[Vtigercrm-developers] Restrict access thru Webservices
Błażej Pabiszczak
b.pabiszczak at yetiforce.com
Wed Sep 9 13:23:34 GMT 2015
Generally all mechanisms that allow external access should be disabled
by default.
We created this file:
https://github.com/YetiForceCompany/YetiForceCRM/blob/stable/config/api.php
[4], where you can easily disable/enable services. A webservice enabled
by default, together with available access keys for the users, is not a
good practice [I'd even say that the permissions control is fictional
if it can be bypassed]. It's even worse with the mobile module in
modules/Mobile. This module should be disabled by default [and
eventually removed or written from scratch] because it's full of holes -
it's enough to run a scanner, such as Acunetix, or perform an audit, to
see how dangerous this module is.
---
Yours sincerely / Regards
BŁAŻEJ PABISZCZAK
_Chief Executive Officer_
M: +48.884999123
E: b.pabiszczak at yetiforce.com
On 2015-09-09 13:51, Ranieri wrote:
> You blocked only the file webservices.php? Is that enough?
>
> 2015-09-09 1:31 GMT-03:00 Preexo <preexo at googlemail.com>:
>
>> I use Apache's Allow from 123.123.123.13 for that.
>> http://httpd.apache.org/docs/2.2/howto/access.html [1]
>>
>> --
>> View this message in context: http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-Restrict-access-thru-Webservices-tp17267p17274.html [2]
>> Sent from the vtigercrm-developers mailing list archive at Nabble.com.
>> _______________________________________________
>> http://www.vtiger.com/ [3]
>
> _______________________________________________
> http://www.vtiger.com/ [3]
Links:
------
[1] http://httpd.apache.org/docs/2.2/howto/access.html
[2]
http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-Restrict-access-thru-Webservices-tp17267p17274.html
[3] http://www.vtiger.com/
[4]
https://github.com/YetiForceCompany/YetiForceCRM/blob/stable/config/api.php
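Added example, not from the thread and not vtiger's or YetiForce's own configuration: the Apache access restriction Preexo describes, written out for the endpoint file Ranieri asks about, in the 2.2 syntax the linked howto covers and in the 2.4 equivalent, plus a block that denies the modules/Mobile directory entirely, since blocking the webservice file alone leaves that module reachable. The document root /var/www/vtigercrm is a placeholder, the client address is the one from the thread, and the endpoint filename is taken from Ranieri's message and should be checked against the actual install.

```apache
# Added example (not from the thread). Placeholder path; adjust to your install.
# Use the block matching your Apache version: on 2.4 the Order/Allow/Deny
# directives only work if mod_access_compat is loaded, so mixing both
# forms in one file will fail configtest.

# --- Apache 2.2 (mod_authz_host, as in the linked howto) ---
<Directory "/var/www/vtigercrm">
    <Files "webservices.php">
        Order deny,allow
        Deny from all
        # Address taken from the thread; list every integration host
        # that legitimately calls the API (CIDR ranges are accepted too)
        Allow from 123.123.123.13
    </Files>
</Directory>

# --- Apache 2.4 (Require replaces Order/Allow/Deny) ---
<Directory "/var/www/vtigercrm">
    <Files "webservices.php">
        Require ip 123.123.123.13
    </Files>
</Directory>

# The endpoint is not the only external entry point: deny the mobile
# module's directory as well until it is disabled or replaced.
# (2.4 form shown; on 2.2 use "Order deny,allow" followed by "Deny from all".)
<Directory "/var/www/vtigercrm/modules/Mobile">
    Require all denied
</Directory>
```

After editing, run `apachectl configtest` and reload, then confirm from a host that is not on the list that requests to the endpoint and to modules/Mobile return 403 while requests from the listed address still succeed. This is a network-level control in front of the application; it narrows who can reach the endpoint but does not fix the permission checks behind it, which is why disabling unused services in the configuration file above is still the first step.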