ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
Updated: 2020-10-20T12:31:02Z

Issue #5839: Add ciphers for TLSv1 and TLSv1.1 to Postfix
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5839
Updated: 2020-10-20T12:31:02Z
Author: Thom

TLSv1 and TLSv1.1 are added, but without any working ciphers. These ciphers have to be added to the Postfix config.
Related to #5770

Milestone: 3.2.1
Assignee: Marius Burkard

Issue #5350: Insufficient escaping of whitespace in FTP user paths
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5350
Updated: 2019-07-23T20:31:18Z
Author: WHO

Under "Web pages" => "Web access" => "FTP user" => Edit or create new => "Options" => "Directory":
If you store e.g. /var/www/clients/client23/web167/ /root/TEST, the folder TEST will be created in /root/ with the user rights of the FTP account. What is even worse is that the permissions of existing folders are overwritten.

Scope: A valid client login with an active website module and the permission to add FTP users in the client limits is required to access the FTP user path setting.

Note: The original report has been translated to English by ISPConfig developers and the scope information has been added.

Milestone: 3.1.14p2

Issue #5102: Authenticated client local code inclusion issue
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5102
Updated: 2018-08-17T16:53:18Z
Author: Till Brehm

A security vulnerability has been found which allows a client to execute code under the permissions of the ispconfig user.
The following two requirements must be met for this:
- The attacker must have a valid ISPConfig login (Client, Reseller or Admin - username and password).
- The attacker must be able to create a website on the same server where the ISPConfig interface is hosted, or he must have any other kind of local file system access that allows him to upload files to the server where the ISPConfig interface is hosted.
Thank you very much to **Rio Sherri - 0x09AL** for finding and reporting this issue.
We highly recommend installing this update immediately.

Milestone: 3.1.13

Issue #4869: Authenticated local root vulnerability
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4869
Updated: 2017-12-07T06:18:19Z
Author: Chris Kessler

There is an authenticated privilege escalation vulnerability in ISPConfig 3.
An authenticated user or admin may inject arbitrary characters while creating a cron job, resulting in a crontab being executed as the root user.
This has been tested and is known to be working from the API.
A CVE has been requested and is in progress.

Milestone: 3.1.9

Issue #4684: Insufficient privilege check in sites module
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4684
Updated: 2017-06-29T16:02:15Z
Author: Till Brehm

A user that is logged into ISPConfig is able to view contact details of other users due to an insufficient privilege check in a file.

Milestone: 3.1.5
Assignee: Till Brehm

Issue #3812: Insufficient validation of PHP version selector
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3812
Updated: 2017-06-06T11:19:33Z
Author: Till Brehm

The return value of the PHP version selector is not checked correctly in the website form.
Thank you to Timo Boldt https://git.ispconfig.org/u/timo.boldt for reporting this issue!

Milestone: 3.0.5.4p9
Assignee: Till Brehm

Issue #3748: Added db users are not reflected in the dropdown menu of the database creation form
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3748
Updated: 2017-06-06T11:19:33Z
Author: zenny

Hi,
I am on Debian Wheezy with PHP 5.4.45 and ISPConfig 3.0.5p8. The issue is that db users added to an existing client (Sites > Database Users > Add) do not appear in the dropdown menu of the db creation form (Sites > Databases), which prevents creating databases assigned to a specific user of a client.
1. It is not a MySQL root password issue, as I can access (mysql -u root -p) and dump (mysqldump -u root -p database > database.sql) from the command line.
2. I tried to debug by disabling the ispconfig cron job, but /usr/local/ispconfig/server/server.sh runs without any hitches (outputs 'finished' on the command line).
3. I also checked mysql.log, ispconfig.log and the ispconfig cron.log; nothing reported.
Any inputs appreciated! Thanks.
/z

Issue #3151: BIG RFI FLAW ON ISPCONFIG.HU
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3151
Updated: 2017-06-06T11:19:33Z
Author: Anonymous

Hi!
So I have found a big RFI issue on www.ispconfig.hu! With this flaw anyone can deface your website!
link ==> http://ispconfig.hu/index.php?page=http://google.com
Cordially
Anonym

Issue #2910: php code injection over cgi-bin
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2910
Updated: 2017-06-06T11:19:33Z
Author: Filip Krejci

Hi,
We are facing an attack through code injection on cgi-bin...
We have the default ISPConfig configuration done with the tutorial on howtoforge.
http://someserver.com/cgi-bin/php?-d+allow_url_include%3Don+-d+safe_mode%3Doff+-d+suhosin%2Esimulation%3Don+-d+disable_functions%3D%22%22+-d+open_basedir%3Dnone+-d+auto_prepend_file%3Dphp%3A%2F%2Finput+-d+cgi%2Eforce_redirect%3D0+-d+cgi%2Eredirect_status_env%3D0+-n
The workaround is to remove the following from the Apache config:
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Order allow,deny
    Allow from all
</Directory>
Filip

Issue #2779: Clients are able to create users for sites which they do not own
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2779
Updated: 2017-06-06T11:19:33Z
Author: Till Brehm

ISPConfig 3 Security Advisory 2013/08/08
---------------------------------------------------------------------
Summary
A security issue has been found in the sites module which allows customers to create website users for websites which they do not own from within the ISPConfig interface. This issue requires a valid ISPConfig client login and the manipulation of HTTP variables. If a client tries to create a login for a different site, his actions are recorded in the sys_datalog and can be tracked down by the administrator even if he deletes this login again.

Affected versions
All ISPConfig 3 versions < 3.0.5.3

Mitigation
A hotfix for ISPConfig 3.0.5.2 is available at ispconfig.org:
http://www.ispconfig.org/downloads/ispconfig-hotfix-2013-08-08.zip
This hotfix needs to be applied only to servers with an ISPConfig interface; you do not need to apply this patch on slave servers without an ISPConfig interface.

Installation instructions for the hotfix:
Log in to your server as root and execute the following commands:
wget http://www.ispconfig.org/downloads/ispconfig-hotfix-2013-08-08.zip
unzip ispconfig-hotfix-2013-08-08.zip
cd ispconfig-hotfix-2013-08-08/
chmod +x ispconfig-hotfix.sh
./ispconfig-hotfix.sh

In addition to the hotfix, ISPConfig 3.0.5.3 will be released tomorrow (August 09, 2013), which fixes this issue as well.

Credit:
ISPConfig was notified of this issue by researcher Tim Mishutin (ISPConfig forum user: Almere) from SecureHoster (www.securehoster.nl).

Milestone: 3.0.5.3

Issue #1988: SQL Injection Vulnerability
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1988
Updated: 2017-06-06T11:19:33Z
Author: bandie92

In file interface/lib/classes/listform.inc.php on line 155:
$_SESSION['search'][$list_name][$search_prefix.$field] = $_REQUEST[$search_prefix.$field];
and below on line 184:
$sql_where .= " $field ".$i['op']." '".$i['prefix'].$_SESSION['search'][$list_name][$search_prefix.$field].$i['suffix']."' and";
Without input sanitization this may cause the function getSearchSQL() to return an injected SQL WHERE substring!
I put a simple workaround under line 155:
if(preg_match("/['\\\\]/", $_SESSION['search'][$list_name][$search_prefix.$field]))
    $_SESSION['search'][$list_name][$search_prefix.$field] = '';

Milestone: 3.0.4.5
Assignee: Till Brehm

Issue #1931: "Add new Webdav user" can chmod and chown entire server from client interface
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1931
Updated: 2017-06-06T11:19:33Z
Author: hakong

Through the client interface, I was able to chmod and chown the root directory (/) of my server to web3:client9 and 770 using the "Add new Webdav user" by using ../../../../../../../../../../../../ as a path.
This can probably be exploited in some way too.

Milestone: 3.0.4.4

Issue #1648: unexpected character(s) starting with '`'
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1648
Updated: 2017-06-06T11:19:33Z
Author: Adrián

Using ispconfig 3.0.4, dovecot and the sieve filters, when a new filter is created the following line is written in the sieve file:
`test -e "$DEFAULT/.folder.subfolder" && exit 1 || exit 0`
Note that "folder" and "subfolder" are just generic names.
Sieve returns this error, extracted from .sieve.log:
unexpected character(s) starting with '`'
Commenting out that line, I still have problems with:
unexpected character(s) starting with '$'.
related to the line:
if ( $RETURNCODE != 1 )
Regards,
Adrian

Assignee: Fabio Fantoni

Issue #1647: Database gets deleted if an upgrade fails
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1647
Updated: 2017-06-06T11:19:33Z
Author: Ghost User

When upgrading ISPConfig from < 3.0.3 there is a full db update. The update script creates a backup of the current database, but it gets saved in the install/ dir, which is deleted right after update.php has run. If update.php fails, the db is deleted, install/ as well, and you now have a server without the dbispconfig database .. AND NO BACKUP!
Let's move the existing_db.sql out of the install dir?

Issue #1533: creating a jailkit user fails
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1533
Updated: 2017-06-06T11:19:33Z
Author: Justin Albstmeijer

When creating a jailkit user, I cannot log in.
If I check the /etc/passwd entries, the user has not been given the correct shell.
web283:x:5123:5043::/var/clients/client30/web123/./home/web123:/bin/false
random.com:x:5123:5043::/var/clients/client12/web123/./home/random.com:/bin/false
I created two more accounts with the same result.
Here is the log of the initial creation:
17.08.2011-12:14 - DEBUG - Found 1 changes, starting update process.
17.08.2011-12:14 - DEBUG - Replicated from master: REPLACE INTO shell_user (`shell_user_id`,`sys_userid`,`sys_groupid`,`sys_perm_user`,`sys_perm_group`,`sys_perm_other`,`server_id`,`parent_domain_id`,`username`,`password`,`quota_size`,`active`,`puser`,`pgroup`,`shell`,`dir`,`chroot`) VALUES ('179','32','32','riud','riud','','10','283','random.com','$1$it2Sirq4$Ymomt.K6123456twxOCXL.','-1','y','web123','client12','/bin/bash','/var/clients/client12/web123','jailkit')
17.08.2011-12:14 - DEBUG - Calling function 'insert' from plugin 'shelluser_base_plugin' raised by event 'shell_user_insert'.
17.08.2011-12:14 - DEBUG - Executed command: useradd -d /var/clients/client12/web123 -g client12 -o -p \$1\$it2Sirq4\$Ymomt.K6123456twxOCXL. -s /bin/bash -u 5123 random.com
17.08.2011-12:14 - DEBUG - Added shelluser: random.com
17.08.2011-12:14 - DEBUG - Disabling shelluser temporarily: usermod -s /bin/false -L random.com
17.08.2011-12:14 - DEBUG - Calling function 'insert' from plugin 'shelluser_jailkit_plugin' raised by event 'shell_user_insert'.
17.08.2011-12:14 - DEBUG - Added jailkit chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh /var/clients/client12/web123 'basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh'
17.08.2011-12:14 - DEBUG - Added programs to jailkit chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_programs.sh /var/clients/client12/web123 '/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico'
17.08.2011-12:14 - DEBUG - Added bashrc scrpt : /var/clients/client12/web123/etc/bash.bashrc
17.08.2011-12:14 - DEBUG - Added jailkit user to chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_user.sh random.com /var/clients/client12/web123 /home/random.com /bin/bash web123 /home/web123
17.08.2011-12:14 - DEBUG - Added created jailkit user home in : /var/clients/client12/web123/home/random.com
17.08.2011-12:14 - DEBUG - Added created jailkit parent user home in : /var/clients/client12/web123/home/web123
17.08.2011-12:14 - DEBUG - Jailkit Plugin -> insert username:random.com
17.08.2011-12:14 - DEBUG - Processed datalog_id 21819
17.08.2011-12:14 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
17.08.2011-12:15 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
After editing the account, in this case by changing the quota of the shell user, the shell gets fixed and I can log in.
web123:x:5123:5043::/var/clients/client12/web123/./home/web123:/bin/false
jonkers.com:x:5123:5043::/var/clients/client12/web123/./home/jonkers.com:/usr/sbin/jk_chrootsh
Here is the log of the quota change:
17.08.2011-16:32 - DEBUG - Replicated from master: REPLACE INTO shell_user (`shell_user_id`,`sys_userid`,`sys_groupid`,`sys_perm_user`,`sys_perm_group`,`sys_perm_other`,`server_id`,`parent_domain_id`,`username`,`password`,`quota_size`,`active`,`puser`,`pgroup`,`shell`,`dir`,`chroot`) VALUES ('179','32','32','riud','riud','','10','123','random.com','$1$it2Sirq4$Ymomt.K6123456twxOCXL.','1','y','web123','client12','/bin/bash','/var/clients/client12/web123','jailkit')
17.08.2011-16:32 - DEBUG - Calling function 'update' from plugin 'shelluser_base_plugin' raised by event 'shell_user_update'.
17.08.2011-16:32 - DEBUG - Executed command: usermod --home /var/clients/client12/web123 --gid client12 --password \$1\$it2Sirq4\$Ymomt.K6123456twxOCXL. --login random.com random.com
17.08.2011-16:32 - DEBUG - Updated shelluser: random.com
17.08.2011-16:32 - DEBUG - Calling function 'update' from plugin 'shelluser_jailkit_plugin' raised by event 'shell_user_update'.
17.08.2011-16:32 - DEBUG - Added jailkit chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_chroot.sh /var/clients/client12/web123 'basicshell editors extendedshell netutils ssh sftp scp groups jk_lsh'
17.08.2011-16:32 - DEBUG - Added programs to jailkit chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_programs.sh /var/clients/client12/web123 '/usr/bin/groups /usr/bin/id /usr/bin/dircolors /usr/bin/lesspipe /usr/bin/basename /usr/bin/dirname /usr/bin/nano /usr/bin/pico'
17.08.2011-16:32 - DEBUG - Added bashrc scrpt : /var/clients/client12/web123/etc/bash.bashrc
17.08.2011-16:32 - DEBUG - Added jailkit user to chroot with command: /usr/local/ispconfig/server/scripts/create_jailkit_user.sh random.com /var/clients/client12/web123 /home/random.com /bin/bash web123 /home/web123
17.08.2011-16:32 - DEBUG - Added created jailkit user home in : /var/clients/client12/web123/home/random.com
17.08.2011-16:32 - DEBUG - Added created jailkit parent user home in : /var/clients/client12/web123/home/web123
17.08.2011-16:32 - DEBUG - Jailkit Plugin -> update username:random.com
17.08.2011-16:32 - DEBUG - Processed datalog_id 21824
17.08.2011-16:32 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
I have seen this issue with previous versions too.

Milestone: 3.0.4

Issue #1199: Postfix Domain/Hostname configuration
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1199
Updated: 2017-06-06T11:19:33Z
Author: Mathias

After ISPConfig setup the main.cf of Postfix looks like:
mynetworks = 127.0.0.0/8 [::1]/128
mydomain = xxx.de
myhostname = xxx.de
mydestination = xxx.de, localhost, localhost.localdomain
But it should be:
mynetworks = 127.0.0.0/8 [::1]/128
mydomain = xxx.de
myhostname = mx.xxx.de
mydestination = $myhostname, localhost, localhost.$mydomain
Otherwise Postfix bounces the mails and gives an additional warning:
warning: do not list domain xxx.de in BOTH mydestination and virtual_mailbox_domains

Issue #1150: Mirror server FTP issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1150
Updated: 2017-06-06T11:19:33Z
Author: Lauris Neimanis

I have a multi server setup. Server A - master and B - mirror of master. I'm sharing /var/www with GlusterFS. Apache vhosts are working fine from both servers, but I have issues with FTP. All is working great on server A, but on server B I can't log in. I did research and found that /etc/pure-ftpd/db/mysql.conf is causing problems. After changing server_id = '1' in the config file to id = '2' I was able to log in via FTP on server B.

Issue #1144: Mirror server ISPConfig install
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1144
Updated: 2017-06-06T11:19:33Z
Author: Lauris Neimanis

I used this guide http://www.howtoforge.com/perfect-server-debian-lenny-ispconfig3. But I did not share /var/lib/mysql with GlusterFS. Instead I used MySQL master-master replication that replicates all databases except 'mysql' and 'information_schema'. When I installed ISPConfig on the second server, the installer changed the MySQL user 'ispconfig' password on the first server, so I was unable to log in to the ISPConfig web interface. Then I changed the MySQL ispconfig user password on the first server from the file on the first server (/usr/local/ispconfig/interface/lib/config.inc.php).
Then I was able to log in.

Issue #1037: Error in Installer r1728
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1037
Updated: 2017-06-06T11:19:33Z
Author: Torsten Widmann

During installation the following error was shown:
Warning: Invalid argument supplied for foreach() in /tmp/trunk/install/lib/installer_base.lib.php on line 304
SVN Trunk r1728

Issue #818: Mail Relay Problem
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/818
Updated: 2017-06-06T11:19:33Z
Author: Alexander Rehbein

Back to my reported problem that I'm not able to send mails via a mail client like Outlook, Thunderbird, ... Perhaps I've found the problem. I have installed ISPConfig 3.0.1.6 on Debian Lenny. In the database there is no table mail_relay_recipients, but in the Postfix configs there is the mysql-virtual_relayrecipientmaps.cf config with the following content:
user = XXX
password = XXX
dbname = XXX
table = mail_relay_recipients
select_field = access
where_field = source
additional_conditions = and active = 'y' and server_id = 1
hosts = 127.0.0.1
I have replaced the user, password and dbname data with XXX. First, why is this missing? Second, how can I fix this? Third, where can I configure the data for this table in the frontend?