[Vtigercrm-developers] security advisory about vtiger + some thoughts
Prasad
prasad at vtiger.com
Mon Aug 24 03:55:34 PDT 2009
I would like to take this opportunity to thank all of our security advisors for
sharing their reports and for following up, which helped us get many of the
security issues closed.
@Carlo:
Thank you for expressing your satisfaction with 5.1.0 and backing up support
for the team.
> I'm not able to locate that patch from vtiger.com downloads page anymore
We have moved the download links for 5.0.4 and earlier to our Archive Page:
http://www.vtiger.com/index.php?option=com_content&task=view&id=68&Itemid=57
The downloads are available on SourceForge under the vtiger CRM Release
Archive section: <http://sourceforge.net/projects/vtigercrm/files/vtiger%2520CRM%2520Release%2520Archive/>
> My point: I think you/we should put security as a priority, even if
> (paradoxically) it was only for marketing reasons !
The impact of a bug fix is also considered when prioritizing the issue and when
rolling in changes to address it; this is required because
we need to take care of existing installations.
Addressing security issues is given high priority, without any reason being
required.
Care is taken to spare more time for analyzing and designing the solution, to
avoid re-fixes, etc.
We would certainly encourage community developers to share patches or
suggestions on this front.
> There's also a trac ticket related to this, with milestone deleted ...
> http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6216
I would like to clarify that deleting the milestone doesn't mean we are
ignoring it.
All the open tickets are reviewed and the desired milestone is set before
fixing them.
Our team is continuing its effort to strengthen the vtiger CRM framework, and
we will roll out changes incrementally.
There is a work-around for securing the documents at
http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6153
(which involves moving the storage folder out of web access; our team is
evaluating this option).
> Please do not see this as criticism, but as a positive contribution.
As always, we are open to any criticism, be it good or bad ... as there is
something to learn from it.
Thank you for your continued support, and keep spreading the word - vtiger
Regards,
Prasad
vtiger Team
On 8/24/09, Carlo Beschi <carloz at gnumerica.org> wrote:
>
> Hi all,
>
> I'm pretty sure many of you already read this:
>
> http://www.ush.it/2009/08/18/vtiger-crm-504-multiple-vulnerabilities/
>
> It got quite popular since it was then republished here:
>
> http://secunia.com/advisories/36309/
>
>
> I'd like to start from here to share a couple of thoughts ...
>
> I love vtiger CRM, and I know that many of the issues highlighted have
> been solved in 5.1.
>
> I also appreciate the fact that the team attitude towards the community
> has evolved a lot, in the last months / years: some of the issues
> contained in the current advisory were originally reported on vtiger
> forums at the end of 2007:
>
> http://forums.vtiger.com/viewtopic.php?t=16756
>
> At that time, the post(er) was not given, in my opinion, the deserved
> attention.
>
> I know vtiger software quite well, and understand that some of the
> issues are "architectural", so it's very complicated to fix them in 5.0.x
> versions.
>
> But I also know that version migration is not that easy either
> (especially for customized installs) - although the scripts are getting
> better and better.
>
> I expect we'll have an important number of 5.0.x still around, for a
> quite long time ...
>
> We should not forget this.
>
> I was happy to see the 5.0.4 security patch released, last year. It fixed
> a good number of issues ...
>
> I'm not able to locate that patch from vtiger.com downloads page anymore
> ... (I see 5.1.0 downloads, 5.0.4 language packs, link to download
> archives where the patch is not listed).
>
>
> My point: I think you/we should put security as a priority, even if
> (paradoxically) it was only for marketing reasons !
>
>
> I bet you/we're losing hundreds of potential vtiger users, because of
> the buzz that advisories generated on twitter and linkedin and all
> around ...
>
> People who don't know vtiger yet, who know nothing about the great
> things the new wonderful 5.1 release is bringing ...
>
> People who will think ... "vtiger is not that much enterprise ready,
> after all"...
>
>
> One more brief point, about 5.1 itself. Documents security is still very
> basic ...
> See please this forum thread:
> http://forums.vtiger.com/viewtopic.php?p=86615#86615
>
> There's also a trac ticket related to this, with milestone deleted ...
> http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/6216
>
> I'm testing and confirming this myself ...
>
> webmaster at aragorn:/mnt/var/www/
> demo.vtiger-italia.net/510/storage/2009/August/week4$
> ls
> 131_joomla1.5_com_vtiger_forms-1.0.zip
>
> vtiger CRM is a candidate for a serious, stable, complete Document
> Manager System. But these kinds of things need to be solved, first.
>
>
> OK, the rant has ended :-)
>
> Please do not see this as criticism, but as a positive contribution.
>
> Besides language, geographical and cultural differences, we're all
> willing to help ... To keep the software great and the community strong
> :-))
>
> Ciao
> Carlo(z)
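As an added illustration of the work-around Prasad points to (moving the storage folder out of web access so the web server can no longer list or serve uploaded documents directly, as in Carlo's `ls` output above), here is a hypothetical PHP download gateway. It is not code from vtiger CRM or from either author; the storage location `/var/www/vtiger-storage` and the `authenticated_user_id` session key are assumptions standing in for the application's real configuration and ACL check.

```php
<?php
// Hypothetical example (not vtiger's own code): a download gateway for files
// kept in a storage directory located OUTSIDE the DocumentRoot. Because the
// directory is not under the web root, the only way to reach a file is
// through this script, which enforces the authorisation check.
declare(strict_types=1);

// Assumed location of the relocated storage folder (e.g. the site lives in
// /var/www/html while documents live in /var/www/vtiger-storage).
const STORAGE_ROOT = '/var/www/vtiger-storage';

/**
 * Resolve a stored file name to an absolute path inside STORAGE_ROOT.
 * Returns null when the file does not exist or the resolved path would
 * escape the storage folder (e.g. via "../" or a symlink).
 */
function resolveStoragePath(string $relative): ?string
{
    $base = realpath(STORAGE_ROOT);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $relative);
    // realpath() collapses ".." and follows symlinks; the trailing separator
    // in the prefix test also rejects siblings such as "/var/www/vtiger-storage2".
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

/** Assumed stand-in for the application's own session/ACL check. */
function userMayDownload(array $session): bool
{
    return isset($session['authenticated_user_id'])
        && (int) $session['authenticated_user_id'] > 0;
}

session_start();
$path = resolveStoragePath((string) ($_GET['file'] ?? ''));

// Same response for "not found" and "not allowed": no hint about which it was.
if ($path === null || !userMayDownload($_SESSION)) {
    http_response_code(404);
    exit;
}

header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```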