Line 10:
Line 10:
[[Category:Admin_en]]
[[Category:Admin_en]]
−
=[[File:securite.png]] Alerts=
+
This page is an entry point to the various information relating to Dolibarr ERP CRM in relation to security.
−
To receive known security alerts about Dolibarr (aggregation of official published CVE, Private Vulnerability Disclosure, project issues) you can read the section "Securities alert" available on this page https://cti.dolibarr.org or subscribe to the RSS feed at https://cti.dolibarr.org/index-security.rss
−
You can also receive security alerts not yet known by the project team and published in the international CVE database by subscribing to a CVE alert service. A good service for example https://opencve.io).
+
=[[File:securite.png]] Security Alerts=
+
+
To list or receive all official alerts about known security vulnerabilities (aggregation of official published CVE, Private Vulnerability Disclosure, project issues) on Dolibarr project you can:
+
* look at the section "'''Security alerts'''" available on this page https://cti.dolibarr.org,
+
* or subscribe to the RSS feed at https://cti.dolibarr.org/index-security.rss (for example with the Android application [https://f-droid.org/packages/com.nononsenseapps.feeder/ Feeder]) if you need to receive or read alert in real time on your smartphone.
+
+
* If you want to also receive security alerts not yet known by the project team, and published in the international CVE database, you can subscribe to a CVE alert service. A good service for example https://opencve.io).
=[[File:art.png]] Security Features=
=[[File:art.png]] Security Features=
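Review bot: the new third bullet breaks the grammar of the list and carries a stray parenthesis. The list is introduced by "on Dolibarr project you can:", so each item must continue that sentence; "* If you want to also receive security alerts ..." does not, and "A good service for example https://opencve.io)." closes a parenthesis that was never opened. Suggest: "* or, to also receive security alerts not yet known by the project team but already published in the international CVE database, subscribe to a CVE alert service (for example https://opencve.io)." It would also help the reader to say that such a subscription must be filtered on Dolibarr (vendor/product), otherwise it delivers every CVE published. Smaller points in the same hunk: "on Dolibarr project" → "on the Dolibarr project", "receive or read alert in real time" → "alerts", and the two blank "+" lines between the second and third bullets end the list in wiki markup, so keep only one of them.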
Line 85:
Line 90:
*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
+
*Sanitization of directory and file names (internal functions dol_sanitizeFilename() and dol_sanitizePathname().
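Review bot: the added bullet has an unclosed parenthesis: "(internal functions dol_sanitizeFilename() and dol_sanitizePathname()." needs a closing ")" before the period. It is also the only bullet in this list without an OWASP footnote; if it belongs to the same protection class as the file-storage bullet above it, add the matching <sup>[*N]</sup>, otherwise say briefly what the sanitization is meant to prevent (typically path traversal through "../" in user-supplied names) so the reader knows why it is listed under security features. While this region is being edited, the unchanged bullet above has typos that could go in the same change: "directoy" → "directory", "neither in a sub-directory than" → "nor in a sub-directory of", "You web virtual host" → "Your web virtual host", "can't be download" → "can't be downloaded".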
Line 133:
Line 139:
To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
−
In most cases, security reports are processed in few days only.
+
In most cases, security reports are processed in few days.
----
----
−
<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten] at range number X.
+
<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten 2007] at range number X. Value for position X may have been changed since.
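Review bot: "in few days" still reads wrong after the edit; it should be "in a few days". In the footnote, "at range number X" should be "at position X" (the Top Ten is a ranked list; "range" is a false friend), and "Value for position X may have been changed since." is clearer as "The position of each category may have changed in later editions of the Top Ten." Now that the footnote names the 2007 edition explicitly, the link target matches the text; consider switching the owasp.org link to https while touching the line.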