Status: Closed
Opened Aug 08, 2013 by Till Brehm (@tbrehm, Owner)

Clients are able to create users for sites which they do not own

ISPConfig 3 Security Advisory 2013/08/08

Summary

A security issue has been found in the sites module that allows a customer to create website users for websites they do not own from within the ISPConfig interface. Exploiting it requires a valid ISPConfig client login and the manipulation of HTTP request variables. Any attempt by a client to create a login for a site belonging to someone else is recorded in the sys_datalog, so the administrator can trace it even if the client deletes the login again.
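To make the flaw and the audit trail concrete, the following is an added example written for this page; it is not ISPConfig code and the table and column names (web_domain, web_user, sys_datalog with sys_groupid, parent_domain_id, dbtable, action, data) are simplified assumptions modelled on the advisory, not the real schema. It shows a handler that trusts the submitted parent_domain_id (the pattern the advisory describes), the same handler with a server-side ownership check, and an administrator query over sys_datalog that still finds the rogue login after the client has deleted it.

```python
import json
import sqlite3
import time

# Constructed, simplified model of three ISPConfig tables. Column names are
# assumptions chosen for this example, not a copy of the real schema.
SCHEMA = """
CREATE TABLE web_domain (domain_id INTEGER PRIMARY KEY, sys_groupid INTEGER, domain TEXT);
CREATE TABLE web_user   (webuser_id INTEGER PRIMARY KEY AUTOINCREMENT, sys_groupid INTEGER,
                         parent_domain_id INTEGER, username TEXT);
CREATE TABLE sys_datalog(datalog_id INTEGER PRIMARY KEY AUTOINCREMENT, dbtable TEXT,
                         dbidx TEXT, action TEXT, tstamp INTEGER, user TEXT, data TEXT);
"""


def open_db():
    """In-memory DB with constructed sample data: client group 10 owns
    example.com, client group 20 owns victim.net."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO web_domain VALUES (?, ?, ?)",
                   [(1, 10, "example.com"), (2, 20, "victim.net")])
    return db


def datalog(db, dbtable, dbidx, action, user, record):
    """Append an audit row ('i' insert / 'd' delete). The record is stored as
    JSON here; the real table serialises it differently, the idea is the same."""
    db.execute("INSERT INTO sys_datalog (dbtable, dbidx, action, tstamp, user, data)"
               " VALUES (?, ?, ?, ?, ?, ?)",
               (dbtable, str(dbidx), action, int(time.time()), user, json.dumps(record)))


def _insert_web_user(db, session, parent_domain_id, username):
    record = {"sys_groupid": session["groupid"], "parent_domain_id": parent_domain_id,
              "username": username}
    cur = db.execute("INSERT INTO web_user (sys_groupid, parent_domain_id, username)"
                     " VALUES (?, ?, ?)", (record["sys_groupid"], parent_domain_id, username))
    datalog(db, "web_user", cur.lastrowid, "i", session["username"], record)
    return cur.lastrowid


def create_web_user_vulnerable(db, session, form):
    """Flawed pattern the advisory describes: the parent_domain_id form field is
    trusted as-is, so a client can attach a new login to any domain_id."""
    return _insert_web_user(db, session, int(form["parent_domain_id"]), form["username"])


def create_web_user_hardened(db, session, form):
    """Server-side ownership check: the parent domain must belong to the caller's
    client group (admins may manage any site). The form never decides ownership."""
    parent_domain_id = int(form["parent_domain_id"])
    row = db.execute("SELECT sys_groupid FROM web_domain WHERE domain_id = ?",
                     (parent_domain_id,)).fetchone()
    if row is None or (not session["is_admin"] and row[0] != session["groupid"]):
        raise PermissionError(
            f"group {session['groupid']} may not create users on domain {parent_domain_id}")
    return _insert_web_user(db, session, parent_domain_id, form["username"])


def delete_web_user(db, session, webuser_id):
    """Deleting the login leaves the 'i' datalog row behind, which is what lets
    an administrator reconstruct the abuse afterwards."""
    db.execute("DELETE FROM web_user WHERE webuser_id = ?", (webuser_id,))
    datalog(db, "web_user", webuser_id, "d", session["username"], {"webuser_id": webuser_id})


def suspicious_web_user_creations(db):
    """Administrator audit: every web_user insert in sys_datalog whose parent
    domain is owned by a different group than the record's own sys_groupid."""
    hits = []
    query = ("SELECT datalog_id, user, data FROM sys_datalog"
             " WHERE dbtable = 'web_user' AND action = 'i'")
    for datalog_id, user, data in db.execute(query):
        rec = json.loads(data)
        owner = db.execute("SELECT sys_groupid, domain FROM web_domain WHERE domain_id = ?",
                           (rec["parent_domain_id"],)).fetchone()
        if owner is not None and owner[0] != rec["sys_groupid"]:
            hits.append((datalog_id, user, rec["username"], owner[1]))
    return hits


def demo():
    db = open_db()
    client_a = {"username": "client_a", "groupid": 10, "is_admin": False}
    # Legitimate request: client A adds a login to its own site.
    create_web_user_vulnerable(db, client_a, {"parent_domain_id": "1", "username": "web1_alice"})
    # Tampered request: client A rewrites parent_domain_id to client B's victim.net.
    rogue = create_web_user_vulnerable(db, client_a, {"parent_domain_id": "2", "username": "web2_rogue"})
    delete_web_user(db, client_a, rogue)  # attacker cleans up; the datalog keeps the trail
    # The same tampered request against the hardened handler is refused.
    try:
        create_web_user_hardened(db, client_a, {"parent_domain_id": "2", "username": "web2_rogue"})
        blocked = False
    except PermissionError:
        blocked = True
    return blocked, suspicious_web_user_creations(db)


if __name__ == "__main__":
    print(demo())
```

The ownership check deliberately queries web_domain by the submitted id and compares the stored owner group against the session, rather than filtering a dropdown on the client side: hidden fields and select lists are attacker-controlled, only the server's own records are not. The audit query compares the group stored on the created record with the group that owns the parent domain, which is exactly the inconsistency a tampered request leaves behind.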

Affected versions

All ISPConfig 3 versions < 3.0.5.3

Mitigation

A hotfix for ISPConfig 3.0.5.2 is available at ispconfig.org:

http://www.ispconfig.org/downloads/ispconfig-hotfix-2013-08-08.zip

This hotfix only needs to be applied to servers that run the ISPConfig interface; slave servers without an ISPConfig interface do not need it.

Installation instructions for the hotfix:

Login to your server as root and execute the following commands:

wget http://www.ispconfig.org/downloads/ispconfig-hotfix-2013-08-08.zip
unzip ispconfig-hotfix-2013-08-08.zip
cd ispconfig-hotfix-2013-08-08/
chmod +x ispconfig-hotfix.sh
./ispconfig-hotfix.sh

In addition to the hotfix, ISPConfig 3.0.5.3 will be released tomorrow (August 09, 2013) and fixes this issue as well.

Credit:

ISPConfig was notified of this issue by researcher Tim Mishutin (ISPConfig forum user: Almere) from SecureHoster (www.securehoster.nl).

Milestone: 3.0.5.3
Reference: ispconfig/ispconfig3#2779