ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
2021-02-02T20:57:39Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5578
security issue when creating ssh users
2021-02-02T20:57:39Z
Kiss Károly

## short description
When creating ssh users with jailkit, it takes a while to create the jail. The user is first created, the shell is disabled
and the password locked. However these actions are done sequentially using separate commands. This leaves a very short time
for attackers to access the server's OS with a valid user and password. It is very hard to exploit but during a security audit our system has been accessed this way, so it is possible.
## correct behaviour
The newly created ssh user should be created with disabled login until the jail is created and login should be enabled after the shell is set to jk_chrootsh.
## environment
Server OS: debian
Server OS version: buster
ISPConfig version: 3.1dev
## proposed fix
add --disable-login to the adduser command and enable
## log entries
```
Apr 1 17:27:02 ispcwebtest02 useradd[14214]: new user: name=c6crash, UID=10033, GID=10033, home=/var/www/clients/client15/web33, shell=/bin/bash
Apr 1 17:27:02 ispcwebtest02 usermod[14229]: change user 'c6crash' shell from '/bin/bash' to '/bin/false'
Apr 1 17:27:02 ispcwebtest02 usermod[14229]: lock user 'c6crash' password
Apr 1 17:27:56 ispcwebtest02 usermod[21527]: change user 'c6crash' home from '/var/www/clients/client15/web33' to '/var/www/clients/client15/web33/./home/c6crash'
Apr 1 17:27:56 ispcwebtest02 usermod[21534]: change user 'c6crash' shell from '/bin/false' to '/usr/sbin/jk_chrootsh'
Apr 1 17:27:56 ispcwebtest02 usermod[21539]: change user 'web33' home from '/var/www/clients/client15/web33' to '/var/www/clients/client15/web33/./home/web33'
Apr 1 17:27:56 ispcwebtest02 usermod[21557]: unlock user 'c6crash' password
```
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5574
Incorrect Template - mysql-virtual_outgoing_bcc.cf and .cf.master
2020-06-10T21:33:49Z
Matt Wright

Hi,
I have updated to ISPConfig-3.1.0.tar.gz - Stable Release.
Afterwards I was having problems with mysql-virtual_outgoing_bcc.cf trying to connect to SQL at loopback. My installation doesn't have any local SQL servers which would account for the failure.
Looking at the install template files within the .gz distribution file it would appear loopback is hard coded instead of using hosts = {mysql_server_database} variable.
in install/tpl folder
cat mysql-virtual_outgoing_bcc.cf
user = {mysql_server_ispconfig_user}
password = {mysql_server_ispconfig_password}
dbname = {mysql_server_database}
table = mail_user
select_field = sender_cc
where_field = email
additional_conditions = and postfix = 'y' and disabledeliver = 'n' and disables$
hosts = **127.0.0.1**
cat mysql-virtual_outgoing_bcc.cf.master
user = {mysql_server_ispconfig_user}
password = {mysql_server_ispconfig_password}
dbname = {mysql_server_database}
table = mail_user
select_field = sender_cc
where_field = email
additional_conditions = and postfix = 'y' and disabledeliver = 'n' and disablesmtp = 'n' and sender_cc != ''
hosts = **127.0.0.1**
cat mysql-virtual_mailboxes.cf.master
user = {mysql_server_ispconfig_user}
password = {mysql_server_ispconfig_password}
dbname = {mysql_server_database}
table = mail_user
select_field = CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/')
where_field = login
additional_conditions = and postfix = 'y' and server_id = {server_id}
hosts = **{mysql_server_ip}**

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5559
Add CAA records via API
2020-06-09T17:17:44Z
cwispy

Can you please add the functions to remote.d/dns.php file and also the Remote User page under system settings? I have added the below to my test server and updated the table directly in the database to confirm it's working, but it would be good to have it added to the core.

```
//* Get record details
public function dns_caa_get($session_id, $primary_id) {
    return $this->dns_rr_get($session_id, $primary_id, 'CAA');
}

//* Add a record
public function dns_caa_add($session_id, $client_id, $params, $update_serial=false) {
    return $this->dns_rr_add($session_id, $client_id, $params, $update_serial, 'CAA');
}

//* Update a record
public function dns_caa_update($session_id, $client_id, $primary_id, $params, $update_serial=false) {
    return $this->dns_rr_update($session_id, $client_id, $primary_id, $params, $update_serial, 'CAA');
}

//* Delete a record
public function dns_caa_delete($session_id, $primary_id, $update_serial=false) {
    return $this->dns_rr_delete($session_id, $primary_id, $update_serial, 'CAA');
}
```
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5554
Log an error when database backup fails.
2020-05-28T17:46:02Z
Till Brehm

Log an error when database backup fails e.g. due to a wrong mysql root password.
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5548
Changing password rspamd does not change through server config
2022-03-01T13:28:35Z
Danny

## short description
trying to change the access password of rspamd GUI through the ISPConfig admin interface. Enabling debug and checking the debuglog after running server.sh gives back no error. Looking at the worker-controller.inc it indeed did not change.
## correct behaviour
Changing the access password of the GUI
## environment
Server OS: Ubuntu
Server OS version: 18.04.4 LTS (Bionic Beaver)
ISPConfig version: 3.1.15p3
## log entries
```
28.02.2020-12:02 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
28.02.2020-12:02 - DEBUG - Found 2 changes, starting update process.
28.02.2020-12:02 - DEBUG - Replicated from master: **QUERY
28.02.2020-12:02 - DEBUG - Calling function 'server_ip' from plugin 'apache2_plugin' raised by event 'server_update'.
28.02.2020-12:02 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
28.02.2020-12:02 - DEBUG - Writing the conf file: /etc/apache2/sites-available/ispconfig.conf
28.02.2020-12:02 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
28.02.2020-12:02 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
28.02.2020-12:02 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
28.02.2020-12:02 - DEBUG - Network configuration disabled in server settings.
28.02.2020-12:02 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
28.02.2020-12:02 - DEBUG - safe_exec cmd: which 'dovecot' 2> /dev/null - return code: 0
28.02.2020-12:02 - DEBUG - Processed datalog_id 5757
28.02.2020-12:02 - DEBUG - Replicated from master: **QUERY
28.02.2020-12:02 - DEBUG - Calling function 'server_ip' from plugin 'apache2_plugin' raised by event 'server_update'.
28.02.2020-12:02 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
28.02.2020-12:02 - DEBUG - Writing the conf file: /etc/apache2/sites-available/ispconfig.conf
28.02.2020-12:02 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
28.02.2020-12:02 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
28.02.2020-12:02 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
28.02.2020-12:02 - DEBUG - Network configuration disabled in server settings.
28.02.2020-12:02 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
28.02.2020-12:02 - DEBUG - safe_exec cmd: which 'dovecot' 2> /dev/null - return code: 0
28.02.2020-12:02 - DEBUG - Processed datalog_id 5758
28.02.2020-12:02 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
28.02.2020-12:02 - DEBUG - Restarting httpd: systemctl restart apache2.service
28.02.2020-12:02 - DEBUG - Calling function 'restartPostfix' from module 'mail_module'.
28.02.2020-12:02 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5545
Password reset form doesn't load correct language file
2020-03-02T09:37:14Z
Suhajda

The login form uses the global language settings:
`$app->load_language_file('web/login/lib/lang/'.$conf["language"].'.lng');`
But the password reset form (password_reset.php) tries to load the language file based on the session:
`include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';`
Since there is no session yet (because the user is not logged in yet) the password reset form is always English. At least this is what I think is the problem. :)
It would be nice that the password reset form loads the correct language file from the global settings as the login form does.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5539
IDN encode domains in Rspamd config file names
2020-07-23T13:48:27Z
Till Brehm

IDN encode domains in Rspamd config file names.
https://forum.howtoforge.de/threads/rspamd-user-filter-warning-action-aborted-file-is-a-symlink.12001/#post-59459
3.2
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5533
spamfilter users form don't allow amavis catchall pattern
2022-08-17T14:19:03Z
Carlos

## What is happening and what is wrong with that?
In the web interface, in spamfilter users form, if in the email pattern I write the amavis catchall "@." pattern (see [https://docs.iredmail.org/amavisd.sql.db.html#lookup_sql_dsn](https://docs.iredmail.org/amavisd.sql.db.html#lookup_sql_dsn)) it is modified on save and replaced by "@"
## What should happen instead?
It should allow to store the catchall pattern
## environment
Server OS: debian
Server OS version: buster
ISPConfig version: 3.1.15p2
## proposed fix
I think we can check if $domain is the amavis pattern "@." to the second line of the method "_idn_encode_decode" on the file "interface/lib/classes/functions.inc.php"
like this
```
private function _idn_encode_decode($domain, $encode = true) {
if($domain == '') return '';
if($domain == '@.') return $domain; //amavis catchall pattern
if(preg_match('/^[0-9\.]+$/', $domain)) return $domain; // may be an ip address - anyway does not need to be encoded
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5523
Can't delete Q&A; CSRF attempt blocked
2020-03-02T09:37:57Z
Thom

When trying to delete a Q&A, I get the error "CSRF attempt blocked", and the Q&A isn't deleted.
ISPConfig version: 3.1.15p2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5521
Allow IPv6 Addresses for xfer and notify in DNS Module
2020-08-10T17:59:28Z
Patrick Omland

In the DNS module for Allow-Transfer, Notify etc. both IPv6 and IPv4 addresses should be allowed.
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5515
API client_template_additional_get always return just one template
2020-01-17T14:06:37Z
WHO

## short description
When two additional client templates are assigned the function client_template_additional_get has always just one entry in result.
## correct behaviour
I would expect all assigned ids in the result array
## environment
Server OS: Debian
Server OS version: (wheezy/trusty/centos6/...)
ISPConfig version: 3.1.15p2
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5513
Rspamd user configuration always add header and rewrite subject regardless of SPAM tag method configured
2020-08-12T13:34:55Z
Fiftyz

## wrong behaviour
Rspamd user configuration generated always include `add header` and `rewrite subject` regardless of SPAM tag method configured in ISPConfig spamfilter policy.
## correct behaviour
Rspamd user configuration generated should include "add header" or/and "rewrite subject" based on SPAM tag method configured in ISPConfig spamfilter policy.
## problem
The problem is caused by the code in `rspamd_plugin::user_settings_update()` from `/server/plugins-available/rspamd_plugin.inc.php`:
```
class rspamd_plugin {
    # (...)
    function user_settings_update($event_name, $data) {
        # (...)
        $tpl->setVar('rspamd_spam_tag_method', floatval($policy['rspamd_spam_tag_method']));
        # (...)
    }
}
```
## proposed fix
`rspamd_spam_tag_method` is a string not a float, so it should be set like this:
```
class rspamd_plugin {
    # (...)
    function user_settings_update($event_name, $data) {
        # (...)
        $tpl->setVar('rspamd_spam_tag_method', $policy['rspamd_spam_tag_method']);
        # (...)
    }
}
```

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5495
Backup Stats menu item shown in user view, even if function is not available to user
2020-07-13T20:38:58Z
Zak

### Feature Request
Remove `Backups Stats` from Statistic menu if option is not available to the user.
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5480
Add conf-custom support for security_settings.ini
2020-05-28T14:53:37Z
Till Brehm

Add conf-custom support for security_settings.ini
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5479
Lost password form and mail not shown localized
2020-06-07T12:45:58Z
Georg Marx

## short description
Lost password form and password reset emails are always in English. Default language setting in ISPConfig is not considered.
Open ispconfig-admin:8080/login/password_reset.php page in Browser. Language is always set to English.
## correct behaviour
Show form and emails in default language as defined in ISPConfig.
## environment
* Lost password function must be active in ISPConfig.
* Default language is not English
## proposed fix
Change in file interface/web/login/password_reset.php in line 46
```
include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$app->functions->check_language($_SESSION['s']['language']).'.lng';
```
to
```
include ISPC_ROOT_PATH.'/web/login/lib/lang/'.$app->functions->check_language($conf['language']).'.lng';
```
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5477
Incomplete translation ./interface/web/mail/lib/lang/de_mail_user.lng
2020-06-08T09:49:02Z
Zak

```
--- ./interface/web/mail/lib/lang/de_mail_user.lng_ 2019-09-05 16:38:08.226559943 +0200
+++ ./interface/web/mail/lib/lang/de_mail_user.lng 2019-12-06 10:16:38.192786309 +0100
@@ -57,9 +57,9 @@
$wb['weekly_backup_txt'] = 'woechentlich';
$wb['monthly_backup_txt'] = 'monatlich';
$wb['cc_note_txt'] = '(Mehrere E-Mail-Adressen mit Kommas trennen)';
-$wb['autoresponder_start_date_is_required'] = 'Start date must be set when Autoresponder is enabled.';
-$wb['sender_cc_txt'] = 'Send outgoing BCC to';
-$wb['sender_cc_error_isemail'] = 'The -Send outgoing copy to- field does not contain a valid email address';
-$wb['sender_cc_note_txt'] = '(Separate multiple email addresses with commas)';
+$wb['autoresponder_start_date_is_required'] = 'Startdatum muss angegeben werden.';
+$wb['sender_cc_txt'] = 'Kopie ausgehender Emails senden an (BCC)';
+$wb['sender_cc_error_isemail'] = '-Kopie ausgehender Emails senden an- Feld enthält keine gültige Emailadresse';
+$wb['sender_cc_note_txt'] = '(Mehrere E-Mail-Adressen mit Kommas trennen)';
$wb['password_click_to_set_txt'] = 'Click to set';
?>
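Review bot: the trailing context line `$wb['password_click_to_set_txt'] = 'Click to set';` is still English after this hunk, so the German file remains partly untranslated; it could be translated in the same change. The new `autoresponder_start_date_is_required` text also drops the condition the English string carried ("when Autoresponder is enabled"), so the message no longer says when the start date is required.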
```
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5468
allow axfr range instead of only ipaddress
2020-08-30T16:18:47Z
commentator

would be nice if we can add an axfr range instead of only ipaddresses.
See also https://www.howtoforge.com/community/threads/axfr-range.82959/#post-395710

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5466
Enable logging for acme.sh
2020-07-23T16:59:59Z
Till Brehm

Enable logging for acme.sh when SSL certs get generated in ISPConfig.
3.2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5464
Use unique id for additional php selection in website
2020-07-27T10:05:39Z
Marius Burkard

We should use an internal unique id for storing website to php version relations instead of using a fixed string. It would solve the issues like #5210 and would also make handling easier.
See also https://www.howtoforge.com/community/threads/php-version-in-additional-php-versions.82961/
3.2
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5463
Allow short form for wildcard DNS records
2020-09-15T13:06:22Z
Tom

## short description
I would like to add a TXT record with name '*' and a value of 'some nice text' to the kovoks.nl domain.
This is rejected as 'invalid name'.
## correct behaviour
This is allowed according to the RFC.
## Workaround
Use '*.kovoks.nl.' as name. This is accepted.
3.2