[Vtigercrm-developers] Can Vtiger 7 be made secure enough?

socialboostdk socialboostdk at gmail.com
Fri Jun 28 11:22:43 GMT 2019


Hi Nilay,

Thank you very much for this excellent list!

Should we (the open source community) try to collect a master-list to
maintain somewhere, so we have a ready list of tasks for security
improvements + "best practices" within security checks?

:)

Cheers!

On Fri, 28 Jun 2019 at 13:05, nilay khatri <nilay.spartan at gmail.com> wrote:

> Hi Chris,
>
> no it is not secure enough if you use it as it is.
>
> As I had sent an email warning everyone about hacks going on related to
> vtigersupport.com here are few things:
>
> 1. if you are using SMS integration, which I guess would be the case for
> the insurance industry, the passwords are stored in plain text. We need to
> have a salt-based encryption
>
> 2. Database credentials are stored in plain text, so if the file system is
> compromised the attacker would gain access to the database as well easily.
> Use some encryption system to encrypt the whole config file or store the
> database credentials in a separate file outside the document root and
> include that file in config.inc.php
>
> 3. Make sure you apply the change to normalize the web service error for
> invalid username or password
>
> 4. Disable import from zip files if not required
>
> 5. Define the .htaccess rules properly such that it allows access to only
> the files which should have direct access such as index.php, capture.php,
> .png jpeg etc. files in storage, etc.. Everything else should be forbidden
>
> 6. There is no rule to set a secure password, even if you tell the users to
> always use a secure password, you cannot be sure that users will do that.
> Quite possibly they can set a password just 1 character long :)
>
> 7. Review the custom extension thoroughly, such as VGS Document Manager (it
> is all good unless you set the file permissions properly)
>
> 8. Make sure no 2 CRM systems on the same server have the same application
> key. This normally happens if you use a Dump of an already installed CRM to
> set up a new CRM
>
>
> These are must-have "security checks" you should consider.
>
> To make it more secure you can consider a few more things:
>
> 1. Keep the CRM behind Cloudflare. There are some issues which occur if
> you use Cloudflare, such as captcha validation while sending an Email.
>
> 2. Have 2FA, we are working on this and will soon have an Open Source
> patch for this
>
> Hope this helps.
>
> I guess Blazej will have more comments :)
>
> On Fri, Jun 28, 2019 at 1:22 PM socialboostdk <socialboostdk at gmail.com>
> wrote:
>
>> Hi there,
>>
>> I have a client who needs very high security (think "insurance"
>> category). They're asking if Vtiger 7 open source can actually be made
>> secure enough? I.e. assuming we apply all patches, collect all known
>> bugs/holes etc., and try to fix those.
>>
>> I would like to give them an honest answer.
>>
>> What do you think?
>>
>> Thanks,
>> Chris
>> _______________________________________________
>> http://www.vtiger.com/
>
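One way to carry out point 2 of the quoted list (database credentials kept in a file outside the document root and pulled into config.inc.php), as an added PHP example that is neither vtiger's own code nor from either poster. The path /etc/vtiger/db.php, the function name loadDbCredentials and the keys in the credentials array are assumptions; the $dbconfig keys are the ones vtiger's config.inc.php expects.

```php
<?php
// Added example, not vtiger code. Assumes /etc/vtiger/db.php (hypothetical path) is owned
// by the web-server user, mode 0600 or 0640, and contains:
//   <?php return ['host' => 'localhost', 'user' => 'vtiger', 'pass' => '...', 'name' => 'vtiger'];

/**
 * Load database credentials from a file outside the document root.
 * Fails closed: any problem raises an exception instead of falling back to defaults.
 */
function loadDbCredentials(string $path, string $docRoot): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("Credentials file not found: $path");
    }
    // Refuse a file under the web root: a misconfigured server could serve it verbatim.
    $rootReal = realpath($docRoot);
    if ($rootReal !== false && strpos($real, rtrim($rootReal, '/') . '/') === 0) {
        throw new RuntimeException("Credentials file must not live under the document root: $real");
    }
    // Refuse a world-readable file (other-read bit set); 0600 or 0640 are acceptable.
    $mode = fileperms($real) & 0777;
    if (($mode & 0004) !== 0) {
        throw new RuntimeException(sprintf('Credentials file is world-readable (mode %04o): %s', $mode, $real));
    }
    $creds = include $real;
    foreach (['host', 'user', 'pass', 'name'] as $key) {
        if (!is_array($creds) || !isset($creds[$key]) || !is_string($creds[$key])) {
            throw new RuntimeException("Credentials file is missing key '$key'");
        }
    }
    return $creds;
}

// In config.inc.php, replace the literal credential values with a call like this.
// __DIR__ is used when DOCUMENT_ROOT is unset, e.g. when config.inc.php is loaded from a cron job.
$creds = loadDbCredentials('/etc/vtiger/db.php', $_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$dbconfig['db_server']   = $creds['host'];
$dbconfig['db_username'] = $creds['user'];
$dbconfig['db_password'] = $creds['pass'];
$dbconfig['db_name']     = $creds['name'];
```

Keep the credentials file out of any backup or dump that is copied to another server, otherwise point 8 of the list (shared secrets between two CRM installs) reappears in a different form.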