nurielmeni

Member Since 24 Feb 2013
Offline Last Active Jan 18 2015 09:48 PM

Topics I've Started

Zurmo 2.5 Bugs

06 November 2013 - 12:43 PM

Hi, I have set up the eMail SMTP and sent a test email successfully, however when I try to send an eMail to a specific lead, it was not delivered (clicking the address from the lead and sending the message from the pop-up window). The job manager did run, I even ran it manually.

This issue showed up on version 2.2.8 - 2.5.1

meni


Penetration and Security Issues

31 October 2013 - 12:24 PM

I have checked my Zurmo app with a penetration program, some errors and issues showed up, is it possible to fix them in the next release?

Issue:

AUTOCOMPLETE attribute is not disabled in HTML FORM/INPUT element containing password type input. Passwords may be stored in browsers and retrieved.

Fix:

Turn off AUTOCOMPLETE attribute in form or individual input elements containing password by using AUTOCOMPLETE='OFF'

Issue: (Came up with many pages)

A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. If this is a session cookie then session hijacking may be possible.

Fix:

Ensure that the HttpOnly flag is set for all cookies.

Issue: (Came up with many pages)

A cookie has been set without the secure flag, which means that the cookie can be accessed via unencrypted connections.

Fix:

Whenever a cookie contains sensitive information or is a session token, then it should always be passed using an encrypted tunnel. Ensure that the secure flag is set for cookies containing such sensitive information.

SQL injection may be possible

The page results were successfully manipulated using the boolean conditions [tavcrm.co.il' AND '1'='1' -- ] and [tavcrm.co.il' AND '1'='2' -- ]. The parameter value being modified was NOT stripped from the HTML output for the purposes of the comparison. Data was returned for the original parameter. The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter.

Fix

Do not trust client side input, even if there is client side validation in place.
In general, type check all data on the server side.
If the application uses JDBC, use PreparedStatement or CallableStatement, with parameters passed by '?'.
If the application uses ASP, use ADO Command Objects with strong type checking and parameterized queries.
If database Stored Procedures can be used, use them. Do not concatenate strings into queries in the stored procedure, or use 'exec', 'exec immediate', or equivalent functionality!
Do not create dynamic SQL queries using simple string concatenation.
Escape all data received from the client.
Apply a 'whitelist' of allowed characters, or a 'blacklist' of disallowed characters in user input.
Apply the principle of least privilege by using the least privileged database user possible. In particular, avoid using the 'sa' or 'db-owner' database users. This does not eliminate SQL injection, but minimizes its impact.
Grant the minimum database access that is necessary for the application.

Parent Directory

It is possible to view the directory listing. Directory listing may reveal hidden scripts, include files, backup source files, etc., which can be accessed to read sensitive information.

Fix

Disable directory browsing. If this is required, make sure the listed files do not induce risks.

Issue

Secure page can be cached in browser allowing the browser and proxies to cache content

Fix

The best way is to set the HTTP headers 'Pragma: No-cache' and 'Cache-control: No-cache'. Alternatively, this can be set in the HTML header by: <META HTTP-EQUIV='Pragma' CONTENT='no-cache'> <META HTTP-EQUIV='Cache-Control' CONTENT='no-cache'>, but some browsers may have problems using this method.

Issue

The cache-control and pragma HTTP headers have not been set properly, allowing the browser and proxies to cache content.

Fix

Whenever possible, ensure the cache-control HTTP header is set with no-cache, no-store, must-revalidate, private, and the pragma HTTP header is set with no-cache.

Issue

A private IP such as 10.x.x.x, 172.x.x.x, 192.168.x.x has been found in the HTTP response body. This information might be helpful for further attacks ta

Fix

Remove the private IP address from the HTTP response body. For comments, use JSP/ASP comment instead of HTML/JavaScript comment which can be seen by client browsers.
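The cookie-flag, cache-header and private-IP findings above are all checks on a raw HTTP response, so here they are as one small audit script. This is an added example, not code from the post or from the Zurmo project: the response headers and body are constructed to show an unhardened and a hardened case, PHPSESSID is assumed to be the session cookie (PHP's default name) and "remember" is a hypothetical second cookie. It flags exactly what the scanner text describes: Set-Cookie lines missing HttpOnly or Secure, Cache-Control lacking any of no-cache, no-store, must-revalidate, private, a missing Pragma: no-cache, and RFC 1918 addresses in the body.

```python
"""Header and body checks for three findings in the post above: Set-Cookie
without HttpOnly/Secure, weak Cache-Control/Pragma, and private IP addresses
leaking into the response body. Added example; sample data is constructed."""
import ipaddress
import re
from typing import List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample responses (not captured from a real Zurmo install).
# PHPSESSID is PHP's default session cookie name; "remember" is hypothetical.
WEAK_HEADERS: Headers = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=1a2b3c; path=/"),
    ("Set-Cookie", "remember=1; path=/; HttpOnly"),
    ("Cache-Control", "max-age=0"),
]
WEAK_BODY = "<html><!-- backend at 192.168.1.20 --><body>login</body></html>"

HARDENED_HEADERS: Headers = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=1a2b3c; path=/; Secure; HttpOnly"),
    ("Set-Cookie", "remember=1; path=/; Secure; HttpOnly"),
    ("Cache-Control", "no-cache, no-store, must-revalidate, private"),
    ("Pragma", "no-cache"),
]
HARDENED_BODY = "<html><body>login</body></html>"

REQUIRED_CACHE_DIRECTIVES = {"no-cache", "no-store", "must-revalidate", "private"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_set_cookie(value: str) -> Tuple[str, set]:
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_cookies(headers: Headers) -> List[str]:
    """One finding per missing HttpOnly or Secure attribute, per cookie."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} set without HttpOnly flag")
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} set without Secure flag")
    return findings


def audit_caching(headers: Headers) -> List[str]:
    """Check Cache-Control for the full directive set and Pragma for no-cache."""
    findings = []
    directives, pragma = set(), set()
    for name, value in headers:
        tokens = {d.strip().lower() for d in value.split(",") if d.strip()}
        if name.lower() == "cache-control":
            directives |= tokens
        elif name.lower() == "pragma":
            pragma |= tokens
    missing = sorted(REQUIRED_CACHE_DIRECTIVES - directives)
    if missing:
        findings.append("Cache-Control missing " + ", ".join(missing))
    if "no-cache" not in pragma:
        findings.append("Pragma not set to no-cache")
    return findings


def find_private_ips(body: str) -> List[str]:
    """Dotted quads in the body that fall inside the RFC 1918 ranges."""
    found = []
    for candidate in IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in RFC1918):
            found.append(candidate)
    return found


def audit(headers: Headers, body: str) -> List[str]:
    findings = audit_cookies(headers) + audit_caching(headers)
    findings += [f"private IP {ip} in response body" for ip in find_private_ips(body)]
    return findings


if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_BODY),
                              ("hardened", HARDENED_HEADERS, HARDENED_BODY)):
        print(label, audit(hdrs, body) or ["no findings"])
```

On a PHP deployment such as Zurmo the cookie flags come from the session.cookie_httponly and session.cookie_secure ini settings (or session_set_cookie_params()), and the caching headers from header() calls; the Secure flag only helps when the site is actually served over HTTPS, and the Cache-Control fix should be confirmed by re-running a check like this rather than by reading the configuration.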

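The SQL injection finding above is a boolean-based probe: the scanner appends ' AND '1'='1' -- and ' AND '1'='2' -- to a parameter that already returns data and reports injection when the second restricts the result and the first does not. Here is that probe replayed offline against an in-memory SQLite table, once through a query built by string concatenation and once through a parameterized query. This is an added example, not Zurmo's code or schema: the table, its columns and the two rows are constructed, and only the website value and the two payloads are taken from the scanner output in the post.

```python
"""The boolean-based probe from the scanner output, replayed against an
in-memory SQLite table with a concatenated and a parameterized query.
Added example; table, columns and rows are constructed, not Zurmo's."""
import sqlite3
from typing import Callable, Dict, List

# Constructed sample rows; "tavcrm.co.il" is the value seen in the scanner output.
ROWS = [("Example Ltd", "tavcrm.co.il"), ("Other Co", "example.org")]

# The two condition suffixes quoted in the post, verbatim (trailing space included
# so that "--" is followed by a space, as the scanner sent it).
TRUE_SUFFIX = "' AND '1'='1' -- "
FALSE_SUFFIX = "' AND '1'='2' -- "


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, website TEXT)")
    conn.executemany("INSERT INTO contact (name, website) VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, website: str) -> List[str]:
    # Dynamic SQL by concatenation: the attacker's quote closes the literal,
    # the injected condition is evaluated, and "-- " comments out the closing
    # quote that this code appends.
    sql = "SELECT name FROM contact WHERE website = '" + website + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, website: str) -> List[str]:
    # Placeholder binding: the whole payload is compared as one string value,
    # so the quotes and comment marker never reach the SQL parser.
    sql = "SELECT name FROM contact WHERE website = ?"
    return [row[0] for row in conn.execute(sql, (website,))]


def probe(search: Callable[[sqlite3.Connection, str], List[str]],
          conn: sqlite3.Connection, original: str) -> Dict[str, object]:
    """Apply the scanner's logic: data must come back for the original value,
    the always-true condition must leave it unchanged, and the always-false
    condition must restrict it."""
    base = search(conn, original)
    with_true = search(conn, original + TRUE_SUFFIX)
    with_false = search(conn, original + FALSE_SUFFIX)
    injectable = bool(base) and with_true == base and with_false != base
    return {"original": base, "true": with_true, "false": with_false,
            "injectable": injectable}


if __name__ == "__main__":
    db = make_db()
    for fn in (search_vulnerable, search_parameterized):
        print(fn.__name__, probe(fn, db, "tavcrm.co.il"))
```

The parameterized version returns nothing for either payload, which is exactly the signal the scanner looks for when deciding a parameter is not injectable; in PHP the equivalent is a PDO prepared statement with bound parameters rather than escaping, and running the application's database user with only the grants it needs limits what a missed concatenation can reach.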

Webforms in Hebrew

10 October 2013 - 11:44 AM

When I set the webform language to Hebrew it is rendered with some random characters, it is not displayed correctly on the page. Is there a way to fix it?


Update the translation on installed system

28 August 2013 - 07:51 PM

Is there a procedure to go through in order to update the translations on an installed system?


Right to Left language

29 April 2013 - 12:57 PM

Hi,

Any directions or known procedure to set the text direction to be RTL when selecting a language like Hebrew? I want the fields, textboxes etc. to be RTL. Any help?