ISPConfig 3 issues
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
2017-06-20T22:34:24Z

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3557
ispconfig 3.0.5.4p5 authenticated user local root vulnerability
2017-06-20T22:34:24Z
Chris Kessler
Insecure default permissions of an amavisd configuration file can be used to gain access to the ISPConfig database. This can lead to an authenticated local root vulnerability.
The attacker needs shell access or the ability to run scripts on the server that runs the amavis daemon for this attack.
3.0.5.4p6
Till Brehm

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3536
Redirect variable in capp.php script not sanitized correctly.
2017-06-20T22:34:24Z
Till Brehm
An XSS vulnerability has been found in the ISPConfig 3 module changer script. The vulnerability requires a valid user login to ISPConfig, unauthenticated users are not affected.
Vulnerable versions:
All recent ISPConfig 3 releases.
Fix:
A patch for ISPConfig 3.0.5.4p5 is available through the ISPConfig patch tool.
Patch Installation:
Run the command:
ispconfig_patch
as root user on the shell and enter:
3054_capp
as patch code. The patch tool will download the patch from
ispconfig.org and apply it.
Credits:
We thank Alain Homewood for informing us about this issue.
Alain Homewood
PwC New Zealand
http://www.pwc.co.nz/services/assurance-services/pwc-security/
3.0.5.4p6

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3296
Wrong perms on protected statistics folder
2017-06-20T22:34:25Z
Antonio Gutiérrez -Dapda-
Hi!
On creating the web statistics username and password, the files .htaccess and .htpasswd_stats are created with the wrong perms.
-rwxr-x--x 1 root root 128 ago 13 01:06 .htaccess
-rwxr-x--x 1 root root 40 ago 12 12:11 .htpasswd_stats
With these perms, www-data (apache) can't read these files.
On 3.0.5.4p1 it works well.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3258
ISPConfig 3 Local root vulnerability
2017-06-20T22:34:25Z
Chris Kessler
Hello,
There exists a local root vulnerability leveraged by authenticated admin users of the panel.
This affects version 3.0.54p1
Please email admin@freeshells.org for further details.
Public exploit is planned for release 8/2/14
3.0.5.4p2

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3162
Email Templates not saving
2017-06-20T22:34:25Z
Zap
Email Templates not saving

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3023
APS permissions bug
2017-06-25T10:54:05Z
Tim
It's now possible to install the APS package to the website of somebody else because of the bug in the code:
/interface/web/sites/aps_install_package.php
// Get domain list
$domains = array();
$domain_for_user = '';
if(!$adminflag) $domain_for_user = "AND (sys_userid = '".$app->db->quote($_SESSION['s']['user']['userid'])."'
OR sys_groupid = '".$app->db->quote($_SESSION['s']['user']['userid'])."' )";
Must be:
// Get domain list
$domains = array();
$domain_for_user = '';
if(!$adminflag) $domain_for_user = "AND (sys_userid = '".$app->db->quote($_SESSION['s']['user']['userid'])."'
OR sys_groupid = '".$app->db->quote($_SESSION['s']['user']['default_group'])."' )";
3.0.5.4

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/3020
Shell User Options - ERROR You have no permission for this domain.
2017-06-25T10:54:05Z
doekia
Submitting changes in the Shell User Options or switching back to the Shell User Tab failed.
The bug is the same as #3089 on the Shell User panel.
Revamping the patch as with Patch ID: 3053_ftpuser fixes the issue.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2869
SSL Key File insecure after replacement
2017-06-25T10:54:05Z
Torben Nehmer
When adding keys, the file permissions are now ok, however, when replacing the private key with another, newer key, the backup file's permissions are still insecure:
root@nathan:/var/www/clients/client1/web43/ssl# ls -l
insgesamt 12
-rw-r--r-- 1 root root 2086 Okt 7 22:03 isp.nehmer.net.crt
-r-------- 1 root root 3294 Okt 7 22:03 isp.nehmer.net.key
-rw-r--r-- 1 root root 3243 Okt 7 22:03 isp.nehmer.net.key~
3.0.5.4

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2709
Insecure permissions on SSL Key Files
2017-06-25T10:54:05Z
Torben Nehmer
SSL Key Files uploaded via the Web Interfaces have insecure permissions, they are world readable. Instead, they should be restricted to root. The Keys have been uploaded by pasting *both* key and certificate into the web interface and using the "Save Certificate" option. The Key file has not been created by ISPConfig (i.e. existing key/cert pairs).
Using current ISPConfig with Debian Wheezy, installed as per the "Perfect Server Setup" on Howtoforge.
The result:
root@isp:/var/www# ls */ssl -la
foo.bar/ssl:
insgesamt 16
drwxr-xr-x 2 root root 4096 Jun 18 13:52 .
drwxr-xr-x 9 root root 4096 Jun 18 13:47 ..
-rw-r--r-- 1 root root 2086 Jun 18 13:52 foo.bar.crt
-rw-r--r-- 1 root root 3294 Jun 18 13:52 foo.bar.key
foo.baz/ssl:
insgesamt 16
drwxr-xr-x 2 root root 4096 Jun 14 22:00 .
drwxr-xr-x 9 root root 4096 Jun 14 21:59 ..
-rw-r--r-- 1 root root 2084 Jun 14 22:00 foo.baz.crt
-rw-r--r-- 1 root root 3294 Jun 14 22:00 foo.baz.key
If you need more information, please let me know.
3.0.5.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2481
DNS-Error on recordpage after Upgrade from 3.0.4.6 to 3.0.5.1
2017-06-25T10:54:05Z
Marc Hofmann
After Upgrading it is not possible to enter the recordpage of the DNS-Screen of an already existing DNS-Domain. Getting error-msg: ERROR Also notify: Please use an IP address. Worked fine before.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2434
Login to ispconfig failed after updating from 3.0.3.3 to 3.0.5 on debian lenny
2017-06-25T10:54:05Z
Jerome
Hi,
I have a Debian lenny ISP CONFIG server in 3.0.3.3 version.
I just started the update, which worked fine.
But, now, I can't login to my ispconfig panel since I always have a "Username or Password wrong".
When I type my login/password, the request seems very long and after about 15 seconds, I get the message.
I see no errors in apache logs.
I can give you full access to the server if you need to have a look (it's an old production server which is no longer used :-)
3.0.5.1
Till Brehm

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2390
Wrong ISPConfig DB management behavior when in master/slave configuration
2017-06-25T10:54:05Z
Lukas Cerny
DB users and databases are created on master and also on slave ISPConfig server even though DB service on slave ISPConfig is disabled. I would expect that DBs will be created only on master server.
Slave ISPConfig server is on the master ISPConfig configured in the following way:
Enabled services: DNS
Is mirror of server: (master ISPConfig)
Active: Yes
Both instances were configured exactly as described in this howto: http://www.howtoforge.com/how-to-run-your-own-dns-servers-primary-and-secondary-with-ispconfig-3-debian-squeeze

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2119
Apache log files are in directory owned by web user
2017-06-25T10:54:05Z
Marc Schütz
The apache log files are placed in a directory in /var/log/ispconfig/httpd whose owner/group is set to web*:client*. Although the logfiles themselves are owned by root:root (well, except error.log, which belongs to the web user, too), they can still be deleted and replaced by the user. This might be undesirable from an auditing point of view.
This also opens up the system to various kinds of symlink attacks, as the log files are written to by vlogger (run as root). vlogger _does_ check for symlinks, but its reaction to finding one is simply to die, which makes Apache restart it. This could potentially lead to a high load. More importantly, the check is done in a non-atomic manner, making it circumventable with some effort.
AFAICS, the directory ownership as well as the ownership of error.log can simply be changed to root:root, without breaking any important functionality, thereby evading the above-mentioned problems easily.
3.0.5
Till Brehm

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2080
Autoresponder does not work
2017-06-25T10:54:05Z
Necdet Tenekeci
Autoresponder feature doesn't work on one of my servers. ISP Config version is 3.0.4.2 and OS is Ubuntu 10.10

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2079
unsafe manipulation of client files allows privilege elevation
2017-06-25T10:54:05Z
Sergey Vlasov
apache2_plugin.inc.php handles client files in unsafe ways in lots of places.
1) The toplevel web site directory is protected only if (optional) jailkit is used; without jailkit any of the default subdirectories (cgi-bin, ssl, tmp, web) can be replaced by symlinks, which then will be used at least as targets for chown and chmod.
2) Even with jailkit exploiting a race is possible (at least if set_folder_permissions_on_update is enabled, which is the default):
$this->_exec('chown '.$username.':'.$groupname.' '.escapeshellcmd($data['new']['document_root']));
// ... lots of operations, including a potentially very long "chown -R .../web"
if($tmp['number'] > 0 || $tmp2['number'] > 0) {
$this->_exec('chmod 755 '.escapeshellcmd($data['new']['document_root']));
$this->_exec('chown root:root '.escapeshellcmd($data['new']['document_root']));
}
3) SSL key generation may be vulnerable to symlinks in ssl/ (prevented in trunk by "chown root:root .../ssl").
4) web/stats/.htaccess, .htpasswd_stats and any .htaccess and .htpasswd files managed by the folder protection feature can be replaced by symlinks, then the symlink target will be overwritten as root (and then even chowned to the web site user, so that it could write more "appropriate" content there).
5) webdav handling has the same issues with symlinks (the webdav/ directory is owned by the web user).
6) _patchVhostWebdav() inserts filenames directly into the Apache config, but filenames may contain special characters (even including '\n').
7) Because the fastcgi starter _directory_ is owned by the web user (unavoidable due to suexec restrictions), the starter script file might also be replaced by an evil symlink (e.g., by a PHP script with some way to bypass the open_basedir protection), then this file will be overwritten as root.
8) "chown -R" and "chmod -R" commands done on user-writable directories may be unsafe depending on the filesystem layout - they can be exploited to get access to any file on the same filesystem for which the web user has just the +x permission on the containing directory (this is enough to create a hardlink to the file, no permissions to access the file itself is needed).
Enough for now, most likely there are more bugs there...
3.0.5
Till Brehm

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2039
Spaces in time definition of CRON lead to non-functional cron file
2017-06-25T10:54:05Z
Marius Burkard
Spaces need to be deleted before cron save, because they are ignored on validation but lead to a non-functional cron file.
Storing minute / hour / etc. values like "1, 23, 26" (with spaces) is allowed in validation and interface but leads to a completely blocked crontab file and to non-functional cron jobs of the whole client.
3.0.5
Marius Burkard

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/2023
Reseller creates things with our own prefix for users not using user prefix.
2017-06-25T10:54:05Z
Rodrigo Moglia (Interatia)
Confirmed on ISPConfig Version: 3.0.4.5 this resource stops working.
On database creation act system using reseller prefix dot final client prefix.

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1812
SOAP API won't work
2017-06-25T10:54:05Z
Xaver Maierhofer
http://www.howtoforge.com/forums/showthread.php?p=270826
Problem found: Empty lines in db_mysql -> if I remove these lines it works again

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1774
fetchmail repeated retrieval of emails
2017-06-25T10:54:06Z
Ralf Schlatterbeck
After upgrade (from 3.0.3.X to 3.0.4.2) we had an issue of a fetchmail setting that caused repeated retrieval (more than 20.000 mails) of the same emails.
The offending account had
- Delete emails after retrieval: *NOT* set
- Retrieve all emails (incl. read mails): set
This combination should be made illegal and on upgrade an appropriate action should be taken if the combination is encountered.
I have not found out why this combination did not cause problems in the past, it surfaced only after upgrade to 3.0.4.2
3.0.4.3

https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/1722
Domain Rename Causes Vhost error
2017-06-25T10:54:06Z
Buddy R
After upgrading my ISPconfig 3 install to 3.0.4 (and now to 3.0.4.1), I have a problem after I change a domain name of a Website. After changing the domain name, the vhost does not change appropriately or something and the web server throws an error because /etc/init.d/apache2 won't load correctly due to an error about not finding the vhost file in /etc/apache2/sites-enabled.
I then have to go in and manually delete the old vhost file associated with the domain name before I changed it - and then apache2 comes back, but I still have to rename the symlink on the server.
Before the upgrade, when I edited a domain name of a website, everything worked fine.
3.0.4.2