Difference between revisions of "Security information"

Alerts

Last update: 2009-08-31

No security bugs known at the moment.

Features

Dolibarr implements several security features. Among them :

Encryption

• User passwords can be encrypted in database ^{[*7] [*8]}.
• Database technical password can be obfuscated into the Dolibarr configuration file (conf.php) ^[*8].
• Possibility to force HTTPS ^[*9].

Hacks and cracks

• Works with register_globals on or off (off highly recommended) ^[*2].
• Works with PHP safe_mode on or off (on recommended) ^[*3].
• Production option to disable any technical information leakage like debug, error stacktrace, version informations (See configuration file) ^[*6].
• Protection against SQL injection ^[*2].
• Protection against XSS injection (Cross Site Scripting) ^[*1].
• Protection against CSRF (Cross Site Request Forgery) ^[*5].

Pages and files access

• Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) ^{[*4] [*10]}.
• Files saved by Dolibarr are stored in a different root directory than web application (so they can not be downloaded without passing by the Dolibarr wrapper) ^{[*3] [*10]}.
• Dolibarr directories content can't be accessed even if Apache option Indexes has be forgotten to on (should not) ^[*3].

Login protection

• Delay anti brute force cracking on login page ^[*7].
• Graphical code (CAPTCHA) against robots on login page ^[*7].
• No passwords in logs, even in technical logs ^[*7].
• Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins.

Viruses

• Possibility to run an anti-virus on every uploaded file (linux only) ^[*3].

^(*X) This solution is part of protection used to solve vulnerabilities classified by the OWASP Top Ten at range number X.