Well, it is a security risk after all.
Here is the thing, the url was like:
So i thought, why do they use ?moduleClassName=ContactsModule, do they instantiate this class based on the $_GET variable (which is wrong as you can see)?
Then to verify my idea, i accessed http://dev2.zurmo.co...ContactsModulex
just added an x to the class name to trigger an error, and i got this error:
include(ContactsModulex.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory
So of course the next thought was, can i include other files from the server if i change the ?moduleClassName=ContactsModule
part of the url ? And yes this is possible as you can see, in this link:
The idea here is that directory traversal is possible, so a bad intended user could use this to instantiate what class he wants or to include any file from the server.
Anyway, i don't know your app at all, i just spent about 5 minutes in the backed of your app and found this, you should find a fix for it as soon as possible.
My suggestion would be to allow only a-zA-z chars for $_GET['moduleClassName'] and also to allow the reading from a single directory and check with is_file('path/to/my-dir/'.$_GET['moduleClassName']) before instantiate that class, but again, i have no idea what you do in your backend so these suggestions might not help at all.