HowtoForge Forums > ISPConfig 2 > General

#1, 12th July 2008, 04:37
pg001 (Member; Join Date: Jan 2008; Posts: 67)

Security Flaw: I Don't think this is normal...

I followed the Debian Etch Perfect Server setup and have an updated ISPConfig running well, version 2.2.24 that is. Now I saw something I don't like while doing an FTP access...

I have like 5 domains hosted on my server with usernames and sites:
web1_user => domain1.com
web2_user => domain2.com
web3_user => domain3.com

Now here's the problem: I accidentally entered domain1.com in CuteFTP and web3_user (notice web3_user, not web1_user) as the username, and put in the correct password. Supposedly it should return an error, because web3_user is not the owner of domain1.com and it shouldn't allow me to log in, but what happened was that I was able to log in, meaning the login info (which is wrong) was accepted. But once I was logged in, the files that were showing were the files from domain3.com.

How do I solve this so that when I FTP into domain1.com only web1_user is allowed, for domain2.com only web2_user is allowed, and so on...?

Is this a security flaw, bug or error?
#2, 12th July 2008, 05:18
tal56 (Member; Join Date: Oct 2007; Posts: 91)

If you're talking about the host address, then using domain1 instead of domain3 is not a security problem or bug; it's because you are using a shared IP, so domain1 and domain3 point to the same server. All you are doing is pointing to which server to log into; it's the username/password that determines which files you have access to after you log in.
#3, 12th July 2008, 15:31
pg001 (Member; Join Date: Jan 2008; Posts: 67)

You mean to say, if let's say mywebsite.com is hosted on my server with IP 122.1.457.12 and the way to log in via FTP to mywebsite.com is web1_user, I can also log in to mywebsite.com using the username of myotherwebsite.com, which is web2_user, and vice versa? Isn't that ugly?

Is there a way so that only web1_user is allowed to log in to mywebsite.com and no other username? And only web2_user will be allowed to log in at myotherwebsite.com...
#4, 12th July 2008, 15:54
tal56 (Member; Join Date: Oct 2007; Posts: 91)

It's like that for any server. The server name ("host") in CuteFTP just tells it which server to log into. It doesn't determine which files you can access; that is set by the username/password. So in your example the user web1_user can only access his own site's files, using his own password, no matter what "host" he puts in CuteFTP. He can even put the server's IP address as the host instead if he wants to.

The only way you can get around this that I know is if each of your websites have their own static IP, but maybe someone else knows a different way.
#5, 12th July 2008, 21:31
till (Super Moderator; Join Date: Apr 2005; Location: Lüneburg, Germany; Posts: 35,426)

As tal56 explained, this is the normal behaviour on an FTP server and not ISPConfig specific. Even if you have more than one IP, you can use all available IPs to connect to the server and use any valid username. Only the username and password are relevant to decide which website data you get.

By the way, it's the same for most other protocols, like SSH, POP3, SMTP, and IMAP.
--
Till Brehm
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
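The behaviour tal56 and till describe, as an added example that is not part of the thread and not ISPConfig's or any FTP daemon's code: a small Python model of the login decision. The client resolves the host name and opens a TCP connection; only the destination address plus the USER and PASS commands reach the server, and classic FTP carries no host name on the wire, so on a shared IP the credentials alone select the home directory. The second function models the workaround from post #4 and assumes a daemon configured with a separate user list per listening address (one virtual host per IP); the thread does not say ISPConfig 2 sets this up. The DNS tables, usernames, passwords, addresses and paths are all constructed for the example.

```python
"""Model of which files an FTP login reaches on a shared-IP host.

Added example for the thread above. Not ISPConfig code and not any real
FTP daemon; DNS tables, users, passwords, addresses and paths are constructed.
"""
import hmac

# Constructed: three hosted names that all resolve to one server address,
# the shared-IP setup the original poster has.
DNS_SHARED = {
    "domain1.com": "192.0.2.10",
    "domain2.com": "192.0.2.10",
    "domain3.com": "192.0.2.10",
}

# Constructed credential table of the single daemon: user -> (password, home).
USERS = {
    "web1_user": ("pw-one", "/var/www/web1"),
    "web2_user": ("pw-two", "/var/www/web2"),
    "web3_user": ("pw-three", "/var/www/web3"),
}


def check_password(table, username, password):
    """Return the home directory for a valid user/password pair, else None."""
    entry = table.get(username)
    if entry is None:
        return None
    expected, home = entry
    # Constant-time comparison, as a real daemon should do.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return home


def ftp_login_shared_ip(client_host, username, password):
    """The original poster's situation.

    The host name is only used client-side to pick the destination
    address. The server sees one connection to its single address, then
    USER and PASS, so the host name typed into the client plays no part.
    """
    server_ip = DNS_SHARED[client_host]  # client-side resolution
    # server_ip is the same for every site, so it cannot select anything;
    # the daemon has one user table and the credentials pick the home.
    return check_password(USERS, username, password)


# Workaround from post #4 (assumption: the daemon supports a separate
# user list per listening address, i.e. one virtual host per IP).
DNS_PER_IP = {
    "domain1.com": "192.0.2.11",
    "domain2.com": "192.0.2.12",
    "domain3.com": "192.0.2.13",
}
VHOST_USERS = {
    "192.0.2.11": {"web1_user": USERS["web1_user"]},
    "192.0.2.12": {"web2_user": USERS["web2_user"]},
    "192.0.2.13": {"web3_user": USERS["web3_user"]},
}


def ftp_login_per_ip(client_host, username, password):
    """Same model, but the server consults the user list bound to the
    address the connection arrived on."""
    server_ip = DNS_PER_IP[client_host]
    return check_password(VHOST_USERS.get(server_ip, {}), username, password)


if __name__ == "__main__":
    # The mistake from post #1: host domain1.com, web3_user's credentials.
    print(ftp_login_shared_ip("domain1.com", "web3_user", "pw-three"))  # /var/www/web3
    # Same mistake against per-IP virtual hosts: rejected.
    print(ftp_login_per_ip("domain1.com", "web3_user", "pw-three"))  # None
    # Correct host for that user: accepted.
    print(ftp_login_per_ip("domain3.com", "web3_user", "pw-three"))  # /var/www/web3
```

Note that the per-IP variant only changes which user list the daemon consults; as till says, anyone who connects straight to 192.0.2.13 with web3_user's password still gets web3's files, because the address and the credentials, not the name typed into the client, are all the server ever sees.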
All times are GMT +2.