[Vtigercrm-developers] https://vtiger.com.co/ is it owned by Vtiger?

nilay khatri nilay.spartan at gmail.com
Sun Sep 20 09:50:45 GMT 2020


I did that already when the attack happened.

The path through which they were able to gain access was by uploading an
extension that contained a lightweight File Manager and a DB Manager. Also
related were some extensions that already contained a File Manager, and
later those were removed from the extension store as well. Similarly, one of
the development instances was compromised because of a very weak password set
by the client. (1)

Always make sure, when any instance is set up for a demo or for the public, to
disable the extension store and the option to import module zip files.

Later, the attacker also modified the login script of other instances on
the same server and had put in code that kept sending the credentials to the
domain vtigersupport.com. I hope this clarifies why similar domains are
kept in check by us.

That is the best I can share as of now; for more information one can refer
to the old threads. I spoke to/contacted other members of the community as
well, and even they have faced similar attacks.

Looking at the brighter side, it is a lesson learnt the hard way, and from
then onwards we go through a monthly security audit; our solution, which is
built on top of Vtiger, is also under continuous security review and
improvement. I seriously stand on this with Blazej.

To be frank, I was taken aback that even after Blazej reported many issues
no one from the Vtiger team took any action (I am not aware of any, because
nothing was published in the public domain by Vtiger about that) until I took
those points and created issues at code.vtiger.com. And then 7.2 was
planned. Even right now there are several. I feel embarrassed to bring
those basic kindergarten issues to light again and again. (1) Having a
min. viable rule to set a password; login failure due to some characters,
which even led to locking of the test instance which was set up by Vtiger
for 7.3.

I have many times emphasized a few incompatibilities and outdated
libraries etc., such as with Cloudflare, and basic/obvious observable things
reported by GitHub Dependabot, Snyk etc., but no attention has been given.
I am ready to share more and more information given that the community
contribution is planned, kept transparent and important things are focused on
first. Security, coding practices, features is what I feel is the right
sequence that should be followed.

I am happy that there is more traction now, and slowly the community is
being given attention. And so our contributions will increase as well;
it will go hand in hand!

-Cheers, Nilay
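The incident Nilay describes above (a login script on the server modified to ship credentials to an outside domain) is the kind of tampering a file-integrity baseline plus a scan for unexpected outbound hosts catches. The script below is an added example, not code from this thread or from the Vtiger project: it hashes every file under a web root, then inspects any changed or new PHP file for URLs whose host is not on an assumed allowlist. The allowlist, the `modules/Users/Login.php` path and the `attacker.invalid` host are constructed for the demonstration.

```python
"""Added example: detect a tampered PHP login script via hash baseline + host scan."""
import hashlib
import re
import tempfile
from pathlib import Path

# Hosts the application may legitimately reference (assumed allowlist, not Vtiger's).
ALLOWED_HOSTS = {"www.vtiger.com", "code.vtiger.com", "localhost"}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def baseline(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 hex digest for every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def changed_files(old: dict, new: dict) -> set:
    """Paths that are new or whose hash no longer matches the stored baseline."""
    return {p for p, h in new.items() if old.get(p) != h}


def foreign_hosts(source: str) -> set:
    """Hosts of URLs found in source text that are not on the allowlist."""
    return {h.lower() for h in URL_RE.findall(source)} - ALLOWED_HOSTS


def audit(root: Path, old: dict) -> dict:
    """Changed .php files under root that reference a non-allowlisted host."""
    findings = {}
    for rel in changed_files(old, baseline(root)):
        if rel.endswith(".php"):
            hosts = foreign_hosts((root / rel).read_text(errors="replace"))
            if hosts:
                findings[rel] = hosts
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a clean tree, then tamper with Login.php."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        login = root / "modules" / "Users" / "Login.php"   # constructed path
        login.parent.mkdir(parents=True)
        login.write_text("<?php\n// original login handling\n")
        clean = baseline(root)
        # Simulated tampering: an appended line that contacts an outside host.
        login.write_text(login.read_text()
                         + "@file_get_contents('https://attacker.invalid/c');\n")
        return audit(root, clean)
```

Run `demo()` to see the tampered file reported with the foreign host it contacts; in a real deployment the baseline dict would be stored off-host and compared on a schedule.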


On Sun, Sep 20, 2020 at 2:52 PM Uma S <uma.s at vtiger.com> wrote:

> Ok! Nilay. Thanks! for the update.
>
> A brief introduction to the issue you faced will help to plan a
> strategy to solve such issues.
>
> On Sat, Sep 19, 2020 at 9:42 PM nilay khatri <nilay.spartan at gmail.com>
> wrote:
>
>> Thanks Uma, I guess the legal team has been already notified.
>>
>> Just to remind you, a couple of years back we faced attacks which emerged
>> from the vtigersupport.com domain, and so it is really necessary to keep
>> a tab on such domains.
>>
>> On Sat, Sep 19, 2020 at 9:14 PM Uma S <uma.s at vtiger.com> wrote:
>>
>>> Hi Nilay,
>>>
>>> Thanks for the alert! I have placed this request with our legal team,
>>> who are acting on this issue.
>>>
>>> >>The reason why we need to be aware is to block any requests from such
>>> domains and to list them as not-officially-associated with Vtiger list and
>>> to share with our clients who are using Open Source Vtiger CRM.
>>> Sure! We need to take necessary actions to block any requests from these
>>> domains. Can you please file an issue on code.vtiger.com
>>>
>>> On Fri, Sep 18, 2020 at 7:08 AM nilay khatri <nilay.spartan at gmail.com>
>>> wrote:
>>>
>>>> Hi Uma,
>>>>
>>>> Would there be any action that would be taken against them? I have
>>>> reported the URLs to your legal and partner team as well.
>>>>
>>>> The reason why we need to be aware is to block any requests from such
>>>> domains and to list them as not-officially-associated with Vtiger list and
>>>> to share with our clients who are using Open Source Vtiger CRM.
>>>>
>>>>
>>>> On Sun, Sep 13, 2020 at 10:07 AM Uma S <uma.s at vtiger.com> wrote:
>>>>
>>>>> Hi Nilay,
>>>>>
>>>>> No! None of these belong to Vtiger. These might be using the
>>>>> on-premise application for their business.
>>>>>
>>>>> On Sat, Sep 12, 2020 at 11:14 PM nilay khatri <nilay.spartan at gmail.com>
>>>>> wrote:
>>>>>
>>>>>> What about the following:
>>>>>>
>>>>>> https://persianvtiger.com/
>>>>>> http://www.itvtiger.com/
>>>>>> http://vtiger-crm.ru/
>>>>>> https://www.javtiger.com/
>>>>>> http://www.lightcast-vtiger.com/
>>>>>> http://www.teamvtiger.com/
>>>>>> http://vtigercrmhosting.com/
>>>>>> https://vt01.vtigercrmhosting.com/
>>>>>> http://vtiger-hilfe.info/
>>>>>>
>>>>>>
>>>>>> Most of them are providing Vtiger services or are related somehow.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Sep 12, 2020 at 10:55 PM Uma S <uma.s at vtiger.com> wrote:
>>>>>>
>>>>>>> Hi Nilay,
>>>>>>>
>>>>>>> No! This is not from Vtiger.
>>>>>>>
>>>>>>> On Sat, Sep 12, 2020 at 10:45 PM nilay khatri <
>>>>>>> nilay.spartan at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Vtiger team,
>>>>>>>>
>>>>>>>> just came across https://vtiger.com.co/  is that a website from
>>>>>>>> Vtiger?
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> http://www.vtiger.com/
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> With
>>>>>>> Best Regards
>>>>>>> Uma.S
>>>>>>> Vtiger Team