Line 10:
Line 10:
[[Category:Admin_en]]
[[Category:Admin_en]]
−
=[[File:securite.png]] Alerts=
+
This page is an entry point to the various information relating to Dolibarr ERP CRM in relation to security.
−
Last update: {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY}}
−
3 CVE have been published in july 2023.
−
Fix is available into {{Template:SafeVersion}} and higher versions.
−
Note: You can also download from GitHub the '''intermediate''' versions (not yet released maintenance package) for all branches/version (https://github.com/Dolibarr/dolibarr/)
+
=[[File:securite.png]] Security Alerts=
+
+
To list or receive all official alerts about known security vulnerabilities (aggregation of official published CVE, Private Vulnerability Disclosure, project issues) on Dolibarr project you can:
+
* look at the section "'''Security alerts'''" available on this page https://cti.dolibarr.org,
+
* or subscribe to the RSS feed at https://cti.dolibarr.org/index-security.rss (for example with the Android application [https://f-droid.org/packages/com.nononsenseapps.feeder/ Feeder]) if you need to receive or read alert in real time on your smartphone.
+
+
* If you want to also receive security alerts not yet known by the project team, and published in the international CVE database, you can subscribe to a CVE alert service. A good service for example https://opencve.io).
=[[File:art.png]] Security Features=
=[[File:art.png]] Security Features=
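Review bot: the third bullet of the new list (the opencve.io item) has a stray closing parenthesis and a sentence fragment, "A good service for example https://opencve.io)."; suggest "for example https://opencve.io." Also the two blank "+" lines before that bullet split the wiki list into two separate lists, so drop them, and "receive or read alert in real time" should read "alerts". Finally, this hunk removes the line "Fix is available into {{Template:SafeVersion}} and higher versions" without replacing it; if the page no longer tracks a safe version, say so, otherwise keep that pointer since it is the one piece of actionable advice for an administrator reading the alert section.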
Line 74:
Line 77:
*Protection against SQL injection. Protected by an Internal WAF, and unit test to check database good practice for escapement. <sup>[*2]</sup>.
*Protection against SQL injection. Protected by an Internal WAF, and unit test to check database good practice for escapement. <sup>[*2]</sup>.
*Protection against XSS injection (Cross Site Scripting). Protected by an internal WAF and web page headers. <sup>[*1]</sup>.
*Protection against XSS injection (Cross Site Scripting). Protected by an internal WAF and web page headers. <sup>[*1]</sup>.
−
*Protection against SSRF.
+
*Protection against SSRF. All access to an URL uses the getURLContent() method into core/lib/geturl.lib.php that bring this protection.
*Protection against CSRF (Cross Site Request Forgery). Protected by an internal WAF and a token system. <sup>[*5]</sup>.
*Protection against CSRF (Cross Site Request Forgery). Protected by an internal WAF and a token system. <sup>[*5]</sup>.
−
Note that it is also recommended to protect your web server by disabled Apache option
+
Note that it is also recommended to protect your web server by disabling the Apache option
<syntaxhighlight lang="ini">
<syntaxhighlight lang="ini">
AcceptPathInfo Off
AcceptPathInfo Off
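Review bot: the new SSRF line states "All access to an URL uses the getURLContent() method", which is an absolute claim the diff gives no way to verify; the SQL injection bullet above backs its claim with a unit test, so either reference an equivalent check or phrase this as the project rule ("all URL fetches must go through getURLContent() in core/lib/geturl.lib.php, which applies the SSRF checks"). Grammar: "that bring this protection" should read "that brings this protection", and "an URL" should read "a URL".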
Line 87:
Line 90:
*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
−
*Dolibarr directories content can't be accessed even if Apache option Indexes has been forgotten to on (should not) <sup>[*3]</sup>.
+
*Sanitization of directory and file names (internal functions dol_sanitizeFilename() and dol_sanitizePathname().
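Review bot: the added sanitization bullet is missing its closing parenthesis: "(internal functions dol_sanitizeFilename() and dol_sanitizePathname()." should end with "...dol_sanitizePathname())." Separately, this hunk drops the statement that directory contents cannot be listed even when the Apache Indexes option is left on; if that protection still exists it should stay on the page (the new bullet covers filename sanitization, which is a different control), and if it was removed on purpose the commit should say why.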
Line 96:
Line 99:
*Restrict access to backoffice for some IP only <sup>[*7]</sup>.
*Restrict access to backoffice for some IP only <sup>[*7]</sup>.
*No passwords in logs, even in technical logs <sup>[*7]</sup>.
*No passwords in logs, even in technical logs <sup>[*7]</sup>.
−
*Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins or administration events (user or group or permission changes).
+
*Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins or administration events (like user or group or permission changes).
*Can output a log record into a log file (module Debug Log must be enabled with at least level 5-LOG_NOTICE on production server, higher on development server) after success or failed login attempt so you can add a fail2ban rule to lock brute force cracking. You can check record with syntax :
*Can output a log record into a log file (module Debug Log must be enabled with at least level 5-LOG_NOTICE on production server, higher on development server) after success or failed login attempt so you can add a fail2ban rule to lock brute force cracking. You can check record with syntax :
"YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG) IP functions_dolibarr::check_user_password_.* Authentication KO"
"YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG) IP functions_dolibarr::check_user_password_.* Authentication KO"
A list of fail2ban rules to add to your server is provided on chapter '''DOS and Brute force rate Mitigation''' later.
A list of fail2ban rules to add to your server is provided on chapter '''DOS and Brute force rate Mitigation''' later.
+
'''Viruses'''
'''Viruses'''
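Review bot: the reworded logger bullet still says "administration" twice ("events about user's administration and successful or failed logins or administration events (like user or group or permission changes)"); since the only change here is adding "like", consider tightening the whole sentence to "permanently records user-administration events (user, group or permission changes) and successful or failed logins", which is what the parenthetical is trying to illustrate.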
Line 120:
Line 124:
Our release process bring each version with a footprint file (also available online) to validate all files of your local installation.
Our release process bring each version with a footprint file (also available online) to validate all files of your local installation.
−
−
Note: Dolibarr conforms to the Best Practices defined by the OpenSourceSSF: https://bestpractices.coreinfrastructure.org/projects/5521
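Review bot: removing the OpenSourceSSF note here is fine because the same sentence is re-added under its own heading later in this diff, so no information is lost; while this paragraph is being touched, the context line "Our release process bring each version" should read "brings".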
Line 127:
Line 129:
The project provide examples of some fail2ban rules to block brute force attempts or abusive access on login page, password forgotten page and on any public pages. See https://github.com/Dolibarr/dolibarr/tree/develop/dev/setup/fail2ban
The project provide examples of some fail2ban rules to block brute force attempts or abusive access on login page, password forgotten page and on any public pages. See https://github.com/Dolibarr/dolibarr/tree/develop/dev/setup/fail2ban
+
+
+
'''OpenSourceSSF'''
+
+
Dolibarr conforms to the Best Practices defined by the OpenSourceSSF: https://bestpractices.coreinfrastructure.org/projects/5521
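Review bot: the new '''OpenSourceSSF''' heading is preceded by three added blank lines and followed by two; one blank line on each side matches the rest of the page. The badge at bestpractices.coreinfrastructure.org belongs to the OpenSSF (Open Source Security Foundation) Best Practices program, so "OpenSourceSSF" should read "OpenSSF" in both the heading and the sentence. Context line: "The project provide examples" should read "provides".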
=[[File:art.png]] Report a security vulnerability=
=[[File:art.png]] Report a security vulnerability=
−
*To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
+
To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
−
*If you are allowed, you can also use the security feature of GitHub on https://github.com/Dolibarr/dolibarr/security
−
In most cases, security reports are processed in few days only.
+
In most cases, security reports are processed in few days.
----
----
−
<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten] at range number X.
+
<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten 2007] at range number X. Value for position X may have been changed since.
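Review bot: this hunk silently drops the second reporting channel, "If you are allowed, you can also use the security feature of GitHub on https://github.com/Dolibarr/dolibarr/security"; unless SECURITY.md already documents the GitHub private reporting route, keep that line so reporters still have both paths. Wording: "processed in few days" should read "processed in a few days", and in the footnote "at range number X" should read "at rank X", with "Value for position X may have been changed since" rephrased as "the rank may have changed in later editions of the Top Ten" now that the link is explicitly labelled 2007.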