[Vtigercrm-developers] Can Vtiger 7 be made secure enough?

Prasad prasad at vtiger.com
Mon Jul 1 05:26:30 GMT 2019


Tony,

code.vtiger.com is up for me.
Please confirm.
--
FB <http://www.facebook.com/vtiger> I Twit <http://twitter.com/vtigercrm> I
LIn <https://www.linkedin.com/company/1270573?trk=tyah> I Blog
<https://blogs.vtiger.com> I Website <https://www.vtiger.com/>


On Sat, Jun 29, 2019 at 5:44 AM Tony Sandman <tonysandman999 at gmail.com>
wrote:

> @ the moment code.vtiger.com allows for nothing. It is down.
>
> T
>
> On Fri, Jun 28, 2019 at 7:12 PM nilay khatri <nilay.spartan at gmail.com>
> wrote:
>
>> Does code.vtiger.com allow wiki pages?
>>
>> On Fri, Jun 28, 2019 at 4:54 PM socialboostdk <socialboostdk at gmail.com>
>> wrote:
>>
>>> Hi Nilay,
>>>
>>> Thank you very much for this excellent list!
>>>
>>> Should we (the open source community) try to collect a master-list to
>>> maintain somewhere, so we have a ready list of tasks for security
>>> improvements + "best practices" within security checks?
>>>
>>> :)
>>>
>>> Cheers!
>>>
>>> On Fri, 28 Jun 2019 at 13:05, nilay khatri <nilay.spartan at gmail.com>
>>> wrote:
>>>
>>>> Hi Chris,
>>>>
>>>> No, it is not secure enough if you use it as it is.
>>>>
>>>> As I had sent an email warning everyone about hacks going on related to
>>>> vtigersupport.com, here are a few things:
>>>>
>>>> 1. If you are using SMS integration, which I guess would be the case
>>>> for the insurance industry, the passwords are stored in plain text. We need
>>>> to have a salt-based encryption.
>>>>
>>>> 2. Database credentials are stored in plain text, so if the file system
>>>> is compromised the attacker would easily gain access to the database as
>>>> well. Use some encryption system to encrypt the whole config file, or
>>>> store the database credentials in a separate file outside the document root
>>>> and include that file in config.inc.php.
>>>>
>>>> 3. Make sure you apply the change to normalize the web service error
>>>> for invalid username or password.
>>>>
>>>> 4. Disable import from zip files if not required.
>>>>
>>>> 5. Define the .htaccess rules properly such that it allows access to
>>>> only the files which should have direct access, such as index.php,
>>>> capture.php, the .png, .jpeg, etc. files in storage, and so on. Everything
>>>> else should be forbidden.
>>>>
>>>> 6. There is no rule to set a secure password; even if you tell the users
>>>> to always use a secure password, you cannot be sure that users will do
>>>> that. Quite possibly they can set a password just 1 character long :)
>>>>
>>>> 7. Review the custom extensions thoroughly, such as VGS Document
>>>> Manager (it is all good unless you set the file permissions properly).
>>>>
>>>> 8. Make sure no 2 CRM systems on the same server have the same application
>>>> key. This normally happens if you use a dump of an already installed CRM to
>>>> set up a new CRM.
>>>>
>>>>
>>>> These are must-have "security checks" you should consider.
>>>>
>>>> To make it more secure you can consider a few more things:
>>>>
>>>> 1. Keep the CRM behind Cloudflare. There are some issues which occur if
>>>> you use Cloudflare, such as captcha validation while sending an email.
>>>>
>>>> 2. Have 2FA; we are working on this and will soon have an open source
>>>> patch for this.
>>>>
>>>> Hope this helps.
>>>>
>>>> I guess Blazej will have more comments :)
>>>>
>>>> On Fri, Jun 28, 2019 at 1:22 PM socialboostdk <socialboostdk at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi there,
>>>>>
>>>>> I have a client who needs very high security (think "insurance"
>>>>> category). They're asking if Vtiger 7 open source can actually be made
>>>>> secure enough, i.e. assuming we apply all patches, collect all known
>>>>> bugs/holes etc., and try to fix those.
>>>>>
>>>>> I would like to give them an honest answer.
>>>>>
>>>>> What do you think?
>>>>>
>>>>> Thanks,
>>>>> Chris
>>>>> _______________________________________________
>>>>> http://www.vtiger.com/
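As an added example of item 2 in Nilay's list (this is not Vtiger's own code and was not posted in the thread), here is how `config.inc.php` could pull the database credentials from a file kept outside the document root and fail closed if that file is missing. The path `/etc/vtiger/db.secret.php`, the keys in the returned array, and the `$dbconfig` array shape are assumptions for illustration.

```php
<?php
// Added example: load DB credentials from outside the web root.
// Assumed layout: the web root is /var/www/vtiger and the secrets file is
// /etc/vtiger/db.secret.php, which Apache cannot serve. That file is assumed
// to contain only:
//   <?php return ['db_server' => 'localhost', 'db_username' => 'vtiger',
//                 'db_password' => '...', 'db_name' => 'vtigercrm'];

$secretsFile = '/etc/vtiger/db.secret.php';

// Fail closed: refuse to start rather than fall back to any default credentials.
if (!is_file($secretsFile) || !is_readable($secretsFile)) {
    error_log("vtiger: database secrets file missing or unreadable: $secretsFile");
    http_response_code(500);
    exit('Configuration error');
}

// Only the web server user should be able to read the file; log if it is
// group- or world-readable so the operator notices a bad deployment.
$perms = fileperms($secretsFile) & 0777;
if ($perms & 0077) {
    error_log(sprintf('vtiger: %s has mode %04o; expected 0400 or 0600',
                      $secretsFile, $perms));
}

$dbSecrets = require $secretsFile;
foreach (['db_server', 'db_username', 'db_password', 'db_name'] as $key) {
    if (!is_array($dbSecrets) || !isset($dbSecrets[$key]) || $dbSecrets[$key] === '') {
        error_log("vtiger: database secret '$key' is missing");
        http_response_code(500);
        exit('Configuration error');
    }
}

// Hypothetical $dbconfig array in the shape the rest of config.inc.php consumes;
// nothing below this point ever contains a literal password.
$dbconfig['db_server']   = $dbSecrets['db_server'];
$dbconfig['db_username'] = $dbSecrets['db_username'];
$dbconfig['db_password'] = $dbSecrets['db_password'];
$dbconfig['db_name']     = $dbSecrets['db_name'];
unset($dbSecrets);
```

With this layout a file-disclosure bug that exposes config.inc.php reveals only the path of the secrets file, and a database dump used to clone the instance (item 8) no longer carries the production credentials with it.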