Vendor: XRMS CRM
By: AzzCoder
CVSS: 7.5 (HIGH)
Vulnerability Types: Remote File Inclusion, XSS, Information Gathering
CWE: 94, 79, 200
Product Name: XRMS CRM
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

XMRS Multiple Vulnerabilities (ZeroDay at 25-07-2008)

This advisory covers multiple vulnerabilities in the XRMS CRM product that allow an attacker to remotely include files, perform XSS attacks, and gather information. The remote file inclusion is in activities/workflow-activities.php through the $include_directory variable and requires register_globals to be enabled. The XSS affects multiple files through the $msg variable and is subject to quote limitations. The information disclosure comes from a phpinfo() call in tests/info.php.

Mitigation:

Disable register_globals, set quote limitations to No, and remove the phpinfo() call.
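
To check a deployment for the conditions listed above, the following added example (not part of the advisory or of XRMS) flags an enabled register_globals directive, include/require paths built from a variable the file never assigns, and phpinfo() calls. The sample file names and contents are constructed, and the unassigned-variable test is a line-based heuristic whose hits need manual review.

```python
import re

# Heuristic patterns; they do not parse PHP, they only surface lines for review.
INCLUDE_STMT = re.compile(r'(?<![\w$])(?:include|require)(?:_once)?\b([^;]*);', re.I)
VARIABLE = re.compile(r'\$(\w+)')
ASSIGNMENT = re.compile(r'\$(\w+)\s*=(?!=)')
PHPINFO_CALL = re.compile(r'\bphpinfo\s*\(', re.I)
INI_DIRECTIVE = re.compile(r'^\s*register_globals\s*=\s*"?(\w+)', re.I | re.M)


def register_globals_enabled(ini_text):
    """True if the last active register_globals directive turns it on."""
    values = INI_DIRECTIVE.findall(ini_text)  # lines commented out with ';' never match
    return bool(values) and values[-1].lower() in ("on", "1", "yes", "true")


def audit_php_source(path, source):
    """Return (path, line_no, issue) tuples for one PHP file."""
    findings, assigned = [], set()
    for line_no, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip whole-line comments
        for stmt in INCLUDE_STMT.findall(line):
            for var in VARIABLE.findall(stmt):
                if var not in assigned:  # not set earlier in this file
                    findings.append((path, line_no, f"include path uses unassigned ${var}"))
        if PHPINFO_CALL.search(line):
            findings.append((path, line_no, "phpinfo() call"))
        assigned.update(ASSIGNMENT.findall(line))
    return findings


# Constructed sample input, not the real XRMS sources.
SAMPLE_INI = "; register_globals = Off\nregister_globals = On\n"
SAMPLE_FILES = {
    "sample/unassigned-include.php":
        "<?php\nrequire_once($include_directory . 'vars.php');\n",
    "sample/info.php": "<?php\nphpinfo();\n",
    "sample/assigned-include.php":
        "<?php\n$include_directory = dirname(__FILE__) . '/include/';\n"
        "require_once($include_directory . 'vars.php');\n",
}

if __name__ == "__main__":
    print("register_globals enabled:", register_globals_enabled(SAMPLE_INI))
    for name, text in SAMPLE_FILES.items():
        for finding in audit_php_source(name, text):
            print(finding)
```

A variable reported as unassigned may be set by a file that includes the flagged one, so a hit only matters if the flagged file can be requested directly while register_globals is on.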

Exploit-DB raw data:

##############################################################

XMRS Multiple Vulnerabilities (ZeroDay at 25-07-2008)
Author: AzzCoder [azzcoder@hotmail.com]
Product: http://www.xrms.org/
Product Type: CRM
Thanks: coresecurity.com

Remote File Inclusion
	File: activities/workflow-activities.php
	Variable: $include_directory
	Required register_globals: Yes

XSS
	Multiple Files
	Variable: $msg
	Quote limitations: Yes

Information Gathering
	tests/info.php
	phpinfo() call

##############################################################

# milw0rm.com [2008-07-25]