<!-- BEGIN origin interlang links -->
<!-- You can edit this section but do NOT remove these comments
    Links below will be automatically replicated on translated pages by PolyglotBot -->
[[fr:Informations_sécurité]]
[[es:Información_de_seguridad]]
[[zh:安全信息]]
<!-- END interlang links -->

[[Category:Admin]]
[[Category:Admin_en]]
Last update: {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY}}

This page is the entry point to the information about Dolibarr ERP CRM that relates to security.


=[[File:securite.png]] Security Alerts=

To list or receive all official alerts about known security vulnerabilities in the Dolibarr project (an aggregation of published CVEs, private vulnerability disclosures and project issues), you can:
* look at the section "'''Security alerts'''" on https://cti.dolibarr.org,
* or subscribe to the RSS feed at https://cti.dolibarr.org/index-security.rss (for example with the Android application [https://f-droid.org/packages/com.nononsenseapps.feeder/ Feeder]) if you need to receive or read alerts in real time on your smartphone,
* or, if you also want to receive security alerts not yet known to the project team but already published in the international CVE database, subscribe to a CVE alert service, for example https://opencve.io.

=[[File:art.png]] Security Features=

Dolibarr implements several security features to follow best-practice rules related to security.

This is a list of the main security features you can find:
'''Encryption'''

*Passwords and security key data are stored encrypted in the database <sup>[*7]</sup> <sup>[*8]</sup>.
*The database technical password can be obfuscated in the [[Configuration_file|Dolibarr configuration file]] (conf.php) <sup>[*8]</sup>. Note that obfuscation only hides the value from a casual reader: the application has to recover the clear password to connect, so anyone who can read conf.php can do the same. The file itself must stay unreadable to other accounts on the server.
*Possibility to force HTTPS <sup>[*9]</sup>.

<syntaxhighlight lang="php">
// conf/conf.php file
// example of the $dolibarr_main_force_https configuration
$dolibarr_main_force_https = '1'; // force a redirect to https (see the table of values below)
</syntaxhighlight>

{| class="wikitable" style="width:100%;"
! scope="col" |Value
! scope="col" |Description
|-
| style="width:50%;" |0
| style="width:50%;" |No forced redirect
|-
| style="width:50%;" |1
| style="width:50%;" |Force a redirect to https unless the SCRIPT_URI of the request already starts with https
|-
| style="width:50%;" |2
| style="width:50%;" |Force a redirect to https unless $_SERVER["HTTPS"] is 'on' for the request
|-
| style="width:50%;" |https://mydomain
| style="width:50%;" |Force a redirect to the https URL https://mydomain (recommended method)
|}

Values 1 and 2 depend on the web server filling SCRIPT_URI or HTTPS for PHP. When TLS is terminated by a reverse proxy in front of PHP these variables may be missing or wrong, and the redirect can loop; the explicit https://mydomain form does not depend on them, which is why it is the recommended one.


'''Features Anti Hacks and cracks'''

*Works with PHP register_globals on or off (off highly recommended) <sup>[*2]</sup>.
*Works with PHP safe_mode on or off (on recommended) <sup>[*3]</sup>. Both register_globals and safe_mode were removed in PHP 5.4, so on any supported PHP version these two directives simply no longer exist.
*Production mode to disable any technical information leakage such as debug output, error stack traces and version information (see [[Configuration_file|configuration file]]) <sup>[*6]</sup>.
*WAF: Protection against SQL injection. Protected by an internal WAF and by unit tests that check database good practice for escaping <sup>[*2]</sup>.
*WAF: Protection against XSS injection (Cross Site Scripting). Protected by an internal WAF and web page headers <sup>[*1]</sup>.
*Protection against SSRF. All access to a URL goes through the getURLContent() method in core/lib/geturl.lib.php, which provides this protection.
*Protection against CSRF (Cross Site Request Forgery). Protected by an internal WAF and a token system (with several levels of renewal policy, by session or by page) <sup>[*5]</sup>.

Note that it is also recommended to protect your web server by disabling the Apache option AcceptPathInfo:
<syntaxhighlight lang="apache">
AcceptPathInfo Off
</syntaxhighlight>
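
The SSRF bullet above says every outbound URL fetch is routed through one guarded function. The block below is an added example of what such a guard has to decide, written in Python by the editor of this page; it is not Dolibarr's getURLContent() and does not reproduce its logic. The policy it assumes (only http/https, no credentials in the URL, and every address the host resolves to must be globally routable) is the editor's choice; the addresses and URLs used are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not Dolibarr's getURLContent(). Assumed policy: an
# application-initiated fetch may only go to http(s) hosts whose every
# resolved address is globally routable. That refuses 127.0.0.1, ::1,
# 10/8, 172.16/12, 192.168/16, 100.64/10 (CGNAT), 169.254.169.254 (cloud
# metadata), multicast and the unspecified address with one rule.
ALLOWED_SCHEMES = {"http", "https"}


def _resolve(host):
    """All IP addresses the host maps to (an IP literal needs no DNS)."""
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    unmapped = []
    for addr in addrs:
        # ::ffff:10.0.0.5 is IPv6 on paper but reaches 10.0.0.5: judge the mapped v4
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        unmapped.append(addr)
    return unmapped


def check_outbound_url(url):
    """Return (ok, reason); ok is True only when the URL is safe to fetch."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. unbalanced brackets in an IPv6 host
        return False, "unparseable URL: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are refused"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        addrs = _resolve(host)
    except (socket.gaierror, ValueError) as exc:
        return False, "cannot resolve %s: %s" % (host, exc)
    for addr in addrs:
        if not addr.is_global:
            return False, "%s resolves to non-public address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://93.184.216.34/",          # public address literal: allowed
                "http://127.0.0.1/admin",          # loopback
                "http://[::ffff:10.0.0.5]/",       # IPv4-mapped private address
                "http://169.254.169.254/latest/",  # cloud metadata endpoint
                "file:///etc/passwd"):             # wrong scheme
        print(url, check_outbound_url(url))
```

Two limits are worth knowing before reusing this pattern. The check resolves the name once, before the fetch; a robust fetcher connects to the address it just checked instead of resolving again (DNS rebinding), and it re-runs the check on every redirect target, because a public host can answer 302 to an internal one.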

'''Pages and files access'''

*Pages and contents are protected by centralized entry code that checks permissions (granted to groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
*Files saved by Dolibarr are stored in a different root directory from the web application (so they cannot be downloaded without passing through the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: you must check that the "'''document'''" directory (where uploaded files are stored) is neither the "'''htdocs'''" directory itself nor a sub-directory of it. Your web virtual host must point to the htdocs directory only (and this directory can, and should, be read-only). This way an uploaded file (stored in the document directory) cannot be downloaded without going through the wrapper page.
*Sanitization of directory and file names (internal functions dol_sanitizeFilename() and dol_sanitizePathname()).
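
The layout rule above (document directory outside htdocs) is easy to get wrong with a relative path or a symlink, so here is an added check, written by the editor of this page in Python, that is not part of Dolibarr. It reads the two conf.php settings Dolibarr uses for the web root and the data root ($dolibarr_main_document_root and $dolibarr_main_data_root), resolves both with realpath and refuses a data root that is the web root or sits inside it. The conf.php texts and the temporary directory layout are constructed for the example; the parser only understands simple single-line quoted assignments.

```python
import os
import re
import tempfile

# Added example, not Dolibarr code. The two conf.php variables below are the
# ones Dolibarr uses for the web root and the data root; the parser is a
# minimal helper for single-line assignments with a quoted string value.
ROOT_ASSIGN_RE = re.compile(
    r"""^\s*\$(dolibarr_main_document_root|dolibarr_main_data_root)"""
    r"""\s*=\s*(['"])(.*?)\2\s*;""",
    re.MULTILINE,
)


def parse_conf_roots(conf_text):
    """Extract the htdocs and document directory paths from conf.php text."""
    return {name: value for name, _quote, value in ROOT_ASSIGN_RE.findall(conf_text)}


def documents_outside_htdocs(htdocs, documents):
    """True when `documents` is neither `htdocs` itself nor inside it.

    Both paths go through realpath, so '..' components are collapsed and a
    data root that is a symlink into htdocs is still caught: the web server
    follows the link and would serve the uploads directly, without the wrapper."""
    htdocs_real = os.path.realpath(htdocs)
    documents_real = os.path.realpath(documents)
    try:
        return os.path.commonpath([htdocs_real, documents_real]) != htdocs_real
    except ValueError:
        return True  # different drives (Windows): cannot be nested


def check_conf(conf_text):
    """Return (ok, htdocs, documents) for a conf.php text; ok is False when a
    root is missing or the data root lies inside the web root."""
    roots = parse_conf_roots(conf_text)
    htdocs = roots.get("dolibarr_main_document_root", "")
    documents = roots.get("dolibarr_main_data_root", "")
    if not htdocs or not documents:
        return False, htdocs, documents
    return documents_outside_htdocs(htdocs, documents), htdocs, documents


# Constructed samples, not real conf.php files. In BAD_CONF the data root is
# placed under htdocs, so every upload would be reachable as a static URL.
BAD_CONF = """<?php
$dolibarr_main_url_root='https://erp.example.test';
$dolibarr_main_document_root='/var/www/dolibarr/htdocs';
$dolibarr_main_data_root='/var/www/dolibarr/htdocs/documents';
"""

GOOD_CONF = """<?php
$dolibarr_main_url_root='https://erp.example.test';
$dolibarr_main_document_root="/var/www/dolibarr/htdocs";
$dolibarr_main_data_root="/var/www/dolibarr/documents";
"""


def symlink_case():
    """A data root path that looks fine as a string (tmp/data, not under
    tmp/htdocs) but is a symlink into htdocs; realpath exposes it."""
    with tempfile.TemporaryDirectory() as tmp:
        htdocs = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(htdocs, "documents"))
        link = os.path.join(tmp, "data")
        os.symlink(os.path.join(htdocs, "documents"), link)
        return documents_outside_htdocs(htdocs, link)


if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        ok, h, d = check_conf(conf)
        print(label, "OK" if ok else "DATA ROOT IS INSIDE HTDOCS", h, d)
    print("symlink case outside htdocs?", symlink_case())
```

Run it on the server where conf.php lives, because realpath can only follow symlinks that exist on that filesystem; a copy of the file checked elsewhere will miss them.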

'''Login protection'''

*Anti brute force delay on the login page <sup>[*7]</sup>. Currently this delay is fixed (it may become exponential with the number of tries in a future version).
*Option for a graphical code (CAPTCHA) against robots on the login page <sup>[*7]</sup>.
*Restrict access to the back office to some IP addresses only <sup>[*7]</sup>.
*No passwords in logs, even in technical logs <sup>[*7]</sup>.
*Internal logger to permanently record all Dolibarr events about user administration and successful or failed logins, including administration events such as user, group or permission changes.
*Can write a record to a log file after each successful or failed login attempt (the module Debug Log must be enabled with at least level 5-LOG_NOTICE on a production server, higher on a development server), so you can add a fail2ban rule to block brute force cracking. Failed attempts can be matched with this pattern:

<syntaxhighlight lang="text">
"YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG)    IP functions_dolibarr::check_user_password_.* Authentication KO"
</syntaxhighlight>

A list of fail2ban rules to add to your server is given in the chapter '''DOS and Brute force rate Mitigation''' below.

'''Viruses'''

*Possibility to run an external anti-virus on every uploaded file <sup>[*3]</sup>.


'''Security Information Center'''

*From version 14, you will find in the menu Home - Admin tools - Security a security information center that reports all the recommendations already applied and still to apply for your installation.


'''A CTI for security'''

A continuous integration platform runs security unit tests and static code analysis on each modification of the code.


'''A footprint for each version'''

Our release process ships each version with a footprint file (also available online) to validate all files of your local installation and detect any change to any file, using the integrated tool available in the menu Home - Administration - Security.


'''DOS and Brute force rate Mitigation'''

* Embedded anti-DOS features with a quota on public actions per IP.

* The project also provides examples of fail2ban rules to block brute force attempts or abusive access to the login page, the forgotten-password page and any public page. See https://github.com/Dolibarr/dolibarr/tree/develop/dev/setup/fail2ban
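
The log pattern given in the '''Login protection''' section and the fail2ban rules linked just above do the same job: pick failed-login records out of the Dolibarr log and ban the source after too many of them in a short time. The block below is an added example, written by the editor of this page in Python, that replays that logic over a few log lines; it is neither Dolibarr's nor fail2ban's code. The regular expression follows the record layout documented on this page; the log lines are constructed, not captured from a real server, and the maxretry/findtime defaults are the editor's choice.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example. The pattern follows the record layout given on this page
# (date, level, client IP, check_user_password_* function, "Authentication KO");
# in a real fail2ban filter the (?P<ip>...) group is written as <HOST>.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<level>ERROR|NOTICE|INFO|DEBUG)\s+"
    r"(?P<ip>\S+)\s+"
    r"functions_dolibarr::check_user_password_\S*.*Authentication KO"
)

# Constructed log excerpt (not a real capture): 10.0.0.5 hammers the login
# page, 10.0.0.9 fails slowly, 10.0.0.7 only logs in successfully.
SAMPLE_LOG = """\
2024-03-01 10:00:01 NOTICE  10.0.0.5   functions_dolibarr::check_user_password_dolibarr Authentication KO bad password for 'admin'
2024-03-01 10:00:05 NOTICE  10.0.0.5   functions_dolibarr::check_user_password_dolibarr Authentication KO bad password for 'admin'
2024-03-01 10:00:09 NOTICE  10.0.0.5   functions_dolibarr::check_user_password_dolibarr Authentication KO bad password for 'admin'
2024-03-01 10:00:14 NOTICE  10.0.0.5   functions_dolibarr::check_user_password_dolibarr Authentication KO bad password for 'root'
2024-03-01 10:00:20 NOTICE  10.0.0.5   functions_dolibarr::check_user_password_dolibarr Authentication KO bad password for 'root'
2024-03-01 10:01:00 INFO    10.0.0.7   functions_dolibarr::check_user_password_dolibarr Authentication OK for 'alice'
2024-03-01 10:05:00 NOTICE  10.0.0.9   functions_dolibarr::check_user_password_ldap Authentication KO bad password for 'bob'
2024-03-01 10:20:00 NOTICE  10.0.0.9   functions_dolibarr::check_user_password_ldap Authentication KO bad password for 'bob'
2024-03-01 10:35:00 NOTICE  10.0.0.9   functions_dolibarr::check_user_password_ldap Authentication KO bad password for 'bob'
2024-03-01 10:50:00 NOTICE  10.0.0.9   functions_dolibarr::check_user_password_ldap Authentication KO bad password for 'bob'
2024-03-01 11:05:00 NOTICE  10.0.0.9   functions_dolibarr::check_user_password_ldap Authentication KO bad password for 'bob'
2024-03-01 11:06:00 DEBUG   10.0.0.7   main::index Page load
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def failed_logins(lines):
    """Yield (timestamp, ip) for every failed-authentication record."""
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def ips_to_ban(lines, maxretry=5, findtime_minutes=10):
    """fail2ban semantics: an IP is banned once it has `maxretry` failures inside
    any window of `findtime_minutes`. Implemented as a sliding window per IP."""
    findtime = timedelta(minutes=findtime_minutes)
    windows = defaultdict(deque)
    banned = set()
    for ts, ip in failed_logins(lines):
        window = windows[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    print("failed records:", len(list(failed_logins(SAMPLE_LINES))))
    print("ban (5 in 10 min):", sorted(ips_to_ban(SAMPLE_LINES)))
    print("ban (5 in 2 h):  ", sorted(ips_to_ban(SAMPLE_LINES, maxretry=5, findtime_minutes=120)))
```

One deployment caveat: the IP in the record must be the client's address. Behind a reverse proxy or load balancer Dolibarr sees the proxy's address unless the proxy's forwarded-address header is trusted and used, and a rule like this would then ban the proxy for everyone.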


'''OpenSSF'''

Dolibarr conforms to the Best Practices defined by the OpenSSF (Open Source Security Foundation): https://bestpractices.coreinfrastructure.org/projects/5521

=[[File:art.png]] Report a security vulnerability=

To report a vulnerability, see the file https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md

In most cases, security reports are processed within a few days.


----
<sup>(*X)</sup> This solution is part of the protections used to address the vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten 2007] at rank number X. The position X may have changed since.