ispCP Omega 1.0.3 Security Announcement
Author Message
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #1
ispCP Omega 1.0.3 Security Announcement
Sometimes not even the best testing helps to find all remaining bugs in software, and this time it's a security issue we overlooked in ispCP ω 1.0.3.

If you have already installed ispCP ω 1.0.3 on your server, get our security fix.
Just follow these instructions (as root):

Code:
# cd /var/www/ispcp/engine/setup
# wget -O- 'http://www.isp-control.net/ispcp/raw-attachment/ticket/2112/permission-fix.tar.gz' | tar -xzv
# ./set-gui-permissions.sh
# ./set-engine-permissions.sh

Otherwise, if you have not yet installed ispCP ω 1.0.3, please proceed to our downloads page and download the latest released version of ispCP ω 1.0.3-1. An update is strongly recommended, because all prior versions of ispCP ω contain this security hole.
Besides the security fix, ispCP ω 1.0.3-1 eliminates those situations where it was not possible to install ispCP Omega for some reason.

ispCP ω 1.0.3-1 does not implement any new features or bugfixes. There is no need to install ispCP ω 1.0.3-1 on a running ispCP ω 1.0.3. (Please don't forget the security fix!)

ispCP Omega is an open source solution to all your web hosting needs. You can download the latest stable release from the downloads section. Before you download ispCP, please browse through our comprehensive ispCP documentation section and review the System Requirements, Installing ispCP, Frequently Asked Questions and HowTo's.
12-24-2009 11:32 AM
RatS Offline
Post: #2
RE: ispCP Omega 1.0.3 Security Announcement
Although I announced that the security fix will only work on ispCP Omega 1.0.3, it might work with ispCP Omega 1.0.0 RC6 and later too. We did not test it!
12-24-2009 11:36 AM
RatS Offline
Post: #3
RE: ispCP Omega 1.0.3 Security Announcement
To provide some more info about the security hole:

Due to the standard permission settings, it is possible to read the ispCP key files, the MySQL password (in ispcp.conf) and to decode all customer passwords in the database. Access to the system (SSH, FTP) is required.
(This post was last modified: 12-24-2009 07:25 PM by RatS.)
12-24-2009 07:25 PM
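The condition described in post #3 (configuration and key files readable by any local account) can be checked with a short audit. The shell functions below are an added example, not part of the original posts and not the contents of the project's permission-fix scripts. The paths to check are supplied by the caller, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not ispCP code. Paths are caller-supplied assumptions.

# scan ROOT ACTION...: apply a find action to every regular file under ROOT
# that has the "other" read bit set. Directories that "other" cannot enter
# are pruned, since files below them are not reachable by that route.
# Ancestors of ROOT itself are not examined.
scan() {
    scan_root=$1; shift
    find "$scan_root" \( -type d ! -perm -001 -prune \) -o \
        \( -type f -perm -004 "$@" \)
}

# world_readable PATH...: print each exposed file, one per line.
world_readable() {
    for wr_path in "$@"; do
        if [ -e "$wr_path" ]; then
            scan "$wr_path" -print
        else
            echo "skip: $wr_path not found" >&2
        fi
    done
}

# audit PATH...: return 0 if nothing is exposed, 1 otherwise.
audit() {
    audit_hits=$(world_readable "$@")
    if [ -n "$audit_hits" ]; then
        printf 'readable by any local account:\n%s\n' "$audit_hits"
        return 1
    fi
    echo "no world-readable files under: $*"
}

# strip_other PATH...: remove all "other" permissions from exposed files.
strip_other() {
    for so_path in "$@"; do
        [ -e "$so_path" ] && scan "$so_path" -exec chmod o-rwx {} +
    done
    return 0
}

# Run as a script: ./audit.sh /path/to/config /path/to/keys
if [ "$#" -gt 0 ]; then
    audit "$@"
fi
```

Running `audit` again after applying a permission fix confirms whether the exposure is closed; a non-zero exit status means at least one file is still readable by every local user.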