Current time: 05-25-2020, 08:31 PM Hello There, Guest! (LoginRegister)


Post Reply 
Correcion BUG en ISPCP
Author Message
kurgans Offline
Moderator
*****
Moderators

Posts: 1,565
Joined: Feb 2008
Reputation: 23
Post: #1
Correcion BUG en ISPCP
Dear ispCP Community,

on Friday, 23. Jul. Laurent Declerq discovered a security hole in the
client/sql_auth.php file.
This hole allows a client to access other customer's databases without
knowing the password. All released ispCP Omega versions are affected.

We strongly recommend to fix this hole to protect your clients' data.

You will find a patch for against ispCP 1.0.5 attached to ticket #2410
(http://isp-control.net/ispcp/ticket/2410).

Sorry for any inconvenience caused.

Best Regards,
Benedikt Heintel

ispCP Project Manager
(This post was last modified: 07-26-2010 10:51 PM by kurgans.)
07-26-2010 10:45 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Nuxwin
Unregistered

 
Post: #2
RE: Correcion BUG en ISPCP
Declercq, not declerq Wink
07-26-2010 11:27 PM
Quote this message in a reply
kurgans Offline
Moderator
*****
Moderators

Posts: 1,565
Joined: Feb 2008
Reputation: 23
Post: #3
RE: Correcion BUG en ISPCP
Fri, 30 Jul 20

Dear ispCP Community,

Today we discovered another fault, this time in the ispCP Omega Engine
if DEBUG is set to 1 in ispcp.conf. (System default is 0.)

On Database backup the password for the ispCP database user is shown and
logged in clear text, while logs are world readable.
It is recommended to fix this bug by either set DEBUG to 0 or use the
patch attached to ticket 2411.

You can find the related ticket here:
http://isp-control.net/ispcp/ticket/2411

We apologize for any inconvenience caused.
(This post was last modified: 07-30-2010 05:04 PM by kurgans.)
07-30-2010 05:03 PM
Visit this user's website Find all posts by this user Quote this message in a reply
kurgans Offline
Moderator
*****
Moderators

Posts: 1,565
Joined: Feb 2008
Reputation: 23
Post: #4
RE: Correcion BUG en ISPCP
today another critical security issue has been found. All ispCP Omega versions are effected.
It is possible to use the ispCP Client Backup Manager to restore forged backups and - in worst case - gain control over the server system.

We strongly recommend to fix the described security issue by disabling the backup restore routine. For this open the ispcp-dmn-mngr in /var/www/ispcp/engine/ and search for

sub dmn_restore_data {

add

exit 1;

directly in the next line.

We try to deliver a patch as fast as possible. You can follow the status in ticket: http://isp-control.net/ispcp/ticket/2440
08-30-2010 04:47 PM
Visit this user's website Find all posts by this user Quote this message in a reply
kurgans Offline
Moderator
*****
Moderators

Posts: 1,565
Joined: Feb 2008
Reputation: 23
Post: #5
RE: Correcion BUG en ISPCP
Dear Readers,

We have fixed the ispCP security issue discovered this week. For your
convenience we are releasing a patch against ispCP Omega 1.0.6 and will
also work with version 1.0.5.

It is strongly advised that you apply the attached patch. Remember to
delete the "exit 1;" command after "sub dmn_restore_data {".

After the patch has been applied successfully, run the backup manager to
change the permission of all backup folders and files to read only for
all users except the root user. To run the backup manager type the
following command in your server command line:

/var/www/ispcp/engine/backup/ispcp-backup-all yes

Please visit http://isp-control.net/ispcp/ticket/2440 for more information.
08-31-2010 09:15 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)