"Add new Webdav user" can chmod and chown entire server from client interface
Through the client interface, I was able to chmod and chown the root directory (/) of my server to web3:client9 and 770 with "Add new Webdav user" by using ../../../../../../../../../../../../ as a path. This can probably be exploited in some way too.
Milestone changed to 18.104.22.168
The issue has been fixed in SVN stable branch on April 4, Revision 3020.
Set the Webdav User Limit to 0 in Client settings to disable the ability of clients to add new webdav users.
Copy the webdav_user_edit.php file that is attached to this post to the directory /usr/local/ispconfig/interface/web/sites/webdav_user_edit.php
The Bug is fixed in ISPConfig 22.214.171.124 which will be released on April 10.
To get the latest fixes from svn incl. the above bugfix, follow these instructions:
svn export svn://svn.ispconfig.org/ispconfig3/branches/ispconfig-3.0.4
cd ispconfig-3.0.4/install/
php update.php

Attachment webdav_user_edit.php was removed during flyspray import.
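
Added example, not ISPConfig's code and not the fix from revision 3020: one way to check that a client-supplied directory such as the one in this report stays inside the site's base directory before any chown/chmod is applied. The base directory, the function names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: containment check for a client-supplied directory.
// Function names and the base directory are hypothetical.

// Collapse "." and ".." lexically; null if ".." would climb above the start.
function normalize_relative(string $path): ?string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') {
            if (array_pop($out) === null) return null; // would leave the base
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out);
}

// Returns the absolute target path if it stays inside $base, otherwise null.
function resolve_inside_base(string $base, string $userPath): ?string {
    if (strpos($userPath, "\0") !== false) return null;
    $rel = normalize_relative($userPath);
    $realBase = realpath($base);
    if ($rel === null || $realBase === false) return null;
    $target = rtrim($realBase, '/') . ($rel === '' ? '' : '/' . $rel);
    // The directory may not exist yet, so realpath() the deepest existing
    // ancestor to catch symlinks that point outside the base.
    $probe = $target;
    while (!file_exists($probe) && !is_link($probe) && $probe !== dirname($probe)) {
        $probe = dirname($probe);
    }
    $realProbe = realpath($probe);
    if ($realProbe === false) return null;
    if ($realProbe !== $realBase && strpos($realProbe, $realBase . '/') !== 0) {
        return null;
    }
    return $target;
}

// Constructed demo: a temporary directory stands in for the site's web root.
$base = sys_get_temp_dir() . '/web3_demo_' . getmypid();
@mkdir($base . '/webdav', 0770, true);
foreach (['webdav/newuser', './webdav/../webdav',
          '../../../../../../../../../../../../', 'webdav/../../etc'] as $in) {
    $r = resolve_inside_base($base, $in);
    printf("%-40s => %s\n", $in, $r === null ? 'REJECTED' : $r);
}
@rmdir($base . '/webdav');
@rmdir($base);
```

The check only says the path was inside the base at the moment it was tested; the privileged chown/chmod should run on the returned path, not on the raw input.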