ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
2017-06-06T11:19:33Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2779
Clients are able to create users for sites which they do not own
2017-06-06T11:19:33Z
Till Brehm

ISPConfig 3 Security Advisory 2013/08/08
---------------------------------------------------------------------
Summary
A security issue has been found in the sites module which allows customers to create website users
for websites which they do not own from within the ISPConfig interface. This issue requires a valid
ISPConfig client login and the manipulation of HTTP variables. If a client tries to create a
login for a different site, his actions are recorded in the sys_datalog and can be tracked down
by the administrator even if he deletes this login again.
Affected versions
All ISPConfig 3 versions < 3.0.5.3
Mitigation
A hotfix for ISPConfig 3.0.5.2 is available at ispconfig.org:
http://www.ispconfig.org/downloads/ispconfig-hotfix-2013-08-08.zip
This hotfix needs to be applied only to servers with an ISPConfig interface; you do not need to apply this patch on slave servers without an ISPConfig interface.
Installation instructions for the hotfix:
Login to your server as root and execute the following commands:
wget http://www.ispconfig.org/downloads/ispconfig-hotfix-2013-08-08.zip
unzip ispconfig-hotfix-2013-08-08.zip
cd ispconfig-hotfix-2013-08-08/
chmod +x ispconfig-hotfix.sh
./ispconfig-hotfix.sh
In addition to the hotfix, ISPConfig 3.0.5.3 will be released tomorrow
(August 09. 2013) which fixes this issue as well.
Credit:
ISPConfig was notified of this issue by researcher Tim Mishutin (ISPConfig forum user: Almere)
from SecureHoster (www.securehoster.nl).
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2776
Filters check
2017-08-10T20:14:18Z
Tim

If you change the value of the filter (inspect element in Chrome, and then change the value of the select box) to "-1", you will get the MySQL error, which means bad validation of the incoming data...
Solution:
file: /usr/local/ispconfig/interface/lib/classes/listform.inc.php
Function: getPagingSQL
After code ( line ~197 ):
if(!empty($_POST['search_limit']) AND $app->functions->intval($_POST['search_limit'])){
    $_SESSION['search']['limit'] = $app->functions->intval($_POST['search_limit']);
}
Add:
// Fall back to the default page size unless the stored limit is a plain non-negative integer
if(!preg_match('{^[0-9]+$}',$_SESSION['search']['limit'])){
    $_SESSION['search']['limit'] = 15;
}
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2771
Make Update and Installation compatible with PHP 5.5
2017-08-10T20:14:20Z
Falko Timme
f.timme@timmehosting.de

During Update:
PHP Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /tmp/ispconfig-3.0.5/install/lib/mysql.lib.php on line 78
3.0.5.3
Falko Timme
f.timme@timmehosting.de

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2759
PHP 5.5 installer deprecated message
2017-08-10T20:14:20Z
Frank

Debian 7.0 with PHP 5.5
I get a deprecated message while running install.php.
PHP Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in /test/ispconfig3_install/install/lib/mysql.lib.php on line 78
3.0.5.3
Falko Timme
f.timme@timmehosting.de

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2754
Empty sql backups
2017-08-10T20:14:20Z
Till Brehm

Reported by email:
"Hey,
Just checked one of our servers and found that the sql backup files were empty, running the backup manually prints the following error:
mysqldump: Got error: 1045: Access denied for user 'root'@'localhost' (using password: YES) when trying to connect
echo'ing the command out shows that the escapeshellcmd is escaping characters in the password which is causing for the password to be changed. To sanitize the password we only should need to ensure that any terminating quotes are escaped.
addcslashes should work for our this :)"
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2749
ISPConfig admin user can't create Full cron jobs
2017-08-10T20:14:20Z
Frank Abel Cancio Bello

Hi all,
In the UI there is no way to change the "Max. type of cron jobs" for the admin user, and the default value is set to chrooted. Because of this, the admin user can't create Full cron jobs; I can only create chrooted cron jobs.
Until this problem is solved, could you point me to where I can change that value in the database?
Thanks in advance
Frank
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2744
Default servers and client template
2018-12-15T18:15:05Z
Ernest Dan

Client templates do not have any default server option.
Those options still show when creating or editing an user, but can not be modified as long as a client-template is used.
This dramatically reduces the usefulness of client-templates in a multi-server environment.
It would be nice to either be able to set the user's default servers despite using a client-template or be able to define them in the client-template.
3.0.5.3
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2741
FTP user home directories not created on website top level
2017-08-10T20:14:20Z
Marius Burkard

When creating or changing an FTP user, its home directory is not created if it is a directory in the website's document root.
This is due to the website protection that protects the document root.
3.0.5.3
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2734
Undefined variable error in cron_daily.php
2017-08-10T20:14:20Z
Torben Nehmer

With every execution of cron_daily.php I get this error in ISPConfig's Cron Log:
PHP Notice: Undefined variable: append in /usr/local/ispconfig/server/cron_daily.php on line 267
3.0.5.3
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2725
getphpfastcgi in sites/ajax_get_json.php does not honor client_id
2017-11-10T15:23:27Z
Klaus Röckelein

A client can use all configured additional PHP versions for a specific server in his website settings, even if the additional PHP versions are restricted to specific clients.
At some point (line 73 in my original file) in sites/ajax_get_json.php it says:
$php_records = $app->db->queryAllRecords("SELECT * FROM server_php WHERE php_fastcgi_binary != '' AND php_fastcgi_ini_dir != '' AND server_id = $server_id");
(same behavior for $php_type == 'php-fpm')
This statement selects all additional php versions for the selected webserver and does not make use of field client_id in server_php table.
If there is more than one additional PHP version with the same name, the last entry in the table will be used.
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2724
Error when using filters
2017-11-10T15:23:27Z
Matt Dinsdale

I'm getting this error when selecting a filter on the iptables. It's also happened on one or two others. It occurs when I try to filter to just show a server from the list.
#0 db->query(SELECT server_ip.* FROM server_ip LEFT JOIN server as s ON server_ip.server_id = s.server_id WHERE server_id like '%2%' ORDER BY s.server_name, s.server_name, ip_address LIMIT 0, 15) called at [/usr/local/ispconfig/interface/lib/classes/db_mysql.inc.php:158]
#1 db->queryAllRecords(SELECT server_ip.* FROM server_ip LEFT JOIN server as s ON server_ip.server_id = s.server_id WHERE server_id like '%2%' ORDER BY s.server_name, s.server_name, ip_address LIMIT 0, 15) called at [/usr/local/ispconfig/interface/lib/classes/listform_actions.inc.php:88]
#2 listform_actions->onLoad() called at [/usr/local/ispconfig/interface/web/admin/server_ip_list.php:51]
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2717
Add debian wheezy to Linux list in ispconfig
2018-12-15T18:15:05Z
Till Brehm

Add Debian Wheezy to the Linux list in ISPConfig so it's not reported as Debian unknown version in the monitor.
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2714
PHP 5.5 compatibility
2017-11-10T15:23:28Z
Timo Heissenbüttel

Since updating to PHP 5.5 I get deprecated messages while running server.sh manually:
/usr/local/ispconfig/server/server.sh
/usr/bin/fail2ban-client
/sbin/iptables
/sbin/ip6tables
PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /usr/local/ispconfig/server/lib/classes/tpl.inc.php on line 933
PHP Deprecated: preg_replace(): The /e modifier is deprecated, use preg_replace_callback instead in /usr/local/ispconfig/server/lib/classes/tpl.inc.php on line 933
finished.
3.0.5.3
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2712
IPv6 Display field in Site configuration too short
2017-11-10T15:23:28Z
Torben Nehmer

The display/edit field in the site configuration for IPv6 addresses is too short, you cannot see the full IP:
http://www.nehmer.net/~torben/screenshots/2013-06-19%2015.06.46.png
This isn't even a long address:
2001:xxx:xxxx::xx:xx
But even that one gets hidden before the end.
This is only a display problem.
(BTW: in the IP dropdowns it would be great if the owner of the IP address is listed as well.)
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2709
Insecure permissions on SSL Key Files
2017-06-25T10:54:05Z
Torben Nehmer

SSL Key Files uploaded via the Web Interfaces have insecure permissions, they are world readable. Instead, they should be restricted to root. The Keys have been uploaded by pasting *both* key and certificate into the web interface and using the "Save Certificate" option. The Key file has not been created by ISPConfig (i.e. existing key/cert pairs).
Using current ISPConfig with Debian Wheezy, installed as per the "Perfect Server Setup" on Howtoforge.
The result:
root@isp:/var/www# ls */ssl -la
foo.bar/ssl:
insgesamt 16
drwxr-xr-x 2 root root 4096 Jun 18 13:52 .
drwxr-xr-x 9 root root 4096 Jun 18 13:47 ..
-rw-r--r-- 1 root root 2086 Jun 18 13:52 foo.bar.crt
-rw-r--r-- 1 root root 3294 Jun 18 13:52 foo.bar.key
foo.baz/ssl:
insgesamt 16
drwxr-xr-x 2 root root 4096 Jun 14 22:00 .
drwxr-xr-x 9 root root 4096 Jun 14 21:59 ..
-rw-r--r-- 1 root root 2084 Jun 14 22:00 foo.baz.crt
-rw-r--r-- 1 root root 3294 Jun 14 22:00 foo.baz.key
If you need more information, please let me know.
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2706
Cron filter SQL error
2017-11-10T15:23:30Z
Frank

When I filter on the cron tab for a Website I got an error with an empty table.
#0 db->query(SELECT cron.* FROM cron LEFT JOIN web_domain as wd ON cron.parent_domain_id = wd.domain_id WHERE parent_domain_id = '17' ORDER BY wd.domain LIMIT 0, 15) called at [/usr/local/ispconfig/interface/lib/classes/db_mysql.inc.php:158]
#1 db->queryAllRecords(SELECT cron.* FROM cron LEFT JOIN web_domain as wd ON cron.parent_domain_id = wd.domain_id WHERE parent_domain_id = '17' ORDER BY wd.domain LIMIT 0, 15) called at [/usr/local/ispconfig/interface/lib/classes/listform_actions.inc.php:88]
#2 listform_actions->onLoad() called at [/usr/local/ispconfig/interface/web/sites/cron_list.php:20]
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2700
sql error, sorting websites after servers, after selected a server
2017-11-10T15:23:30Z
Søren Ressel

Hello,
If I show all websites, then select a webserver in the server list, and then choose to sort by servers, ISPConfig shows me the following error.
#0 db->query(SELECT web_domain.* FROM web_domain LEFT JOIN server as s ON web_domain.server_id = s.server_id WHERE type = 'vhost' AND parent_domain_id = '0' and server_id = '14' ORDER BY s.server_name, domain LIMIT 0, 15) called at [/usr/local/ispconfig/interface/lib/classes/db_mysql.inc.php:158]
#1 db->queryAllRecords(SELECT web_domain.* FROM web_domain LEFT JOIN server as s ON web_domain.server_id = s.server_id WHERE type = 'vhost' AND parent_domain_id = '0' and server_id = '14' ORDER BY s.server_name, domain LIMIT 0, 15) called at [/usr/local/ispconfig/interface/lib/classes/listform_actions.inc.php:88]
#2 listform_actions->onLoad() called at [/usr/local/ispconfig/interface/web/sites/web_domain_list.php:57]
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2694
To be researched: switching a site to another client may break the site under some circumstances
2017-11-10T15:23:30Z
Till Brehm

Bug report
"If you create a domain without a client assigned and later assign the client to the domain, the website doesn’t work anymore and you need to delete it and recreate it (and restore the backup)."
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2692
Add a new variable "has_items" in nav.php when a menu contains menu items
2018-12-15T18:15:05Z
Till Brehm

Add a new variable "has_items" in nav.php when a menu contains menu items
http://www.howtoforge.de/forum/feature-requests-14/optimierung-der-templates-6969/
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2690
Chrome: Strict MIME type checking
2017-11-10T15:23:30Z
MK

Login page doesn't display on newest chrome:
Refused to execute script from 'https://xxx/js/scrigo.js.php' because its MIME type ('text/html') is not executable, and strict MIME type checking is enabled.
3.0.5.3
Marius Burkard