Security: Possibility to Execute any file
Possibility to execute any file: permissions to the Home and Users modules aren’t verified (?!?), and the Home module contains this include:

include 'modules/' . $_REQUEST['module'] . '/' . $_REQUEST['file'] . '.php'

so anything given in the address can be executed, e.g. the URL

http://test/coreBOS/7.0/index.php?action=HomeAjax&module=Home&file=../VtigerBackup/VtigerBackupRequest

triggers the file from the VtigerBackup module: modules/Home/../VtigerBackup/VtigerBackupRequest.php
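
One way to harden the include described above, as an added example that is not coreBOS code: the request values are restricted to plain identifiers, the permission check is applied to the module that will actually be loaded, and the canonical path must stay inside that module's directory. The function `resolveModuleFile()`, the `$isPermitted` callback, the `HomeWidget` file name and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added example; resolveModuleFile() and $isPermitted are hypothetical, not coreBOS APIs.
function resolveModuleFile(string $modulesDir, string $module, string $file, callable $isPermitted): string
{
    // Plain identifiers only, so '/', '\', '..' and NUL bytes never reach the path.
    foreach ([$module, $file] as $part) {
        if (!preg_match('/\A[A-Za-z0-9_]+\z/', $part)) {
            throw new InvalidArgumentException('rejected module or file name');
        }
    }
    // Authorise the module that will actually be loaded.
    if (!$isPermitted($module)) {
        throw new RuntimeException("no permission for module $module");
    }
    // Canonicalise and confirm the target is still inside modules/<module>/.
    $moduleDir = realpath("$modulesDir/$module");
    $target = realpath("$modulesDir/$module/$file.php");
    if ($moduleDir === false || $target === false
        || strpos($target, $moduleDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("no such file in module $module");
    }
    return $target;
}

// Constructed sandbox standing in for the modules/ tree.
$modulesDir = sys_get_temp_dir() . '/modules_demo_' . getmypid();
foreach (['Home/HomeWidget.php', 'VtigerBackup/VtigerBackupRequest.php'] as $rel) {
    @mkdir(dirname("$modulesDir/$rel"), 0700, true);
    file_put_contents("$modulesDir/$rel", "<?php // stub\n");
}
$isPermitted = fn(string $m): bool => $m === 'Home'; // constructed policy: Home only

$requests = [
    ['module' => 'Home', 'file' => 'HomeWidget'],
    ['module' => 'Home', 'file' => '../VtigerBackup/VtigerBackupRequest'], // value from the report
    ['module' => 'VtigerBackup', 'file' => 'VtigerBackupRequest'],
];
foreach ($requests as $r) {
    try {
        $path = resolveModuleFile($modulesDir, $r['module'], $r['file'], $isPermitted);
        echo "include $path\n";
    } catch (Exception $e) {
        echo "blocked: " . $e->getMessage() . "\n";
    }
}
```

Only the first request resolves to a path; the `file` value from the report is rejected at the name check, and the direct request for VtigerBackup is rejected at the permission check.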