#1
7th May 2006, 21:11
Piega (Junior Member)
ISPConfig exploit

Read this!

http://www.milw0rm.com/exploits/1762
The Following User Says Thank You to Piega For This Useful Post:
edumaster (1st September 2008)
#2
8th May 2006, 00:49
till (Super Moderator)

Hi Piega,

Thank you for posting the information about the exploit.

First, I think this exploit will not affect any ISPConfig installation.

Explanation:

The exploit tries to reach the file session.inc.php in a browser.
This is impossible because the file is not inside the web root.

The web root in every ISPConfig installation is:

/home/admispconfig/ispconfig/web/

The session.inc.php is located in:

/home/admispconfig/ispconfig/lib/session.inc.php


You can try this with your ISPConfig installation:

https://www.yourdomain.com:81/lib/session.inc.php

You will get a 404 page not found error.

Nevertheless, we will add some code to the session.inc.php file
to prevent remote code inclusions even when the file is copied
inside the web root.

If you feel insecure until we release the update, you may add this
line as the second line of the session.inc.php file:

if(isset($_REQUEST["go_info"])) die();



Please send security-related information about ISPConfig first to
dev [at] ispconfig [dot] org and give the development team some time
to review it and release a patch if necessary before you post it
to the forum.
__________________
Till Brehm
#3
8th May 2006, 21:38
webstergd (Member)
hey

I am going to agree with you guys on this one. I don't see how this exploit could work. I just played around with it to see if I could get anything, but I could not get into my servers using this exploit. This is mostly because in the recent versions the filters are good and this file isn't in server space.

In sum, I studied and tested this exploit and I am going to say it doesn't work on the recent versions.

P.S. Falko or Till, message me if you want some of my friends to try this exploit.
#4
8th May 2006, 23:44
falko (Super Moderator)

Quote:
Originally Posted by webstergd
P.S. Falko or Till, message me if you want some of my friends to try this exploit.

We've tested it, it doesn't work.
__________________
Falko
#5
9th May 2006, 14:48
djtremors (Senior Member)

Since everything works from index.php, wouldn't it be easier to add a simple

define( "_VALID_ISPC", 1 );

to the index.php and then every module or file etc. would have something like

defined( '_VALID_ISPC' ) or die( 'Direct Access to this location is not allowed.' );

Would this kind of protection help? It should stop direct access to files and only allow them to be included from index.php.
#6
9th May 2006, 16:51
falko (Super Moderator)

Quote:
Originally Posted by djtremors
Since everything works from index.php

That's wrong, not everything works from index.php. It's a frameset, and in the frameset other files are loaded.
__________________
Falko
#7
10th May 2006, 03:56
djtremors (Senior Member)

OK, fairy's muff, but then in that case that directly accessed file would have the same tests, because they really should be doing it anyway.
So only files that are directly accessed are allowed, and any others are all blocked if they weren't loaded from index.php or any of the other directly accessed frameset files.
#8
18th May 2006, 14:00
till (Super Moderator)

All files that shall not be called directly are not in the web root, so calling them is not possible. Also register_globals is off in ISPConfig, which also prevents the attack described in the exploit. Nevertheless I agree with you that securing these files in the PHP source is a good idea and I will add some "direct call" detection code.

I've already added some additional tests to session.inc.php.
__________________
Till Brehm
The Following User Says Thank You to till For This Useful Post:
butlimous (18th February 2008)
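
The "direct call" detection discussed in posts #5 to #8, sketched as an added example (not ISPConfig's code and not posted by anyone in this thread). It compares the include file's own path with the script the web server was asked to run, so it needs no constant defined in each frameset entry file, and it also rejects a client-supplied go_info. The function names are hypothetical and the inputs at the end are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not ISPConfig code: top of a hypothetical include-only file.
// Function names are made up for illustration.

// True when $includeFile is the script the web server was asked to run,
// i.e. it was requested by URL instead of being pulled in via include/require.
function is_direct_call(string $includeFile, array $server): bool
{
    $entry = (string)($server['SCRIPT_FILENAME'] ?? '');
    if ($entry === '') {
        return false; // entry script unknown, nothing to compare against
    }
    $a = realpath($includeFile);
    $b = realpath($entry);
    // Compare resolved paths; fall back to the raw strings if one is unresolvable.
    return ($a !== false && $b !== false) ? $a === $b : $includeFile === $entry;
}

// True when the client supplied go_info itself. GET, POST and cookies are
// checked separately because the contents of $_REQUEST depend on php.ini.
function request_sets_go_info(array ...$sources): bool
{
    foreach ($sources as $source) {
        if (array_key_exists('go_info', $source)) {
            return true;
        }
    }
    return false;
}

// Call as guard_include(__FILE__, $_SERVER, $_GET, $_POST, $_COOKIE);
function guard_include(string $file, array $server, array ...$sources): void
{
    if (is_direct_call($file, $server) || request_sets_go_info(...$sources)) {
        http_response_code(403);
        exit('Direct access to this location is not allowed.');
    }
}

// Constructed inputs: first the file requested by URL, then the file included
// from another entry script, then a request carrying go_info.
var_dump(is_direct_call(__FILE__, ['SCRIPT_FILENAME' => __FILE__]));
var_dump(is_direct_call(__FILE__, ['SCRIPT_FILENAME' => __DIR__ . '/index.php']));
var_dump(request_sets_go_info(['go_info' => ['x' => 'y']], [], []));
```

Keeping include-only files outside the web root, as described in post #2, remains the primary control; a guard like this only matters if such a file is later copied into the web root.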