Client can activate SSL for IP * and override the certificate of ISP-Config
Problem: A client can activate SSL for IP-Address "*" and generate or upload a certificate. This cert overrides the ISP-Config cert for the frontend, since the vhost site configuration for the client website is added after the ISP-Config vhost in Apache.
Also the client can activate SSL for multiple websites with IP-Address "*".
Recommendation: Check whether an IP-Address has been selected/assigned to the website. If not, reject the SSL setting.
Environment:
- two servers with ISP-Config 3.0.4.1 and Debian 6.0.3
- no mirroring configured
- IP-Address of server1 configured in ISP-Config
- no IP-Address of server2 configured
- ISP-Config frontend configured with SSL
- server2 (w/o IP-Address) has been assigned to client
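The recommended check, together with an audit for vhosts that already exist, as an added example that is not ISP-Config code. The function names, host names and paths are assumptions made for illustration; the Apache config is a constructed sample, and only the literal "*" address from this report is treated as a wildcard.

```python
import re

# Constructed sample config; every name, address and path is made up.
SAMPLE_CONF = """\
<VirtualHost 192.0.2.1:443>
    ServerName panel.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/example/panel.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName client1.example.test
    SSLEngine on
    SSLCertificateFile /var/www/client1/ssl/client1.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName client2.example.test
    SSLEngine on
    SSLCertificateFile /var/www/client2/ssl/client2.crt
</VirtualHost>
<VirtualHost *:80>
    ServerName client3.example.test
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)

def _directive(body, name):
    """Return the first argument of an uncommented directive, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(\S+)", body, re.I | re.M)
    return m.group(1) if m else None

def wildcard_ssl_vhosts(conf):
    """List (ServerName, address, certificate) for SSL vhosts bound to '*'."""
    findings = []
    for m in VHOST_RE.finditer(conf):
        body = m.group(2)
        if (_directive(body, "SSLEngine") or "").lower() != "on":
            continue  # no SSL on this vhost, so no certificate conflict
        for addr in m.group(1).split():
            host, sep, _port = addr.rpartition(":")
            if (host if sep else addr) == "*":
                findings.append((_directive(body, "ServerName"), addr,
                                 _directive(body, "SSLCertificateFile")))
    return findings

def ssl_setting_allowed(ip_address, ssl_enabled):
    """Hypothetical form-side check: SSL needs a concrete IP, not '' or '*'."""
    return (not ssl_enabled) or ip_address.strip() not in ("", "*")
```
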