Hello,
Is it safe to use TestLink 1.7.4 over the Internet? I mean, if I put critical requirements/cases in TestLink and access it without VPN from my home, what are the chances that data will remain secure?
Rgds,
Amit M
Security in TestLink 1.7.4
We implement robust security features. All input data are verified against danger characters and more. So, go ahead.
There are additional recommendations:
1. Use the https protocol for access.
2. Don't share the TestLink URL on the Internet.
3. Set up a backup script to run every day.
4. Configure all directories for temporary files (write access required) to a non-default path. (gui/templates_c/, logs/, upload/)
5. Disable write access for code directories. I recommend using Linux/Apache.
These recommendations are not mandatory, but they greatly decrease the chance of attack.
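An added example (not TestLink project code) of how points 4 and 5 of the list above can be applied on Linux: the web root is made read-only, and the three writable directories (templates_c, logs, upload) are created outside it. The install path and data path are assumptions; the TestLink config then has to be pointed at the new paths, and the data directory should be chowned to the web server's group, which needs root and is left out here.

```shell
#!/bin/sh
# Added example, not part of TestLink. Assumed layout:
#   $1 = TestLink web root, e.g. /var/www/testlink
#   $2 = writable data location outside the web root, e.g. /var/lib/testlink
# After running this, point TestLink's config at $2/templates_c, $2/logs and
# $2/upload (the config keys are not named here) and chown $2 to the web
# server's group (needs root, done separately).

harden_testlink() {
  root="$1"
  datadir="$2"

  # Point 5: code directories read-only. Directories keep r-x so the web
  # server can traverse them; files become read-only for everyone.
  find "$root" -type d -exec chmod 555 {} +
  find "$root" -type f -exec chmod 444 {} +

  # Point 4: writable directories live outside the web root. Group write is
  # kept so the web server (in that group) can write; no world access.
  for d in templates_c logs upload; do
    mkdir -p "$datadir/$d"
    chmod 770 "$datadir/$d"
  done
}

# Check: returns 0 when nothing under $1 is group- or world-writable.
# Uses only POSIX find syntax (-perm -mode), so it also works on BSD/macOS.
check_readonly() {
  [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print | head -n 1)" ]
}

# Stand-alone usage on a constructed scratch tree (no real install touched):
#   tmp=$(mktemp -d); mkdir -p "$tmp/app/lib"; echo x > "$tmp/app/lib/a.php"
#   harden_testlink "$tmp/app" "$tmp/data" && check_readonly "$tmp/app" && echo "web root is read-only"
```

Re-run check_readonly after every upgrade, since unpacking a new release into the web root usually restores writable files. Note that chmod alone does not stop a web server that owns the files; the files should belong to a separate deploy user.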
Security in TestLink 1.7.4
Thanks for the answer. The points mentioned are good.
Best Regards,
Amit M
Re: But...
PLEASE IGNORE THIS MESSAGE!
marcmir wrote: Just adding more info.
marcmir wrote: How about this article => http ://www.securityfocus.com/bid/32173/references ?
TestLink doesn't seem so safe after reading this.
All discussion details are in the links below:
http ://www.securityfocus.com/bid/32173/info , http ://www.securityfocus.com/bid/32173/discuss , http ://www.securityfocus.com/bid/32173/exploit , and http ://www.securityfocus.com/bid/32173/solution .
I am very concerned about this particular issue.
Thanks to anyone who can help/suggest anything!
See in URL http ://www.securityfocus.com/bid/32173/info the text: "Not Vulnerable: TestLink TestLink 1.8 RC1".
And also see in URL http ://www.securityfocus.com/bid/32173/discuss the text: "Versions prior to TestLink 1.8 RC1 are vulnerable.".
Sorry for the confusion.
Admin edit: I disabled links to the unreliable site and removed two repeating texts.
to be clear: securityfocus . com lies.
Unfortunately we have no power to affect some automatic reports. They have a robot for parsing the changelog only. It generates a record in case it finds certain terms. However, any closer investigation is out of their interest.
On the other hand there are a few reports that point to a minor security problem in earlier 1.7 RCs. An attacker needs a valid login anyway to exploit this issue. An external attacker cannot get in if the admin disables free account creation.
This problem is already solved, of course. In addition, we have arranged extra security testing.