Changes

Line 4: Line 4:  
[[fr:Informations_sécurité]]
 
[[fr:Informations_sécurité]]
 
[[es:Información_de_seguridad]]
 
[[es:Información_de_seguridad]]
 +
[[zh:安全信息]]
 
<!-- END interlang links -->
 
<!-- END interlang links -->
   Line 9: Line 10:  
[[Category:Admin_en]]
 
[[Category:Admin_en]]
   −
=[[File:securite.png]] Alerts=
+
This page is an entry point to the various information relating to Dolibarr ERP CRM in relation to security.
Last update: {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY}}
     −
A vulnerability allowing a user to get the list of contacts (name, firstname and id in database) has been discovered.
  −
Fix is available into {{Template:SafeVersion}}.
     −
Note: You can also download from GitHub the '''intermediate''' versions (not yet released maintenance package) for all branches/version (https://github.com/Dolibarr/dolibarr/)
+
=[[File:securite.png]] Security Alerts=
 +
 
 +
To list or receive all official alerts about known security vulnerabilities (aggregation of official published CVE, Private Vulnerability Disclosure, project issues) on Dolibarr project you can:
 +
* look at the section "'''Security alerts'''" available on this page https://cti.dolibarr.org,
 +
* or subscribe to the RSS feed at https://cti.dolibarr.org/index-security.rss (for example with the Android application [https://f-droid.org/packages/com.nononsenseapps.feeder/ Feeder]) if you need to receive or read alert in real time on your smartphone.
 +
 
 +
* If you want to also receive security alerts not yet known by the project team, and published in the international CVE database, you can subscribe to a CVE alert service. A good service for example https://opencve.io).
    
=[[File:art.png]] Security Features=
 
=[[File:art.png]] Security Features=
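Review bot: the rewritten Alerts section drops the pointer to the fixed release ("Fix is available into {{Template:SafeVersion}}") and to the intermediate GitHub builds, so a reader who arrives from an alert no longer learns which version to upgrade to; keep one line under the new heading, for instance "Fixes are shipped in {{Template:SafeVersion}}; intermediate builds of each branch are available on https://github.com/Dolibarr/dolibarr/". Two smaller points in the same hunk: the third bullet has a stray closing parenthesis ("A good service for example https://opencve.io)." should read "for example https://opencve.io") and is separated from the first two bullets by a blank line, which breaks the list; and "if you need to receive or read alert in real time" should be "if you need to receive or read alerts in real time".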
Line 29: Line 33:  
*Possibility to force HTTPS <sup>[*9]</sup>.
 
*Possibility to force HTTPS <sup>[*9]</sup>.
   −
<syntaxHighlight lang="php">
+
<syntaxhighlight lang="php">
 
//conf/conf.php file
 
//conf/conf.php file
 
//example of $dolibarr_main_force_https  configuration
 
//example of $dolibarr_main_force_https  configuration
 
$dolibarr_main_force_https = '1';//to force https
 
$dolibarr_main_force_https = '1';//to force https
</syntaxHighlight>
+
</syntaxhighlight>
    
{| class="wikitable" style="width:100%;"
 
{| class="wikitable" style="width:100%;"
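Review bot: the comment on `$dolibarr_main_force_https = '1';//to force https` documents only one value, so the reader cannot tell whether '1' is the only enabling value or what host the redirect targets; state the accepted values of this setting and what each one does, or point to the file where they are described. Also worth one clause in the bullet: an application-level redirect to HTTPS does not prevent the first plaintext request, so the web server should still send an HSTS header.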
Line 73: Line 77:  
*Protection against SQL injection. Protected by an Internal WAF, and unit test to check database good practice for escapement. <sup>[*2]</sup>.
 
*Protection against SQL injection. Protected by an Internal WAF, and unit test to check database good practice for escapement. <sup>[*2]</sup>.
 
*Protection against XSS injection (Cross Site Scripting). Protected by an internal WAF and web page headers. <sup>[*1]</sup>.
 
*Protection against XSS injection (Cross Site Scripting). Protected by an internal WAF and web page headers. <sup>[*1]</sup>.
*Protection against SSRF.
+
*Protection against SSRF. All access to an URL uses the getURLContent() method into core/lib/geturl.lib.php that bring this protection.
 
*Protection against CSRF (Cross Site Request Forgery). Protected by an internal WAF and a token system. <sup>[*5]</sup>.
 
*Protection against CSRF (Cross Site Request Forgery). Protected by an internal WAF and a token system. <sup>[*5]</sup>.
   −
Note that it is also recommended to protect your web server by disabled Apache option
+
Note that it is also recommended to protect your web server by disabling the Apache option
<syntaxHighlight lang="ini">
+
<syntaxhighlight lang="ini">
 
AcceptPathInfo Off
 
AcceptPathInfo Off
</syntaxHighlight>
+
</syntaxhighlight>
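Review bot: the added SSRF sentence ("All access to an URL uses the getURLContent() method into core/lib/geturl.lib.php that bring this protection") says where the protection lives but not what it does; say what getURLContent() rejects (the reader cannot tell whether loopback and private addresses, redirects or non-HTTP schemes are covered) and fix the grammar: "All access to a URL goes through the getURLContent() function in core/lib/geturl.lib.php, which provides this protection." The `AcceptPathInfo Off` recommendation is also given without a reason; one clause explaining that path-info lets a request such as /index.php/anything reach the script under a different URL is enough for an administrator to understand why it matters.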
      Line 86: Line 90:  
*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
 
*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
 
*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
 
*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
*Dolibarr directories content can't be accessed even if Apache option Indexes has been forgotten to on (should not) <sup>[*3]</sup>.
+
*Sanitization of directory and file names (internal functions dol_sanitizeFilename() and dol_sanitizePathname().
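Review bot: the new bullet has an unbalanced parenthesis ("(internal functions dol_sanitizeFilename() and dol_sanitizePathname()." is missing its closing parenthesis); it should also state the property an administrator relies on, namely whether "../" traversal sequences are stripped or rejected. This bullet replaces the one about Apache Indexes being left on; if directory-listing protection still holds, keep both, since they are not alternatives. The unchanged context line in this hunk still carries typos worth fixing in the same edit: "You web virtual host" (Your), "this directoy" (directory), "can't be download" (downloaded) and "neither in a sub-directory than" (nor in a sub-directory of).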
      Line 95: Line 99:  
*Restrict access to backoffice for some IP only <sup>[*7]</sup>.
 
*Restrict access to backoffice for some IP only <sup>[*7]</sup>.
 
*No passwords in logs, even in technical logs <sup>[*7]</sup>.
 
*No passwords in logs, even in technical logs <sup>[*7]</sup>.
*Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins or administration events (user or group or permission changes).
+
*Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins or administration events (like user or group or permission changes).
*Can output a log record into a log file (module Debug Log must be enabled with at least level 5-LOG_NOTICE on production server, higher on development server) after success or failed login attempt so you can add a fail2ban rule to lock brute force cracking. You can check record with syntax :  
+
*Can output a log record into a log file (module Debug Log must be enabled with at least level 5-LOG_NOTICE on production server, higher on development server) after success or failed login attempt so you can add a fail2ban rule to lock brute force cracking. You can check record with syntax :
 +
 
 
  "YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG)    IP functions_dolibarr::check_user_password_.* Authentication KO"
 
  "YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG)    IP functions_dolibarr::check_user_password_.* Authentication KO"
 
A list of fail2ban rules to add to your server is provided on chapter '''DOS and Brute force rate Mitigation''' later.
 
A list of fail2ban rules to add to your server is provided on chapter '''DOS and Brute force rate Mitigation''' later.
 +
    
'''Viruses'''
 
'''Viruses'''
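Review bot: the pattern shown for matching failed logins mixes a literal placeholder ("YYYY-MM-DD HH:MM:SS") with regex alternation ("(ERROR|NOTICE|INFO|DEBUG)") and an unanchored "IP", so it is neither a sample log line nor a usable fail2ban failregex; show one real line from the Dolibarr log and leave the regex to the filter files under dev/setup/fail2ban referenced in the next sentence. Two smaller points: "Authentication KO" is the token a fail2ban rule keys on, so say explicitly that it appears on failed attempts only (the sentence says "after success or failed login attempt"); and the logger bullet says administration twice ("about user's administration and successful or failed logins or administration events (like user or group or permission changes)"), which reads better as "successful or failed logins and administration events (user, group or permission changes)".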
Line 118: Line 124:     
Our release process bring each version with a footprint file (also available online) to validate all files of your local installation.
 
Our release process bring each version with a footprint file (also available online) to validate all files of your local installation.
  −
Note: Dolibarr conforms to the Best Practices defined by the OpenSourceSSF: https://bestpractices.coreinfrastructure.org/projects/5521
        Line 126: Line 130:  
The project provide examples of some fail2ban rules to block brute force attempts or abusive access on login page, password forgotten page and on any public pages. See https://github.com/Dolibarr/dolibarr/tree/develop/dev/setup/fail2ban
 
The project provide examples of some fail2ban rules to block brute force attempts or abusive access on login page, password forgotten page and on any public pages. See https://github.com/Dolibarr/dolibarr/tree/develop/dev/setup/fail2ban
   −
=[[File:art.png]] Report a security vulnerability =
     −
*To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
+
'''OpenSourceSSF'''
*If you are allowed, you can also use the security feature of GitHub on https://github.com/Dolibarr/dolibarr/security
+
 
 +
Dolibarr conforms to the Best Practices defined by the OpenSourceSSF: https://bestpractices.coreinfrastructure.org/projects/5521
 +
 
 +
=[[File:art.png]] Report a security vulnerability=
   −
In most cases, security reports are processed in few days only.
+
To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
    +
In most cases, security reports are processed in few days.
       
----
 
----
<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten] at range number X.
+
<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten 2007] at range number X. Value for position X may have been changed since.
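Review bot: the rewrite of the reporting section drops "If you are allowed, you can also use the security feature of GitHub on https://github.com/Dolibarr/dolibarr/security", i.e. the private advisory channel, leaving SECURITY.md as the only pointer; keep that line, since the Security Alerts section in the earlier hunk counts "Private Vulnerability Disclosure" among its sources. Smaller points: the badge program linked at bestpractices.coreinfrastructure.org is the OpenSSF Best Practices badge, so the new heading and sentence should say "OpenSSF" rather than "OpenSourceSSF"; "processed in few days" should be "processed within a few days"; and in the footnote, "Value for position X may have been changed since" reads better as "the position X may have changed in later editions of the Top Ten".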