<div dir="ltr">but it's only at yetiforce right?</div><div class="gmail_extra"><br><div class="gmail_quote">2015-09-09 10:23 GMT-03:00 Błażej Pabiszczak <span dir="ltr"><<a href="mailto:b.pabiszczak@yetiforce.com" target="_blank">b.pabiszczak@yetiforce.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="font-size:10pt;font-family:Verdana,Geneva,sans-serif">
<p><span>Generally, all mechanisms that allow external access should be disabled by default.<br>We created this file: </span><a href="https://github.com/YetiForceCompany/YetiForceCRM/blob/stable/config/api.php" rel="noreferrer" target="_blank"><span><span><span>https://github.com/YetiForceCompany/YetiForceCRM/blob/stable/config/api.php</span></span></span></a><span><span><span>, where you can easily disable/enable services. Webservices enabled by default, together with access keys available for the users, is not a good practice [I'd even say that the permissions control is fictional if it can be bypassed]. It's even worse with the mobile module in modules/Mobile. This module should be disabled by default [and eventually removed or written from scratch] because it's full of holes: it's enough to run a scanner, such as Acunetix, or perform an audit, to see how dangerous this module is.</span></span></span></p>
<div>---<br>
<div>Yours sincerely / Regards</div>
<div><strong>Błażej Pabiszczak</strong></div>
<div><em>Chief Executive Officer</em></div>
<div>M: +48.884999123<br>E: <a title="Mail to Błażej Pabiszczak" href="mailto:b.pabiszczak@yetiforce.com" target="_blank">b.pabiszczak@yetiforce.com</a></div>
</div><div><div class="h5">
<p>On 2015-09-09 13:51, Ranieri wrote:</p>
</div></div><blockquote type="cite" style="padding:0 0.4em;border-left:#1010ff 2px solid;margin:0"><div><div class="h5">
<div dir="ltr">You blocked only file webservices.php ? is enough?</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">2015-09-09 1:31 GMT-03:00 Preexo <span><<a href="mailto:preexo@googlemail.com" target="_blank">preexo@googlemail.com</a>></span>:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I use apaches Allow from 123.123.123.13 for that.<br><a href="http://httpd.apache.org/docs/2.2/howto/access.html" target="_blank">http://httpd.apache.org/docs/2.2/howto/access.html</a><br><br><br><br> --<br> View this message in context: <a href="http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-Restrict-access-thru-Webservices-tp17267p17274.html" target="_blank">http://vtiger-crm.2324883.n4.nabble.com/Vtigercrm-developers-Restrict-access-thru-Webservices-tp17267p17274.html</a><br> Sent from the vtigercrm-developers mailing list archive at Nabble.com.<br> _______________________________________________<br><a href="http://www.vtiger.com/" target="_blank">http://www.vtiger.com/</a></blockquote>
</div>
</div>
<br>
</div></div><div style="margin:0;padding:0;font-family:monospace">_______________________________________________<br><a href="http://www.vtiger.com/" target="_blank">http://www.vtiger.com/</a></div>
</blockquote>
</div>
</blockquote></div><br></div>