Security issue

Discussion in 'Developers' Forum' started by remy74, Dec 5, 2013.

  1. remy74

    remy74 New Member

    Dear All,

    We are experiencing an issue with the security of ISPConfig.
    We have written 2 modules for managing some objects (Exchange mailboxes and VMware VPS). For each module, we use the internal security of ISPConfig.
    In fact, this is the sys_groupid / sys_userid (etc.) columns in each table, and $form["auth"] = 'yes' on all tables (tform).
    Each customer has access to their own objects, no problem at all.
    But yesterday, we saw that a customer had deleted an object belonging to another customer. We traced everything we could. The sys_groupid is different, OK. (The first customer has 22 and the second has 8.) The first customer deleted an object whose sys_groupid in the table was 8 (before the delete action; we saw it in the backup). Apparently, the customer saw an object that they didn't need, and they just dropped it.
    How is this possible?
    Has anybody else experienced this situation?

    Thanks for your help.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I am not aware of such an issue yet. Could you please contact me by email at dev [at] ispconfig [dot] org, as I will need more details on the issue so I can try to reproduce it, like the sys_user and sys_group records of both users (the owner and the one that deleted the record) plus the record that was deleted. I also need to know which ISPConfig version you use.
