Current time: 09-21-2014, 04:04 PM Hello There, Guest! (LoginRegister)


Post Reply 
ispCP Omega 1.0.5 Security Announcement II
Author Message
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #1
Exclamation ispCP Omega 1.0.5 Security Announcement II
Dear all,

Today we discovered another potential fault, this time in the ispCP Omega Engine. This security fix only affects installations where DEBUG is switched on in ispcp.conf. By default this functionality is disabled, if you have not enabled it then this security announcement does not affect you.

The details of the security fix are, on Database backup the password for the ispCP database user is revealed and logged in clear text without obfuscation.

To secure your installation, it is recommended to either set DEBUG to 0 or use the
patch attached to ticket 2411.

We apologise for any inconvenience caused.
(This post was last modified: 07-31-2010 12:21 AM by BioALIEN.)
07-30-2010 08:20 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Nuxwin
Unregistered

 
Post: #2
RE: ispCP Omega 1.0.5 Security Announcement II
Dear ispCP users ;

An Identical security hole was discovered today in these scripts:

engine/backup/ispcp-backup-all
engine/backup/ispcp-backup-ispcp

The patch attached to the ticket #2411 was updated today.

Also, it's recommended to remove all the /var/log/ispcp/* log after fixing this security hole by setting debug mode to 0, or by applying the patch. For versions prior to ispCP 1.0.5, it's strongly recommended to migrate and to apply the patch.

Note: For the last script, it's really more important because this time, it's the main SQL account login (eg. SQL root account) credentials that is stored in cleartext.

We apologize for any inconvenience caused.
07-30-2010 06:01 PM
Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)