  #1  
Old 22nd June 2013, 21:07
almere
ISPConfig Developer
Critical bug. 10000% danger.

Hey, look here: http://bugtracker.ispconfig.org/inde...s&task_id=3014

I would say: shut your FTP service down, while we are fixing it.
  #2  
Old 23rd June 2013, 19:30
ItsDom
Member

Do you have more info on your setup? What guide did you follow?

Also, are you sure it's not 1 of the following 2:

1. you set the ftp user root to / instead of /path/to/clients/clientx/webx/
2. you have Jailkit enabled, in which case, you will see etc, var, usr and the rest, except they're in fact copies put in there to allow Jailkit to work... (see http://www.howtoforge.com/forums/sho...1&postcount=13 for an explanation of how/why jailkit works like that)

Furthermore, you claim you and 3 programmers are "fixing it" - what is the problem, and how are you fixing it?
  #3  
Old 24th June 2013, 09:23
till
Super Moderator

I checked it here on a clean ISPConfig 3.0.5.2 install and I was not able to enter / as path for an FTP user when I'm logged in as a client.

My guess is that he was logged in as administrator and not as client or he used the remote API which allows path overriding as well as it runs with admin privileges. An administrator has and shall have the right to override paths for FTP users to anything he wants. ISPConfig just ensures that when a client or reseller is editing an FTP path, that the path has to be inside the web in this case.

Please add detailed steps to your bug report how you were able to change the path to / after you logged in as client (not admin).

Btw. If you thought that this was a critical bug, you should have contacted us (the ISPConfig developers and maintainers) first and asked for a verification.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
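
The containment rule described in the post above, sketched as an added example (not ISPConfig's code and not from the thread): a lexical check that an FTP directory stays inside its web root, plus an audit over stored FTP users. The field names and sample paths are constructed assumptions; the editor types `user` and `admin` follow the wording used later in the thread.

```python
import posixpath

def is_inside(web_root, ftp_dir):
    """True if ftp_dir is web_root or lies below it (lexical check only)."""
    if not ftp_dir.startswith("/") or "\x00" in ftp_dir:
        return False  # relative paths and NUL bytes never pass
    root = posixpath.normpath(web_root)
    target = posixpath.normpath(ftp_dir)  # collapses '..', '.' and '//' inside the path
    # Compare whole components so .../web1 does not match .../web10.
    return target == root or target.startswith(root + "/")

def may_save(editor_type, web_root, ftp_dir):
    """Policy as stated in the thread: admins may override, others may not."""
    if editor_type == "admin":
        return True
    return is_inside(web_root, ftp_dir)

def audit(ftp_users):
    """Return usernames whose stored directory is outside their web root.

    Admin overrides are listed too, so a human can review them.
    """
    return [u["username"] for u in ftp_users
            if not is_inside(u["web_root"], u["dir"])]

# Constructed sample rows; field names are hypothetical, not ISPConfig's schema.
WEB1 = "/var/www/clients/client1/web1"
SAMPLE_USERS = [
    {"username": "c1_ok", "web_root": WEB1, "dir": WEB1 + "/"},
    {"username": "c1_sub", "web_root": WEB1, "dir": WEB1 + "/web/uploads"},
    {"username": "c1_root", "web_root": WEB1, "dir": "/"},
    {"username": "c1_dotdot", "web_root": WEB1, "dir": WEB1 + "/web/../../web2"},
    {"username": "c1_prefix", "web_root": WEB1, "dir": WEB1 + "0"},
]

if __name__ == "__main__":
    for name in audit(SAMPLE_USERS):
        print("outside web root:", name)
```

The check is purely lexical; on the server itself, resolve both paths with `os.path.realpath` first so that a symlink inside the web cannot point the FTP directory elsewhere.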
  #4  
Old 24th June 2013, 09:35
almere
ISPConfig Developer

Hey Till,

I have viewed the log, he was logged in as a normal user, he could also NOT use the API.

Detailed steps are simple:
Reseller made a client -> client logged in -> client created a new FTP user -> client changed the password of the FTP user -> client logged in to the FTP and reported a bug to reseller -> reseller closed the FTP and reported the bug to me.

I'm still not able to reproduce it. But the bug exists.
  #5  
Old 24th June 2013, 09:57
till
Super Moderator

I'm not able to reproduce it as well but I will review the code to ensure that there is really no issue.

Please go to System > CP users and check the user of this client. Does the user have the type user or does it have the type admin?

Please send me all lines from sys_datalog for this FTP user by email to dev [at] ispconfig [dot] org.
  #6  
Old 24th June 2013, 10:07
almere
ISPConfig Developer

I've just checked it and it's just a user, not an admin.
Code is good, we had a conference about it, we were not able to find any bugs or holes (back doors).

I will mail you the debug log, but there is also not much to see there.

Last edited by almere; 24th June 2013 at 10:10.
  #7  
Old 24th June 2013, 10:58
till
Super Moderator

I checked the code of the ftp path verification and it is ok. I will add some additional checks just to be sure and close the task as nobody seems to be able to reproduce it. In case that you find a way to reproduce it reliably, feel free to reopen the task.