Security information

From Dolibarr ERP CRM Wiki

Revision as of 18:48, 22 August 2009 by Eldy (talk | contribs) (→‎File:art.png Features)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Alerts

Last update: 2009-08-22

No security bugs known at the moment.

Features

Dolibarr implements several security features. Among them :

Encryption

User passwords can be encrypted in database ^[*8] ^[*7].
Database technical password can be obfuscated the Dolibarr configuration file (conf.php) ^[*8].
Possibility to force HTTPS ^[*9].

Hacks and cracks

Works with register_globals on or off (off highly recommended) ^[*2].
Works with PHP safe_mode on or off (on recommended) ^[*3].
Production option to disable any technical information leakage (debug, error stacktrace, version informations) ^[*6] (TODO Not yet available).
Protection against SQL injection ^[*2].
Protection against XSS injection (Cross Site Scripting) ^[*1].
Protection against CSRF (Cross Site Request Forgery) ^[*5].

Pages and files access

Pages and contents are protected by centralized entry code to check permissions (granted on groups or users for each functional module) ^[*4] ^[*10].
Files saved by Dolibarr are stored in a different root directory than web application (so they can not be downloaded without passing by the Dolibarr wrapper) ^[*3] ^[*10].
Dolibarr directories content can't be accessed even if Apache option Indexes has be forgotten to on (should not) ^[*3].

Login protection

Delay anti brute force cracking on login page ^[*7].
Graphical code (CAPTCHA) against robots on login page ^[*7].
No passwords in logs, even in technical logs ^[*7].
Internal logger to save permanently all Dolibarr events about user's administration and successful or failed logins.

Viruses

Possibility to run an anti-virus on every uploaded file.

Retrieved from "https://wiki.dolibarr.org/index.php?title=Security_information&oldid=15188"

Admin