ISPConfig 3 issues
Feed: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
Feed updated: 2017-06-20T22:34:24Z


Issue #2174: Auto subdomains are ignored when checking if domain is unique
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2174
Updated: 2017-06-20T22:34:24Z
Author: Marius Burkard
Milestone: 3.0.5
Assignee: Marius Burkard

The unique check on saving domains/subdomains/aliasdomains ignores the auto subdomain.
If a domain mydomain.com with auto subdomain www exists, a subdomain www.mydomain.com could be created.


Issue #2169: Domain module does not check for valid selection
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2169
Updated: 2017-06-20T22:34:24Z
Author: Marius Burkard
Milestone: 3.0.5
Assignee: Marius Burkard

If the domain module is active, the domain list is only used for displaying the select boxes.
If you change the select value inside the HTML source (e.g. using Firebug) you can add any domain you want, not just the ones from the domain list.


Issue #2119: Apache log files are in directory owned by web user
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2119
Updated: 2017-06-25T10:54:05Z
Author: Marc Schütz
Milestone: 3.0.5
Assignee: Till Brehm

The apache log files are placed in a directory in /var/log/ispconfig/httpd whose owner/group is set to web*:client*. Although the logfiles themselves are owned by root:root (well, except error.log, which belongs to the web user, too), they can still be deleted and replaced by the user. This might be undesirable from an auditing point of view.

This also opens up the system to various kinds of symlink attacks, as the log files are written to by vlogger (run as root). vlogger _does_ check for symlinks, but its reaction to finding one is simply to die, which makes Apache restart it. This could potentially lead to a high load. More importantly, the check is done in a non-atomic manner, making it circumventable with some effort.

AFAICS, the directory ownership as well as the ownership of error.log can simply be changed to root:root, without breaking any important functionality, thereby evading the above-mentioned problems easily.


Issue #2079: unsafe manipulation of client files allows privilege elevation
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2079
Updated: 2017-06-25T10:54:05Z
Author: Sergey Vlasov
Milestone: 3.0.5
Assignee: Till Brehm

apache2_plugin.inc.php handles client files in unsafe ways in lots of places.

1) The toplevel web site directory is protected only if (optional) jailkit is used; without jailkit any of the default subdirectories (cgi-bin, ssl, tmp, web) can be replaced by symlinks, which then will be used at least as targets for chown and chmod.

2) Even with jailkit, exploiting a race is possible (at least if set_folder_permissions_on_update is enabled, which is the default):

    $this->_exec('chown '.$username.':'.$groupname.' '.escapeshellcmd($data['new']['document_root']));
    // ... lots of operations, including a potentially very long "chown -R .../web"
    if($tmp['number'] > 0 || $tmp2['number'] > 0) {
        $this->_exec('chmod 755 '.escapeshellcmd($data['new']['document_root']));
        $this->_exec('chown root:root '.escapeshellcmd($data['new']['document_root']));
    }

3) SSL key generation may be vulnerable to symlinks in ssl/ (prevented in trunk by "chown root:root .../ssl").

4) web/stats/.htaccess, .htpasswd_stats and any .htaccess and .htpasswd files managed by the folder protection feature can be replaced by symlinks, then the symlink target will be overwritten as root (and then even chowned to the web site user, so that it could write more "appropriate" content there).

5) webdav handling has the same issues with symlinks (the webdav/ directory is owned by the web user).

6) _patchVhostWebdav() inserts filenames directly into the Apache config, but filenames may contain special characters (even including '\n').

7) Because the fastcgi starter _directory_ is owned by the web user (unavoidable due to suexec restrictions), the starter script file might also be replaced by an evil symlink (e.g., by a PHP script with some way to bypass the open_basedir protection), then this file will be overwritten as root.

8) "chown -R" and "chmod -R" commands done on user-writable directories may be unsafe depending on the filesystem layout - they can be exploited to get access to any file on the same filesystem for which the web user has just the +x permission on the containing directory (this is enough to create a hardlink to the file; no permissions to access the file itself are needed).

Enough for now, most likely there are more bugs there...


Issue #2039: Spaces in time definition of CRON lead to non-functional cron file
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2039
Updated: 2017-06-25T10:54:05Z
Author: Marius Burkard
Milestone: 3.0.5
Assignee: Marius Burkard

Spaces need to be deleted before cron save, because they are ignored on validation but lead to a non-functional cron file.
Storing minute / hour / etc. values like "1, 23, 26" (with spaces) is allowed in validation and interface but leads to a completely blocked crontab file and to non-functional cron jobs of the whole client.


Issue #1847: App installer
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1847
Updated: 2017-06-25T10:54:05Z
Author: Till Brehm
Milestone: 3.0.5
Assignee: Till Brehm

Add an APP installer for applications like Joomla, Typo3, Wordpress etc.


Issue #1845: Extend Traffic quota system
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1845
Updated: 2017-06-25T10:54:05Z
Author: Till Brehm
Milestone: 3.0.5
Assignee: Till Brehm

- Extend the traffic quota system so that it can send warnings to the client and / or administrator.
- Sort traffic quota statistics by domain.
- Add a row at the end of the list which sums up all traffic of a column.

This feature is sponsored by Hans-Jürgen Praschl, EDV & Datenservice, www.praschl.eu


Issue #2432: Problem when changing a mysql user password
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2432
Updated: 2017-11-10T15:23:48Z
Author: Till Brehm
Milestone: 3.0.5

http://www.howtoforge.de/forum/entwicklerforum-15/3-0-5-mysql-userpasswort-aendern-6588/


Issue #2431: Check if php-fpm uses a wrong document root in websites
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2431
Updated: 2017-11-10T15:23:48Z
Author: Till Brehm
Milestone: 3.0.5

http://www.howtoforge.de/forum/entwicklerforum-15/php-fpm-apache-fehler-6589/


Issue #2428: System -> Apps & Addons -> Updates: no functionality
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2428
Updated: 2017-11-10T15:23:48Z
Author: MK
Milestone: 3.0.5

Clicking on it doesn't do anything. If it only shows up if packages are installed, I'd hide it since the user expects something to happen.
Version: 3.0.5 RC2


Issue #2427: custom app vhost conf not taken
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2427
Updated: 2017-11-10T15:23:48Z
Author: MK
Milestone: 3.0.5

Customized apache app vhost in conf-custom is not taken. Works for other things like vhost.conf.master however.
Version: 3.0.5 RC2


Issue #2425: Delete Addon Package: Invalid ID
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2425
Updated: 2017-11-10T15:23:48Z
Author: MK
Milestone: 3.0.5

Clicking the delete button in the list of available addons throws: Invalid ID
Version: 3.0.5 RC2


Issue #2423: apache cant read .htpasswd_stats
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2423
Updated: 2017-11-10T15:23:48Z
Author: Thomas
Milestone: 3.0.5

Hi, tried today to open my /stats and could not log into the folder.
In the logfile I only got:

    user admin: authentication failure for "/stats/": Password Mismatch

I figured out that the problem lies somewhere in the permissions ispconfig sets.
When I copy the .htpasswd_stats to /tmp and change the path in the .htaccess file I can log into the page.
Would it not be better to configure a special path for all htpasswd files (for all websites) and do the setup in the apache vhost file with the directory directive, for more security?

    Make sure that the AuthUserFile is stored outside the document tree of the web-server. Do not put it in the directory that it protects. Otherwise, clients may be able to download the AuthUserFile.

https://httpd.apache.org/docs/2.2/mod/mod_authn_file.html

Version I use is 3.0.5 RC2


Issue #2422: RC2 :: APS Installer :: APP installed to incorrect location when installed to site alias
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2422
Updated: 2017-11-10T15:23:50Z
Author: alun
Milestone: 3.0.5

[issue]
Create website (web10) for client (client2) - testsite.com
Create alias for testsite.com - testsite.servernameblah.com
In APS Installer, install APP (e.g. wordpress or other), choose ALIAS "testsite.servernameblah.com" for 'Install location'
APP files are installed in incorrect location '/var/www/client0/web11/web' NOT in the expected location '/var/www/client2/web10/web'
'/var/www/client0/web11/web' files are orphaned, inaccessible and not deleted when APP is removed

[expected behaviour]
APP files should be installed to correct client+site location

[suggested fix]
Fix APS Installer to install in correct location OR remove aliases from 'Install location' drop down.

Regards,
Alun.


Issue #2419: OpenSUSE 12.2: no group called "list"
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2419
Updated: 2017-11-10T15:23:50Z
Author: Falko Timme (f.timme@timmehosting.de)
Milestone: 3.0.5

Got that error during installation because there is no group called "list"; there is a group called "mailman", however.

    Email Address []:
    PHP Warning: chgrp(): Unable to find gid for list in /tmp/ispconfig-3.0.5/install/lib/installer_base.lib.php on line 579
    Configuring Jailkit


Issue #2418: Changing DB user password does not make it to mysql
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2418
Updated: 2017-11-10T15:23:50Z
Author: alun
Milestone: 3.0.5

Create new DB user with password; Create new DB; Assign DB user to DB; - All OK
Edit DB user and change password; password not changed in mysql, can no longer access DB or phpmyadmin, must delete DB user and start again.


Issue #2417: Reseller changing to client if "username" is clicked
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2417
Updated: 2017-11-10T15:23:50Z
Author: alun
Milestone: 3.0.5

Create new reseller, then on 'Edit Reseller'.
The entire row is a clickable link (e.g. ID, Company name, Username, Country) to edit this specific item.
Clicking on the ID, Company name or Country link takes you to the "Reseller" edit page - all OK.
However, clicking on the Username link takes you to the "Client" edit page; saving this will change the Reseller to a Client! Which is rather confusing and inconsistent.

Regards,
Alun.


Issue #2416: App installation causes changes PHP setting to FastCGI
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2416
Updated: 2017-11-10T15:23:50Z
Author: alun
Milestone: 3.0.5

3.0.5 RC2 on Apache / Ubuntu 12.04 64bit
If I create a site and set it to use PHP-FPM, the site is configured and uses PHP-FPM successfully. When I then install an app using the app installer (e.g. Wordpress), the PHP setting is changed to FastCGI, thus the site no longer uses PHP-FPM. I must then re-edit the site and reconfigure it back to PHP-FPM.


Issue #2414: OpenVZ: Bind mounts in /etc/fstab after reboot?
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2414
Updated: 2017-11-10T15:23:50Z
Author: Falko Timme (f.timme@timmehosting.de)
Milestone: 3.0.5

We need to check if the bind mounts stay in /etc/fstab even after a reboot in an OpenVZ container.


Issue #2412: Check for missing translation strings in monitor
URL: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2412
Updated: 2017-11-10T15:23:50Z
Author: Till Brehm
Milestone: 3.0.5

http://www.howtoforge.de/forum/33962-post6.html