[Vtigercrm-developers] Can Vtiger 7 be made secure enough?

nilay khatri nilay.spartan at gmail.com
Fri Jun 28 09:12:59 GMT 2019


Hi Chris,

No, it is not secure enough if you use it as it is.

As I had sent an email warning everyone about hacks going on related to
vtigersupport.com, here are a few things:

1. If you are using SMS integration, which I guess would be the case for
the insurance industry, the passwords are stored in plain text. We need to
have salt-based encryption.

2. Database credentials are stored in plain text, so if the file system is
compromised, the attacker would easily gain access to the database as well.
Use some encryption system to encrypt the whole config file, or store the
database credentials in a separate file outside the document root and
include that file in config.inc.php.

3. Make sure you apply the change to normalize the web service error for
an invalid username or password.

4. Disable import from zip files if not required.

5. Define the .htaccess rules properly such that they allow access only to
the files which should have direct access, such as index.php, capture.php,
the .png/.jpeg etc. files in storage, and so on. Everything else should be forbidden.

6. There is no rule to set a secure password; even if you tell the users to
always use a secure password, you cannot be sure that users will do that.
Quite possibly they can set a password just 1 character long :)

7. Review the custom extensions thoroughly, such as VGS Document Manager (it
is all good unless you set the file permissions properly).

8. Make sure no 2 CRM systems on the same server have the same application key.
This normally happens if you use a dump of an already installed CRM to set up a
new CRM.


These are the must-do "security checks" you should consider.

To make it more secure you can consider a few more things:

1. Keep the CRM behind Cloudflare. There are some issues which occur if you
use Cloudflare, such as captcha validation while sending an email.

2. Have 2FA; we are working on this and will soon have an open source patch
for this.

Hope this helps.

I guess Blazej will have more comments :)

On Fri, Jun 28, 2019 at 1:22 PM socialboostdk <socialboostdk at gmail.com>
wrote:

> Hi there,
>
> I have a client who needs very high security (think "insurance" category).
> They're asking if Vtiger 7 open source can actually be made secure enough?
> I.e. assuming we apply all patches, collect all known bugs/holes etc., and
> try to fix those.
>
> I would like to give them an honest answer.
>
> What do you think?
>
> Thanks,
> Chris
> _______________________________________________
> http://www.vtiger.com/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20190628/4988b71c/attachment.html>
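As an added example (not Vtiger's shipped config.inc.php and not code from this thread), this is the pattern from item 2 and item 8 above: the database credentials and the per-install application key live in a file outside the document root, and config.inc.php loads them and refuses to start if the file is world-readable or still carries placeholder values. The path /etc/vtiger/secrets.php and the 0640 permission are assumptions; the $dbconfig keys and $application_unique_key are the names Vtiger's config.inc.php uses for these settings as I recall them, so check them against your install.

```php
<?php
// Added example, not Vtiger project code. Assumed layout: the web root is
// e.g. /var/www/vtiger and the secrets file is outside it.
//
// --- /etc/vtiger/secrets.php (outside the web root; chmod 0640,
//     owner root, group = the web server user) --------------------------
// <?php
// return [
//     'db_server'              => '127.0.0.1',
//     'db_port'                => ':3306',
//     'db_username'            => 'vtiger',
//     'db_password'            => 'CHANGE-ME',
//     'db_name'                => 'vtigercrm7',
//     'application_unique_key' => 'CHANGE-ME-per-install',
// ];

// --- inside config.inc.php in the document root ------------------------
define('VT_SECRETS_FILE', '/etc/vtiger/secrets.php'); // assumed location

function vt_load_secrets($path)
{
    if (!is_file($path)) {
        throw new RuntimeException("secrets file missing: $path");
    }
    // A world-readable secrets file defeats the point of moving it out of
    // the web root (any other account on the box could read it), so refuse
    // to start in that case instead of silently continuing.
    $perms = fileperms($path) & 0777;
    if ($perms & 0004) {
        throw new RuntimeException(sprintf(
            'secrets file %s is world-readable (%04o)', $path, $perms));
    }

    $secrets = include $path;
    $required = ['db_server', 'db_port', 'db_username', 'db_password',
                 'db_name', 'application_unique_key'];
    foreach ($required as $key) {
        if (!is_array($secrets) || !isset($secrets[$key]) || $secrets[$key] === '') {
            throw new RuntimeException("secrets file is missing '$key'");
        }
    }

    // Item 8 of the post: an application key copied along with a dump of
    // another install is a common mistake. Reject the template placeholder
    // so every install is forced to generate its own value.
    if (strpos($secrets['application_unique_key'], 'CHANGE-ME') === 0) {
        throw new RuntimeException('application_unique_key still has the placeholder value');
    }
    return $secrets;
}

$secrets = vt_load_secrets(VT_SECRETS_FILE);

// Populate the settings Vtiger expects in config.inc.php (names assumed).
$dbconfig = [];
$dbconfig['db_server']   = $secrets['db_server'];
$dbconfig['db_port']     = $secrets['db_port'];
$dbconfig['db_username'] = $secrets['db_username'];
$dbconfig['db_password'] = $secrets['db_password'];
$dbconfig['db_name']     = $secrets['db_name'];
$dbconfig['db_type']     = 'mysqli';

$application_unique_key = $secrets['application_unique_key'];

// Drop the local copy so a later var_dump()/print_r() of globals in a
// debugging session does not echo the password.
unset($secrets);
```

This does not help if the attacker already runs code as the web server user (that user must be able to read the file), but it does stop the two cases the post is about: a copy of the document root walking off (backups, .zip imports, a dump of the install) and any other local account reading config.inc.php.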
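A second added example (again not Vtiger's code) for items 3 and 6: a password-policy check that runs when a password is set, and a login routine that returns one generic error whether the username does not exist or the password is wrong, so a web service client cannot enumerate valid users. The user store is constructed sample data and the hashing is PHP's password_hash(); Vtiger's own user table, hashing scheme and web service login path are not shown, and the minimum length of 12 is a value chosen for the example.

```php
<?php
// Added example, not Vtiger project code.

const MIN_PASSWORD_LENGTH = 12;                      // policy value, assumed
const LOGIN_FAILED        = 'Invalid username or password';

/**
 * Item 6: enforce a policy server-side instead of trusting users to pick a
 * good password. Returns the list of violated rules (empty = acceptable).
 */
function password_policy_violations($password, $username)
{
    $violations = [];
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        $violations[] = 'at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $violations[] = 'both upper- and lower-case letters';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $violations[] = 'at least one digit';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        $violations[] = 'must not contain the username';
    }
    return $violations;
}

/**
 * Item 3: one normalized error for both failure reasons. The dummy hash is
 * verified when the user is unknown so that branch costs the same as a
 * wrong password for a real user; otherwise the response time alone would
 * reveal which usernames exist.
 */
function authenticate(array $users, $dummyHash, $username, $password)
{
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : $dummyHash;
    $ok    = password_verify($password, $hash) && $known;
    return $ok ? ['ok' => true] : ['ok' => false, 'error' => LOGIN_FAILED];
}

// Constructed sample user store: username => password hash.
$users = [
    'admin' => password_hash('Correct-Horse-Battery-9', PASSWORD_DEFAULT),
];
// Hash of a value nobody uses; only its verification cost matters.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Demo calls.
print_r(password_policy_violations('a', 'admin'));
print_r(password_policy_violations('Correct-Horse-Battery-9', 'admin'));
print_r(authenticate($users, $dummyHash, 'admin', 'Correct-Horse-Battery-9'));
print_r(authenticate($users, $dummyHash, 'nobody', 'x'));   // same error as below
print_r(authenticate($users, $dummyHash, 'admin', 'x'));
```

The two failing authenticate() calls at the end return an identical array, which is the property the post's item 3 asks for; in a real deployment the same message must also be what the web service layer serializes, since a different wording or HTTP status on the two paths leaks the same information.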

