

Noime

Member Since 17 Feb 2018
Offline Last Active Nov 15 2018 12:44 AM
-----

#15310 Error while trying to search an existing account

Posted by Noime on 15 November 2018 - 12:12 AM

That's a really old bug with X2. It has to do with how some GROUP-BY statements are constructed by the framework, and the problem can raise its head at all different locations.


I silenced the problem by activating some backward-compatibility options for the MySQL daemon. My mysqld.cnf for MySQL version 5.7 has the following lines in the [mysqld] section:

#
# this is to silence X2 group-by errors
#
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

Older mysql versions don't know "sql_mode", but instead have just "mode". In that case the line must look like this. From memory, must be tested.

mode = "STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION"
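The value quoted above is MySQL 5.7's built-in default sql_mode with ONLY_FULL_GROUP_BY removed, which is what stops the GROUP BY errors. Before relying on such a workaround it is worth confirming that the option file actually sets what you think it sets, and that dropping one mode has not also dropped the strict modes. The following checker is an added example, not code from the post or from X2CRM: it reads the [mysqld] section of an option file (handling `sql_mode`, `sql-mode` and the bare `mode` key the post mentions, with or without quotes), and reports what the configured list does and does not enforce. The sample file is constructed here, modelled on the lines in the post.

```python
import re

# Constructed sample option file, modelled on the [mysqld] lines quoted in the post.
SAMPLE_CNF = """\
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock

[mysqld]
user = mysql
#
# this is to silence X2 group-by errors
#
sql_mode = STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
"""

# Keys that set the SQL mode: sql_mode / sql-mode on 5.7, plus the bare "mode" the post
# mentions for older versions.
MODE_KEYS = {"sql_mode", "sql-mode", "mode"}

# Modes you normally want to keep even when ONLY_FULL_GROUP_BY is dropped as a workaround.
STRICT_MODES = {"STRICT_TRANS_TABLES", "STRICT_ALL_TABLES"}
ZERO_DATE_MODES = {"NO_ZERO_DATE", "NO_ZERO_IN_DATE"}


def configured_sql_mode(cnf_text, section="mysqld"):
    """Return the list of SQL modes set in `section`, or None if that section sets none."""
    current = None
    modes = None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            continue
        if current != section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in MODE_KEYS:
            # Strip surrounding quotes (the older "mode" form in the post is quoted).
            value = value.strip().strip("\"'")
            # A later occurrence overrides an earlier one, as mysqld treats repeated options.
            modes = [v.strip().upper() for v in value.split(",") if v.strip()]
    return modes


def review_sql_mode(modes):
    """Summarise what the configured mode list enforces, relative to the GROUP BY workaround."""
    if modes is None:
        # Nothing configured: MySQL 5.7's compiled-in default includes ONLY_FULL_GROUP_BY
        # together with the strict and zero-date modes, so the framework errors remain.
        return {
            "uses_server_default": True,
            "silences_group_by_errors": False,
            "keeps_strict_mode": True,
            "keeps_zero_date_checks": True,
        }
    present = set(modes)
    return {
        "uses_server_default": False,
        "silences_group_by_errors": "ONLY_FULL_GROUP_BY" not in present,
        "keeps_strict_mode": bool(present & STRICT_MODES),
        "keeps_zero_date_checks": ZERO_DATE_MODES <= present,
    }


if __name__ == "__main__":
    modes = configured_sql_mode(SAMPLE_CNF)
    print("configured:", modes)
    for name, ok in review_sql_mode(modes).items():
        print(f"{name}: {ok}")
```

Running it against the sample reports that the GROUP BY errors are silenced while strict mode and the zero-date checks are still in force; if the report shows `keeps_strict_mode: False`, the workaround has gone further than the post intended.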



#15278 secure X2 with fail2ban - anyone ?

Posted by Noime on 08 November 2018 - 01:31 AM

Thanks Peter !


No, no: I don't intend to ban on the notifications. I definitely wasn't clear on this. My two lines are meant to suppress the notification lines in the Apache logs. There is, for a single user, one line per second added to the log. That's huge! It not only bloats the log, it makes fail2ban scan loads of data that are good. I chose to suppress the line on the Apache level instead of with an ignoreregex in fail2ban.


Protecting against brute force login attempts would be nice, but I don't see a 403 on wrong login. But I may try to hack up a new repeat-offender filter that checks for repeated login attempts.


Even better would be if one could rename the login page. If we had this, any attempt to reach index.php/site/login could be regarded as a hacking event.
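The two ideas in this post, ignoring the once-per-second notification polling and counting repeated login attempts per source address, can be tried out on a log excerpt before being turned into a fail2ban filter. The script below is an added example, not code from the post or from X2CRM. It parses Apache combined-format lines, skips the polling traffic, and flags any client that POSTs to index.php/site/login more than a threshold number of times within a sliding window; it counts attempts regardless of response status, because the post notes that a wrong login does not produce a 403. The login path comes from the post; the notification path prefix is an assumed placeholder for whatever polling URL the installation really uses, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log lines: one client polling notifications every second,
# one client hammering the login form, then one more attempt from it much later.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Nov/2018:01:20:01 +0000] "GET /index.php/notifications/get?lastNotifId=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Nov/2018:01:20:02 +0000] "GET /index.php/notifications/get?lastNotifId=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Nov/2018:01:20:03 +0000] "GET /index.php/notifications/get?lastNotifId=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Nov/2018:01:20:10 +0000] "POST /index.php/site/login HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [08/Nov/2018:01:21:00 +0000] "POST /index.php/site/login HTTP/1.1" 200 4321 "-" "python-requests/2.19"
198.51.100.7 - - [08/Nov/2018:01:21:03 +0000] "POST /index.php/site/login HTTP/1.1" 200 4321 "-" "python-requests/2.19"
198.51.100.7 - - [08/Nov/2018:01:21:06 +0000] "POST /index.php/site/login HTTP/1.1" 200 4321 "-" "python-requests/2.19"
198.51.100.7 - - [08/Nov/2018:01:21:09 +0000] "POST /index.php/site/login HTTP/1.1" 200 4321 "-" "python-requests/2.19"
198.51.100.7 - - [08/Nov/2018:01:21:12 +0000] "POST /index.php/site/login HTTP/1.1" 200 4321 "-" "python-requests/2.19"
198.51.100.7 - - [08/Nov/2018:01:21:15 +0000] "POST /index.php/site/login HTTP/1.1" 200 4321 "-" "python-requests/2.19"
198.51.100.7 - - [08/Nov/2018:01:45:00 +0000] "POST /index.php/site/login HTTP/1.1" 200 4321 "-" "python-requests/2.19"
"""

# Only the fields needed here are captured from the combined format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

LOGIN_PATH = "/index.php/site/login"             # named in the post
NOTIFICATION_PREFIX = "/index.php/notifications/"  # ASSUMED placeholder for the polling URL


def parse_line(line):
    """Return ip, time, method, path and status for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop the query string
        "status": int(m.group("status")),
    }


def is_notification_poll(entry):
    """The per-second polling traffic the post suppresses at the Apache level."""
    return entry["method"] == "GET" and entry["path"].startswith(NOTIFICATION_PREFIX)


def repeat_offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each client IP to its highest number of login POSTs inside any `window`,
    keeping only clients that reach `threshold`."""
    attempts = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None or is_notification_poll(entry):
            continue
        if entry["method"] == "POST" and entry["path"] == LOGIN_PATH:
            attempts[entry["ip"]].append(entry["time"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in repeat_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login attempts within the window")
```

On the sample, only 198.51.100.7 is reported, with six attempts: its seventh attempt falls outside the ten-minute window, and the polling client's single login is far below the threshold. The `threshold` and `window` arguments correspond to fail2ban's `maxretry` and `findtime`, so values that look right here can be carried over into a jail definition.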




#14904 GDPR Compliance (EU regulation)

Posted by Noime on 05 June 2018 - 03:11 AM

The quick answer, as far as I understand GDPR, is: No, X2CRM is not compliant.


The long answer, again to my understanding, is that companies need to be compliant.


Compliance is not a software feature, but software can make it easier or harder to comply with GDPR.


Maybe others have a different point of view, and I'd be happy to hear theirs.


Noime




#14846 Error 500: serialized data

Posted by Noime on 03 May 2018 - 04:48 AM

Late to the party ...


Had exactly this same issue; it turned out to be a missing PHP module, mbstring in my case, which was hinted at in protected/runtime/errors.log.