diff --git a/SECURITY.md b/SECURITY.md
index 06d1407229a..56e1da679ed 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -97,19 +97,19 @@ Scope is the web application (back office) and the APIs.
 ## Non-qualifying vulnerabilities for Bug bounty programs, but qualified for reporting
 * "Self" XSS
-* Missing cookie flags
 * SSL/TLS best practices
 * Denial of Service attacks
 * Clickjacking/UI redressing
-* Physical or social engineering attempts
+* Physical or social engineering attempts or issues that require physical access to a victim’s computer/device
 * Presence of autocomplete attribute on web forms
 * Vulnerabilities affecting outdated browsers or platforms
-* Issues that require physical access to a victim’s computer/device
 * Logout and other instances of low-severity Cross-Site Request Forgery
+* Missing cookie flags
 * Missing security-related HTTP headers which do not lead directly to a vulnerability
 * Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
 * Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)
 * Reports on features flagged as "experimental" or "development"
-* Software version disclosure when logged user is admin
+* Software version or private IP disclosure when logged user is admin
 * Stack traces or path disclosure when logged user is admin
+* Any vulnerabilities due to a configuration different than the one defined into chapter "Scope for qualified vulnerabilities".
diff --git a/htdocs/accountancy/index.php b/htdocs/accountancy/index.php
index 4f6c66ff7d5..80ed833b828 100644
--- a/htdocs/accountancy/index.php
+++ b/htdocs/accountancy/index.php
@@ -38,6 +38,7 @@ if ($user->socid > 0)
 // Initialize technical object to manage hooks. Note that conf->hooks_modules contains array of hooks
 $hookmanager->initHooks(array('accountancyindex'));
+
 /*
  * Actions
  */
@@ -54,6 +55,7 @@ if (GETPOST('addbox')) // Add box (when submit is done from a form when ajax dis
 if ($result > 0) setEventMessages($langs->trans("BoxAdded"), null);
 }
+
 /*
  * View
  */
diff --git a/htdocs/admin/system/filecheck.php b/htdocs/admin/system/filecheck.php
index 88cf39b90a1..a3d54104a02 100644
--- a/htdocs/admin/system/filecheck.php
+++ b/htdocs/admin/system/filecheck.php
@@ -91,6 +91,7 @@ if (preg_match('/beta|alpha|rc/i', DOL_VERSION) || !empty($conf->global->MAIN_AL
 $enableremotecheck = true;
 print '