Security information

From Dolibarr ERP CRM Wiki
Revision as of 13:56, 12 August 2019


Alerts

Last update: 2019-08-12

Some SQL injection vulnerabilities have been reported. They are a limited risk because the affected pages can only be reached with an authenticated session, but any logged-in user could trigger them, so upgrading is still advised. A fix is available in 11.0.1.

Features

Dolibarr implements several security features. Among them:

Encryption

  • User passwords are stored hashed in the database, never in clear [*7] [*8].
  • The database password can be obfuscated in the Dolibarr configuration file (conf.php) rather than stored in clear [*8].
  • Option to force HTTPS [*9].
// conf/conf.php
// example of $dolibarr_main_force_https configuration
$dolibarr_main_force_https = '1'; // force redirect to https

Value   Description
0       No forced redirect
1       Force redirect to https unless SCRIPT_URI of the request already starts with https
2       Force redirect to https unless $_SERVER["HTTPS"] is 'on' for the request

The two non-zero values differ only in how Dolibarr detects that the current request is already on HTTPS. Behind a reverse proxy that terminates TLS, neither SCRIPT_URI nor $_SERVER["HTTPS"] may reflect the client's scheme, which produces a redirect loop; test the setting from outside after enabling it.

Hacks and cracks

  • Works with register_globals on or off (off highly recommended) [*2]. Note that register_globals and safe_mode were removed in PHP 5.4, so on current PHP versions these directives no longer exist.
  • Works with PHP safe_mode on or off (on recommended) [*3].
  • Production option to disable technical information leakage (debug output, error stack traces, version information); see the configuration file [*6].
  • Protection against SQL injection [*2].
  • Protection against XSS injection (Cross Site Scripting) [*1].
  • Protection against CSRF (Cross Site Request Forgery) [*5].

Note that it is also recommended to protect your web server by disabling the Apache option AcceptPathInfo, so that a request such as /index.php/extra/path cannot reach a script with trailing path data appended:

AcceptPathInfo Off
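A virtual host fragment putting that recommendation together with a no-listing, no-execution policy for the web root, as an added example that is neither part of this wiki page nor of the Dolibarr distribution. Host name and paths are assumptions; adapt them to your install.

```apache
# Added example: Apache vhost fragment hardening a Dolibarr install.
# Host name and directory paths are assumed for the illustration.
<VirtualHost *:443>
    ServerName erp.example.com
    DocumentRoot /var/www/dolibarr/htdocs

    # Refuse /script.php/anything: no PATH_INFO handed to PHP scripts
    AcceptPathInfo Off

    <Directory /var/www/dolibarr/htdocs>
        # No directory listings, no SSI, no CGI execution under the web root
        Options -Indexes -Includes -ExecCGI
        Require all granted
    </Directory>

    # The Dolibarr document store (uploads, generated PDFs) lives outside
    # DocumentRoot; denying it here is a belt-and-braces measure in case a
    # later Alias or misconfiguration exposes it.
    <Directory /var/lib/dolibarr/documents>
        Require all denied
    </Directory>
</VirtualHost>
```

After reloading Apache, confirm the behaviour from a client: a request for a script with a trailing path segment must return 404 rather than executing the script, and a request for a directory without an index file must return 403 rather than a listing.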

Pages and files access

  • Pages and contents are protected by a centralized entry check that verifies permissions (granted to groups or users for each functional module) [*4] [*10].
  • Files saved by Dolibarr are stored in a root directory separate from the web application, so they cannot be downloaded without going through the Dolibarr wrapper, which applies the permission check [*3] [*10].
  • The content of Dolibarr directories cannot be listed even if the Apache option Indexes has been left on (which it should not be) [*3].
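The three configuration-side measures above (forcing HTTPS, the production switch that suppresses technical output, and keeping the document store outside the web root) in one conf.php fragment, as an added example rather than the file shipped with Dolibarr. The variable names are Dolibarr's standard conf.php settings; the host name and paths are assumptions.

```php
<?php
// Added example: hardening-relevant lines of conf/conf.php.
// Variable names are Dolibarr's standard settings; values are assumed.

$dolibarr_main_url_root      = 'https://erp.example.com';
$dolibarr_main_document_root = '/var/www/dolibarr/htdocs';     // served by the web server

// Uploaded files and generated documents: NOT under the document root, so the
// web server cannot serve them directly; only the Dolibarr wrapper (which checks
// permissions) can hand them out.
$dolibarr_main_data_root     = '/var/lib/dolibarr/documents';

// Redirect http:// requests to https:// (see the value table in the Encryption section).
$dolibarr_main_force_https   = '1';

// Production mode: no debug output, no error stack traces, no version information
// sent to the browser.
$dolibarr_main_prod          = '1';
```

Keep conf.php readable only by the web server account (for example mode 0440 owned by root with the web server's group), since it still holds the database credentials even when the password is obfuscated.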

Login protection

  • Anti brute-force delay on the login page [*7].
  • Option for a graphical code (CAPTCHA) against robots on the login page [*7].
  • No passwords in logs, not even in technical logs [*7].
  • Internal logger that permanently records Dolibarr events about user administration (user, group or permission changes) and successful or failed logins.
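The login protections listed above, shown working together in an added Python example that is not Dolibarr's code: a progressive delay that kicks in after a few consecutive failures, a CAPTCHA demanded after more, and an audit trail that records every outcome without ever containing the password. The thresholds, the constructed user store and the event names USER_LOGIN / USER_LOGIN_FAILED are assumptions made for the illustration; the password hashing is deliberately simple and would be a slow KDF (bcrypt or argon2) in real code.

```python
"""Added example: login throttling, CAPTCHA gating and a secret-free audit log.

Not Dolibarr's implementation. Thresholds, user store and event names are assumed.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Illustrative thresholds (assumptions, not Dolibarr's real values).
FREE_ATTEMPTS = 3          # consecutive failures allowed before delays start
CAPTCHA_AFTER = 5          # consecutive failures after which a CAPTCHA is demanded
MAX_DELAY_SECONDS = 30.0   # cap on the exponential delay


def hash_password(password: str, salt: str) -> str:
    """Salted SHA-256 for the demo only; real code uses bcrypt/argon2."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user store: username -> (salt, hash). Not real credentials.
USERS = {"alice": ("n0nce-1", hash_password("correct-horse", "n0nce-1"))}
# Dummy record so unknown usernames cost the same work as known ones
# (no timing-based username enumeration).
_DUMMY = ("dummy-salt", hash_password("dummy", "dummy-salt"))


@dataclass
class LoginGuard:
    failures: dict = field(default_factory=dict)  # username -> consecutive failures
    audit: list = field(default_factory=list)     # permanent event log, never holds a password

    def delay_for(self, user: str) -> float:
        """0 for the first FREE_ATTEMPTS failures, then 1, 2, 4 ... seconds, capped."""
        n = self.failures.get(user, 0)
        if n < FREE_ATTEMPTS:
            return 0.0
        return min(MAX_DELAY_SECONDS, 2.0 ** (n - FREE_ATTEMPTS))

    def captcha_required(self, user: str) -> bool:
        return self.failures.get(user, 0) >= CAPTCHA_AFTER

    def attempt(self, user: str, password: str, ip: str,
                captcha_ok: bool = True, sleep=time.sleep) -> bool:
        """One login attempt. `sleep` is injectable so tests need not really wait."""
        delay = self.delay_for(user)
        if delay:
            sleep(delay)
        if self.captcha_required(user) and not captcha_ok:
            self._record("USER_LOGIN_FAILED", user, ip, "captcha required")
            return False
        salt, stored = USERS.get(user, _DUMMY)
        ok = user in USERS and hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self.failures.pop(user, None)          # success resets the counter
            self._record("USER_LOGIN", user, ip)
        else:
            self.failures[user] = self.failures.get(user, 0) + 1
            self._record("USER_LOGIN_FAILED", user, ip)
        return ok

    def _record(self, event: str, user: str, ip: str, note: str = "") -> None:
        # Only the event, the username and the client address are logged.
        line = f"{event} user={user} ip={ip}"
        if note:
            line += f" note={note}"
        self.audit.append(line)


def log_leaks_secret(lines, secret: str) -> bool:
    """Sanity check for the 'no passwords in logs' property."""
    return any(secret in line for line in lines)


def simulate() -> dict:
    """Six wrong passwords, one attempt without CAPTCHA, then a correct login."""
    delays = []                      # records what would have been slept
    guard = LoginGuard()
    ip = "203.0.113.7"               # constructed client address
    for _ in range(6):
        guard.attempt("alice", "wrong-pass", ip, sleep=delays.append)
    captcha_needed = guard.captcha_required("alice")
    blocked = guard.attempt("alice", "correct-horse", ip, captcha_ok=False, sleep=delays.append)
    ok = guard.attempt("alice", "correct-horse", ip, captcha_ok=True, sleep=delays.append)
    leak = (log_leaks_secret(guard.audit, "wrong-pass")
            or log_leaks_secret(guard.audit, "correct-horse"))
    return {"delays": delays, "captcha_needed": captcha_needed, "blocked": blocked,
            "ok": ok, "failures_after": guard.failures.get("alice", 0),
            "leak": leak, "events": len(guard.audit)}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two points worth carrying into a real implementation: the failure counter must live in persistent storage shared by all web workers, otherwise an attacker who spreads requests across workers never hits the delay; and the delay here blocks a worker with `sleep`, so a per-IP limit at the reverse proxy is still needed to keep a flood of attempts from tying up every PHP process.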

Viruses

  • Option to run an external anti-virus on every uploaded file [*3].



(*X) This measure is part of the protection against the vulnerability class ranked at position X in the OWASP Top Ten.