[Vtigercrm-developers] https://vtiger.com.co/ is it owned by Vtiger?

Uma S uma.s at vtiger.com
Sun Sep 20 11:38:17 GMT 2020


Thanks for the input, Nilay.

Yes! I agree we need to take a step towards improving our platform, which
includes upgrading the outdated libraries and compatibility with recent PHP.

Let's work together to contribute more to the product, mainly on the important
things first: Security, Coding practices. We are sure community
contribution is most respected. I will share the sequence of tasks for 7.4
soon, so we can plan and start working on them.

On Sun, Sep 20, 2020 at 3:24 PM nilay khatri <nilay.spartan at gmail.com>
wrote:

> I did that already when the attack happened.
>
> The path through which they were able to gain access was by uploading an
> extension that contained a lightweight File Manager and a DB Manager. Also
> related were view extensions which already contained a File Manager, and
> later those were removed from the extension store as well. Similarly, one of
> the development instances was compromised because of a very weak password
> set by the client. (1)
>
> Always make sure, when any instance is set up for a demo or for the public,
> to disable the extension store and the option to import module zip files.
>
> Later, the attacker also modified the login script of other instances on
> the same server and had put in code that keeps sending the credentials to
> the domain vtigersupport.com. I hope this clarifies why similar domains are
> kept in check by us.
>
> That is the best I can share as of now; for more information one can refer
> to the old threads. I spoke to/contacted other members of the community as
> well, and even they have faced similar attacks.
>
> Looking at the brighter side, it is a lesson learnt the hard way, and from
> then onwards we go through a monthly security audit; our solution, which is
> built on top of Vtiger, is also under continuous security review and
> improvements. I seriously stand on this with Blazej.
>
> To be frank, I was taken aback that even after Blazej reported many issues,
> no one from the Vtiger team took any action (I am not aware of any, because
> nothing was published in the public domain by Vtiger about that) until I
> took those points and created issues at code.vtiger.com. And then 7.2 was
> planned. Even right now there are several. I feel embarrassed to bring
> those basic kindergarten issues to light again and again. (1) Having a
> min. viable rule to set a password; login failure due to some characters,
> which even led to locking of the test instance which was set up by Vtiger
> for 7.3.
>
> I have many times emphasized a few incompatibilities and outdated
> libraries etc., such as with Cloudflare, and basic/obvious observable things
> reported by GitHub Dependabot, Snyk etc., but no attention has been given.
> I am ready to share more and more information, given that the community
> contribution is planned, kept transparent, and important things are focused
> on first. Security, Coding practices, Features is what I feel is the right
> sequence that should be followed.
>
> I am happy that there is more traction now, and slowly the community is
> being given attention. And so our contributions will increase as well;
> it will go hand in hand!
>
> -Cheers, Nilay
>
>
> On Sun, Sep 20, 2020 at 2:52 PM Uma S <uma.s at vtiger.com> wrote:
>
>> Ok, Nilay. Thanks for the update.
>>
>> A brief introduction to the issue you faced will help to plan a
>> strategy to solve such issues.
>>
>> On Sat, Sep 19, 2020 at 9:42 PM nilay khatri <nilay.spartan at gmail.com>
>> wrote:
>>
>>> Thanks Uma, I guess the legal team has been already notified.
>>>
>>> Just to remind, a couple of years back we faced attacks which emerged
>>> from the vtigersupport.com domain, and so it is really necessary to
>>> keep a tab on such domains.
>>>
>>> On Sat, Sep 19, 2020 at 9:14 PM Uma S <uma.s at vtiger.com> wrote:
>>>
>>>> Hi Nilay,
>>>>
>>>> Thanks for the alert. I have placed this request with our legal team,
>>>> who are acting on this issue.
>>>>
>>>> >>The reason why we need to be aware is to block any requests from such
>>>> domains and to list them as not-officially-associated with Vtiger list and
>>>> to share with our clients who are using Open Source Vtiger CRM.
>>>> Sure! We need to take the necessary actions to block any requests from
>>>> these domains. Can you please file an issue on code.vtiger.com?
>>>>
>>>> On Fri, Sep 18, 2020 at 7:08 AM nilay khatri <nilay.spartan at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Uma,
>>>>>
>>>>> Would there be any action taken against them? I have reported the URLs
>>>>> to your legal and partner team as well.
>>>>>
>>>>> The reason why we need to be aware is to block any requests from such
>>>>> domains, to list them as not-officially-associated with Vtiger, and to
>>>>> share with our clients who are using Open Source Vtiger CRM.
>>>>>
>>>>>
>>>>> On Sun, Sep 13, 2020 at 10:07 AM Uma S <uma.s at vtiger.com> wrote:
>>>>>
>>>>>> Hi Nilay,
>>>>>>
>>>>>> No! None of these belong to Vtiger. These might be using the
>>>>>> on-premise application for their business.
>>>>>>
>>>>>> On Sat, Sep 12, 2020 at 11:14 PM nilay khatri <
>>>>>> nilay.spartan at gmail.com> wrote:
>>>>>>
>>>>>>> What about the following:
>>>>>>>
>>>>>>> https://persianvtiger.com/
>>>>>>> http://www.itvtiger.com/
>>>>>>> http://vtiger-crm.ru/
>>>>>>> https://www.javtiger.com/
>>>>>>> http://www.lightcast-vtiger.com/
>>>>>>> http://www.teamvtiger.com/
>>>>>>> http://vtigercrmhosting.com/
>>>>>>> https://vt01.vtigercrmhosting.com/
>>>>>>> http://vtiger-hilfe.info/
>>>>>>>
>>>>>>>
>>>>>>> Most of them are providing Vtiger services or are related somehow.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Sep 12, 2020 at 10:55 PM Uma S <uma.s at vtiger.com> wrote:
>>>>>>>
>>>>>>>> Hi Nilay,
>>>>>>>>
>>>>>>>> No! This is not from Vtiger.
>>>>>>>>
>>>>>>>> On Sat, Sep 12, 2020 at 10:45 PM nilay khatri <
>>>>>>>> nilay.spartan at gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hi Vtiger team,
>>>>>>>>>
>>>>>>>>> I just came across https://vtiger.com.co/; is that a website from
>>>>>>>>> Vtiger?
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> http://www.vtiger.com/
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> With
>>>>>>>> Best Regards
>>>>>>>> Uma.S
>>>>>>>> Vtiger Team



-- 
With
Best Regards
Uma.S
Vtiger Team
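Nilay's account above has two defensive lessons: a baseline of the application files would have exposed the modified login script, and a watchlist of not-officially-associated domains (vtigersupport.com is the one named in this thread) lets an operator flag any file that references them. The script below is an added example written for this post, not code from the Vtiger project or from anyone in the thread; the web-root layout, file names and tampering in `demo()` are constructed, and the watchlist is meant to be extended by the operator.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Domain the thread names as an attack source; the operator extends this set.
WATCHLIST = {"vtigersupport.com"}
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)

def _files(root):
    """Yield (relative path, bytes) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                yield os.path.relpath(full, root), fh.read()

def build_baseline(root):
    """Relative path -> SHA-256 of every file; keep this copy off the server."""
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in _files(root)}

def diff_baseline(old, new):
    """Return (added, removed, modified) paths; a patched login script lands in modified."""
    modified = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    return sorted(set(new) - set(old)), sorted(set(old) - set(new)), modified

def watchlist_hits(root, watchlist=WATCHLIST):
    """Files whose text mentions a watchlisted domain or one of its subdomains."""
    hits = []
    for rel, data in _files(root):
        found = {m.lower() for m in DOMAIN_RE.findall(data.decode("utf-8", "replace"))}
        for dom in found:
            if any(dom == w or dom.endswith("." + w) for w in watchlist):
                hits.append((rel, dom))
    return sorted(hits)

def demo():
    """Constructed web root: take a baseline, then tamper with it as the thread describes."""
    root = Path(tempfile.mkdtemp())
    (root / "modules" / "Users").mkdir(parents=True)
    (root / "index.php").write_text("<?php // constructed front controller\n")
    login = root / "modules" / "Users" / "Login.php"
    login.write_text("<?php // constructed login script\n")
    baseline = build_baseline(root)
    # Constructed tampering: login script now mentions the watchlisted domain; a file is dropped.
    login.write_text(login.read_text() + "// constructed: contact https://vtigersupport.com/collect\n")
    (root / "dropped.php").write_text("<?php // constructed dropped file\n")
    return diff_baseline(baseline, build_baseline(root)), watchlist_hits(root)
```

Run `build_baseline` right after a clean install and store the result off the box, then re-run the comparison on a schedule; a hit from either check is a reason to pull the instance for review.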