FTP Backup manager

[ncoc.nl]

Hi everyone,

Because of the mirror issues as written in http://www.howtoforge.com/forums/showthread.php?t=52341 I started a new little project based on Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Etch.
The installation instruction are for Debian Etch but works also for Debian Lenny.

I created a web interface for the FTP Backup server so phpmyadmin is not needed anymore, the interface and ftpserver is tested for several days and seems bug free.

Follow the installation instuctions written by Falko but use the MySQL.txt file provided in the zip to populate the MySQL database.

Change the MySQL password in inc_connect.php and upload the php files into the root of the webserver (/var/www)

when connecting the webserver shows a loginscreen:

Username: ftp-admin
Password: ftp-admin

You can change the admin password when logged on.

remark: the delete option deletes the user without question!

[edit]
The files are modified and the zip is updated
[/edit]

[Ben]

Looks cool.

But one thing you should check is for some vulnerabilities, e.g. XSS, SQL Injection create_FTP_user.php, just as an example, as the script is lacking input validation and output masking, a.o..

[ncoc.nl]

I agree, I did protect granted.php for a MySQL injection but I forgot the other files
Tonight I'll modify the other files and upload the zip again.

Ronald

[Ben]

But don't forget about Cross Site Scripting and others, as well

[ncoc.nl]

Ben,

In basic if not logged on there is no possibilty to run one of the other scripts, validation is done at the beginning of every script:

session_start();
if(!session_is_registered(User)){
header("location:login.php");
}

then the MySQL injection is checked:

$User = stripslashes($User);
$Password = stripslashes($Password);
$User = mysql_real_escape_string($User);
$Password = mysql_real_escape_string($Password);

and the password is encrypted:

$encrypted_Password=md5($Password);

at last the session is registered:

session_register("User");
session_register("Password");

Did I miss something or better, is there something that can make the script better?
Please advise!

Regards,
Ronald

[ncoc.nl]

The files are modified and more secure, thanks to Ben for his advice.

The zip in the first post is updated

[ncoc.nl]

Added a installation manual for Debian Lenny (see first post)

[Ben]

Quote:

In basic if not logged on there is no possibilty to run one of the other scripts, validation is done at the beginning of every script:

Every trustfull user might be untrustfull or used by a victim when logged in A and surfing B while beeing the victim of a XSS Attack combined with CSRF to attack A...