From ec5a81e9166abfbcded5c95a68aa49416b1c6f96 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 23 Dec 2020 12:04:42 +0100
Subject: [PATCH 1/3] Enable missing module
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index e9bf08af57b..dfeb209bfc3 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -403,7 +403,7 @@ script:
 php step5.php 12.0.0 13.0.0 > $TRAVIS_BUILD_DIR/upgrade12001300-3.log
 # Enable modules not enabled into original dump
- php upgrade2.php 0.0.0 0.0.0 MAIN_MODULE_API,MAIN_MODULE_SUPPLIERPROPOSAL,MAIN_MODULE_WEBSITE,MAIN_MODULE_TICKET,MAIN_MODULE_ACCOUNTING,MAIN_MODULE_MRP > $TRAVIS_BUILD_DIR/enablemodule.log
+ php upgrade2.php 0.0.0 0.0.0 MAIN_MODULE_API,MAIN_MODULE_PRODUCTBATCH,MAIN_MODULE_SUPPLIERPROPOSAL,MAIN_MODULE_WEBSITE,MAIN_MODULE_TICKET,MAIN_MODULE_ACCOUNTING,MAIN_MODULE_MRP > $TRAVIS_BUILD_DIR/enablemodule.log
 php upgrade2.php 0.0.0 0.0.0 MAIN_MODULE_RECEPTION,MAIN_MODULE_RECRUITMENT > $TRAVIS_BUILD_DIR/enablemodule.log
 echo $?
 cd -
From bf606ede126f150c78b8c0415c9615d9369e2326 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 23 Dec 2020 13:17:40 +0100
Subject: [PATCH 2/3] Enhance remote ip detection
---
 htdocs/core/lib/functions.lib.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 713da28996e..92114b7c094 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
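Review bot: The modified `php upgrade2.php ... > $TRAVIS_BUILD_DIR/enablemodule.log` line is immediately followed by a second `upgrade2.php` invocation that redirects to the same file with `>`, so the output of the changed call (the one that now enables MAIN_MODULE_PRODUCTBATCH) is overwritten before it can be read from the build log. Changing the second redirect to `>> $TRAVIS_BUILD_DIR/enablemodule.log`, or giving it its own log name, keeps both results. The `echo $?` that follows reports only the second command's exit status, so a failure in the modified line is not surfaced by it either.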
@@ -2887,12 +2887,16 @@ function getUserRemoteIP()
 {
 if (empty($_SERVER['HTTP_X_FORWARDED_FOR']) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER['HTTP_X_FORWARDED_FOR'])) {
 if (empty($_SERVER['HTTP_CLIENT_IP']) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER['HTTP_CLIENT_IP'])) {
- $ip = (empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']);
+ if (empty($_SERVER["HTTP_CF_CONNECTING_IP"])) {
+ $ip = (empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR']); // value may have been forged by client
+ } else {
+ $ip = $_SERVER["HTTP_CF_CONNECTING_IP"]; // value here may have been forged by client
+ }
 } else {
- $ip = $_SERVER['HTTP_CLIENT_IP']; // value is clean here
+ $ip = $_SERVER['HTTP_CLIENT_IP']; // value is clean here but may have been forged by proxy
 }
 } else {
- $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; // value is clean here
+ $ip = $_SERVER['HTTP_X_FORWARDED_FOR']; // value is clean here but may have been forged by proxy
 }
 return $ip;
 }
From b5731290c77e7815341b8e094ba6f906b2bc8f21 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 23 Dec 2020 13:32:44 +0100
Subject: [PATCH 3/3] Fix scope
---
 SECURITY.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/SECURITY.md b/SECURITY.md
index bcc1bd7d9e0..6dc6e0f33b5 100644
--- a/SECURITY.md
+++ b/SECURITY.md
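Review bot: The new `HTTP_CF_CONNECTING_IP` branch returns the header value without the `preg_match('/[^0-9\.\:,\[\]]/', ...)` whitelist that guards the `HTTP_X_FORWARDED_FOR` and `HTTP_CLIENT_IP` branches above it, so any string a client places in that header reaches `$ip` unfiltered, while the other two headers at least fail closed to the next fallback. The minimum fix is to mirror the existing condition, `if (empty($_SERVER["HTTP_CF_CONNECTING_IP"]) || preg_match('/[^0-9\.\:,\[\]]/', $_SERVER["HTTP_CF_CONNECTING_IP"])) {`; a stronger check for every branch is `filter_var($value, FILTER_VALIDATE_IP) !== false`, since the character whitelist still admits comma-separated lists and bracketed forms that are not a single address. Note also that the new header is only consulted when both `X-Forwarded-For` and `Client-IP` are absent, so behind a CDN that sets `X-Forwarded-For` as well (Cloudflare does, as far as I know) the new branch will rarely be reached and the ordering may not match the intent. Since none of these headers can be trusted unless a reverse proxy in front of the application is known to strip and re-set them, a docblock on the function stating that callers must not use the result for access decisions or rate limiting without that guarantee would be more visible than the inline comments the commit adds. Minor: `"HTTP_CF_CONNECTING_IP"` is double-quoted while every other key in the block is single-quoted.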
@@ -60,18 +60,19 @@ ONLY vulnerabilities discovered, when the following setup on test platform is us
 * ONLY security reports on modules provided by default and with the "stable" status are valid (troubles into "experimental", "developement" or external modules are not valid vulnerabilities).
 * The root of web server must link to htdocs and the documents directory must be outside of the web server root (this is the default when using the default installer but may differs with external installer).
 * The web server setup must be done so only the documents directory is in write mode. The root directory called htdocs must be readonly.
-* CSRF attacks are accepted for all when using a POST URL, but when using GET URL, they are validated only for creating or updating data resctricted to the admin user.
+* CSRF attacks are accepted when using a POST URL, but when using GET URL, they are validated only for creating, updating or deleting data resctricted from pages restricted to admin users.
 * Ability for a high level user to edit web site pages into the CMS by including HTML or Javascript is an expected feature. Vulnerabilities into the website module are validated only if HTML or Javascript injection can be done by a non allowed user.
 Scope is the web application (back office) and the APIs.
 ## Qualifying vulnerabilities for Bug bounty programs
+
 * Remote code execution (RCE)
 * Local files access and manipulation (LFI, RFI, XXE, SSRF, XSPA)
 * Code injections (HTML, JS, SQL, PHP, ...)
 * Cross-Site Scripting (XSS)
-* Cross-Site Requests Forgery (CSRF) with real security impact
+* Cross-Site Requests Forgery (CSRF) with real security impact (when using GET URLs, CSRF are qualified only for creating, updating or deleting data from pages restricted to admin users)
 * Open redirect
 * Broken authentication & session management
 * Insecure direct object references
@@ -83,6 +84,7 @@ Scope is the web application (back office) and the APIs.
 ## Non-qualifying vulnerabilities for Bug bounty programs, but qualified for reporting
+
 * "Self" XSS
 * SSL/TLS best practices
 * Denial of Service attacks