28,967
edits
Changes
m
→File:art.png Security Features
Line 4:
Line 4:
= [[File:securite.png]] Alerts =+Last update: {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY}}
−Some SQL injections vulnerabilities have been reported. They are a small risk as they are in page that need to be logged to be used. Fix is available into 9.0.6.
−
+
+
+
+
−
+
−
−
+* Protection against CSRF (Cross Site Request Forgery) <sup>[*5]</sup>.+
−* Dolibarr directories content can't be accessed even if Apache option Indexes has be forgotten to on (should not) <sup>[*3]</sup>.+
−
+
* Possibility to run an external anti-virus on every uploaded files <sup>[*3]</sup>.
− +
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
[[fr:Informations_sécurité]]
[[fr:Informations_sécurité]]
[[es:Información_de_seguridad]]
[[es:Información_de_seguridad]]
+[[zh:安全信息]]
<!-- END interlang links -->
<!-- END interlang links -->
Line 9:
Line 10:
[[Category:Admin_en]]
[[Category:Admin_en]]
−This page is an entry point to the various information relating to Dolibarr ERP CRM in relation to security.
−= [[File:art.png]] Features =
+=[[File:securite.png]] Security Alerts=
−Dolibarr implements several security features. Among them :
+To list or receive all official alerts about known security vulnerabilities (aggregation of official published CVE, Private Vulnerability Disclosure, project issues) on Dolibarr project you can:
+* look at the section "'''Security alerts'''" available on this page https://cti.dolibarr.org,
+* or subscribe to the RSS feed at https://cti.dolibarr.org/index-security.rss (for example with the Android application [https://f-droid.org/packages/com.nononsenseapps.feeder/ Feeder]) if you need to receive or read alert in real time on your smartphone.
+* If you want to also receive security alerts not yet known by the project team, and published in the international CVE database, you can subscribe to a CVE alert service. A good service for example https://opencve.io).
+=[[File:art.png]] Security Features=
+Dolibarr implements several security features to match best practices rules related to security.
+This is a list of main security features you can find :
+'''Encryption'''
'''Encryption'''
−* User passwords can be encrypted in database <sup>[*7]</sup> <sup>[*8]</sup>.
+* Database technical password can be obfuscated into the [[Configuration_file|Dolibarr configuration file]] (conf.php) <sup>[*8]</sup>.
+*Passwords or security keys data are encrypted in database <sup>[*7]</sup> <sup>[*8]</sup>.
−* Possibility to force HTTPS <sup>[*9]</sup>.
+*The database technical password can be obfuscated into the [[Configuration_file|Dolibarr configuration file]] (conf.php) <sup>[*8]</sup>.
−<source lang="php">
+*Possibility to force HTTPS <sup>[*9]</sup>.
+<syntaxhighlight lang="php">
//conf/conf.php file
//conf/conf.php file
//example of $dolibarr_main_force_https configuration
//example of $dolibarr_main_force_https configuration
$dolibarr_main_force_https = '1';//to force https
$dolibarr_main_force_https = '1';//to force https
−</source>
+</syntaxhighlight>
−{| class=wikitable style="width:100%;"
+{| class="wikitable" style="width:100%;"
−! scope="col"| Values
+! scope="col" |Values
−! scope="col"| Description
+! scope="col" |Description
|-
|-
Line 48:
Line 60:
| style="width:50%;" |
| style="width:50%;" |
Force redirect to https, until SERVER["HTTPS"] is 'on' into response
Force redirect to https, until SERVER["HTTPS"] is 'on' into response
+
+|-
+| style="width:50%;" |
+https://mydomain
+| style="width:50%;" |
+Force redirect to the https domain name mydomain (recommended method)
|}
|}
−'''Hacks and cracks'''
+* Works with register_globals on or off (off highly recommended) <sup>[*2]</sup>.
+'''Features Anti Hacks and cracks'''
−* Works with PHP safe_mode on or off (on recommended) <sup>[*3]</sup>.
+* Production option to disable any technical information leakage like debug, error stacktrace, version informations (See [[Configuration_file|configuration file]]) <sup>[*6]</sup>.
+*Works with PHP register_globals on or off (off highly recommended) <sup>[*2]</sup>.
−* Protection against SQL injection <sup>[*2]</sup>.
+*Works with PHP safe_mode on or off (on recommended) <sup>[*3]</sup>.
−* Protection against XSS injection (Cross Site Scripting) <sup>[*1]</sup>. Note that it is better to also protect your web server by disabled Apache option
+*Production mode to disable any technical information leakage like debug, error stacktrace, version informations (See [[Configuration_file|configuration file]]) <sup>[*6]</sup>.
−<source lang="ini">
+*WAF: Protection against SQL injection. Protected by an Internal WAF, and unit test to check database good practice for escapement. <sup>[*2]</sup>.
+*WAF: Protection against XSS injection (Cross Site Scripting). Protected by an internal WAF and web page headers. <sup>[*1]</sup>.
+*Protection against SSRF. All access to an URL uses the getURLContent() method into core/lib/geturl.lib.php that bring this protection.
+*Protection against CSRF (Cross Site Request Forgery). Protected by an internal WAF and a token system (with several level of renewal policies, by session or by page). <sup>[*5]</sup>.
+Note that it is also recommended to protect your web server by disabling the Apache option
+<syntaxhighlight lang="ini">
AcceptPathInfo Off
AcceptPathInfo Off
−</source>
+</syntaxhighlight>
−'''Pages and files access'''
'''Pages and files access'''
−* Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
+* Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>.
+*Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) <sup>[*4]</sup> <sup>[*10]</sup>.
−*Files saved by Dolibarr are stored in a different root directory than web application (so they can't be downloaded without passing by the Dolibarr wrapper) <sup>[*3]</sup> <sup>[*10]</sup>. Note: You must check that you did not choose the "'''document'''" directory (for upload files) to be in same directory neither in a sub-directory than the "'''htdocs'''" directory. You web virtual host must point to the htdocs directory only (and this directoy can/should be in read only mode). So any uploaded file (stored into the document directory) can't be download without using the wrapper page.
+*Sanitization of directory and file names (internal functions dol_sanitizeFilename() and dol_sanitizePathname().
+'''Login protection'''
'''Login protection'''
−* Delay anti brute force cracking on login page <sup>[*7]</sup>.
+* Option for graphical code (CAPTCHA) against robots on login page <sup>[*7]</sup>.
+*Delay anti brute force cracking on login page <sup>[*7]</sup>. Currently this delay is fixed (May be exponential with tries in a future version).
−* No passwords in logs, even in technical logs <sup>[*7]</sup>.
+*Option for graphical code (CAPTCHA) against robots on login page <sup>[*7]</sup>.
−* Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins.
+*Restrict access to backoffice for some IP only <sup>[*7]</sup>.
+*No passwords in logs, even in technical logs <sup>[*7]</sup>.
+*Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins or administration events (like user or group or permission changes).
+*Can output a log record into a log file (module Debug Log must be enabled with at least level 5-LOG_NOTICE on production server, higher on development server) after success or failed login attempt so you can add a fail2ban rule to lock brute force cracking. You can check record with syntax :
+ "YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG) IP functions_dolibarr::check_user_password_.* Authentication KO"
+A list of fail2ban rules to add to your server is provided on chapter '''DOS and Brute force rate Mitigation''' later.
+'''Viruses'''
'''Viruses'''
−*Possibility to run an external anti-virus on every uploaded files <sup>[*3]</sup>.
+'''Security Information Center'''
+*From version 14, you will find into menu Home - Admin tools - Security, a security information center that report you all recommandations done and to do related to your installation.
+'''A CTI for security'''
+A continuous integration platform run Security unit tests and static code analysis on each modification of code.
+'''A footprint for each version'''
+Our release process bring each version with a footprint file (also available online) to validate all files of your local installation and detect any change on any file with the integrated tool available in menu Home - Administration - Security.
+'''DOS and Brute force rate Mitigation'''
+* Embedded AntiDOS features with quota on public action per IP.
+* The project provide also examples of some fail2ban rules to block brute force attempts or abusive access on login page, password forgotten page and on any public pages. See https://github.com/Dolibarr/dolibarr/tree/develop/dev/setup/fail2ban
+'''OpenSourceSSF'''
+Dolibarr conforms to the Best Practices defined by the OpenSourceSSF: https://bestpractices.coreinfrastructure.org/projects/5521
+=[[File:art.png]] Report a security vulnerability=
+To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
+In most cases, security reports are processed in few days.
+----
----
−<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten] at range number X.
+<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten 2007] at range number X. Value for position X may have been changed since.