Dev version errors

Discussion in 'General' started by Tommahawk, May 28, 2007.

  1. Tommahawk

    Tommahawk New Member


    Undefined index: s in admispconfig/ispconfig/lib/ on line 53

    $s = $HTTP_GET_VARS["s"];
    if(isset($HTTP_POST_VARS["s"])) $s = $HTTP_POST_VARS["s"];

    probably should be

    if(isset($HTTP_POST_VARS["s"])) {
    $s = $HTTP_POST_VARS["s"];
    $s = addslashes($s);
    $session = "s=$s";
    } line 195 could read

    if (!isset($s)) $go_api->auth->check_user();
    elseif (empty($s)) $go_api->auth->check_user();
    elseif ($s == "") $go_api->auth->check_user();
    else $go_api->auth->check_session();


    Undefined index: reseller in admispconfig/ispconfig/web/login.php on line 59

    The above error has something to do with design of the reseller account, I do not know for certain if it is applicable as their are no designs in the design folder, the code refers design/reseller_images/login_'.$reseller.'.png' the whole code should be be enclosed in

    if (isset($_REQUEST["reseller"])) {


    $filename = '/path/to/foo.txt';

    if (file_exists($filename)) {

    or both
    Last edited: May 28, 2007
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It looks as you modified the error reporting level in the ISPConfig PHP. Please undo these changes.
  3. Tommahawk

    Tommahawk New Member<username>&passwort=<passwort>

    being able to do the above from the browser address bar and successfully login is a security flaw. It atleast means that a brute force attack can be run on ISPConfig server
    Last edited: May 29, 2007
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I dont think that get variables are a security flaw in general and the above function has been explicitely implemented as requested by users. I agree with you that there should be added a brute force detection which denies logins for x minutes after x login failures.
  5. Tommahawk

    Tommahawk New Member

  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Post requests can be used for brute force attacks as well as get requets, there is no difference in this point. The only to secure the login against these attacks is to log all login attempts and then allow just x attempts in a defined timespan.

    The only security waekness with get requests is that they might be cached by a browser, but ISPConfig itself does not use the get requests at all for logins, it just allows it so this problem can not occur in default installations.

    I have put the request for a brute force login detection in the bugtracker.

Share This Page