Difference between revisions of "Security information"

From Dolibarr ERP CRM Wiki
m (how to force https in conf.php)
(29 intermediate revisions by 4 users not shown)

Latest revision as of 14:57, 18 May 2020


Alerts

Last update: 2020-05-18

Some SQL injection and CSRF vulnerabilities have been reported. They are a small risk because they are in pages that require being logged in to be used. A fix is available in 11.0.4.

Note: You can download the intermediate versions of version 11 (maintenance package not yet released) from GitHub: https://github.com/Dolibarr/dolibarr/archive/11.0.zip

Features

Dolibarr implements several security features. Among them:

Encryption

  • User passwords are encrypted in the database [*7] [*8].
  • The technical database password can be obfuscated in the Dolibarr configuration file (conf.php) [*8].
  • Possibility to force HTTPS [*9].
<source lang="php">
// conf/conf.php file
// example of $dolibarr_main_force_https configuration
$dolibarr_main_force_https = '1'; // to force https
</source>

{| class="wikitable" style="width:100%;"
! scope="col" | Value
! scope="col" | Description
|-
| 0
| No forced redirect
|-
| 1
| Force a redirect to HTTPS unless the request's SCRIPT_URI already starts with https
|-
| 2
| Force a redirect to HTTPS unless $_SERVER["HTTPS"] is 'on' for the request
|-
| https://mydomain
| Force a redirect to this HTTPS domain name
|}

Hacks and cracks

  • Works with register_globals on or off (off highly recommended) [*2].
  • Works with PHP safe_mode on or off (on recommended) [*3].
  • Production option to disable any technical information leakage such as debug output, error stack traces or version information (see the configuration file) [*6].
  • Protection against SQL injection [*2].
  • Protection against XSS injection (Cross Site Scripting) [*1].
  • Protection against CSRF (Cross Site Request Forgery) [*5].

Note that it is also recommended to protect your web server by disabling the Apache option AcceptPathInfo:

<source lang="ini">
AcceptPathInfo Off
</source>

Pages and files access

  • Pages and contents are protected by a centralized entry code that checks permissions (granted to groups or users for each functional module) [*4] [*10].
  • Files saved by Dolibarr are stored in a different root directory than the web application (so they can't be downloaded without passing through the Dolibarr wrapper) [*3] [*10]. Note: check that the "document" directory (used for uploaded files) is not the same directory as, nor a sub-directory of, the "htdocs" directory, and that your web virtual host points to the htdocs directory only. Otherwise any uploaded file stored in the document directory could be retrieved by forging a simple URL.
  • The content of Dolibarr directories can't be listed even if the Apache option Indexes has been left on by mistake (it should not be) [*3].
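As an added example (not code from the Dolibarr project or this page), a small Python audit of the conf.php settings discussed above: the force_https value, the production option, and whether the upload (document) directory sits inside htdocs. It assumes the standard conf.php keys $dolibarr_main_force_https, $dolibarr_main_prod, $dolibarr_main_document_root and $dolibarr_main_data_root, and runs on a constructed sample conf.php.

```python
import os
import re

# Constructed sample conf.php (not from a real install): every setting here is
# the weak choice this page warns about, so all three checks below should fire.
SAMPLE_CONF = """<?php
$dolibarr_main_document_root='/var/www/dolibarr/htdocs';
//$dolibarr_main_data_root='/var/www/dolibarr/documents';
$dolibarr_main_data_root='/var/www/dolibarr/htdocs/documents';
$dolibarr_main_force_https='0';
$dolibarr_main_prod='0';
"""

# Matches $dolibarr_main_xxx='value'; at the start of a line; commented-out lines are skipped.
ASSIGN_RE = re.compile(r"^\s*\$(dolibarr_main_\w+)\s*=\s*'([^']*)'\s*;", re.M)


def parse_conf(text):
    """Return the active $dolibarr_main_* assignments of a conf.php as a dict."""
    return dict(ASSIGN_RE.findall(text))


def audit_conf(conf):
    """Return a list of findings for the settings this page discusses (key names assumed)."""
    findings = []
    if conf.get("dolibarr_main_force_https", "0") == "0":
        findings.append("force_https=0: no redirect to HTTPS; use 1, 2 or https://yourdomain")
    if conf.get("dolibarr_main_prod", "0") != "1":
        findings.append("prod!=1: debug output, stack traces and version info may leak")
    doc_root = conf.get("dolibarr_main_document_root", "")
    data_root = conf.get("dolibarr_main_data_root", "")
    if doc_root and data_root:  # both assumed absolute, as in a standard conf.php
        doc_root, data_root = os.path.normpath(doc_root), os.path.normpath(data_root)
        # data_root equal to, or below, htdocs means the web server serves uploads directly
        if os.path.commonpath([doc_root, data_root]) == doc_root:
            findings.append("data_root is inside document_root: uploaded files reachable by plain URL")
    return findings


if __name__ == "__main__":
    for finding in audit_conf(parse_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```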

Login protection

  • Delay against brute-force password cracking on the login page [*7].
  • Option for a graphical code (CAPTCHA) against robots on the login page [*7].
  • Restrict access to the back office to some IP addresses only [*7].
  • No passwords in logs, even in technical logs [*7].
  • Internal logger that permanently records successful or failed logins and administration events (user, group or permission changes).
  • Can write a record to a log file (the Debug Log module must be enabled with at least level 5, LOG_NOTICE) after each successful or failed login attempt, so you can add a fail2ban rule to block brute-force cracking. Records can be matched with the syntax:
"YYYY-MM-DD HH:MM:SS (ERROR|NOTICE|INFO|DEBUG)    IP functions_dolibarr::check_user_password_.* Authentication KO"
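As an added example (not part of the Dolibarr project or this page), Python detection logic that applies the record syntax above to a constructed dolibarr.log excerpt and reports the IPs a fail2ban jail would ban for a given maxretry and findtime; the text after "Authentication KO" in the sample lines is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex derived from the record syntax quoted on this page. The equivalent
# fail2ban filter (untested here) would use <HOST> in place of the ip group:
#   failregex = ^\S+ \S+ (ERROR|NOTICE|INFO|DEBUG)\s+<HOST> functions_dolibarr::check_user_password_.* Authentication KO
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (ERROR|NOTICE|INFO|DEBUG)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) functions_dolibarr::check_user_password_\S* Authentication KO"
)

# Constructed sample of a dolibarr.log excerpt (not real data): one client fails
# four times within seconds, then once more half an hour later.
SAMPLE_LOG = """\
2020-05-18 14:57:01 NOTICE    203.0.113.7 functions_dolibarr::check_user_password_dolibarr Authentication KO for 'admin'
2020-05-18 14:57:03 NOTICE    203.0.113.7 functions_dolibarr::check_user_password_dolibarr Authentication KO for 'admin'
2020-05-18 14:57:04 INFO      198.51.100.9 functions_dolibarr::check_user_password_dolibarr Authentication OK
2020-05-18 14:57:05 NOTICE    203.0.113.7 functions_dolibarr::check_user_password_dolibarr Authentication KO for 'root'
2020-05-18 14:57:06 DEBUG     203.0.113.7 functions_dolibarr::check_user_password_ldap Authentication KO for 'admin'
2020-05-18 15:30:00 NOTICE    203.0.113.7 functions_dolibarr::check_user_password_dolibarr Authentication KO for 'admin'
"""


def failed_logins(text):
    """Yield (timestamp, ip) for every 'Authentication KO' record in the log text."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def ips_to_ban(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return the IPs with at least maxretry failures inside one findtime window (fail2ban semantics)."""
    by_ip = defaultdict(list)
    for ts, ip in failed_logins(text):
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned.add(ip)
                break
    return banned
```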


Viruses

  • Possibility to run an external anti-virus on every uploaded file [*3].


Report a security vulnerability

  • You can send an email to security@dolibarr.org
  • Or (better) you can use the security feature of GitHub at https://github.com/Dolibarr/dolibarr/security

In most cases, security reports are processed in only a few days.



(*X) This solution is part of the protection used against vulnerabilities classified at rank X in the OWASP Top Ten (http://www.owasp.org/index.php/Top_10_2007).