
22nd March 2006, 06:35
Senior Member
Join Date: Dec 2005
Location: Chile
Posts: 239
Thanks: 2
Thanked 3 Times in 2 Posts
1 security issue, 2 interesting proposals...
1) Please check:
config.lib.php, Line 535
It displays the user password on the logfile...
2) I think it would be a great idea to have an option to include open_basedir in clients vhosts.
From php.ini:
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
From what I understand, it could prevent a malicious script from reading file contents outside the directory configured for the client in the vhost. Great!
3) Change index.php to be first by default in:
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
Hey Till, I'm sorry for not sending yet the cms manager, but I have been doing some homework, and I will modify plenty code before sending it.
Cheers!

22nd March 2006, 08:38
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 19,805
Thanks: 285
Thanked 1,805 Times in 1,357 Posts
Quote:
Originally Posted by danf.1979
1) Please check:
config.lib.php, Line 535
It displays the user password on the logfile...
It is not the user password, it is the password of the user's MySQL DB. But that's not good either.
Hotfix:
Replace line 535 with this line:
Code:
exec("mysqldump -h $db_server -u $db_user -p$db_password -c --add-drop-table --add-locks --all --quick --lock-tables $new_db >/root/ispconfig/scripts/$new_db.sql");
Quote:
2) I think it would be a great idea to have an option to include open_basedir in clients vhosts.
From php.ini:
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
From what I understand, it could prevent a malicious script from reading file contents outside the directory configured for the client in the vhost. Great!
ISPConfig uses already OpenBasedir in the vhosts. Currently it is used together with the safemode switch. It might be a good idea to make 2 checkboxes, one for safemode and one for open_basedir.
Quote:
3) Change index.php to be first by default in:
DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm
I think that's a question of taste. Personally, I like it that index.html comes before index.php.
Quote:
Hey Till, I'm sorry for not sending yet the cms manager, but I have been doing some homework, and I will modify plenty code before sending it.
Send me the files when you are finished

22nd March 2006, 18:33
Senior Member
Join Date: Dec 2005
Location: Chile
Posts: 239
Thanks: 2
Thanked 3 Times in 2 Posts
I think you meant something like this?
Code:
$mod->log->caselog("mysqldump -h $db_server -u $db_user -p[hidden_pass] -c --add-drop-table --add-locks --all --quick --lock-tables $new_db >/root/ispconfig/scripts/$new_db.sql", $this->FILE, __LINE__);
?

22nd March 2006, 18:38
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 19,805
Thanks: 285
Thanked 1,805 Times in 1,357 Posts
Quote:
Originally Posted by danf.1979
I think you meant something like this?
Code:
$mod->log->caselog("mysqldump -h $db_server -u $db_user -p[hidden_pass] -c --add-drop-table --add-locks --all --quick --lock-tables $new_db >/root/ispconfig/scripts/$new_db.sql", $this->FILE, __LINE__);
?
No, I meant what I posted.
$mod->log->caselog(...) is not a simple logging function, it executes the statement and logs it incl. failures.
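To make the point concrete, here is an added example (not ISPConfig's own caselog() code) of an exec-and-log wrapper that runs the command as given but writes only a redacted copy to the logfile; the function names, the log format and the "true ..." demo command are assumptions.

```php
<?php
// Added example, not ISPConfig's own caselog() code: execute the command,
// but log a copy with the database password replaced by a placeholder.
// Function names, the log format and the "true ..." demo command are assumptions.

/**
 * Replace the value that follows "-p" or "--password=" in a shell command with
 * a placeholder, so the mysqldump password never reaches the logfile.
 */
function redact_db_password(string $cmd): string
{
    // Lookbehind for whitespace: only touch a real option, not part of another token.
    return preg_replace('/(?<=\s)(--password=|-p)\S+/', '${1}[hidden]', $cmd);
}

/**
 * Run $cmd the way caselog() does (execute, then log), but log the redacted
 * form plus the exit status. Returns the command's exit status.
 */
function exec_and_log_redacted(string $cmd, string $logfile, string $file, int $line): int
{
    $output = [];
    $status = 1;
    exec($cmd . ' 2>&1', $output, $status);
    $entry = sprintf("%s %s:%d exec: %s (exit %d)\n",
        date('Y-m-d H:i:s'), basename($file), $line, redact_db_password($cmd), $status);
    // $output is deliberately not appended: error text could echo parts of the command.
    file_put_contents($logfile, $entry, FILE_APPEND | LOCK_EX);
    return $status;
}

// Constructed demo values; "true" ignores its arguments, so the command succeeds
// offline while keeping the option layout of the mysqldump call in the thread.
$db_server   = 'localhost';
$db_user     = 'web1_u1';
$db_password = 'S3cretPw';
$new_db      = 'web1_db';
$cmd = "true mysqldump -h $db_server -u $db_user -p" . escapeshellarg($db_password)
     . " -c --add-drop-table --add-locks --all --quick --lock-tables " . escapeshellarg($new_db);

$logfile = sys_get_temp_dir() . '/caselog_demo.log';
$status  = exec_and_log_redacted($cmd, $logfile, __FILE__, __LINE__);

echo "exit status: $status\n";
echo file_get_contents($logfile); // logged command carries -p[hidden] in place of the password
```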

22nd March 2006, 18:41
Senior Member
Join Date: Dec 2005
Location: Chile
Posts: 239
Thanks: 2
Thanked 3 Times in 2 Posts
Oh, Ok... I didn't know that. Thanks for the info.