FTP Backup manager

Discussion in 'Tips/Tricks/Mods' started by ncoc.nl, Apr 27, 2011.

  1. ncoc.nl

    ncoc.nl Member

    Hi everyone,

    Because of the mirror issues as written in http://www.howtoforge.com/forums/showthread.php?t=52341 I started a new little project based on Virtual Hosting With PureFTPd And MySQL (Incl. Quota And Bandwidth Management) On Debian Etch.
    The installation instruction are for Debian Etch but works also for Debian Lenny.

    I created a web interface for the FTP Backup server so phpmyadmin is not needed anymore, the interface and ftpserver is tested for several days and seems bug free.

    Follow the installation instuctions written by Falko but use the MySQL.txt file provided in the zip to populate the MySQL database.

    Change the MySQL password in inc_connect.php and upload the php files into the root of the webserver (/var/www)

    when connecting the webserver shows a loginscreen:

    Username: ftp-admin
    Password: ftp-admin

    You can change the admin password when logged on.

    remark: the delete option deletes the user without question!

    The files are modified and the zip is updated

    Attached Files:

    Last edited: May 4, 2011
  2. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Looks cool.

    But one thing you should check is for some vulnerabilities, e.g. XSS, SQL Injection create_FTP_user.php, just as an example, as the script is lacking input validation and output masking, a.o..
  3. ncoc.nl

    ncoc.nl Member

    I agree, I did protect granted.php for a MySQL injection but I forgot the other files :(
    Tonight I'll modify the other files and upload the zip again.

  4. Ben

    Ben ISPConfig Developer ISPConfig Developer

    But don't forget about Cross Site Scripting and others, as well ;)
  5. ncoc.nl

    ncoc.nl Member


    In basic if not logged on there is no possibilty to run one of the other scripts, validation is done at the beginning of every script:


    then the MySQL injection is checked:

    $User = stripslashes($User);
    $Password = stripslashes($Password);
    $User = mysql_real_escape_string($User);
    $Password = mysql_real_escape_string($Password);

    and the password is encrypted:


    at last the session is registered:


    Did I miss something or better, is there something that can make the script better?
    Please advise!

  6. ncoc.nl

    ncoc.nl Member

    The files are modified and more secure, thanks to Ben for his advice.

    The zip in the first post is updated
  7. ncoc.nl

    ncoc.nl Member

    Added a installation manual for Debian Lenny (see first post)
  8. Ben

    Ben ISPConfig Developer ISPConfig Developer

    Every trustfull user might be untrustfull or used by a victim when logged in A and surfing B while beeing the victim of a XSS Attack combined with CSRF to attack A... ;)

Share This Page