Current time: 11-16-2024, 10:46 PM Hello There, Guest! (LoginRegister)


Post Reply 
ispCP Omega 1.0.3 Security Announcement
Author Message
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #1
Exclamation ispCP Omega 1.0.3 Security Announcement
Sometimes not even the best testing help to find all remaining bugs in software and this time it's a security issue we overlooked in ispCP ω 1.0.3.

If you have already installed ispCP ω 1.0.3 on your server, get our security fix.
Just follow these instructions (as root):

Code:
# cd /var/www/ispcp/engine/setup
# wget -O- 'http://www.isp-control.net/ispcp/raw-attachment/ticket/2112/permission-fix.tar.gz' | tar -xzv
# ./set-gui-permissions.sh
# ./set-engine-permissions.sh

Else if you have not yet installed ispCP ω 1.0.3, please proceed to our downloads page and download the latest released version of ispCP ω 1.0.3-1. An update is strongly recommended, because all prior versions of ispCP ω contain this security hole.
Beside the security fix ispCP ω 1.0.3-1 eliminates those situations, where it was not possible to install ispCP Omega for some reason.

ispCP ω 1.0.3-1 does not implement any new features or bugfixes. There is no need to install ispCP ω 1.0.3-1 on a running ispCP ω 1.0.3. (Please don't forget the security fix!)

ispCP Omega is an open source solution to all your web hosting needs. You can download the latest stable release from the downloads section. Before you download ispCP, please browse through our comprehensive ispCP documentation section and review the System Requirements, Installing ispCP, Frequently Asked Questions and HowTo's.
12-24-2009 11:32 AM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #2
RE: ispCP Omega 1.0.3 Security Announcement
Despite I announced that the security fix will only work on ispCP Omega 1.0.3, it might be working with ispCP Omega 1.0.0 RC6 and later too. We did not tested it!
12-24-2009 11:36 AM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #3
RE: ispCP Omega 1.0.3 Security Announcement
To provide some more info about the security hole:

Due to the standard permission settings it is possible to read the ispCP key files, the mysql password (in ispcp.conf) and to decode all customer passwords in the database. Access to the system (ssh, ftp) is required.
(This post was last modified: 12-24-2009 07:25 PM by RatS.)
12-24-2009 07:25 PM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)