[Vtigercrm-developers] Reminder: Please be a contributor rather than a whistleblower - on security issues.

Błażej Pabiszczak b.pabiszczak at yetiforce.com
Mon Apr 23 14:07:28 GMT 2018


@Prasad 

Who is all this marketing spam for? Security, safety, and data privacy
aren't your priorities. If they were, you would have taken a different
approach all these years. If we cared about publicity we'd post all
these errors to CVE and LinkedIn, in large groups that have 100k-200k
members, like the Open Source group. For now we just want to embarrass
you, so that you get stuff done.

The majority of the errors that we're going to publish will be sent to
you earlier [what email address should we send them to?] so you have some
time to fix them; depending on the type of error it will be 7, 14, or
21 days. If you don't fix them [like coreBOS does] then we'll stop
reporting them to you and you will find out about them on the day we
publish the articles.

Please don't try to convince people that this system is safe, because it
isn't. You're not in touch with any security consultants; if you are, you
should change them. You've never had a decent security audit, and even
if there was one it must've been short and a very long time ago.

I'll tell you how things are right now: 

* You don't follow any standards as far as creating software is
concerned, e.g. PSR.
* You don't analyze the code statically and improve it according to
current standards, e.g. https://insight.sensiolabs.com/,
https://scrutinizer-ci.com/, https://sonarwhal.com [8].
* You have no unit/automated tests.
* You don't follow the OWASP ASVS guidelines.
* You don't fix errors, you suppress them instead, and compatibility
with the latest PHP versions is done with as little effort as possible.
* You don't know what libraries you use; many of them have security
errors. It took us several months to clean up and update libraries, how
long will it take you?
* You don't know under what license your libraries are; you still use
GPL/AGPL in your system.

And what does the security look like? It's terrible, believe me. Please
provoke me [block me here, for example] or keep saying that the system is
safe, and then I'll do what I don't have time to do: I'll write a few dozen
articles, each with critical security vulnerabilities. Please tell your
community:

* When are you going to update libraries to the latest versions?
They're full of holes! E.g. jQuery 2.1.1 [CVE-2015-9251, CVE-2016-10707].
* When are you going to move key files away from public_html?
* When are you going to start checking permissions for each module,
action, and record, instead of what you do now, which is creating dozens of
weird exceptions that lower the security level?
* When are you going to properly [and centrally] check/clean data sent
in requests [especially when it comes to HTML files]?
* When are you going to verify the security and quality of the addons in
https://marketplace.vtiger.com/app/listings, because the products
available there aren't under any control?
* When are you going to present the results of security audits
performed by a reputable company that specializes in web applications?

Every week we'll publish 1-2 articles related to
coreBOS/Vtiger/VTE/SuiteCRM/EPESI. I hope you change your approach and
start improving the core of your system.

---
Regards

BŁAŻEJ PABISZCZAK 
M: +48.884999123
E: b.pabiszczak at yetiforce.com 

On 2018-04-20 13:44, Prasad wrote:

> I hope you are following issue tracker as well. 
> 
> -- 
> FB [1] | Twit [2] | LIn [3] | Blog [4] | Website [5]
> On Fri, Apr 20, 2018 at 5:11 PM, socialboostdk <socialboostdk at gmail.com> wrote:
> 
> +1 
> 
> Also avoid using users' email to hash passwords. It's crap, and it means that you cannot change the email without also changing the password...
> 
> On 20 April 2018 at 13:31, Conrado Maggi <comaggi at gmail.com> wrote: 
> 
> Basically, Not doing this: https://unsecure.blog/en/114-vtigercrm-storing-passwords-in-md5.html [6]  
> 
> Conrado 
> 
> On Fri, Apr 20, 2018 at 12:22 PM, Prasad <prasad at vtiger.com> wrote: 
> 
> Thank you for the references. We are in touch with a few wise security advisors as well.
> 
> The intent behind the post was to raise awareness of the quality of information that needs to be exchanged
> when understanding a security issue.
> 
> Regards, 
> Prasad 
> 
> -- 
> FB [1] | Twit [2] | LIn [3] | Blog [4] | Website [5]
> 
> On Fri, Apr 20, 2018 at 3:20 PM, IT-Solutions4You <info at its4you.sk> wrote:
> I found this interesting project
> https://hacktrophy.com/en/price-ethical-hacking/ [7]
> 
> I am thinking of contacting them to scan vtiger. Maybe you (vtiger) can cooperate, basically it's your software ;-)
> 
> Matus
> 
> On 20. 4. 2018 at 10:54, Prasad wrote:
> 
> Dear members,
> 
> Security and Data-Privacy is our top priority.
> 
> Without providing much detail, citing security concerns on public channels is more like whistleblowing, which does no good but creates suspicion in those who aren't fully aware of the details.
> 
> If you are aware of a security risk or suspect a possible hole that
> can give an attacker the ability to gain customer data, please feel free to reach out to us
> with complete details or file the issue on our tracker to keep our community informed.
> 
> Regards,
> Prasad
> 
> _______________________________________________
> http://www.vtiger.com/

Links:
------
[1] http://www.facebook.com/vtiger
[2] http://twitter.com/vtigercrm
[3] https://www.linkedin.com/company/1270573?trk=tyah
[4] https://blogs.vtiger.com
[5] https://www.vtiger.com/
[6] https://unsecure.blog/en/114-vtigercrm-storing-passwords-in-md5.html
[7] https://hacktrophy.com/en/price-ethical-hacking/
[8] https://sonarwhal.com/
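The two password-storage points raised in the quoted replies above (the unsecure.blog article on MD5 password storage, and socialboostdk's remark that mixing the user's e-mail into the hash ties the credential to the e-mail address) are worth seeing side by side in code. The block below is an added example; it is not code from this thread or from the Vtiger code base. The legacy construction `md5(email . password)`, the record layout with `email`/`hash`/`scheme` fields, and the helper names are assumptions made for illustration; the hardened side uses only PHP's standard `password_hash()`, `password_verify()` and `password_needs_rehash()` (PHP 5.5+), with a migrate-on-login step so existing users are upgraded the next time they authenticate.

```php
<?php
// Added example, not Vtiger's or the thread's code.
// ASSUMPTION: the legacy scheme is md5(email . password); the real construction
// in any given CRM may differ. The record layout below is also assumed.
declare(strict_types=1);

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- Legacy scheme: unsalted MD5 with the user's e-mail mixed in -------------
function legacy_hash(string $email, string $password): string
{
    return md5($email . $password);
}

function legacy_verify(string $email, string $password, string $stored): bool
{
    return hash_equals($stored, legacy_hash($email, $password));
}

// --- Hardened scheme: password_hash() with a random per-user salt -------------
function secure_hash(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt on PHP 7.x; salt and cost are embedded in the
    // returned string, so nothing about the user (e-mail included) is part of it.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify against either format; on a successful legacy login the plaintext is
// available, so the record is transparently re-hashed with the strong scheme.
// $record is an assumed layout: ['email' => ..., 'hash' => ..., 'scheme' => 'legacy'|'modern'].
function authenticate(array &$record, string $password): bool
{
    if ($record['scheme'] === 'legacy') {
        if (!legacy_verify($record['email'], $password, $record['hash'])) {
            return false;
        }
        $record['hash']   = secure_hash($password);
        $record['scheme'] = 'modern';
        return true;
    }
    if (!password_verify($password, $record['hash'])) {
        return false;
    }
    // Follow a raised bcrypt cost later without forcing a password reset.
    if (password_needs_rehash($record['hash'], PASSWORD_DEFAULT)) {
        $record['hash'] = secure_hash($password);
    }
    return true;
}

// --- Walk-through with a constructed user record -----------------------------
$user = [
    'email'  => 'alice@example.com',
    'scheme' => 'legacy',
    'hash'   => legacy_hash('alice@example.com', 'correct horse'),
];

// 1. No per-user randomness: same e-mail + password always yields the same MD5,
//    which is exactly what makes bulk offline cracking of a dumped table cheap.
check(legacy_hash('alice@example.com', 'correct horse') === $user['hash'], 'deterministic legacy hash');

// 2. Changing only the e-mail breaks the legacy credential: the user is locked out.
$user['email'] = 'alice@newdomain.example';
check(authenticate($user, 'correct horse') === false, 'legacy login fails after e-mail change');
$user['email'] = 'alice@example.com';

// 3. A correct login migrates the record to bcrypt ...
check(authenticate($user, 'correct horse') === true, 'legacy login succeeds');
check($user['scheme'] === 'modern' && strncmp($user['hash'], '$2y$', 4) === 0, 'record migrated to bcrypt');

// 4. ... after which the e-mail can change freely and wrong passwords still fail.
$user['email'] = 'alice@newdomain.example';
check(authenticate($user, 'correct horse') === true, 'modern login survives e-mail change');
check(authenticate($user, 'wrong') === false, 'wrong password rejected');
echo "ok\n";
```

Run it with `php example.php`; it prints `ok` when every check passes. The migration step only ever moves a record forward, so once all active users have logged in once the `legacy` branch can be removed, and remaining dormant accounts should be forced through a password reset rather than left with MD5 hashes in the table.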