[Vtigercrm-developers] Can Vtiger 7 be made secure enough?

nilay khatri nilay.spartan at gmail.com
Fri Jun 28 12:10:28 GMT 2019


Does code.vtiger.com allow wiki pages?

On Fri, Jun 28, 2019 at 4:54 PM socialboostdk <socialboostdk at gmail.com>
wrote:

> Hi Nilay,
>
> Thank you very much for this excellent list!
>
> Should we (the open source community) try to collect a master-list to
> maintain somewhere, so we have a ready list of tasks for security
> improvements + "best practices" within security checks?
>
> :)
>
> Cheers!
>
> On Fri, 28 Jun 2019 at 13:05, nilay khatri <nilay.spartan at gmail.com>
> wrote:
>
>> Hi Chris,
>>
>> No, it is not secure enough if you use it as it is.
>>
>> As I had sent an email warning everyone about hacks going on related to
>> vtigersupport.com, here are a few things:
>>
>> 1. If you are using SMS integration, which I guess would be the case for
>> the insurance industry, the passwords are stored in plain text. We need to
>> have a salt-based encryption.
>>
>> 2. Database credentials are stored in plain text, so if the file system
>> is compromised the attacker would gain access to the database as well,
>> easily. Use some encryption system to encrypt the whole config file, or
>> store the database credentials in a separate file outside the document root
>> and include that file in config.inc.php.
>>
>> 3. Make sure you apply the change to normalize the web service error for
>> an invalid username or password.
>>
>> 4. Disable import from zip files if not required.
>>
>> 5. Define the .htaccess rules properly such that they allow access to only
>> the files which should have direct access, such as index.php, capture.php,
>> .png, .jpeg, etc. files in storage, etc. Everything else should be forbidden.
>>
>> 6. There is no rule to set a secure password; even if you tell the users
>> to always use a secure password, you cannot be sure that users will do
>> that. It is quite possible they can set a password just 1 character long :)
>>
>> 7. Review the custom extensions thoroughly, such as VGS Document
>> Manager (it is all good unless you set the file permissions properly).
>>
>> 8. Make sure no 2 CRM systems on the same server have the same application
>> key. This normally happens if you use a dump of an already installed CRM to
>> set up a new CRM.
>>
>>
>> These are the must-have "security checks" you should consider.
>>
>> To make it more secure you can consider a few more things:
>>
>> 1. Keep the CRM behind Cloudflare. There are some issues which occur if
>> you use Cloudflare, such as captcha validation while sending an Email.
>>
>> 2. Have 2FA; we are working on this and will soon have an Open Source
>> patch for this.
>>
>> Hope this helps.
>>
>> I guess Blazej will have more comments :)
>>
>> On Fri, Jun 28, 2019 at 1:22 PM socialboostdk <socialboostdk at gmail.com>
>> wrote:
>>
>>> Hi there,
>>>
>>> I have a client who needs very high security (think "insurance"
>>> category). They're asking if Vtiger 7 open source can actually be made
>>> secure enough, i.e. assuming we apply all patches, collect all known
>>> bugs/holes etc., and try to fix those.
>>>
>>> I would like to give them an honest answer.
>>>
>>> What do you think?
>>>
>>> Thanks,
>>> Chris
>>> _______________________________________________
>>> http://www.vtiger.com/
>>
>

