ispCP Omega 1.0.5 Security Announcement II

[RatS]

Dear all,

Today we discovered another potential fault, this time in the ispCP Omega Engine. This security fix only affects installations where DEBUG is switched on in ispcp.conf. By default this functionality is disabled, if you have not enabled it then this security announcement does not affect you.

The details of the security fix are, on Database backup the password for the ispCP database user is revealed and logged in clear text without obfuscation.

To secure your installation, it is recommended to either set DEBUG to 0 or use the
patch attached to ticket 2411.

We apologise for any inconvenience caused.

[Nuxwin]

Dear ispCP users ;

An Identical security hole was discovered today in these scripts:

engine/backup/ispcp-backup-all
engine/backup/ispcp-backup-ispcp

The patch attached to the ticket #2411 was updated today.

Also, it's recommended to remove all the /var/log/ispcp/* log after fixing this security hole by setting debug mode to 0, or by applying the patch. For versions prior to ispCP 1.0.5, it's strongly recommended to migrate and to apply the patch.

Note: For the last script, it's really more important because this time, it's the main SQL account login (eg. SQL root account) credentials that is stored in cleartext.

We apologize for any inconvenience caused.