[Vtigercrm-developers] Security?

Holbok István holbok at gmail.com
Sun Jul 20 19:07:03 GMT 2014


Dear Vtiger Community,

I have just realized after the fresh install of vtiger 6.1 (SVN 14165) 
that the security issue mentioned by Bastiaan (highlighted in bold 
below), point 2, is resolved.

You can use any name for the admin user.
How can you do it?

After install, go to the user management and change the admin user name 
to any string safer than 'admin'.
Important note: after changing the admin user name, please change the 
admin user password also.
It looks like the password hash uses the username, so if you do not 
create a new password for the main admin user in this step, you will not 
be able to log in next time.

But using these two steps the main admin user name can be changed to 
another string.

Kindest regards:
Istvan


Best regards:

*Holbok István*

+3670-342-0900
*e-mail:* holbok at gmail.com
*SkyPe:* holboki

On 2014.07.01. 9:43, Zebra Hosting wrote:
> Since the CRM is used to store a lot of personal data, I was wondering 
> how secure vTiger is and if there are any extra options we could discuss.
>
> Let me start with a few points:
> 1. At the login I don't see something as simple as brute-force protection.
> *2. The standard admin user cannot be changed, it needs another 
> account and then needs to be deleted. Using standard admin usernames 
> is bad practice.*
> 3. Having the vTiger name and even the version number at the login 
> screen makes it very easy for hackers.
> 4. It would be nice to have a black/whitelist to restrict access by 
> IP. (yes I know htaccess could be used but I am talking about average users)
> 5. Use the http://www.projecthoneypot.org/ project to ban access at 
> the gate for spammers. (Works so very well in Joomla, I don't need to 
> use captchas anymore)
> 6. Big warning in the installer to use https:// to encrypt the 
> login screen pw.
> 7. Minimum password length/complexity
>
> Just some thoughts.
>
> Bastiaan Houtkooper
> Zebra Hosting
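As an added illustration (not code from this e-mail or from vTiger), a small Python model of the behaviour Istvan reports: the assumed scheme derives the salt from the first two characters of the username (a hypothetical stand-in for whatever vtiger really does), so renaming the admin account without resetting the password leaves a stored hash that no longer verifies at the next login, while a random per-user salt stored beside the hash survives the rename.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed model of the observation in the e-mail: the stored hash depends on the
# username. The salt rule (first two characters of the name) is hypothetical, not
# vTiger's real scheme; hashlib is used only so the model runs stand-alone.
def legacy_hash(username: str, password: str) -> str:
    salt = username[:2].ljust(2, "_")          # hypothetical username-derived salt
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()

def legacy_verify(user: dict, username: str, password: str) -> bool:
    """Login check: the salt is recomputed from the name typed at login."""
    return user["username"] == username and hmac.compare_digest(
        user["hash"], legacy_hash(username, password))

def legacy_rename(user: dict, new_name: str, new_password: Optional[str] = None) -> dict:
    """Step 1 of the e-mail (rename); pass new_password to also do step 2 (reset)."""
    renamed = {"username": new_name, "hash": user["hash"]}
    if new_password is not None:
        renamed["hash"] = legacy_hash(new_name, new_password)   # re-hash under the new salt
    return renamed

# Hardened variant: a random per-user salt stored beside the hash, independent of the
# username, so renaming the account cannot silently invalidate the credential.
PBKDF2_ROUNDS = 200_000

def hardened_create(username: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"username": username, "salt": salt.hex(), "hash": digest.hex()}

def hardened_verify(user: dict, username: str, password: str) -> bool:
    if user["username"] != username:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(user["salt"]), PBKDF2_ROUNDS)
    return hmac.compare_digest(user["hash"], digest.hex())

def rename_check() -> dict:
    """Runs the scenario from the e-mail on both schemes (credentials are constructed)."""
    admin = {"username": "admin", "hash": legacy_hash("admin", "s3cret-old")}
    renamed_only = legacy_rename(admin, "crm-owner")
    renamed_reset = legacy_rename(admin, "crm-owner", "s3cret-new")
    hardened = dict(hardened_create("admin", "s3cret-old"), username="crm-owner")
    return {
        "legacy_before_rename": legacy_verify(admin, "admin", "s3cret-old"),
        "legacy_rename_only": legacy_verify(renamed_only, "crm-owner", "s3cret-old"),
        "legacy_rename_and_reset": legacy_verify(renamed_reset, "crm-owner", "s3cret-new"),
        "hardened_after_rename": hardened_verify(hardened, "crm-owner", "s3cret-old"),
    }
```

The same check applies to any deployment that derives salt material from a mutable account attribute: every rename needs a re-hash, or login breaks.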
