Changes

m
no edit summary
Line 13: Line 13:     
A vulnerability allowing a user to get the list of contacts (name, firstname and id in database) has been discovered.  
 
A vulnerability allowing a user to get the list of contacts (name, firstname and id in database) has been discovered.  
Fix is available into {{Template:SafeVersion}}.
+
Fix is available into {{Template:SafeVersion}}and higher versions.
    
Note: You can also download from GitHub the '''intermediate''' versions (not yet released maintenance package) for all branches/version (https://github.com/Dolibarr/dolibarr/)
 
Note: You can also download from GitHub the '''intermediate''' versions (not yet released maintenance package) for all branches/version (https://github.com/Dolibarr/dolibarr/)
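Review bot: the new wording in this hunk, `{{Template:SafeVersion}}and higher versions`, has no space between the template and "and", so the rendered text will run the version number straight into the word; add a space after the closing braces. While touching this sentence, "Fix is available into" should read "A fix is available in", and the following note should say "all branches/versions".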
Line 29: Line 29:  
*Possibility to force HTTPS <sup>[*9]</sup>.
 
*Possibility to force HTTPS <sup>[*9]</sup>.
   −
<syntaxHighlight lang="php">
+
<syntaxhighlight lang="php">
 
//conf/conf.php file
 
//conf/conf.php file
 
//example of $dolibarr_main_force_https  configuration
 
//example of $dolibarr_main_force_https  configuration
 
$dolibarr_main_force_https = '1';//to force https
 
$dolibarr_main_force_https = '1';//to force https
</syntaxHighlight>
+
</syntaxhighlight>
    
{| class="wikitable" style="width:100%;"
 
{| class="wikitable" style="width:100%;"
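Review bot: the tag case change is fine since both the opening and closing tags now agree. Two small points on the PHP snippet itself: the comment line `//example of $dolibarr_main_force_https  configuration` has a doubled space, and the block shows only the forcing value, so a reader cannot tell what the setting looks like when HTTPS is not forced; showing both values side by side, with a one-line note that the redirect only helps if the web server actually serves TLS on 443, would make the example self-explanatory.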
Line 77: Line 77:     
Note that it is also recommended to protect your web server by disabled Apache option
 
Note that it is also recommended to protect your web server by disabled Apache option
<syntaxHighlight lang="ini">
+
<syntaxhighlight lang="ini">
 
AcceptPathInfo Off
 
AcceptPathInfo Off
</syntaxHighlight>
+
</syntaxhighlight>
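Review bot: the sentence introducing this ini block, "protect your web server by disabled Apache option", is ungrammatical and should read "by disabling the Apache option". The hunk also gives `AcceptPathInfo Off` without saying where it belongs (main httpd.conf, or the VirtualHost / Directory block serving Dolibarr); one clause stating the scope would avoid readers pasting it into the wrong context.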
      Line 96: Line 96:  
*No passwords in logs, even in technical logs <sup>[*7]</sup>.
 
*No passwords in logs, even in technical logs <sup>[*7]</sup>.
 
*Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins or administration events (user or group or permission changes).
 
*Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins or administration events (user or group or permission changes).
*Can output a log record into a log file (module Debug Log must be enabled with at least level 5-LOG_NOTICE on production server, higher on development server) after success or failed login attempt so you can add a fail2ban rule to lock brute force cracking. You can check record with syntax :  
+
*Can output a log record into a log file (module Debug Log must be enabled with at least level 5-LOG_NOTICE on production server, higher on development server) after success or failed login attempt so you can add a fail2ban rule to lock brute force cracking. You can check record with syntax :
 +
 
 
  "YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG)    IP functions_dolibarr::check_user_password_.* Authentication KO"
 
  "YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG)    IP functions_dolibarr::check_user_password_.* Authentication KO"
 
A list of fail2ban rules to add to your server is provided on chapter '''DOS and Brute force rate Mitigation''' later.
 
A list of fail2ban rules to add to your server is provided on chapter '''DOS and Brute force rate Mitigation''' later.
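Review bot: the added blank line before the quoted log pattern is the only change in this hunk, but the surrounding text still has issues worth fixing in the same edit: "so you can add a fail2ban rule to lock brute force cracking" should be "to block brute force attempts", and the pattern is presented as a quoted string without saying what it is. Since it mixes a literal placeholder (`YYYY-MM-DD HH:MM:SS`, `IP`) with a regex alternation, state that it is the shape of the log line to match in a fail2ban filter, not a literal to search for, and name the exact log level token the failed login is written at so the reader knows what to set Debug Log to.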
Line 126: Line 127:  
The project provide examples of some fail2ban rules to block brute force attempts or abusive access on login page, password forgotten page and on any public pages. See https://github.com/Dolibarr/dolibarr/tree/develop/dev/setup/fail2ban
 
The project provide examples of some fail2ban rules to block brute force attempts or abusive access on login page, password forgotten page and on any public pages. See https://github.com/Dolibarr/dolibarr/tree/develop/dev/setup/fail2ban
   −
=[[File:art.png]] Report a security vulnerability =
+
=[[File:art.png]] Report a security vulnerability=
    
*To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
 
*To report a vulnerability, see the file: https://github.com/Dolibarr/dolibarr/blob/develop/SECURITY.md
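Review bot: the heading whitespace change is harmless, but the context line "The project provide examples of some fail2ban rules" has a subject-verb error and should read "The project provides example fail2ban rules"; fixing it in this same revision would save another edit.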
Line 132: Line 133:     
In most cases, security reports are processed in few days only.
 
In most cases, security reports are processed in few days only.
         
----
 
----
 
<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten] at range number X.
 
<sup>(*X)</sup> This solution is part of protection used to solve vulnerabilities classified by the [http://www.owasp.org/index.php/Top_10_2007 OWASP Top Ten] at range number X.
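Review bot: "security reports are processed in few days only" should read "within a few days". In the footnote, the `[*X]` markers used throughout the page are keyed to the linked OWASP Top_10_2007 list; since later editions of the OWASP Top Ten reorder and rename the categories, the footnote should say explicitly that the numbers refer to the 2007 ranking, and "at range number X" should read "at rank X".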