[Vtigercrm-developers] Let's make 7.4 fruitful
Błażej Pabiszczak
b.pabiszczak at yetiforce.com
Fri Sep 18 14:12:44 GMT 2020
Hello everyone, I'm sure you've missed me!
I've been with this project for over 12 years, although I'm present here
less and less with each day. I'm following closely changes and what is
happening here, more out of sentiment than real business benefit.
We haven't transferred a single line of Vtiger code to our fork for 5
years. Believe me, this is not something normal, because the license
allows it, and our fork had 100% Vtiger files 6 years ago. How can you
develop a project for 6 years and not contribute anything valuable to
it, so that developers could benefit from it?!?
The greatest change over the last 10 years was the update from 5.4 to
6.x when a new GUI was created and a large part of the libraries were
updated. Back then, Vtiger did a huge amount of work [I suppose it was a
few thousand hours of programming work or even more] and the changes
they made at the time were groundbreaking for this project [Vtiger
caught up with the changes in PHP and JS technology]. Obviously, version
6.x was not stable, but that's understandable for such significant
changes [you can read more on their blog:
https://www.vtiger.com/blog/vtiger-crm-open-source-version-6-0-released/
[1]]. All the changes were so revolutionary for us that we learned from
Vtiger how to code.
Unfortunately, after the release of 6.x, the project was no longer
developed technologically [there were improvements, new functionalities
and a new look and feel for the Cloud version, however, the Community
version sometimes only had some minor fixes]. All the changes were made
only from the frontend side, because the backend was stopped being
developed. Novelties in the programming languages [php, js] and the
thousands of libraries available for use on GitHub have been ignored.
Developers code the same way as 5-10 years ago.
Community is a process and takes time, unfortunately, Vtiger discouraged
the Community for years and all those willing to develop the system were
ignored. This led to some huge mistakes
* A few forks were created and each of them weakened the Community
[there were probably 4 forks - at least I remember 4]
* Nobody does core programming - what can be seen on code.vtiger.com
is such a small amount of work that one developer can do more in a month
than the whole community and Vtiger in a year!
* There are no language translators, and what we see in Cloud looks
like it was translated in Google Translate.
* The code quality is so low [compared to today's standards] that no
new developers join, and if someone joins, they run away very quickly.
Because how can they code in files from 10-15 years ago? How can they
not use composer and yarn?
Finally, an extremely bad thing happened and the community ceased to
exist and those who stayed stopped demanding, they are satisfied with
every crumb they receive. They have become so dependent on Vtiger that
removing their module from the Vtiger Marketplace would destroy them
financially. There are also members who generally either don't want to
or are afraid of changes. The joy and excitement of a handful of people
over the recent changes were amazing, Vtiger did nearly nothing but
everyone was so happy as if they had received the greatest gift.
How can you not have the courage and not say a word for 5-10 years, not
to rebel, not to unite as a Community and not force the producer to meet
your expectations? And why if the producer does not meet them, you do
not create a new solution together? How can you accept bad solutions
that affect not only you, your companies but also your customers? You
have consciously accepted low quality, no security, no progress. You
have become so useless to the project that you have not forced even the
smallest significant changes on the producer for 10 years.
That's what you have created together:
* The system that introduces nothing new.
* The system that doesn't comply with any security standards.
* The system that is technologically outdated, where neither the
producer nor the Community can program at least one new function that
complies with the applicable standards.
* The system with no Community and no future.
Everything the Community is able to say right now is silent requests for
the same changes that you asked for a year ago, two years ago, five
years ago, or ten years ago. As if the last 10 years have taught you
nothing. And you will probably wait for the next 2-3 years to receive
maybe 5% of what could be done with one developer.
Is there at least one developer in the Community who is aware of what
stage this project is at? Do you think that if you don't have libraries
organized using composer and yarn, you can't see what's inside? Today, I
downloaded the latest version of VtigerCRM and that's what I found in 4
hours:
* ~ 99% libraries in Vtiger are outdated [below are the first 40 I
found, and there are around 150 of them]. This means that this system
has never passed ANY security audit. Because if it did, the report would
have 150 libraries to update!
* ~ 20% of libraries have known security vulnerabilities [below is a
list of those that I found in these 4 hours], and some of these
vulnerabilities have been around for over 5 years. There is such a mess
in the libraries that often one library appears in the system in 5
different versions and in different folders without any control.
* ~ 50% of libraries are so outdated that they should be removed from
Vtiger. Most of them have not been updated in over 5 years, a large part
of the libraries no longer exist or have been replaced with others.
There are libraries that are 10-12 years old and their code is
structured!
There are hundreds of security errors in the application, it is possible
to access any records without permissions, there are unlimited brute
force attacks, there is no information about performing unauthorized
operations, no 2FA, there are hundreds of SQL injections and XSS.
Obviously, I'm aware of the fact that every application has security
bugs, but here I'm talking about ignoring security for the last 10
years. Currently, VtigerCRM does not comply with any of the requirements
described in OWASP ASVS 4!
Obviously, Vtiger can write whatever they want on the website, e.g .:
> _Engineering practices_
>
> _Engineering teams follow secure coding guidelines, as well as manual review/ screening of the code before it is deployed in the production._
>
> _The secure coding guidelines are based on OWASP standards and implemented accordingly to protect against common threats and attack vectors (like SQL injection,Cross site scripting) within the application layer._
>
> but the truth is that every lie has no legs and if we know how to crack any protection in Vtiger open source and cloud along with extracting data without logging into the system, it doesn't take much time for others to find the same.
OUTDATED LIBRARIES
* PHPMailer 5.2.27 > 6.1.7 [support finished with 5.2.x ]
* reCAPTCHA [chyba w wersji 1] - abandoned library
* simplehtmldom 1.5 > 1.9.1 - library has 8 years
* Zend Framework 1.12.0rc4 > 3.0.0 - library has 8 years
* KCFinder 2.21 > 3.12- library has over 10 years
* Anchorme.js 0.6.0 > 2.1.1 - library has over 3 years
* Moment.js 2.8.1 / 2.10.3 > 2.28.0 - library has over 6 years
* Daterangepicker.js 1.3.17 > 3.1 - library has over 6 years
* Bootstrap Notify 3.0.2 > 3.1.3 - library has over 5 years
* jQuery v1.11.2 / 1.7 / 1.3.2 > 3.5.1 - library has over 11 years
* FullCalendar 1.5.3 / 3.1.0 > 5.3.2 - library has over 8 years
* Gridster.js - 0.1.0 / 0.5.6 > 0.7.0 - library has over 8 years
* Handsontable 0.7.0-beta / 0.15.1 > 8.0.0 - library has over 8 years
* ZeroClipboard 2.2.0 > 2.3.0 - library has over 6 years
* jQuery UI 1.11.3 / 1.8.16 > 1.12.1 - library should be replaced with
a more developed one
* jQuery Validation Plugin 1.13.1 > 1.19.2- library has over 6 years
* instaFilta 1.4.4 - library not developed for 5 years
* perfect-scrollbar 0.6.5 > 1.5.0 - library has over 3 years
* select2 3.2 / 3.4.8 - 4.0.13 - library has over 6 years
* jquery-timepicker 1.8.1 > 1.13.14 - library has over 5 years
* webui popover plugin 1.1.3 - library not developed for 5 years
* jQuery Migrate 1.0.0 > 3.3.1 - library not developed for 5 years
* Bootstrap 3.3.0 > 4.5.2 - library has over 6 years
* ADOdb 5.20.9 > 5.20.18 - library has over 4 years
* Google-api-php-client 1.1.1 > 2.7.1 - library has over 6 years
* HTML Purifier 4.10.0 > 4.13.0 - library has over 2 years
* HTTP_Session 0.5.6 - abandoned library, it is over 13 years old
* HTTP_Session2 0.7.3 - abandoned library, it is over 10 years old
* Jasny Bootstrap 3.1.3 > 4.0.0 - library has over 6 years
* BxSlider v4.1 > 4.2.14 - library has over 8 years
* Chosen 0.9.5 > 1.8.7 - library has over 9 years
* CKEditor 4.3.1 > 4.15 - library has over 7 years
* jQueryGantt 1.0 > 6.3 - library has over 6 years
* Sticky Plugin v1.0.0 > 1.0.4 - library has over 6 years
* jqPlot Charts 1.0.2 > 1.1.0 - library has over 10 years
* LazyYT 0.3.0 > 0.3.4 - library has over 6 years
* Nusoap 1.94 > library has over 15 years
* PHPExcel 1.7.7 > PhpSpreadsheet > library has over 8 years
* PHP Markdown 1.4.1 > 1.9.0 - library has over 6 years
* Smarty 3.1.7 > 3.1.35 - library has over 9 years
* Tcpdf 4.6.012 > 6.3.5 - library has over 11 years
* +110 other libraries for which I didn't have time
SECURITY
* Numerous security vulnerabilities to the old version of Zend
Framework and dozens of related libraries -
https://www.cvedetails.com/vulnerability-list/vendor_id-5025/product_id-24644/version_id-142145/Zend-Zend-Framework-1.12.0.html
[2]]
* Security vulnerabilities for the old version of KCFinder -
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=KCFinder [3]
* Security vulnerabilities for the old version of Moment.js -
https://www.cvedetails.com/vulnerability-list/vendor_id-16043/Moment-Project.html
[4]
* Security vulnerabilities for old version of jquery -
https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html
[5]
* Security vulnerabilities for old version of jquery ui -
https://www.cvedetails.com/cve/CVE-2016-7103 [6]
* Security vulnerabilities for old version of select2 -
https://github.com/select2/select2/issues/4587 [7]
* Security vulnerabilities for old version of jQuery Migrate -
https://snyk.io/vuln/npm:jquery-migrate [8]
* Security vulnerabilities for the old version of Bootstrap -
https://www.cvedetails.com/vulnerability-list/vendor_id-19522/product_id-51406/Getbootstrap-Bootstrap.html
[9]
* Security vulnerabilities for the old AdoDB library -
https://github.com/ADOdb/ADOdb/blob/v5.20.7/docs/changelog.md [10]
* Security vulnerabilities for old CKEditor library -
https://www.cvedetails.com/vulnerability-list/vendor_id-12058/Ckeditor.html
[11]
* Security vulnerabilities for old Smarty library -
https://www.cvedetails.com/vulnerability-list/vendor_id-2921/product_id-5111/Smarty-Smarty.html
[12]
* Security vulnerabilities for old tcpdf library
-https://www.cvedetails.com/vulnerability-list/vendor_id-16116/product_id-35979/Tcpdf-Project-Tcpdf.html
[13]
Only some known vulnerabilities are listed above, but there are many
more of them, and they are often described on less-known blogs or
forums.
Have a look at jquery, which can be found in different versions in
various places of the system, and several dozen plugins are loaded along
with the main library. The plugins are also in different versions, and
ready-made CVEs can be found for many of them.
--
Kind regards
Błażej Pabiszczak
CEO & Co-Founder at YetiForce
+48 884 999 123 | b.pabiszczak at yetiforce.com
www.yetiforce.com
W dniu 2020-09-11 07:58, Uma S napisał(a):
> Dear Developer,
>
> We are happy to accept more ideas from the community on what are the top 10 wish enhancements for 7.4? So that we can make the release fruitful.
>
> I would request all the community members to take part in this to share their thoughts.
> --
>
> With
> Best Regards
> Uma.S
> Vtiger Team
> _______________________________________________
> http://www.vtiger.com/
Links:
------
[1]
https://www.vtiger.com/blog/vtiger-crm-open-source-version-6-0-released/
[2]
https://www.cvedetails.com/vulnerability-list/vendor_id-5025/product_id-24644/version_id-142145/Zend-Zend-Framework-1.12.0.html
[3] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=KCFinder
[4]
https://www.cvedetails.com/vulnerability-list/vendor_id-16043/Moment-Project.html
[5]
https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/Jquery-Jquery.html
[6] https://www.cvedetails.com/cve/CVE-2016-7103
[7] https://github.com/select2/select2/issues/4587
[8] https://snyk.io/vuln/npm:jquery-migrate
[9]
https://www.cvedetails.com/vulnerability-list/vendor_id-19522/product_id-51406/Getbootstrap-Bootstrap.html
[10] https://github.com/ADOdb/ADOdb/blob/v5.20.7/docs/changelog.md
[11]
https://www.cvedetails.com/vulnerability-list/vendor_id-12058/Ckeditor.html
[12]
https://www.cvedetails.com/vulnerability-list/vendor_id-2921/product_id-5111/Smarty-Smarty.html
[13]
https://www.cvedetails.com/vulnerability-list/vendor_id-16116/product_id-35979/Tcpdf-Project-Tcpdf.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.vtigercrm.com/pipermail/vtigercrm-developers/attachments/20200918/cabdf234/attachment-0001.html>
More information about the vtigercrm-developers
mailing list