[Vtigercrm-developers] Fwd: Re: Security?
Vic Cekvenich
vic.cvc at gmx.com
Sun Aug 17 19:14:51 GMT 2014
-------- Original Message --------
Subject: Re: [Vtigercrm-developers] Security?
Date: Tue, 1 Jul 2014 13:45:55 +0530
From: Uma S <uma.s at vtiger.com>
Reply-To: vtigercrm-developers at lists.vtigercrm.com
To: vtigercrm-developers at lists.vtigercrm.com
<vtigercrm-developers at lists.vtigercrm.com>
Hi,
Thanks for sharing security holes where we can improve a lot to reduce
chances for hackers. I have created trac
<http://trac.vtiger.com/cgi-bin/trac.cgi/ticket/8117> for same. Please
have a look and update your observation. Will look into this soon.
On Tue, Jul 1, 2014 at 1:13 PM, Zebra Hosting <support at zebrahosting.eu> wrote:
Since the CRM is used to store a lot of personal data, I was
wondering how secure vTiger is and if there are any extra options we
could discuss.
Let me start with a few points:
1. At the login I don’t see something as simple as brute force protection.
2. The standard admin user cannot be changed, it needs another
account and then needs to be deleted. Using standard admin usernames
is bad practice.
3. Having the vTiger name and even the version number at the login
screen makes it very easy for hackers.
4. It would be nice to have a black/whitelist to restrict access by
IP. (yes I know htaccess could be used but I am talking about average
users)
5. Use the http://www.projecthoneypot.org/ project to ban access at
the gate for spammers. (Works so very well in Joomla, I don’t need
to use captchas anymore)
6. Big warning in the installer to use https:// to encrypt the
login screen pw.
7. Minimum password length/complexity
Just some thoughts.
Bastiaan Houtkooper
Zebra Hosting
_______________________________________________
http://www.vtiger.com/
--
With
Best Regards
Uma.S
Vtiger Team