
24th September 2010, 19:20
Banned
Join Date: Sep 2009
Posts: 132
Thanks: 10
Thanked 12 Times in 7 Posts
Plugin system with version upgrade.
Hello.
ISPConfig is now beta testing the new release that will prevent users from getting the ISPConfig password and hacking the entire cloud.
This should be treated as top priority, as a plugin or engine release, not as a new version that needs ages to be tested.
It is not the first time that I say this, but ISPConfig is adding a lot of features but can't even respond to the gross bugs that have been here for more than a year.
The problem in ISPConfig is not the test time, it is the theoretical study that does not exist, or I can't see it anywhere.
To sum up, using an engine that can be updated (patched) in an easy way is the only way to stop the continuous nasty bug creation on all versions until now.
Last edited by ivomendonca; 24th September 2010 at 19:27.

24th September 2010, 19:47
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 31,872
Thanks: 689
Thanked 4,185 Times in 3,202 Posts
I've never heard of the bug you are talking about. So I am not sure where you added this, but it is definitely not in the bugtracker and has not been reported to dev [at] ispconfig [dot] org, as all bugs get closed in a short time in ISPConfig.
For example, when 3.0.2.2 was released, all known bugs in the bugtracker were fixed at that moment.
So if you think that you found a bug, please send a description to dev [at] ispconfig [dot] org or make a bug report in the bugtracker.

24th September 2010, 19:52
Banned
The bug was reported by a user in this forum
The bug was reported by a user and you said that it is resolved in this latest version (beta).

24th September 2010, 19:57
Super Moderator
There has been no bug that allowed a user to hack the whole cloud. Otherwise we would have released a patch update for the 3.0.2.x series.
ISPConfig uses a version numbering scheme where the third number is for releases that introduce a lot of new features, like 3.0.3 (beta), and the fourth number is for patch releases. So 3.0.2.2 is the second patch release for the 3.0.2 series, and there have been no critical security bugs in that series, otherwise we would have released a 3.0.2.3 patch release.

24th September 2010, 20:00
Banned
What I have read is that, for a client using a PHP script, the password will appear in the array.
I can't see that anywhere now, maybe a bad dream.
And what I propose is to make a plugin update to fix problems, not the entire system again.

24th September 2010, 20:06
Super Moderator
Please post the exact thread you are referring to. I can assure you that all security-related bugs get closed in a very short time. You can see that yourself in the bugtracker.
Also, you should keep in mind that not everyone who is posting to this forum is a Linux or security pro, so not every post where someone thought he found a critical security issue is really a security problem, and some of these issues are also related to misconfigurations on a specific system and not even related to ISPConfig.

24th September 2010, 20:09
Super Moderator
Quote:
To sum up, using an engine that can be updated (patched) in an easy way is the only way to stop the continuous nasty bug creation on all versions until now.

One additional note to this sentence. Where do you have a problem with the ISPConfig update? It takes less than a minute and downloads all changes automatically. Just run:
ispconfig_update.sh
on the shell and the script will even inform you if your system is already up to date. Additionally, ISPConfig has a newsletter where you can subscribe to get informed about updates by email.

24th September 2010, 20:17
Banned
Yes, I know how to update, I'm just saying that ISPConfig can use wget to update plugins with no need to go to SSH.
That's why I use the "propose" word.

24th September 2010, 20:31
Banned
I did not try this, but if it can be done it will be like this.
Open http://yourdomain.com:8080
Place an index.php and make a var_dump.
See if the ISPConfig $_SESSION appears in your client site.

24th September 2010, 20:44
Super Moderator
No client site has write access to these files.
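
One way to check the write-access statement above on your own server, as an added example that is not part of the thread and not ISPConfig's own code. The directory and owner arguments are assumptions: pass the directory your panel is served from and the account it runs as.

```shell
#!/bin/sh
# Added example: audit a control-panel directory for entries that an
# unprivileged (client-site) account could modify.
# DIR and OWNER are assumptions supplied by the administrator; nothing here
# is taken from the ISPConfig code base.

# audit_panel_dir DIR OWNER
#   Prints one line per finding.
#   Returns 0 when clean, 1 when findings exist, 2 on bad arguments.
audit_panel_dir() {
    dir=$1
    owner=$2
    if [ ! -d "$dir" ] || [ -z "$owner" ]; then
        echo "usage: audit_panel_dir DIR OWNER" >&2
        return 2
    fi
    findings=$(
        # Anything writable by "other" can be changed by any local account.
        # Symlinks are skipped because their mode bits carry no meaning.
        find "$dir" ! -type l -perm -002 \
            -exec printf 'world-writable: %s\n' {} \;
        # Anything owned by an account other than the panel user or root
        # can be rewritten by that account regardless of the mode bits.
        find "$dir" ! -user "$owner" ! -user root \
            -exec printf 'foreign-owner: %s\n' {} \;
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /path/to/panel panel_user
if [ "$#" -ge 2 ]; then
    audit_panel_dir "$1" "$2"
fi
```

A clean run prints nothing and returns 0; any output names a file or directory whose ownership or mode should be corrected.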