ISPConfig 3.0.5 RC 1 released for testing

Discussion in 'Developers' Forum' started by till, Dec 21, 2012.

  1. Typhon

    Typhon New Member

    You're willing to say that it is not the best way?
    A simple check in the database can be avoided this kind of fault who can compromise the security of all the host ?
    With this vulnerability everyone can make a phishing page and really realistic and with a guaranteed result
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please see instructions in post #20 of this thread to enable domain limits. None of your clients will be able to use a domain of another client after you enabled this. Off course the admin has to enter and assign a domain to a client first as the system needs to know which client is owner of which domain. ISPConfig can not know "out of the blue" which client is the owner of which domain. Assigning a domain to a client by a authoritive person (the aministrator) is the only reliable way to do it as ispconfig can not know which relations, contracts etc. define the legal ownership or administration rights of any given domain that exists in the internet.
  3. Typhon

    Typhon New Member

    Yes, but this method has many defects :
    -It's take too many times to the admin and to the client maybe he needs to deploy its site NOW
    -It is the same thing because the admin dont necessarily know that it is the domain of this or this client ... unless if he looks at the whois or contact the customer which will take much more time

    I think the problem can be resolved easily and without 1000 lines of code, simply by checking the domain name thanks to a Regex + SQL query and it is done ... like the vast majority of hosts !
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As a internet service provider, you sell the domains to your customer so you will have to enter them anyway as you have to write your customers invoices etc.

    Ok,so you say a computer program like isponfig shall be able to read contracts and find the real ownerships and administrations rights for a domain when a human is not able to do this? As administrator, you sold the domain to the custiomer or he ordered the website for this domain on your hosting pagem so you know that he owns the domain.

    Ok, please show me the regex that validates that the person which is in front of a computer monitor owns the domain name or is authorized by the domain owner of the domain to create is as website or email domain and I will implement it.
  5. Typhon

    Typhon New Member

    We are not all domains provider
    This is not what i said ! You can do a very simple SQL query find there are a another website with the same domain so first come first served.
    And no this is not better than a human but it's take less time and it's better when you haven't this option checked.
    This is not wat i said, i said that with a Regex+SQL you can see if a domain is already used IN YOU SERVER, and this is logic no ?
    Although this is not what I said, yes there's a regex that it allows you to do this and it is extremely simple regex you can do it in 15 minutes (Okey the script need to download a whois page from a whois provider (XML: HTML or anything else) and you perse it using regex to find the name after this you use a condition and it's done) but this is not what i say to do, what i say to do is to simply check if a domain is already used by another clients if we haven't check the option of limited domain, yeah okey it's not betted than a human but it's fast the same :D
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can not add duplicate domains, so if customer a added domain1.tld as mail domain, customer 2 cannot add it. So if thats all you want, then its already implemented. But it wont solve the phising problems as these problems arise when someone adds a domain which is not used on your server but might be used by other customers to send email to.

    1) You can not access whois data from all domains with a script. E.g. a .de domain requires a captcha and some tld's hide the owner details.
    2) The whois data does not always match the client data.
    3) Domains can be rented, so the person in the whois is not the person allowed to use it.

    So if you reject domains based on whois details, you will get a lot of customer complaints.
  7. Typhon

    Typhon New Member

    Okey, but this is so in every host, so this is not a defect and this is not the problem but the problem is that you can make :
    And it's work perfectly with every domain, THIS is what i am talking about
    Last edited: Jan 1, 2013
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats what we made the domain limits for. I understand that you dont like them but they are the only secure way in securing the server against domain misuse and phising.

    Btw, adding a website might only harm if you work with wildcard dns records which is not recommended anyway. If you dont use wildcard dns, nobody can access this site as the domain owner controls the dns record. If I add google.ocm on my ispconfig server, I will not get any traffic from google as their dns does not point to my server.

    There is a feature request for adding a optional simple database match for website domains in the bugtracker for those who dont like the domain limit feature, so you might want to vote for that. But such a database match can never be really secure and customers can use it to block your system by adding e.g. a website "" which is a valid domain name and no other customer will be able to add a site with domain on your server until you removed or renamed the site. So while this check adds some pseudo security, it will case you troubles on the other side.
  9. Typhon

    Typhon New Member

    Okey ;)
    Oh and before I forget, you do a great job, really !
  10. mccharlet

    mccharlet Member HowtoForge Supporter


    How to remove the "APS installer" menu and the backup tab on the client control panel ?

    Best regards
  11. popper2001

    popper2001 New Member

    ISP 3.0.5 RC not starting up on Debian Wheezy

    I just installed a testing environment based on upgraded to Debian Wheezy. Installation went fine without any errors, but ISPConfig interface is not accessible afterwards on port 8080. I simply get
    in the browser and Apache error log states only:
    [Sun Jan 13 18:37:23 2013] [error] [client] client denied by server configuration: /var/www/, referer:
    I first thought it might be a php-fcgi issue and activated the mod_php section in 000-ispconfig.vhost following the comment in, but after doing that I only get an 500 internal server error stating the following in the error.log:
    [Sun Jan 13 18:40:53 2013] [error] [client] PHP Warning:  require_once(/usr/local/ispconfig/interface/lib/ failed to open stream: Permission denied in /usr/local/ispconfig/interface/web/index.php on line 31, referer:
    [Sun Jan 13 18:40:53 2013] [error] [client] PHP Fatal error:  require_once(): Failed opening required '../lib/' (include_path='.:/usr/share/php:/usr/share/pear') in /usr/local/ispconfig/interface/web/index.php on line 31, referer:
    Any Ideas what's going wrong here? Other vHosts / redirects to symlinks as e.g. /phpmyadmin or /squirrelmail work fine.
  12. popper2001

    popper2001 New Member

    OK, meanwhile I discovered some things on my own:

    Compared to it seems to be required in Wheezy to manually enable libapache2-mod-fcgid to make ISP with 000-ispconfig.vhost work:

    a2enmod fcgid 
    /etc/init.d/apache2 restart
    In addition to that (and completely independent from the problem above) also the following dovecot packages need to be installed on Wheezy: dovecot-mysql dovecot-sieve.

    Nevertheless, what I'm still struggeling with: Why does the commenting in of the mod_php section in 000-ispconfig.vhost not work. Is there a access rights issue for apache or a different default symlink handling in Wheezy?
  13. wiss

    wiss New Member

    Hy all.

    How do I enable db backup?


  14. year

    year New Member

    go to databases select your DB et in the menu you juste have to select le website to associate to it.
    and the next backup will have a db saved

Share This Page