[Vtigercrm-developers] Can Vtiger 7 be made secure enough?

Prasad prasad at vtiger.com
Mon Jul 1 05:25:53 GMT 2019


No - code.vtiger.com is not meant for wiki.
--
FB <http://www.facebook.com/vtiger> I Twit <http://twitter.com/vtigercrm> I
LIn <https://www.linkedin.com/company/1270573?trk=tyah> I Blog
<https://blogs.vtiger.com> I Website <https://www.vtiger.com/>


On Fri, Jun 28, 2019 at 5:44 PM nilay khatri <nilay.spartan at gmail.com>
wrote:

> Does code.vtiger.com allow wiki pages?
>
> On Fri, Jun 28, 2019 at 4:54 PM socialboostdk <socialboostdk at gmail.com>
> wrote:
>
>> Hi Nilay,
>>
>> Thank you very much for this excellent list!
>>
>> Should we (the open source community) try to collect a master-list to
>> maintain somewhere, so we have a ready list of tasks for security
>> improvements + "best practices" within security checks?
>>
>> :)
>>
>> Cheers!
>>
>> On Fri, 28 Jun 2019 at 13:05, nilay khatri <nilay.spartan at gmail.com>
>> wrote:
>>
>>> Hi Chris,
>>>
>>> No, it is not secure enough if you use it as it is.
>>>
>>> As I had sent an email warning everyone about hacks going on related to
>>> vtigersupport.com, here are a few things:
>>>
>>> 1. If you are using SMS integration, which I guess would be the case for
>>> the insurance industry, the passwords are stored in plain text. We need to
>>> have a salt-based encryption.
>>>
>>> 2. Database credentials are stored in plain text, so if the file system
>>> is compromised the attacker would easily gain access to the database as
>>> well. Use some encryption system to encrypt the whole config file, or
>>> store the database credentials in a separate file outside the document root
>>> and include that file in config.inc.php.
>>>
>>> 3. Make sure you apply the change to normalize the web service error for
>>> an invalid username or password.
>>>
>>> 4. Disable import from zip files if not required.
>>>
>>> 5. Define the .htaccess rules properly such that they allow access only
>>> to the files which should have direct access, such as index.php,
>>> capture.php, the .png/.jpeg etc. files in storage, and so on. Everything
>>> else should be forbidden.
>>>
>>> 6. There is no rule to set a secure password; even if you tell the users
>>> to always use a secure password, you cannot be sure that users will do
>>> that. Quite possibly they can set a password just 1 character long :)
>>>
>>> 7. Review custom extensions thoroughly, such as VGS Document
>>> Manager (it is all good unless you set the file permissions properly).
>>>
>>> 8. Make sure no 2 CRM systems on the same server have the same application
>>> key. This normally happens if you use a dump of an already installed CRM to
>>> set up a new CRM.
>>>
>>>
>>> These are must-have "security checks" you should consider.
>>>
>>> To make it more secure you can consider a few more things:
>>>
>>> 1. Keep the CRM behind Cloudflare. There are some issues which occur if
>>> you use Cloudflare, such as captcha validation while sending an email.
>>>
>>> 2. Have 2FA. We are working on this and will soon have an open-source
>>> patch for it.
>>>
>>> Hope this helps.
>>>
>>> I guess Blazej will have more comments :)
>>>
>>> On Fri, Jun 28, 2019 at 1:22 PM socialboostdk <socialboostdk at gmail.com>
>>> wrote:
>>>
>>>> Hi there,
>>>>
>>>> I have a client who needs very high security (think "insurance"
>>>> category). They're asking if Vtiger 7 open source can actually be made
>>>> secure enough? I.e., assuming we apply all patches, collect all known
>>>> bugs/holes etc., and try to fix those.
>>>>
>>>> I would like to give them an honest answer.
>>>>
>>>> What do you think?
>>>>
>>>> Thanks,
>>>> Chris
>>>> _______________________________________________
>>>> http://www.vtiger.com/
>>>
>>
>