HowtoForge Forums > ISPConfig 2 > Developers' Forum
#1  22nd March 2006, 06:35  danf.1979 (Senior Member, Chile)
1 security issue, 2 interesting proposals...

1) Please check:
config.lib.php, Line 535
It displays the user password on the logfile...

2) I think it would be a great idea to have an option to include open_basedir in clients' vhosts.

From php.ini:
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
From what I understand, it could prevent a malicious script from reading file contents outside the directory configured for the client in the vhost. Great!

3) Change index.php to be first by default in:
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm

Hey Till, I'm sorry for not yet sending the cms manager, but I have been doing some homework, and I will modify plenty of code before sending it.

Cheers!
#2  22nd March 2006, 08:38  till (Super Moderator, Lüneburg, Germany)

Quote:
Originally Posted by danf.1979
1) Please check:
config.lib.php, Line 535
It displays the user password on the logfile...
It is not the user password, it is the password of the user's MySQL database. But that's not good either.

Hotfix:

Replace line 535 with this line:

Code:
// run mysqldump directly instead of via caselog, so the command line (and the password in it) is not written to the log
exec("mysqldump -h $db_server -u $db_user -p$db_password -c --add-drop-table --add-locks --all --quick --lock-tables $new_db >/root/ispconfig/scripts/$new_db.sql");
Quote:
2) I think it would be a great idea to have an option to include open_basedir in clients' vhosts.

From php.ini:
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
From what I understand, it could prevent a malicious script from reading file contents outside the directory configured for the client in the vhost. Great!
ISPConfig already uses open_basedir in the vhosts. Currently it is used together with the safe mode switch. It might be a good idea to make 2 checkboxes, one for safe mode and one for open_basedir.

Quote:
3) Change index.php to be first by default in:
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
I think that's a question of taste. Personally I like it that index.html comes before index.php.

Quote:
Hey Till, I'm sorry for not sending yet the cms manager, but I have been doing some homework, and I will modify plenty code before sending it.
Send me the files when you are finished.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3  22nd March 2006, 18:33  danf.1979 (Senior Member, Chile)

I think you meant something like this?
Code:
$mod->log->caselog("mysqldump -h $db_server -u $db_user -p[hidden_pass] -c --add-drop-table --add-locks --all --quick --lock-tables $new_db >/root/ispconfig/scripts/$new_db.sql", $this->FILE, __LINE__);
?
#4  22nd March 2006, 18:38  till (Super Moderator, Lüneburg, Germany)

Quote:
Originally Posted by danf.1979
I think you meant something like this?
Code:
$mod->log->caselog("mysqldump -h $db_server -u $db_user -p[hidden_pass] -c --add-drop-table --add-locks --all --quick --lock-tables $new_db >/root/ispconfig/scripts/$new_db.sql", $this->FILE, __LINE__);
?
No, I meant what I posted.

$mod->log->caselog(...) is not a simple logging function, it executes the statement and logs it, including failures.
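A way to keep the password out of the log while still recording the command and its exit status, as an added example that is not ISPConfig's own code: the command string is built twice, once with the real password for exec() and once with a placeholder for the logfile. The function names, sample values and /tmp paths are assumptions.

```php
<?php
// Added example, not ISPConfig code: build the mysqldump command twice, once
// with the real password for exec() and once with a placeholder for the log,
// so the password never reaches the logfile. Names and paths are assumed.

/** Assemble the dump command; $password is whatever should follow -p. */
function mysqldump_cmd(string $host, string $user, string $password,
                       string $db, string $outfile): string
{
    return 'mysqldump -h ' . escapeshellarg($host)
         . ' -u ' . escapeshellarg($user)
         . ' -p' . escapeshellarg($password)
         . ' -c --add-drop-table --add-locks --quick --lock-tables '
         . escapeshellarg($db) . ' > ' . escapeshellarg($outfile);
}

/** Run the real command, log only the redacted one plus the exit status. */
function dump_db_and_log(string $host, string $user, string $password,
                         string $db, string $outfile, string $logfile): int
{
    $real     = mysqldump_cmd($host, $user, $password,  $db, $outfile);
    $redacted = mysqldump_cmd($host, $user, '[hidden]', $db, $outfile);
    exec($real, $output, $status);          // real password used here only
    $entry = sprintf("%s %s:%d %s (exit %d)\n",
                     date('c'), basename(__FILE__), __LINE__, $redacted, $status);
    file_put_contents($logfile, $entry, FILE_APPEND | LOCK_EX);
    return $status;
}

// Constructed sample values; in ISPConfig they come from the client's record.
$status = dump_db_and_log('localhost', 'web1_u1', 'S3cret#pw', 'web1_db1',
                          '/tmp/web1_db1.sql', '/tmp/ispconfig_example.log');
// The logged line contains "-p'[hidden]'" instead of the password. Note the
// password is still visible in the process list while mysqldump runs; handing
// it over via the MYSQL_PWD environment variable or a 0600 option file passed
// with --defaults-extra-file avoids that as well.
```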
#5  22nd March 2006, 18:41  danf.1979 (Senior Member, Chile)

Oh, OK... I didn't know that. Thanks for the info.