[Vtigercrm-developers] security advisory about vtiger + some thoughts

Carlo Beschi carloz at gnumerica.org
Mon Aug 24 03:09:42 PDT 2009


Hi all,

I'm pretty sure many of you already read this:

http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/

It got quite popular since it was then republished here:

http://secunia.com/advisories/36309/


I'd like to start from here to share a couple of thoughts ...

I love vtiger CRM, and I know that many of the issues highlighted have 
been solved in 5.1.

I also appreciate the fact that the team attitude towards the community 
has evolved a lot, in the last months / years: some of the issues 
contained in the current advisory were originally reported on vtiger 
forums at the end of 2007:

http://forums.vtiger.com/viewtopic.php?t=16756

At that time the post(er) was not, in my opinion, given the attention it 
deserved.

I know vtiger software quite well, and understand that some of the 
issues are "architectural", so it's very complicated to fix them in 5.0.x 
versions.

But I also know that version migration is not that easy either 
(especially for customized installs) - although the scripts are getting 
better and better.

I expect we'll have an important number of 5.0.x still around, for a 
quite long time ...

We should not forget this.

I was happy to see the 5.0.4 security patch released last year. It fixed 
a good number of issues ...

I'm not able to locate that patch on the vtiger.com downloads page anymore 
... (I see the 5.1.0 downloads, the 5.0.4 language packs, and a link to the 
download archives, where the patch is not listed).


My point: I think you/we should put security as a priority, even if 
(paradoxically) it were only for marketing reasons !


I bet you/we're losing hundreds of potential vtiger users, because of 
the buzz that advisories generated on twitter and linkedin and all 
around ...

People who don't know vtiger yet, who know nothing about the great 
things the new wonderful 5.1 release is bringing ...

People who will think ... "vtiger is not that much enterprise ready, 
after all"...


One more brief point, about 5.1 itself. Documents security is still very 
basic ...
Please see this forum thread:
http://forums.vtiger.com/viewtopic.php?p=86615#86615

There's also a trac ticket related to this, with milestone deleted ...
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6216

I'm testing and confirming this myself ...

webmaster at aragorn:/mnt/var/www/demo.vtiger-italia.net/510/storage/2009/August/week4$ 
ls
131_joomla1.5_com_vtiger_forms-1.0.zip

vtiger CRM is a candidate for a serious, stable, complete Document 
Management System. But these kinds of things need to be solved first.


OK, the rant has ended :-)

Please do not see this as criticism, but as a positive contribution.

Besides language, geographical and cultural differences, we're all 
willing to help ... To keep the software great and the community strong :-))

Ciao
Carlo(z)
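The storage listing in the message above shows an uploaded document sitting in storage/2009/August/week4/ under a path that, judging by /mnt/var/www/..., is the web document root. The following shell audit is an added example, not vtiger's own code and not part of the original message: it walks a vtiger 5.x storage/ tree, prints the URL each stored file would have if the install directory is served as-is, and marks the files EXPOSED unless a storage/.htaccess carries an Apache deny rule ("Deny from all" on 2.2, "Require all denied" on 2.4). Everything it assumes is labelled in the comments: that storage/ lives under the document root, that Apache honours .htaccess, and the install path, host name and file name used in the demo, which are constructed. It only checks for the deny rule; whether a server really hands out the file also depends on the main server configuration, so treat an EXPOSED line as a prompt to fetch the URL unauthenticated and confirm.

```shell
#!/bin/sh
# Added example (not vtiger's own code): audit a vtiger 5.x storage/ tree
# for documents a web server would serve directly.
#
# Assumptions, not stated in the original message:
#  - the install directory sits under the web document root, so
#    storage/2009/August/week4/131_foo.zip maps to
#    <base_url>/storage/2009/August/week4/131_foo.zip;
#  - Apache honours a .htaccess in storage/ ("Deny from all" on 2.2,
#    "Require all denied" on 2.4).
# The install path, host name and file names in the demo are constructed.

# vtiger_storage_audit <install_root> <base_url>
# Prints "<STATUS> <url>" for every stored file, STATUS being EXPOSED when
# no deny rule guards storage/, else GUARDED. Returns 1 if anything is
# EXPOSED, 2 if there is no storage/ directory, 0 otherwise.
vtiger_storage_audit() {
    root=$1
    base=$2
    store="$root/storage"
    [ -d "$store" ] || { echo "no storage directory at $store" >&2; return 2; }

    status=EXPOSED
    if [ -f "$store/.htaccess" ] &&
       grep -Eiq '^[[:space:]]*(deny from all|require all denied)' "$store/.htaccess"; then
        status=GUARDED
    fi

    # vtiger 5 lays uploads out as storage/<year>/<Month>/week<n>/<id>_<name>
    files=$(find "$store" -type f ! -name .htaccess | sort)
    [ -n "$files" ] || return 0
    printf '%s\n' "$files" | while IFS= read -r f; do
        rel=${f#"$root"/}
        printf '%s %s/%s\n' "$status" "$base" "$rel"
    done
    [ "$status" = GUARDED ]
}

# Demo on a constructed tree: audit once without a deny rule, then again
# after adding storage/.htaccess.
vtiger_storage_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/storage/2009/August/week4"
    : > "$tmp/storage/2009/August/week4/131_joomla1.5_com_vtiger_forms-1.0.zip"
    vtiger_storage_audit "$tmp" http://demo.example.test/510 || echo "audit: exposed"
    printf 'Order deny,allow\nDeny from all\n' > "$tmp/storage/.htaccess"
    vtiger_storage_audit "$tmp" http://demo.example.test/510 && echo "audit: guarded"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then vtiger_storage_demo; fi
```

Run it as `sh audit.sh demo` to see both outcomes on the constructed tree, or source it and call `vtiger_storage_audit /path/to/vtiger http://crm.example` against a real install. On nginx or lighttpd a .htaccess does nothing, so the same idea (block storage/ at the server and serve downloads through an authenticated script) has to be expressed in the server configuration instead.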