HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

General > Critical bug. 10000% danger. (http://www.howtoforge.com/forums/showthread.php?t=62325)

almere 22nd June 2013 21:07

Critical bug. 10000% danger.
 
Hey, look here: http://bugtracker.ispconfig.org/inde...s&task_id=3014

I would say: shut your FTP service down while we are fixing it.

ItsDom 23rd June 2013 19:30

Do you have more info on your setup? What guide did you follow?

Also, are you sure it's not 1 of the following 2:

1. you set the ftp user root to / instead of /path/to/clients/clientx/webx/
2. you have Jailkit enabled, in which case, you will see etc, var, usr and the rest, except they're in fact copies put in there to allow Jailkit to work... (see http://www.howtoforge.com/forums/sho...1&postcount=13 for an explanation of how/why jailkit works like that)

Furthermore, you claim you and 3 programmers are "fixing it" - what is the problem, and how are you fixing it?

till 24th June 2013 09:23

I checked it here on a clean ISPConfig 3.0.5.2 install and I was not able to enter / as path for a FTP user when I'm logged in as a client.

My guess is that he was logged in as administrator and not as client, or he used the remote API, which allows path overriding as well as it runs with admin privileges. An administrator has and shall have the right to override paths for FTP users to anything he wants. ISPConfig just ensures that when a client or reseller is editing a FTP path, the path has to be inside the web in this case.

Please add detailed steps to your bug report on how you were able to change the path to / after you logged in as client (not admin).

Btw. If you thought that this was a critical bug, you should have contacted us (the ISPConfig developers and maintainers) first and asked them for verification.
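The confinement rule till describes (a client or reseller editing an FTP path is kept inside their own web, an admin may override to any path), shown as an added Python illustration. This is not ISPConfig's own PHP code; the role names, the web-root layout and the sample paths are assumptions constructed for the example.

```python
import posixpath

# Role names are assumptions for this example, not ISPConfig's internal values.
ADMIN_ROLES = {"admin"}
CONFINED_ROLES = {"client", "reseller"}


def normalize(path: str, web_root: str) -> str:
    """Lexically normalise a requested FTP directory.

    Relative paths are taken relative to the web root; '.', '..' and repeated
    slashes are collapsed so that '/root/../etc' is compared as '/etc'.
    """
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    if not path.startswith("/"):
        path = posixpath.join(web_root, path)
    return posixpath.normpath(path)


def is_inside(path: str, root: str) -> bool:
    """True if 'path' equals 'root' or lies below it.

    A trailing slash is appended before the prefix test so that
    '/var/www/web10' is not mistaken for a child of '/var/www/web1'.
    """
    root = posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def validate_ftp_dir(requested: str, web_root: str, role: str) -> str:
    """Return the directory to store for an FTP user, or raise ValueError.

    Admins may point the FTP user anywhere; clients and resellers are confined
    to the web the FTP user belongs to. This is a lexical check only: symlinks
    on disk are invisible here and still need a server-side jail (e.g. Jailkit,
    as mentioned in the thread) or a realpath() check on the host.
    """
    path = normalize(requested, web_root)
    if role in ADMIN_ROLES:
        return path
    if role not in CONFINED_ROLES:
        raise ValueError(f"unknown role {role!r}")
    if not is_inside(path, web_root):
        raise ValueError(f"{requested!r} is outside {web_root!r}")
    return path


def ftp_dir_allowed(requested: str, web_root: str, role: str) -> bool:
    """Boolean convenience wrapper around validate_ftp_dir()."""
    try:
        validate_ftp_dir(requested, web_root, role)
    except ValueError:
        return False
    return True
```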

almere 24th June 2013 09:35

Hey Till,

I have viewed the log, he was logged in as a normal user, he could also NOT use the API.

Detailed steps are simple:
Reseller made a client -> client logged in -> client created a new FTP user -> client changed the password of the FTP user -> client logged in to the FTP and reported a bug to reseller -> reseller closed the FTP and reported the bug to me.

I'm still not able to reproduce it. But the bug exists.

till 24th June 2013 09:57

I'm not able to reproduce it as well, but I will review the code to ensure that there is really no issue.

Please go to System > CP users and check the user of this client. Does the user have the type user or does it have the type admin?

Please send me all lines from sys_datalog for this FTP user by email to dev [at] ispconfig [dot] org.

almere 24th June 2013 10:07

I've just checked it and it's just a user, not an admin.
Code is good, we had a conference about it, we were not able to find any bugs or holes (back doors).

I will mail you the debug log, but there is also not much to see there.

till 24th June 2013 10:58

I checked the code of the ftp path verification and it is ok. I will add some additional checks just to be sure and close the task as nobody seems to be able to reproduce it. In case that you find a way to reproduce it reliably, feel free to reopen the task.

