"Add new Webdav user" can chmod and chown entire server from client interface
Through the client interface, I was able to chmod and chown the root directory (/) of my server to web3:client9 and 770 using the "Add new Webdav user" by using ../../../../../../../../../../../../ as a path. This can probably be exploited in some way too.
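The report above describes a classic path traversal: a folder name that is joined to the site's web root without validation, so enough `../` segments collapse to `/` before the server-side chown/chmod runs. The following is an added example, not code from ISPConfig or from the reporter, written in Python rather than the project's PHP. It shows the naive join resolving to the filesystem root, and a hardened variant that allow-lists the folder name and additionally verifies containment after canonicalisation. The `SITE_ROOT` value and the function names are assumptions chosen for illustration.

```python
import os
import re
from typing import Optional

# Constructed site root for the example; real ISPConfig web roots differ.
SITE_ROOT = "/var/www/clients/client9/web3"

# Allow-list for a WebDAV folder name: no slashes, no dots, not empty.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def naive_webdav_dir(site_root: str, user_dir: str) -> str:
    """Vulnerable pattern: trust the user-supplied name and just join it.

    With enough '../' segments normpath clamps the result at '/', which is
    exactly the directory the reporter ended up chowning and chmodding.
    """
    return os.path.normpath(os.path.join(site_root, "webdav", user_dir))


def safe_webdav_dir(site_root: str, user_dir: str) -> Optional[str]:
    """Hardened pattern: return the target directory or None if unsafe.

    Two independent controls (defence in depth):
      1. the folder name must match a strict allow-list, so '..' and '/'
         never get near the path in the first place;
      2. the canonicalised result must still lie inside the site root,
         which catches any future bypass of control 1.
    """
    if not SAFE_NAME.fullmatch(user_dir):
        return None
    root = os.path.normpath(site_root)
    candidate = os.path.normpath(os.path.join(root, "webdav", user_dir))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def main() -> None:
    traversal = "../" * 12          # the reporter's payload shape
    print("naive :", naive_webdav_dir(SITE_ROOT, traversal))   # prints /
    print("safe  :", safe_webdav_dir(SITE_ROOT, traversal))    # prints None
    print("safe  :", safe_webdav_dir(SITE_ROOT, "shared"))     # inside root


if __name__ == "__main__":
    main()
```

The allow-list is the real fix; the containment check exists so that a later change to the naming rules (say, permitting dots) cannot silently reopen the traversal. Any chown/chmod step should only ever be handed the value returned by `safe_webdav_dir`.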
The issue has been fixed in the SVN stable branch on April 4, Revision 3020.
Set the Webdav User Limit to 0 in the client settings to disable the ability of clients to add new webdav users.
Copy the webdav_user_edit.php file that is attached to this post to the directory /usr/local/ispconfig/interface/web/sites/webdav_user_edit.php
The bug is fixed in ISPConfig 184.108.40.206, which will be released on April 10.
To get the latest fixes from svn, including the above bugfix, follow these instructions:
svn export svn://svn.ispconfig.org/ispconfig3/branches/ispconfig-3.0.4
cd ispconfig-3.0.4/install/
php update.php
Attachment webdav_user_edit.php was removed during flyspray import.