you can see)?

Then to verify my idea, I accessed http://dev2.zurmo.com/demos/stable/app/index.php/designer/default/modulesMenu?moduleClassName=ContactsModulex (just added an x to the class name to trigger an error), and I got this error:


include(ContactsModulex.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory

So of course the next thought was, can I include other files from the server if I change the ?moduleClassName=ContactsModule part of the URL? And yes, this is possible, as you can see in this link:

http://dev2.zurmo.com/demos/stable/app/index.php/designer/default/modulesMenu?moduleClassName=../../../index

The idea here is that directory traversal is possible, so a bad-intentioned user could use this to instantiate whatever class he wants or to include any file from the server.

Anyway, I don't know your app at all, I just spent about 5 minutes in the backend of your app and found this; you should find a fix for it as soon as possible.

My suggestion would be to allow only a-zA-Z chars for $_GET['moduleClassName'] and also to allow reading from a single directory only and check with is_file('path/to/my-dir/'.$_GET['moduleClassName']) before instantiating that class, but again, I have no idea what you do in your backend so these suggestions might not help at all.
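The thread above describes the flaw (a request parameter reaching include() unchanged) and sketches the fix (a character allow-list and a single fixed directory). The following is an added example of that fix, written for this page and not taken from Zurmo: it assumes a hypothetical layout in which each module lives at modules/<Name>/<Name>.php under the application directory, and the functions loadModuleUnsafe, resolveModuleFile and loadModule are illustrative names, not Zurmo's.

```php
<?php
// Added example, not Zurmo's code. Assumed (hypothetical) layout:
//   <app>/modules/<Name>/<Name>.php  defines class <Name>
define('MODULE_DIR', __DIR__ . '/modules');

// The pattern reported in the thread, kept here only as the "before":
// the GET value is used as a path, so "../../../index" leaves the module
// directory and any readable file can be pulled in.
function loadModuleUnsafe($name)
{
    include $name . '.php';
}

/**
 * Hardened lookup. Returns the resolved module file, or null when the
 * name is rejected. Nothing from the request is used as a path on its own.
 */
function resolveModuleFile($name)
{
    // 1. Allow-list the characters: a PHP class name is letters, digits and
    //    underscore, starting with a letter. This alone stops "../", "/",
    //    NUL bytes and anything else a path component could carry.
    if (!is_string($name) || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $name)) {
        return null;
    }

    // 2. Build the path from a fixed base, never from the raw parameter.
    $candidate = MODULE_DIR . '/' . $name . '/' . $name . '.php';

    // 3. Defence in depth: resolve symlinks and ".." and confirm the result
    //    is still inside MODULE_DIR (compare with the separator appended so
    //    that "modules-old" cannot pass as "modules").
    $real = realpath($candidate);
    $base = realpath(MODULE_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // 4. The suggestion from the thread: it must be an existing regular file.
    return is_file($real) ? $real : null;
}

function loadModule($name)
{
    $file = resolveModuleFile($name);
    if ($file === null) {
        http_response_code(400);
        exit('Invalid module name');
    }
    require_once $file;

    // $name passed the allow-list, so it is safe to use as a class name too;
    // still check that the file actually defined the class we expected.
    if (!class_exists($name, false)) {
        http_response_code(500);
        exit('Module file did not define ' . $name);
    }
    return new $name();
}

// Usage with the parameter discussed in the thread:
$name = isset($_GET['moduleClassName']) ? $_GET['moduleClassName'] : '';
$module = loadModule($name);
```

The first check is the one that matters: once the value is known to be a plain identifier it cannot name a path at all, so the realpath() comparison and is_file() test only guard against mistakes elsewhere (a symlink dropped into the module directory, a later refactor that loosens the pattern). Rejected names are worth logging with the client address, since a request like the one quoted above is a clear signal of someone probing for traversal.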