
Show value of MAIN_SECURITY_CSRF_WITH_TOKEN in setup page

Laurent Destailleur 3 年之前
6c37836b3e
共有 2 個文件被更改,包括 63 次插入60 次删除
  1. 1 2
      SECURITY.md
  2. 62 58
      htdocs/admin/system/security.php

+ 1 - 2
SECURITY.md

@@ -90,9 +90,8 @@ Scope is the web application (back office) and the APIs.
 * Clickjacking/UI redressing
 * Physical or social engineering attempts or issues that require physical access to a victim’s computer/device
 * Presence of autocomplete attribute on web forms
-* Vulnerabilities affecting outdated browsers or platforms
+* Vulnerabilities affecting outdated browsers or platforms, or vulnerabilities inside browsers themself.
 * Logout and other instances of low-severity Cross-Site Request Forgery
-* Missing cookie flags
 * Missing security-related HTTP headers which do not lead directly to a vulnerability
 * Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
 * Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC)

+ 62 - 58
htdocs/admin/system/security.php

@@ -340,8 +340,66 @@ if (empty($out)) {
 }
 
 print '<br>';
+
+
+// Modules/Applications
+
+print '<br>';
+print '<br>';
+print '<br>';
+print load_fiche_titre($langs->trans("Modules"), '', 'folder');
+
+// Module log
+print '<strong>'.$langs->trans("Syslog").'</strong>: ';
+$test = empty($conf->syslog->enabled);
+if ($test) {
+	print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
+} else {
+	if ($conf->global->SYSLOG_LEVEL > LOG_NOTICE) {
+		print img_picto('', 'warning').' '.$langs->trans("ModuleActivatedWithTooHighLogLevel", $langs->transnoentities("Syslog"));
+	} else {
+		print img_picto('', 'tick.png').' '.$langs->trans("ModuleSyslogActivatedButLevelNotTooVerbose", $langs->transnoentities("Syslog"), $conf->global->SYSLOG_LEVEL);
+	}
+	//print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
+}
+print '<br>';
+
+// Module debugbar
+print '<strong>'.$langs->trans("DebugBar").'</strong>: ';
+$test = empty($conf->debugbar->enabled);
+if ($test) {
+	print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
+} else {
+	print img_picto('', 'error').' '.$langs->trans("ModuleActivatedDoNotUseInProduction", $langs->transnoentities("DebugBar"));
+	//print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
+}
+print '<br>';
+
+
+// APIs
+
 print '<br>';
 print '<br>';
+print '<br>';
+print load_fiche_titre($langs->trans("API"), '', 'folder');
+
+if (empty($conf->api->enabled) && empty($conf->webservices->enabled)) {
+	print $langs->trans("APIsAreNotEnabled");
+} else {
+	if (!empty($conf->webservices->enabled)) {
+		print $langs->trans('YouEnableDeprecatedWSAPIsUseRESTAPIsInstead')."<br>\n";
+		print '<br>';
+	}
+	if (!empty($conf->api->enabled)) {
+		print '<strong>API_ENDPOINT_RULES</strong> = '.(empty($conf->global->API_ENDPOINT_RULES) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Example").': endpoint1:1,endpoint2:1,...)</span>' : $conf->global->API_ENDPOINT_RULES)."<br>\n";
+		print '<br>';
+	}
+}
+
+
+print '<br><br>';
+
+
 print '<br>';
 
 
@@ -384,6 +442,10 @@ print '<br>';
 print '<strong>MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES</strong> = '.(empty($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>' : $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES)."<br>";
 print '<br>';
 
+print '<strong>MAIN_SECURITY_CSRF_WITH_TOKEN</strong> = '.(empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>' : $conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)."<br>";
+print '<br>';
+
+
 print '<strong>MAIN_EXEC_USE_POPEN</strong> = ';
 if (empty($conf->global->MAIN_EXEC_USE_POPEN)) {
 	print '<span class="opacitymedium">'.$langs->trans("Undefined").'</span>';
@@ -404,64 +466,6 @@ print "<br>";
 print '<br>';
 
 
-
-// Modules/Applications
-
-print '<br>';
-print '<br>';
-print '<br>';
-print load_fiche_titre($langs->trans("Modules"), '', 'folder');
-
-// Module log
-print '<strong>'.$langs->trans("Syslog").'</strong>: ';
-$test = empty($conf->syslog->enabled);
-if ($test) {
-	print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
-} else {
-	if ($conf->global->SYSLOG_LEVEL > LOG_NOTICE) {
-		print img_picto('', 'warning').' '.$langs->trans("ModuleActivatedWithTooHighLogLevel", $langs->transnoentities("Syslog"));
-	} else {
-		print img_picto('', 'tick.png').' '.$langs->trans("ModuleSyslogActivatedButLevelNotTooVerbose", $langs->transnoentities("Syslog"), $conf->global->SYSLOG_LEVEL);
-	}
-	//print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
-}
-print '<br>';
-
-// Module debugbar
-print '<strong>'.$langs->trans("DebugBar").'</strong>: ';
-$test = empty($conf->debugbar->enabled);
-if ($test) {
-	print img_picto('', 'tick.png').' '.$langs->trans("NotInstalled").' - '.$langs->trans("NotRiskOfLeakWithThis");
-} else {
-	print img_picto('', 'error').' '.$langs->trans("ModuleActivatedDoNotUseInProduction", $langs->transnoentities("DebugBar"));
-	//print ' '.$langs->trans("MoreInformation").' <a href="'.DOL_URL_ROOT.'/admin/system/xdebug.php'.'">XDebug admin page</a>';
-}
-print '<br>';
-
-
-// APIs
-
-print '<br>';
-print '<br>';
-print '<br>';
-print load_fiche_titre($langs->trans("API"), '', 'folder');
-
-if (empty($conf->api->enabled) && empty($conf->webservices->enabled)) {
-	print $langs->trans("APIsAreNotEnabled");
-} else {
-	if (!empty($conf->webservices->enabled)) {
-		print $langs->trans('YouEnableDeprecatedWSAPIsUseRESTAPIsInstead')."<br>\n";
-		print '<br>';
-	}
-	if (!empty($conf->api->enabled)) {
-		print '<strong>API_ENDPOINT_RULES</strong> = '.(empty($conf->global->API_ENDPOINT_RULES) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Example").': endpoint1:1,endpoint2:1,...)</span>' : $conf->global->API_ENDPOINT_RULES)."<br>\n";
-		print '<br>';
-	}
-}
-
-
-print '<br><br>';
-
 // End of page
 llxFooter();
 $db->close();
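Review bot: The new MAIN_SECURITY_CSRF_WITH_TOKEN line in the second hunk tests the constant with `empty()`, so a value explicitly set to `0` (token check deliberately switched off) is reported as "Undefined … (Recommended: 1)" instead of `0`, which is precisely the state an audit page like this should make visible. The neighbouring MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES line behaves the same way, so this may be an accepted convention on the page, but for a setting whose off-state is the risky one I would distinguish unset from zero and escape the echoed value: `print '<strong>MAIN_SECURITY_CSRF_WITH_TOKEN</strong> = '.(!isset($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN) ? '<span class="opacitymedium">'.$langs->trans("Undefined").' &nbsp; ('.$langs->trans("Recommended").': 1)</span>' : dol_escape_htmltag($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN))."<br>";`. If the application substitutes a default when the constant is unset, that effective default is worth printing next to "Undefined" rather than leaving the reader to guess. The unescaped echo also applies to the moved `API_ENDPOINT_RULES` line in the first hunk; both are admin-set constants so the exposure is small, but `dol_escape_htmltag()` costs nothing and keeps the page consistent with its own subject.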