Ticket #2410 (closed security issue: fixed)

Opened 4 years ago

Last modified 4 years ago

[Security Fail] A customer must not be able to connect to a database of another customer

Reported by: nuxwin
Owned by: nuxwin
Priority: critical
Milestone: ispCP ω 1.0.6
Component: Frontend (GUI)
Version: ispCP ω 1.0.5
Severity: Easy
Keywords:
Cc:

Description (last modified by nuxwin) (diff)

Currently, it's possible for a customer to pass an arbitrary database identifier to perform PMA authentication from the ispCP panel (script client/pma_auth.php or client/sql_auth.php for the current stable release).

Note: This security hole was discovered after the complete rewrite of the PMA authentication script but also exists in the old script (client/sql_auth.php). This security hole affects the current release and all prior versions of ispCP that implement the PMA authentication from the panel.

Note: See http://isp-control.net/ispcp/ticket/2410#comment:9 for a quick fix.

Attachments

sql_auth.patch (1.1 KB) - added by benedikt 4 years ago.
patch file against ispCP Omega 1.0.5

Change History

comment:1 Changed 4 years ago by nuxwin

  • Summary changed from [SECURITY FAIL] A customer must not be able to connect to a database of another customer to [Security Fail] A customer must not be able to connect to a database of another customer

comment:2 Changed 4 years ago by nuxwin

  • Status changed from new to assigned

comment:3 Changed 4 years ago by nuxwin

  • Status changed from assigned to closed
  • Resolution set to fixed

Fixed in r3123

comment:4 Changed 4 years ago by nuxwin

  • Description modified (diff)

comment:5 Changed 4 years ago by nuxwin

To fix this security hole in current stable and older ispCP versions, you can change the following SQL statement (in client/sql_auth.php):

	$query = "
		SELECT
			`sqlu_name`, `sqlu_pass`
		FROM
			`sql_user`
		WHERE
			`sqlu_id` = ?
	";

by the following:

	$query = "
		SELECT
			`sqlu_name`, `sqlu_pass`
		FROM
			`sql_user`, `sql_database`, `domain`
		WHERE
			`sql_user`.`sqld_id` = `sql_database`.`sqld_id`
		AND
			`sql_user`.`sqlu_id` = ?
		AND
			`sql_database`.`domain_id` = `domain`.`domain_id`
		AND
			`domain`.`domain_admin_id` = ?
		;
	";

And also the following code part:

$rs = exec_query($sql, $query, $db_user_id);

by

$rs = exec_query($sql, $query, array($dbUserId, $_SESSION['user_id']));

Best Regards ;

comment:6 Changed 4 years ago by nuxwin

  • Description modified (diff)

comment:7 Changed 4 years ago by benedikt

Please provide a patch against ispCP Omega 1.0.5.

comment:8 Changed 4 years ago by nuxwin

Hello Benedikt

For ispCP 1.0.5 (current stable release) and older ispCP versions, see http://isp-control.net/ispcp/ticket/2410#comment:5. Do you want a true patch (*.diff)?

comment:9 Changed 4 years ago by nuxwin

Arff my fix in comment 5 is wrong:

This is better:

To fix this security hole in current stable and older ispCP versions, you can change the following SQL statement (in client/sql_auth.php):

	$query = "
		SELECT
			`sqlu_name`, `sqlu_pass`
		FROM
			`sql_user`
		WHERE
			`sqlu_id` = ?
	";

by the following:

	$query = "
		SELECT
			`sqlu_name`, `sqlu_pass`
		FROM
			`sql_user`, `sql_database`, `domain`
		WHERE
			`sql_user`.`sqld_id` = `sql_database`.`sqld_id`
		AND
			`sql_user`.`sqlu_id` = ?
		AND
			`sql_database`.`domain_id` = `domain`.`domain_id`
		AND
			`domain`.`domain_admin_id` = ?
		;
	";

And also the following code part:

$rs = exec_query($sql, $query, $db_user_id);

by

$rs = exec_query($sql, $query, array($db_user_id, $_SESSION['user_id']));

Best Regards ;
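
Added example, not part of the ticket or of ispCP's code: a regression check for the ownership condition in the comment 9 query, run with Python's sqlite3 standing in for MySQL. The table rows, the customer ids 10 and 20, and the function names are constructed for this check; only the table and column names come from the queries above.

```python
import sqlite3

# Query from client/sql_auth.php before the fix: looks up by sqlu_id only.
UNSCOPED = "SELECT `sqlu_name`, `sqlu_pass` FROM `sql_user` WHERE `sqlu_id` = ?"

# Query from comment 9: additionally requires that the SQL user's database
# belongs to a domain owned by the logged-in customer.
SCOPED = """
SELECT `sqlu_name`, `sqlu_pass`
FROM `sql_user`, `sql_database`, `domain`
WHERE `sql_user`.`sqld_id` = `sql_database`.`sqld_id`
  AND `sql_user`.`sqlu_id` = ?
  AND `sql_database`.`domain_id` = `domain`.`domain_id`
  AND `domain`.`domain_admin_id` = ?
"""

def build_db():
    """Constructed minimal schema: only the columns the two queries use."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE domain (domain_id INTEGER PRIMARY KEY, domain_admin_id INTEGER);
        CREATE TABLE sql_database (sqld_id INTEGER PRIMARY KEY, domain_id INTEGER);
        CREATE TABLE sql_user (sqlu_id INTEGER PRIMARY KEY, sqld_id INTEGER,
                               sqlu_name TEXT, sqlu_pass TEXT);
        -- Constructed rows: customer 10 owns SQL user 1, customer 20 owns SQL user 2.
        INSERT INTO domain VALUES (1, 10), (2, 20);
        INSERT INTO sql_database VALUES (1, 1), (2, 2);
        INSERT INTO sql_user VALUES (1, 1, 'alice_db', 'pw-a'), (2, 2, 'bob_db', 'pw-b');
    """)
    return db

def lookup_unscoped(db, sqlu_id):
    return db.execute(UNSCOPED, (sqlu_id,)).fetchone()

def lookup_scoped(db, sqlu_id, session_user_id):
    # session_user_id plays the role of $_SESSION['user_id'] in the fix.
    return db.execute(SCOPED, (sqlu_id, session_user_id)).fetchone()

def ownership_matrix(db, customers=(10, 20), sql_users=(1, 2)):
    """For each (customer, sqlu_id) pair: does each query return credentials?"""
    return {(c, u): (lookup_unscoped(db, u) is not None,
                     lookup_scoped(db, u, c) is not None)
            for c in customers for u in sql_users}

if __name__ == "__main__":
    for (cust, uid), (old, new) in ownership_matrix(build_db()).items():
        print(f"customer={cust} sqlu_id={uid} old_query={old} fixed_query={new}")
```

The same matrix can be kept as a test fixture so that any later rewrite of the authentication script is checked against the cross-customer pairs, not only the owner's own.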

comment:10 Changed 4 years ago by nuxwin

  • Description modified (diff)

comment:11 Changed 4 years ago by nuxwin

  • Description modified (diff)

comment:12 Changed 4 years ago by nuxwin

  • Description modified (diff)

comment:13 Changed 4 years ago by nuxwin

  • Description modified (diff)

Changed 4 years ago by benedikt

patch file against ispCP Omega 1.0.5

comment:14 Changed 4 years ago by benedikt

I added an attachment.

comment:15 Changed 4 years ago by nuxwin

Oh, thanks Benedikt.

comment:16 Changed 4 years ago by nuxwin

  • Description modified (diff)

comment:17 Changed 4 years ago by nuxwin

  • Description modified (diff)

comment:18 Changed 4 years ago by benedikt

  • Milestone changed from ispCP ω 1.0.7 to ispCP ω 1.0.6

comment:19 Changed 4 years ago by nuxwin

  • Version changed from ispCP ω trunk to ispCP ω 1.0.5