1 security issue, 2 interesting proposals...

Discussion in 'Developers' Forum' started by danf.1979, Mar 22, 2006.

  1. danf.1979

    danf.1979 ISPConfig Developer

    1) Please check:
    config.lib.php, Line 535
    It displays the user password on the logfile...

    2) I think it would be a great idea to have an option to include open_basedir in clients vhosts.

    From php.ini:
    ; open_basedir, if set, limits all file operations to the defined directory
    ; and below. This directive makes most sense if used in a per-directory
    ; or per-virtualhost web server configuration file.
    For what I understand it could prevent a malicious script to read file contents outside the directory configured for the client in the vhost. Great!

    3) Change index.php to be first by default in:
    DirectoryIndex index.html index.htm index.php index.php5 index.php4 index.php3 index.shtml index.cgi index.pl index.jsp Default.htm default.htm

    Hey Till, I'm sorry for not sending yet the cms manager, but I have been doing some homework, and I will modify plenty code before sending it.

    Cheers!
     
  2. till

    till Super Moderator

    It is not the user password, it is the password of the mysqldb of the user. But thats noot good either.

    Hotfix:

    Replace line 535 with this line:

    Code:
    exec("mysqldump -h $db_server -u $db_user -p$db_password -c --add-drop-table --add-locks --all --quick --lock-tables $new_db >/root/ispconfig/scripts/$new_db.sql");
    ISPConfig uses already OpenBasedir in the vhosts. Currently it is used together with the safemode switch. It might be a good idea to make 2 checkboxes, one for safemode and one for open_basedir.

    I think thats a question of taste. Personally i like it that index.html comes before index.php.

    Send me the files when you are finished :)
     
  3. danf.1979

    danf.1979 ISPConfig Developer

    I think you meant something like this?
    Code:
    $mod->log->caselog("mysqldump -h $db_server -u $db_user -p[hidden_pass] -c --add-drop-table --add-locks --all --quick --lock-tables $new_db >/root/ispconfig/scripts/$new_db.sql", $this->FILE, __LINE__);
    
    ?
     
  4. till

    till Super Moderator

    No, i meant that what i posted.

    $mod->log->caselog(...) is not a simple logging function, it executes the statement and logs it incl. failures.
     
  5. danf.1979

    danf.1979 ISPConfig Developer

    Oh, Ok... I didn't know that. Thanks for the info.
    :)
     

Share This Page