To Report an Open URL Redirect Security Vulnerability in zurmo v3.1.1.7

Issue #425 closed
Unknown user 92090 created an issue


I would like to report a vulnerability that I have found today on
zurmo-stable- in which the attacker can redirect the victim
into a malicious domain.

Technical Description: Unvalidated redirects/Open url redirects and
forwards are possible when a web application accepts untrusted input
that could cause the web application to redirect the request to a URL
contained within untrusted input. By modifying untrusted URL input to
a malicious site, an attacker may successfully launch a phishing scam
and steal user credentials. Because the server name in the modified
link is identical to the original site, phishing attempts may have a
more trustworthy appearance. Unvalidated redirect and forward attacks
can also be used to maliciously craft a URL that would pass the
application's access control check and then forward the attacker to
privileged functions that they would normally not be able to access.

Vulnerability Type

Open URL Redirects and Forwards

Affected Product Code Base

Zurmo CRM - zurmo-stable-

Affected Component

  1. https://localhost/zurmo/app/index.php/zurmo/default/toggleCollapse?returnUrl=
  2. https://localhost/zurmo/app/index.php/meetings/default/createMeeting?redirectUrl=

Attack Vectors


1. Log in to zurmo-crm as a user (tested on super user).

2. Open the first URL; it will redirect the user directly without any kind of input.

3. For the second URL:

a. Go to https://localhost/zurmo/app/index.php/meetings/default/createMeeting

b. Enter any redirect URL. In our case ?redirectUrl=

c. Fill in the meeting form, then click the save button; the user is redirected to the malicious URL.



Organization: Provensec LLC
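As an added, defender-side illustration (not code from the Zurmo project or from the reporter), the check below shows what a `returnUrl`/`redirectUrl` parameter should be reduced to before the application emits a Location header: a same-origin path, or a fixed landing page. The origin `https://localhost` and the fallback path are assumptions for this example; a real deployment would use its configured base URL.

```python
from urllib.parse import urlsplit

# Assumed values for this illustration (not taken from the Zurmo code base):
APP_ORIGIN = "https://localhost"          # scheme://host of the Zurmo install
DEFAULT_LANDING = "/zurmo/app/index.php"  # where to send users when the parameter is untrusted


def safe_redirect_target(candidate, app_origin=APP_ORIGIN, fallback=DEFAULT_LANDING):
    """Reduce a user-supplied returnUrl/redirectUrl to a same-origin path.

    Returns the path (plus query) when the value stays on app_origin, otherwise
    the fixed fallback. An absolute URL is never returned, so the Location
    header cannot point at another host.
    """
    if not candidate:
        return fallback
    candidate = candidate.strip()
    # Control characters and embedded whitespace are a classic way to smuggle
    # a scheme past naive prefix checks; reject the value outright.
    if any(ord(ch) < 0x21 for ch in candidate):
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative input (https://evil, //evil, javascript:...):
        # only an exact match of our own origin is accepted, then reduced to a path.
        origin = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
        if origin != app_origin.lower():
            return fallback
    path = parts.path or "/"
    # Browsers treat "//host" and "/\host" as host-relative, and a bare
    # "evil.example/x" would be resolved relative to the current page.
    if path.startswith("//") or "\\" in path or not path.startswith("/"):
        return fallback
    return path + (f"?{parts.query}" if parts.query else "")


if __name__ == "__main__":
    # Constructed sample inputs, including the cross-origin shapes the report describes.
    for sample in ("https://evil.example/login", "//evil.example", "/\\evil.example",
                   "https://localhost/zurmo/app/index.php/home?tab=1",
                   "/zurmo/app/index.php/accounts/default/list"):
        print(f"{sample!r:50} -> {safe_redirect_target(sample)!r}")
```

Note that a host with a port (`https://localhost:8443`) only passes if `APP_ORIGIN` includes the same port, which is the intended strictness: the allow-list is the application's own origin, not a pattern.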

Comments

  1. Unknown user 7b331

    I tested this on and was not able to replicate it. The demo is running on 3.2.1 and the latest downloadable version is 3.2.1.
    The issue seems to be patched with current versions.

  2. Unknown user 92090 reporter


    I did not check that vulnerability in the current version. I mentioned the version in which I found the flaw.

  3. Unknown user 7b331

    Don't get me wrong, it's great you found something, but why look into such an old version in the first place and not check if the vulnerability has been patched already?
    I guess you can close this ticket, as the fix is already deployed.

  4. Unknown user 92090 reporter

    Gabriel Shahzad, I am not taking you the wrong way. I reported that vulnerability on 2017-03-09, three months ago; at that time it was the latest stable version of zurmo.

  5. Unknown user 92090 reporter

    Gabriel, I will close the ticket because that flaw is not present in a new version.

