Security in TestLink 1.7.4

The release-related discussions, plans and questions.

Security in TestLink 1.7.4

Postby amitm » Sat Jun 21, 2008 6:48 pm

Hello,

Is it safe to use TestLink 1.7.4 over the Internet? I mean, if I put critical requirements/cases in TestLink and access it without VPN from my home, what are the chances that the data will remain secure?

Rgds,
Amit M
amitm
TestLink user
 
Posts: 5
Joined: Sat Jun 21, 2008 6:46 pm

Postby havlatm » Wed Jun 25, 2008 11:51 am

We implement robust security features. All input data are verified against dangerous characters and more. So, go ahead.

There are additional recommendations:
1. Use the https protocol for access.
2. Don't share the testlink URL on the internet.
3. Set up a backup script to run every day.
4. Configure all directories for temporary files (write access required) to a non-default path. (gui/templates_c/, logs/, upload/)
5. Disable write access for code directories. I recommend using linux/apache.

These recommendations are not mandatory, but they highly decrease the chance of attack.
havlatm
Member of TestLink Community
 
Posts: 940
Joined: Mon Oct 31, 2005 1:24 am
Location: Czech
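The hardening list above (points 4 and 5 in particular) as a POSIX shell audit a defender can run on an install root. This is an added example, not TestLink project code; it assumes the default layout with gui/templates_c/, logs/ and upload/ under the install root, and an install path without whitespace.

```shell
#!/bin/sh
# Permission audit for a TestLink install (added example, not TestLink project
# code). Only the application's scratch directories may be writable; every
# other file under the install root is code and must stay read-only for the
# web server. Assumptions: scratch dirs gui/templates_c/, logs/ and upload/
# sit under the install root (default layout), and the path has no whitespace.

# Directories TestLink legitimately writes to (named in the post above).
TL_WRITABLE_DIRS="gui/templates_c logs upload"

# Lists every file or directory under $1 that is group- or world-writable,
# skipping the scratch directories. Empty output means the code tree is clean.
find_writable_code() {
    root=${1%/}
    find "$root" \
        \( -path "$root/gui/templates_c" -o -path "$root/logs" \
           -o -path "$root/upload" \) -prune -o \
        \( -perm -g+w -o -perm -o+w \) -print
}

# Reports scratch directories that do not exist under $1. When the scratch
# directories have been moved to a non-default path, point this check at
# that path instead of the install root.
missing_scratch_dirs() {
    root=${1%/}
    for d in $TL_WRITABLE_DIRS; do
        [ -d "$root/$d" ] || echo "$root/$d"
    done
}

# Overall audit: prints findings, returns 0 only when there is nothing to fix.
audit_testlink_perms() {
    root=${1:?usage: audit_testlink_perms /path/to/testlink}
    status=0
    bad=$(find_writable_code "$root")
    if [ -n "$bad" ]; then
        echo "WRITABLE CODE (fix with: chmod go-w <path>):"
        echo "$bad"
        status=1
    fi
    miss=$(missing_scratch_dirs "$root")
    if [ -n "$miss" ]; then
        echo "MISSING SCRATCH DIRS:"
        echo "$miss"
        status=1
    fi
    return $status
}
```

Run it as the user that owns the install (for example `audit_testlink_perms /var/www/testlink`) after each upgrade, since unpacking a release archive can reintroduce group-writable files.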

Postby amitm » Wed Jun 25, 2008 12:03 pm

Thanks for the answer. The points mentioned are good.

Best Regards,
Amit M
amitm
TestLink user
 
Posts: 5
Joined: Sat Jun 21, 2008 6:46 pm

Re: But...

Postby marcmir » Mon Jun 29, 2009 7:47 pm

marcmir wrote: How about this article => http ://www.securityfocus.com/bid/32173/references ?

TestLink doesn't seem so safe after reading this.

Just adding more info.
All discussion details are in the links below:

http ://www.securityfocus.com/bid/32173/info , http ://www.securityfocus.com/bid/32173/discuss , http ://www.securityfocus.com/bid/32173/exploit , and http ://www.securityfocus.com/bid/32173/solution .

I am very concerned about this particular issue.
Thanks to anyone who can help/suggest anything!

PLEASE IGNORE THIS MESSAGE!

See in URL http ://www.securityfocus.com/bid/32173/info the text: "Not Vulnerable: TestLink TestLink 1.8 RC1".

And also see in URL http ://www.securityfocus.com/bid/32173/discuss the text: "Versions prior to TestLink 1.8 RC1 are vulnerable.".

Sorry for the confusion.

Admin edit: I disabled links to the unreliable site and removed two repeating texts.
marcmir
TestLink user
 
Posts: 1
Joined: Mon Jun 29, 2009 7:34 pm

Postby havlatm » Mon Jul 20, 2009 10:15 pm

To be clear: securityfocus . com lies.

Unfortunately we have no power to affect some automatic reports. They have a robot for parsing the changelog only. It generates a record in the case that it finds certain terms. However, any closer investigation is out of their interest.

On the other hand, there are a few reports that point to a minor security problem in earlier 1.7 RCs. An attacker needs a valid login anyway to exploit this issue. An external attacker cannot get in if the admin disables free account creation.

This problem is already solved, of course. In addition, we have arranged extra security testing.
havlatm
Member of TestLink Community
 
Posts: 940
Joined: Mon Oct 31, 2005 1:24 am
Location: Czech
