#1  27th April 2011, 14:10
ncoc.nl (Member)
FTP Backup manager

Hi everyone,

Because of the mirror issues described in http://www.howtoforge.com/forums/showthread.php?t=52341 I started a new little project based on Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Etch.
The installation instructions are for Debian Etch but also work on Debian Lenny.

I created a web interface for the FTP backup server, so phpMyAdmin is not needed anymore; the interface and FTP server have been tested for several days and seem bug free.

Follow the installation instructions written by Falko, but use the MySQL.txt file provided in the zip to populate the MySQL database.

Change the MySQL password in inc_connect.php and upload the PHP files into the root of the web server (/var/www).

When connecting, the web server shows a login screen:

Username: ftp-admin
Password: ftp-admin

You can change the admin password once logged on.

Remark: the delete option deletes the user without asking for confirmation!

[edit]
The files are modified and the zip is updated
[/edit]
Attached Files
Virtual Hosting With PureFTPd And MySQL On Debian Lenny.pdf (27.8 KB)
FTPBU-manager_v0.2.zip (16.2 KB)

Last edited by ncoc.nl; 4th May 2011 at 01:16. Reason: Added installation manual
#2  27th April 2011, 14:27
Ben (Moderator)

Looks cool.

But one thing you should check is for some vulnerabilities, e.g. XSS and SQL injection in create_FTP_user.php, just as an example, as the script is lacking input validation and output masking, among other things.
#3  27th April 2011, 14:42
ncoc.nl (Member)

I agree. I did protect granted.php against MySQL injection but I forgot the other files.
Tonight I'll modify the other files and upload the zip again.

Ronald
#4  27th April 2011, 16:47
Ben (Moderator)

But don't forget about Cross Site Scripting and others as well.
#5  27th April 2011, 17:48
ncoc.nl (Member)

Ben,

Basically, if not logged on there is no possibility to run any of the other scripts; validation is done at the beginning of every script:

session_start();
// the session key must be a string, not the bare constant User;
// exit after the redirect, otherwise the rest of the script still runs
if (!session_is_registered("User")) {
    header("Location: login.php");
    exit;
}

then MySQL injection is checked for:

// undo magic_quotes, then escape for the MySQL query
$User = stripslashes($User);
$Password = stripslashes($Password);
$User = mysql_real_escape_string($User);
$Password = mysql_real_escape_string($Password);

and the password is encrypted:

$encrypted_Password=md5($Password);

at last the session is registered:

session_register("User");
session_register("Password");

Did I miss something or better, is there something that can make the script better?
Please advise!

Regards,
Ronald
#6  28th April 2011, 01:25
ncoc.nl (Member)

The files are modified and more secure, thanks to Ben for his advice.

The zip in the first post is updated.

#7  4th May 2011, 01:14
ncoc.nl (Member)

Added an installation manual for Debian Lenny (see first post).

#8  4th May 2011, 14:56
Ben (Moderator)

Quote (ncoc.nl, #5):
Basically, if not logged on there is no possibility to run any of the other scripts; validation is done at the beginning of every script:

Every trustful user might be untrustful or used by a victim when logged in A and surfing B while being the victim of an XSS attack combined with CSRF to attack A...
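As an added example (not code from ncoc.nl's FTPBU-manager zip), this is how the login and session check from post #5 looks once the points raised in #2, #4 and #8 are applied: prepared statements instead of mysql_real_escape_string(), a password hash instead of md5(), a CSRF token for state-changing forms such as the delete button, and output escaping. The table name admin_users and its columns username and password_hash are assumptions, not the project's schema.

```php
<?php
// Added example, not code from ncoc.nl's FTPBU-manager: a hardened form of
// the login/session check in post #5. The table `admin_users` with columns
// `username` and `password_hash` is an assumption, not the project's schema.
session_start();

// Put this at the top of every admin script. The exit matters: without it the
// script keeps running after header() and the redirect protects nothing.
function require_login(): void {
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit;
    }
}

// One CSRF token per session. Every state-changing form (e.g. the delete
// button) carries it as a hidden field and every handler verifies it first.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(): void {
    if (!hash_equals($_SESSION['csrf'] ?? '', $_POST['csrf'] ?? '')) {
        http_response_code(403);
        exit('invalid request');
    }
}

// Login: prepared statement instead of escaping, password_hash() instead of
// md5(), fresh session id on success, and the password never enters the session.
function login(mysqli $db, string $user, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM admin_users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// Escape everything echoed back into HTML (user names, messages) against XSS.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Stored hashes are created once with password_hash($plain, PASSWORD_DEFAULT) when the ftp-admin account or a new admin is set up; the delete handler calls require_login() and csrf_check() before issuing its query.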