28,936
edits
Changes
m
→File:securite.png Security Alerts
Line 9:
Line 9:
=[[File:securite.png]] Alerts=
−
+
+
+
[[Category:Admin]]
[[Category:Admin]]
[[Category:Admin_en]]
[[Category:Admin_en]]
−To receive all official alerts about known security vulnerabilities on Dolibarr project (aggregation of official published CVE, Private Vulnerability Disclosure, project issues) you can:
+This page is an entry point to the various information relating to Dolibarr ERP CRM in relation to security.
+=[[File:securite.png]] Security Alerts=
+To list or receive all official alerts about known security vulnerabilities (aggregation of official published CVE, Private Vulnerability Disclosure, project issues) on Dolibarr project you can:
* look at the section "'''Security alerts'''" available on this page https://cti.dolibarr.org,
* look at the section "'''Security alerts'''" available on this page https://cti.dolibarr.org,
* or subscribe to the RSS feed at https://cti.dolibarr.org/index-security.rss (for example with the Android application [https://f-droid.org/packages/com.nononsenseapps.feeder/ Feeder]) if you need to receive or read alert in real time on your smartphone.
* or subscribe to the RSS feed at https://cti.dolibarr.org/index-security.rss (for example with the Android application [https://f-droid.org/packages/com.nononsenseapps.feeder/ Feeder]) if you need to receive or read alert in real time on your smartphone.
Line 86:
Line 90:
*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
+*Sanitization of directory and file names (internal functions dol_sanitizeFilename() and dol_sanitizePathname().
Line 138:
Line 143:
----
----
−<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten] at range number X.
+<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten 2007] at range number X. Value for position X may have been changed since.