[raysto]

nix, on 23 November 2011 - 08:19 PM, said:

What I found out is that most people use SugarCRM and Salesforce because of their MS Outlook Plug-ins and contact/task auto sync features so I guess you guys probably have a plan for developing MS Outlook plugins too

You might also want to be looking at developing a sync tool for Google App powered emails

SugarCRM and Salesforce are solid CRM apps. Yes, we plan on a few email integration options including an Outlook plugin and potential Exchange integration. Those items are in our development roadmap, but not planned for our next release. You can see the feature set for our current release and plans for our upcoming release here: http://zurmo.org/roadmap

I like the recommendation for Google Apps. We are seeing that more in the SMB space. With the open source nature of Zurmo, we would welcome anyone that could contribute and get things started.

[raysto]

Junta, on 23 November 2011 - 10:10 AM, said:

Very nice

Appreciate the positive feedback. We have been getting great responses from developers, especially because of the Test Driven Development methodology that we have embedded into Zurmo.

[raysto]

Zurmo 0.5.3 was released last week. German language support plus additional bug fixes and more tests

[raysto]

The new Zurmo User Interface is coming along nicely. What do you think?

Homepage:
 NewUI_Homepage.JPG (334.84K)
Number of downloads: 115

Account Detail View:
 NewUI_AcctDetailView.JPG (354.62K)
Number of downloads: 110

Account Edit View:
 NewUI_AcctEditView.JPG (220.09K)
Number of downloads: 86

[yJeroen]

Your UI keeps looking better over time Raysto!

Just curious, what do you use for your UI? Custom CSS, or something like Bootstrap?

[raysto]

Jeroendh, on 13 January 2012 - 03:31 PM, said:

Your UI keeps looking better over time Raysto!

Just curious, what do you use for your UI? Custom CSS, or something like Bootstrap?

Thank you for the encouraging words. We are really trying to enhance the end user experience and building a fresh, new UI will help do so. We used a custom CSS.

[jellysandwich]

I was wondering, how do you handle model validations with redbean php? From what I've seen, it's much more limited than Yii's active record.

[raysto]

jellysandwich, on 14 January 2012 - 12:29 PM, said:

I was wondering, how do you handle model validations with redbean php? From what I've seen, it's much more limited than Yii's active record.

If you are talking about attribute validation like if a field is too large or the correct type, we still utilize the Yii rules() method to validate attributes. If you are asking about something different, can you please elaborate?

[bodik]

Hello, I'm interested in CRM systems for a while and accidentaly I found your here. I can help you with Czech and Slovak translation if it's interesting for you.

[raysto]

bodik, on 18 January 2012 - 11:27 AM, said:

Hello, I'm interested in CRM systems for a while and accidentaly I found your here. I can help you with Czech and Slovak translation if it's interesting for you.

Hello Bodik. I'm glad to hear you have interest in CRM systems. It would be wonderful to have you join our Language Team. We already have English, Spanish, French, German, and Italian. You can see our different Teams here: http://zurmo.org/get-involved

If you can sign up on our Forums and send me a message, I can get you in touch with the Language Team Leader.
Thanks,
Ray

[fantgeass]

I'm a novice TDD-user and using your tests as example. Thanks for Yii CRM and especially for using TDD.

[edmondscommerce]

looks great

always inspiring to see a real world application that looks professional

[holyxing]

hi,Zurmo
Nice app of crm. there are two questions about the system. eg. 1.the system will be supported with db mongodb?
2. I would like to translate the language to Chinese if u interesting it.

[raysto]

holyxing, on 03 February 2012 - 08:17 AM, said:

hi,Zurmo
Nice app of crm. there are two questions about the system. eg. 1.the system will be supported with db mongodb?
2. I would like to translate the language to Chinese if u interesting it.

Sure, I'm happy to answer your questions. Right now, we only support mysql, but we would like to support other databases such as MongoDB. We have our hands full with our current roadmap: http://zurmo.org/roadmap

Yes, we would be very interested in having a Chinese language translation. Thank you so much for offering assistance. I will send you a PM in the Zurmo forums to put you in touch with our Language Team.

[ekerazha]

RedBeansPHP looks really nice

[twisted1919]

http://dev2.zurmo.co...=../../../index
or
http://dev2.zurmo.co...ame=UsersModule

and possibly others.

please fix it

[Ivica]

@twisted1919
Thanks for informing us about bug, but can you tell me where you found those invalid links?

Thanks,
Ivica

[twisted1919]

I didn't "found" them, rather i generated them.
I was curious if i can do a directory traversal and i start playing with your urls

[Ivica]

@twisted1919
But can you tell us how did you generated those invalid urls?
Did you changed base script url or something else? This can be security issue,
so we want to be sure this will not involve any security risks.

Thanks!!!

[twisted1919]

Well, it is a security risk after all.
Here is the thing, the url was like:
http://dev2.zurmo.co...=ContactsModule

So i thought, why do they use ?moduleClassName=ContactsModule, do they instantiate this class based on the $_GET variable (which is wrong as you can see)?
Then to verify my idea, i accessed http://dev2.zurmo.co...ContactsModulex just added an x to the class name to trigger an error, and i got this error:

include(ContactsModulex.php) [<a href='function.include'>function.include</a>]: failed to open stream: No such file or directory

So of course the next thought was, can i include other files from the server if i change the ?moduleClassName=ContactsModule part of the url ? And yes this is possible as you can see, in this link:
http://dev2.zurmo.co...=../../../index

The idea here is that directory traversal is possible, so a bad intended user could use this to instantiate what class he wants or to include any file from the server.

Anyway, i don't know your app at all, i just spent about 5 minutes in the backed of your app and found this, you should find a fix for it as soon as possible.

My suggestion would be to allow only a-zA-z chars for $_GET['moduleClassName'] and also to allow the reading from a single directory and check with is_file('path/to/my-dir/'.$_GET['moduleClassName']) before instantiate that class, but again, i have no idea what you do in your backend so these suggestions might not help at all.