[Vtigercrm-developers] Can Vtiger 7 be made secure enough?
prasad at vtiger.com
Mon Jul 1 05:34:10 GMT 2019
Your recommendations on "security checks" are more towards deployment and
hosting than the product itself.
Vtiger product as such does open unauthenticated access from Web / API -
please confirm if it does so.
On Fri, Jun 28, 2019 at 4:37 PM nilay khatri <nilay.spartan at gmail.com> wrote:
> Hi Chris,
> no it is not secure enough if you use it as it is.
> As I had sent an email warning everyone about hacks going on related to
> vtigersupport.com, here are a few things:
> 1. If you are using SMS integration, which I guess would be the case for
> the insurance industry, the passwords are stored in plain text. We need to
> have salt-based encryption.
> 2. Database credentials are stored in plain text, so if the file system is
> compromised the attacker would gain access to the database as well easily.
> Use some encryption system to encrypt the whole config file or store the
> database credentials in a separate file outside the document root and
> include that file in config.inc.php
> 3. Make sure you apply the change to normalize the web service error for
> invalid username or password.
> 4. Disable import from zip files if not required
> 5. Define the .htaccess rules properly such that they allow access only to
> the files which should have direct access, such as index.php, capture.php,
> .png/.jpeg etc. files in storage, etc. Everything else should be forbidden.
> 6. There is no rule to set a secure password; even if you tell the users to
> always use a secure password, you cannot be sure that users will do that.
> Quite possibly they can set a password just 1 character long :)
> 7. Review the custom extensions thoroughly, such as VGS Document Manager (it
> is all good unless you set the file permissions properly).
> 8. Make sure no 2 CRM systems on the same server have the same application
> key. This normally happens if you use a dump of an already installed CRM to
> set up a new CRM.
> These are the must-have "security checks" you should consider.
> To make it more secure you can consider a few more things:
> 1. Keep the CRM behind Cloudflare. There are some issues which occur if
> you use Cloudflare, such as captcha validation while sending an email.
> 2. Have 2FA, we are working on this and will soon have an Open Source
> patch for this
> Hope this helps.
> I guess Blazej will have more comments :)
> On Fri, Jun 28, 2019 at 1:22 PM socialboostdk <socialboostdk at gmail.com> wrote:
>> Hi there,
>> I have a client who needs very high security (think "insurance"
>> category). They're asking if Vtiger 7 open source can actually be made
>> secure enough? I.e. assuming we apply all patches, collect all known
>> bugs/holes etc., and try to fix those.
>> I would like to give them an honest answer.
>> What do you think?
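Items 2, 3 and 6 of nilay's list above (database credentials outside the document root and included from config.inc.php, one uniform web service error for a bad username or password, and a minimum password policy), as an added example that is not part of the original thread and is not Vtiger's own code. The credentials file path and layout, the policy thresholds, the error code string and the in-memory user table are assumptions; the `$dbconfig` key names follow Vtiger's config.inc.php and should be checked against your copy.

```php
<?php
// Added example, not Vtiger project code. Assumed paths and names throughout.

// --- (2) database credentials kept outside the web root -------------------
// Assumed file /etc/vtiger/db.php, mode 0640, owner root, group of the PHP
// worker, containing only:
//   <?php return ['host'=>'127.0.0.1','port'=>3306,'user'=>'vtiger',
//                 'pass'=>'...','name'=>'vtigercrm7'];
function loadDbCredentials(string $path = '/etc/vtiger/db.php'): array
{
    if (!is_readable($path)) {
        // Fail closed: never fall back to credentials baked into config.inc.php.
        throw new RuntimeException('database credentials file not readable: ' . $path);
    }
    $cred = require $path;
    foreach (['host', 'port', 'user', 'pass', 'name'] as $key) {
        if (!is_array($cred) || !array_key_exists($key, $cred)) {
            throw new RuntimeException("credentials file is missing key '$key'");
        }
    }
    return $cred;
}

// In config.inc.php, replace the literal values with (key names as in Vtiger's
// config.inc.php; verify against your installation):
//   $cred = loadDbCredentials();
//   $dbconfig['db_server']   = $cred['host'];
//   $dbconfig['db_port']     = ':' . $cred['port'];
//   $dbconfig['db_username'] = $cred['user'];
//   $dbconfig['db_password'] = $cred['pass'];
//   $dbconfig['db_name']     = $cred['name'];

// --- (6) password policy enforced server side -------------------------------
// Assumed policy: at least 12 characters and three of four character classes.
function passwordMeetsPolicy(string $password, int $minLength = 12): bool
{
    if (strlen($password) < $minLength) {
        return false;
    }
    $classes = 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/'] as $pattern) {
        if (preg_match($pattern, $password) === 1) {
            $classes++;
        }
    }
    return $classes >= 3;
}

// --- (3) one uniform login failure for unknown user and wrong password -----
// $lookup is callable(string $username): ?string and returns the stored
// password_hash() value, or null when no such user exists.
function authenticate(string $username, string $password, callable $lookup): array
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Verify against a throwaway hash when the user is unknown so that
        // both failure paths cost roughly the same time.
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $storedHash = $lookup($username);
    $verified = password_verify($password, $storedHash ?? $dummyHash);
    if ($storedHash === null || !$verified) {
        // Identical code and message regardless of which check failed
        // (the error code string is an assumption, not Vtiger's own).
        return [
            'success' => false,
            'error'   => ['code' => 'INVALID_USER_CREDENTIALS',
                          'message' => 'Invalid username or password'],
        ];
    }
    return ['success' => true, 'result' => ['user' => $username]];
}

// Constructed in-memory user table so the file runs stand-alone.
$users = ['alice' => password_hash('Correct-Horse-42', PASSWORD_DEFAULT)];
$lookup = fn(string $u): ?string => $users[$u] ?? null;

echo json_encode(authenticate('alice', 'Correct-Horse-42', $lookup)), PHP_EOL;
$wrongPassword = authenticate('alice', 'wrong', $lookup);
$unknownUser   = authenticate('nobody', 'wrong', $lookup);
echo 'failure responses identical: ', var_export($wrongPassword === $unknownUser, true), PHP_EOL;
echo 'policy accepts "a": ', var_export(passwordMeetsPolicy('a'), true), PHP_EOL;
echo 'policy accepts "Correct-Horse-42": ', var_export(passwordMeetsPolicy('Correct-Horse-42'), true), PHP_EOL;
```

The credentials file is plain PHP returning an array, so it is never served even if the web server misroutes a request, and it can be rotated without touching anything under the document root. Keeping the failure branch to a single array literal is what stops the web service from leaking whether a username exists; the dummy `password_verify()` call narrows the timing difference between the two paths, which a uniform message alone does not.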