ISPConfig 3 issueshttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues2018-01-11T07:17:59Zhttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4894XSS vulnerability in global search2018-01-11T07:17:59ZTill BrehmXSS vulnerability in global searchThe output of the global search function is not filtered correctly.The output of the global search function is not filtered correctly.3.1.10Marius BurkardMarius Burkardhttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4893Stored XSS issue in email name field2018-01-11T07:17:59ZTill BrehmStored XSS issue in email name fieldThere is a stored XSS problem in the email name field in ISPConfig 3 which allows an attacker to inject JS code into the database that gets displayed unfiltered in the ISPConfig dashboard of the client himself, the reseller that this cli...There is a stored XSS problem in the email name field in ISPConfig 3 which allows an attacker to inject JS code into the database that gets displayed unfiltered in the ISPConfig dashboard of the client himself, the reseller that this client belongs to and the admin.
Thank you very much to Fábián Patrik for reporting this issue.3.1.10Marius BurkardMarius Burkardhttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4887Fcgi starter script is editable by client2017-12-16T17:26:57ZChris KesslerFcgi starter script is editable by client## short description
A client may modify his own fcgi starter script in /var/www/php-fcgi*/web and add shell commands resulting in the commands being executed as www-data
## correct behaviour
What should happen instead?
This should not...## short description
A client may modify his own fcgi starter script in /var/www/php-fcgi*/web and add shell commands resulting in the commands being executed as www-data
## correct behaviour
What should happen instead?
This should not be possible
## environment
Deb Jessie w/ apache2
All others untestes3.1.10https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4886Set strict permissions for CGI and fcgi starter files2017-12-16T17:20:07ZTill BrehmSet strict permissions for CGI and fcgi starter filesSet stricter permissions for CGI and fcgi starter files to avoid editing f these files by the web user.Set stricter permissions for CGI and fcgi starter files to avoid editing f these files by the web user.3.1.10https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4884server_ip_add not working by API2018-01-11T07:17:59ZWHOserver_ip_add not working by API## short description
Always getting "ip_error_wrong" (IP is correct).
Reason: $_POST['ip_type'] is empty (***) , but it is in the $params array
function check_server_ip($field_name, $field_value, $validator) {
if($_POST['ip_type'] == 'I...## short description
Always getting "ip_error_wrong" (IP is correct).
Reason: $_POST['ip_type'] is empty (***) , but it is in the $params array
function check_server_ip($field_name, $field_value, $validator) {
if($_POST['ip_type'] == 'IPv4') {
if(!filter_var($field_value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
return $this->get_error($validator['errmsg']);
}
} elseif ($_POST['ip_type'] == 'IPv6') {
if(!filter_var($field_value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
return $this->get_error($validator['errmsg']);
}
} else return $this->get_error($validator['errmsg']); (***)
}
## correct behaviour
-
## environment
Server OS: Debian
Server OS version: Stretch
ISPConfig version: 3.1.93.1.10https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4881option to limit access for remote-user to specified IP(s) / hostname(s)2018-01-11T07:51:50ZFlorian Schaaloption to limit access for remote-user to specified IP(s) / hostname(s)3.1.10https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4880Option to exclude sub/aliasdomains from LetsEncrypt2018-01-04T19:38:48ZMarius BurkardOption to exclude sub/aliasdomains from LetsEncryptBecause of the limit of possible domain names in a single lets encrypt cert it should be possible to exclude a alias domain or subdomain from letsencrypt.Because of the limit of possible domain names in a single lets encrypt cert it should be possible to exclude a alias domain or subdomain from letsencrypt.3.1.10https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4872Extend Apache and Nginx Excludes list2017-12-29T18:21:17ZTill BrehmExtend Apache and Nginx Excludes listBy Chris Kessler:
Apache, in newer releases, has changed the include strings in the configuration to allow 'include_once', the current configuration only filters 'include' and 'load_module', its the same bug i submitted some time ago. A...By Chris Kessler:
Apache, in newer releases, has changed the include strings in the configuration to allow 'include_once', the current configuration only filters 'include' and 'load_module', its the same bug i submitted some time ago. Another thing to watch, is that nginx now supports dynamic modules and nginx-based servers running 1.11.5 and later are vulnerable now as well. The catch on this bug, is that you must know how to compile an apache/nginx module AND that debian is still shipping nginx 1.6.2 in the repo's (at least that's what my servers have)3.1.10Till BrehmTill Brehmhttps://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4448php disabled_functions fastcgi2017-12-13T15:07:07ZBrianphp disabled_functions fastcgiHi, why in ispconfig 3.1 is in php fastcgi wrapper (php-fcgi-starter.master) defined
`-d disabled_functions="" \ `
?
This overwrites all my settings for disabled_functions in php.ini and allow all disabled_functions.
Is reason for th...Hi, why in ispconfig 3.1 is in php fastcgi wrapper (php-fcgi-starter.master) defined
`-d disabled_functions="" \ `
?
This overwrites all my settings for disabled_functions in php.ini and allow all disabled_functions.
Is reason for this? Why is this set like this?3.1.10