Plugin system with version upgrade.

Discussion in 'Developers' Forum' started by ivomendonca, Sep 24, 2010.

  1. ivomendonca

    ivomendonca Banned

    Hello.
    ISPConfig is now beta testing the new release that will prevent users from getting the ISPConfig password and hacking the entire cloud.

    This should be treated as top priority, as a plugin or engine release, not as a new version that needs ages to be tested.

    It is not the first time that I say this, but ISPConfig is adding a lot of features but can't even respond to the gross bugs that have been here for more than a year.

    The problem in ISPConfig is not the test time, it is the theoretical study that does not exist, or I can't see it anywhere.

    In summary, using an engine that can be updated (patched) in an easy way is the only way to stop the continuous nasty bug creation on all versions until now.
     
    Last edited: Sep 24, 2010
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    I've never heard of the bug you are talking about. So I'm not sure where you added this, but it is definitely not in the bugtracker and has not been reported to dev [at] ispconfig [dot] org, as all bugs get closed in a short time in ISPConfig.

    For example, when 3.0.2.2 was released, all known bugs in the bugtracker were fixed at that moment.

    So if you think that you found a bug, please send a description to dev [at] ispconfig [dot] org or make a bug report in the bugtracker.
     
  3. ivomendonca

    ivomendonca Banned

    The bug was reported by a user in this forum.

    The bug was reported by a user and you said that it is resolved in this latest version (beta).
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    There had been no bug that allowed a user to hack the whole cloud. Otherwise we would have released a patch update for the 3.0.2.x series.

    ISPConfig uses a version numbering scheme where the third number is for releases that introduce a lot of new features, like 3.0.3 (beta), and the fourth number is for patch releases. So 3.0.2.2 is the second patch release for the 3.0.2 series, and there had been no critical security bugs in that series, otherwise we would have released a 3.0.2.3 patch release.
     
  5. ivomendonca

    ivomendonca Banned

    What I have read is that for a client using a PHP script, the password will appear in the array.

    I can't see that anywhere now, maybe a bad dream.

    And my proposal is to make plugin updates to fix problems, not the entire system again.
     
  6. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Please post the exact thread you are referring to. I can assure you that all security related bugs get closed in a very short time. You can see that yourself in the bugtracker.

    Also you should keep in mind that not everyone who is posting to this forum is a Linux or security pro, so not every post where someone thought he found a critical security issue is really a security problem, and some of these issues are also related to misconfigurations on a specific system and not even related to ISPConfig.
     
  7. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    One additional note to this sentence. Where do you have a problem with the ISPConfig update? It takes less than a minute and downloads all changes automatically. Just run:

    ispconfig_update.sh

    on the shell and the script will even inform you if your system is already up to date. Additionally, ISPConfig has a newsletter where you can subscribe yourself to get informed on updates by email.
     
  8. ivomendonca

    ivomendonca Banned

    Yes, I know how to update, I'm just saying that ISPConfig can use wget to update plugins with no need to go to SSH.

    That's why I use the word "propose".
     
  9. ivomendonca

    ivomendonca Banned

    I did not try this but, if it can be done, it will be like this.

    Open http://yourdomain.com:8080

    Place an index.php and make a var_dump.

    See if the ISPConfig $_SESSION appears in your client site.
     
  10. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    No client site has write access to these files.
     
  11. ivomendonca

    ivomendonca Banned

    Place index.php in the client site yourdomain.com,
    not in the ISPConfig folder.
     
  12. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    The port is part of the session identifier. So you don't get any session info from port 8080 if you connect to port 80. I just verified that:

    1) I logged into ISPConfig on test.tld:8080
    2) I created a website test.tld and added the file:

    <?php
    // start (or resume) the PHP session for this vhost and dump its contents
    session_start();
    print_r($_SESSION);
    ?>

    and opened test.tld/info.php in the same browser window without closing ISPConfig nor closing the browser window, and the output is:

    Array ( )

    Normally you should always connect to ISPConfig through the server hostname anyway, so if you don't trust the PHP session handler and want to add a second security level, then you can set the server hostname in the ISPConfig vhost so that only connections through this hostname are possible.

    For larger multiserver setups you use a dedicated control panel server, so there are no other vhosts on that server.
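The separation that till's check relies on (the panel's session data not being reachable from a client vhost on the same host) can also be made explicit in the panel's own PHP configuration. The following is an added example written for this thread, not ISPConfig's code; the application name `panel`, the directory `/var/lib/panel-sessions` and the function name are assumptions. It gives the panel its own cookie name, its own session directory and strict session handling, so a plain `session_start()` in a client site keeps using the default name and save path and sees none of the panel's data.

```php
<?php
// Added example, not ISPConfig code. Starts a PHP session for an admin panel that
// is kept apart from the sessions of other vhosts on the same host.
// $appName and $savePath are assumptions chosen for this example.

function start_isolated_session(string $appName, string $savePath): void
{
    // A distinct cookie name: a script on another vhost that calls session_start()
    // with the default name (PHPSESSID) does not use this cookie as its session id.
    session_name($appName . '_SESSID');

    // A private session directory. With mode 0700 and ownership by the panel's
    // system user, other vhosts cannot read the session files even if they run
    // as a different PHP user on the same machine.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session directory $savePath");
    }
    session_save_path($savePath);

    // Reject session ids the server did not issue, and never accept ids from the URL.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');

    // Cookie attributes: HttpOnly keeps the cookie away from client-side scripts,
    // Secure is set when the request arrived over TLS, SameSite limits cross-site
    // sending. The array form of session_set_cookie_params() needs PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'httponly' => true,
        'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
        'samesite' => 'Strict',
    ]);

    session_start();
}

// Usage in the panel's front controller (values are assumptions):
start_isolated_session('panel', '/var/lib/panel-sessions');
$_SESSION['login_time'] = $_SESSION['login_time'] ?? time();

// The panel's data lives under the panel_SESSID cookie and in /var/lib/panel-sessions.
// A client vhost running the plain session_start()/print_r($_SESSION) probe from this
// thread works with PHPSESSID and the default save path, so it prints Array ( ).
print_r($_SESSION);
```

The file-system permission on the session directory is the part that holds even if a client site obtains the cookie value by some other route, so it should be set on the directory itself and not left to the `mkdir` default. The hostname restriction in the panel vhost that till mentions is a separate layer and still applies.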
     
