lainwir3d/dolibarr
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Minor security fixes

Browse Source
This commit is contained in:
Laurent Destailleur 2020-09-24 16:19:24 +02:00
parent 43783008c1
commit f066da1811
6 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
SECURITY.md
View File

@ -97,19 +97,19 @@ Scope is the web application (back office) and the APIs.
## Non-qualifying vulnerabilities for Bug bounty programs, but qualified for reporting
* "Self" XSS
* Missing cookie flags
* SSL/TLS best practices
* Denial of Service attacks
* Clickjacking/UI redressing
* Physical or social engineering attempts
* Physical or social engineering attempts or issues that require physical access to a victims computer/device
* Presence of autocomplete attribute on web forms
* Vulnerabilities affecting outdated browsers or platforms
* Issues that require physical access to a victims computer/device
* Logout and other instances of low-severity Cross-Site Request Forgery
* Missing cookie flags
* Missing security-related HTTP headers which do not lead directly to a vulnerability
* Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
* Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
* Reports on features flagged as "experimental" or "development"
* Software version disclosure when logged user is admin
* Software version or private IP disclosure when logged user is admin
* Stack traces or path disclosure when logged user is admin
* Any vulnerabilities due to a configuration different than the one defined into chapter "Scope for qualified vulnerabilities".

2
htdocs/accountancy/index.php
View File

@ -38,6 +38,7 @@ if ($user->socid > 0)
// Initialize technical object to manage hooks. Note that conf->hooks_modules contains array of hooks
$hookmanager->initHooks(array('accountancyindex'));
/*
* Actions
*/
@ -54,6 +55,7 @@ if (GETPOST('addbox')) // Add box (when submit is done from a form when ajax dis
if ($result > 0) setEventMessages($langs->trans("BoxAdded"), null);
}
/*
* View
*/

1
htdocs/admin/system/filecheck.php
View File

@ -91,6 +91,7 @@ if (preg_match('/beta|alpha|rc/i', DOL_VERSION) || !empty($conf->global->MAIN_AL
$enableremotecheck = true;
print '<form name="check" action="'.$_SERVER["PHP_SELF"].'">';
print '<input type="hidden" name="token" value="'.newToken().'">';
print $langs->trans("MakeIntegrityAnalysisFrom").':<br>';
print '<!-- for a local check target=local&xmlshortfile=... -->'."\n";
if (dol_is_file($xmlfile))

1
htdocs/core/class/html.formother.class.php
View File

@ -1048,6 +1048,7 @@ class FormOther
// Class Form must have been already loaded
$selectboxlist .= '<!-- Form with select box list -->'."\n";
$selectboxlist .= '<form id="addbox" name="addbox" method="POST" action="'.$_SERVER["PHP_SELF"].'">';
$selectboxlist .= '<input type="hidden" name="token" value="'.newToken().'">';
$selectboxlist .= '<input type="hidden" name="addbox" value="addbox">';
$selectboxlist .= '<input type="hidden" name="userid" value="'.$user->id.'">';
$selectboxlist .= '<input type="hidden" name="areacode" value="'.$areacode.'">';

2
htdocs/theme/eldy/manifest.json.php
View File

@ -41,6 +41,8 @@ require_once __DIR__.'/../../main.inc.php';
$appli = constant('DOL_APPLICATION_TITLE');
if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli = $conf->global->MAIN_APPLICATION_TITLE;
top_httphead('text/json');
?>
{
"name": "<?php echo $appli; ?>",

2
htdocs/theme/md/manifest.json.php
View File

@ -41,6 +41,8 @@ require_once __DIR__.'/../../main.inc.php';
$appli=constant('DOL_APPLICATION_TITLE');
if (!empty($conf->global->MAIN_APPLICATION_TITLE)) $appli=$conf->global->MAIN_APPLICATION_TITLE;
top_httphead('text/json');
?>
{
"name": "<?php echo $appli; ?>",