ispCP - Board - Support - Security Advisories

[Solved] Bug PHP

Tue, 08 May 2012 09:01:48 +0000

Good morning, this bug detected in our engine we use php for even a bush in 5.2 may be a problem for our servers.

Any partner I may say something

PHP 5.3.12/5.4.2 do not fix all variations of the CGI issues described in CVE-2012-1823. It has also come to our attention that some sites use an insecure cgiwrapper script to run PHP. These scripts will use $* instead of "$@" to pass parameters to php-cgi which causes a number of issues. Again, people using mod_php or php-fpm are not affected.

One way to address these CGI issues is to reject the request if the query string contains a '-' and no '='. It can be done using Apache's mod_rewrite like this:

RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

Note that this will block otherwise safe requests like ?top-40 so if you have query parameters that look like that, adjust your regex accordingly.
Another set of releases are planned for Tuesday, May, 8th. These releases will fix the CGI flaw and another CGI-related issue in apache_request_header (5.4 only).

We apologize for the inconvenience created with these releases and the (lack of) communication around them.

Security Announcement: Backup Restore Manager

Sun, 29 Aug 2010 15:23:40 +0000

Today another critical security issue has been found. All ispCP Omega versions are effected.
It is possible to use the ispCP Client Backup Manager to restore forged backups and - in worst case - gain control over the server system.

We strongly recommend to fix the described security issue by disabling the backup restore routine. For this open the ispcp-dmn-mngr in /var/www/ispcp/engine/ and search for

Code:

sub dmn_restore_data {

add

Code:

exit 1;

directly in the next line.

We try to deliver a patch as fast as possible. You can follow the status in ticket: 2440

Critical security issue

Sun, 29 Aug 2010 10:35:12 +0000

Backup engine can be used to upload a symlink to an arbitrary file. Of course, that file must be accessible and readable for vuxxxx user resulting a minor issue.
Ex:
download last available backup
unpack
create in htdocs a simlink to /etc/passwd
upload in backup folder
call http://site.tld/symlink_name and you will get passwd.

PS. My trac account is unusable that’s why I use forum.

ispCP Omega 1.0.5 Security Announcement II

Thu, 29 Jul 2010 22:20:15 +0000

Dear all,

Today we discovered another potential fault, this time in the ispCP Omega Engine. This security fix only affects installations where DEBUG is switched on in ispcp.conf. By default this functionality is disabled, if you have not enabled it then this security announcement does not affect you.

The details of the security fix are, on Database backup the password for the ispCP database user is revealed and logged in clear text without obfuscation.

To secure your installation, it is recommended to either set DEBUG to 0 or use the
patch attached to ticket 2411.

We apologise for any inconvenience caused.

ispCP Omega 1.0.5 Security Announcement

Fri, 23 Jul 2010 12:02:36 +0000

Dear ispCP Users ;

Today, a new security hole was discovered in ispCP stable release.

This security hole allows your customers to connect to the database (pma) from other customers by passing arbitrary identifiers in the URL via the client/sql_auth.php script.

For better information, and to learn how to fix this security hole, you can read the following ticket:

http://isp-control.net/ispcp/ticket/2410

Note: This security hole also affect all prior versions of ispCP ω that implement the client/sql_auth.php script.

Best Regards :

Edit:

See http://isp-control.net/ispcp/ticket/2410#comment:9 for a quick fix.

ispCP Omega 1.0.3 Security Announcement

Thu, 24 Dec 2009 01:32:22 +0000

Sometimes not even the best testing help to find all remaining bugs in software and this time it's a security issue we overlooked in ispCP ω 1.0.3.

If you have already installed ispCP ω 1.0.3 on your server, get our security fix.
Just follow these instructions (as root):

Code:

# cd /var/www/ispcp/engine/setup

 # wget -O- 'http://www.isp-control.net/ispcp/raw-attachment/ticket/2112/permission-fix.tar.gz' | tar -xzv

 # ./set-gui-permissions.sh

 # ./set-engine-permissions.sh

Else if you have not yet installed ispCP ω 1.0.3, please proceed to our downloads page and download the latest released version of ispCP ω 1.0.3-1. An update is strongly recommended, because all prior versions of ispCP ω contain this security hole.
Beside the security fix ispCP ω 1.0.3-1 eliminates those situations, where it was not possible to install ispCP Omega for some reason.

ispCP ω 1.0.3-1 does not implement any new features or bugfixes. There is no need to install ispCP ω 1.0.3-1 on a running ispCP ω 1.0.3. (Please don't forget the security fix!)

ispCP Omega is an open source solution to all your web hosting needs. You can download the latest stable release from the downloads section. Before you download ispCP, please browse through our comprehensive ispCP documentation section and review the System Requirements, Installing ispCP, Frequently Asked Questions and HowTo's.

CSRF in all SquirrelMail forms

Mon, 17 Aug 2009 19:52:48 +0000

A few days ago, SquirrelMail announced an cross-site request forgery issue in all forms and versions below 1.4.20RC1 with the following text:

Quote:"All form submissions (send message, change preferences, etc.) in SquirrelMail were previously subject to cross-site request forgery (CSRF), wherein data could be sent to them from an offsite location, which could allow an attacker to inject malicious content into user preferences or possibly send emails without user consent."

To prevent your server from attacks, please use the updated SquirrelMail package for ispCP Omega. We recommend to update your SquirrelMail soon.

The original announcement can be found in the SquirrelMail homepage.

Warning: bug found in all 2.4.x and 2.6.x kernels

Fri, 14 Aug 2009 07:17:00 +0000

A local privilege scalation exploitable bug has been found on *all* linux kernels from 2.4. There are exploits out there, so beware!

No SquirrelMail Module Vulnerabilität in ispCP

Mon, 03 Aug 2009 22:00:49 +0000

Hi

there were some problems on the squirrel website...
here a german (heise) comment:
http://www.heise.de/newsticker/Passwort-...ung/142979

engl: http://www.h-online.com/security/Squirre...ews/113920

I don't know if we have bundled ispcp with one of theese modules. But I like the last sentence in the report...

/J

[fixed] Update RC2 -> RC3: Do not use ispcp-update

Fri, 08 Feb 2008 00:22:03 +0000

Only care about this if you've downloaded the RC3 Package before Feb. 08 2008 18:00 GMT.

Due to the fact no one tested the update script from RC2 to RC3 there are a lot of errors revealed.

DO NOT USE THE UPDATE SCRIPT SHIPPED WITH RC3 TO UPDATE YOUR ispCP INSTALLATION FROM RC2 TO RC3.

From VHCS to RC3 should make no problems.
fix can be downloaded here: hotfix1-rc3.tar.bz2.

Extract the file to your ./ispcp/engine/ folder before you start the update!

IMPORTANT: DOVECOT VULNERABILITY

Thu, 10 Jan 2008 18:53:24 +0000

All dovecot users with ldap dictionaries should update a.s.a.p

See Debian DSA 1457-1 for more details.

You should upgrade your dovecot packages also without using ldap dictionaries, but it's not that important then...

[solved] Security Problem detected

Fri, 17 Aug 2007 16:21:42 +0000

Hi

Platzwart had a problem on his server and mentioned that this could be a security issue:

A customer can add a domain-alias, eg. gmx.net
Then he adds an emailaddress for this domain: all@gmx.net
and then he can add a catchall for gmx.net to go into this new mailbox.

Well - all mails to gmx.net which are sent over this server (webmail, smtp...) will go to the customers account.
I checked this and got an email to djkherjkghekj@gmx.net to my web.de account...

This is *not really* good.... (better: this is really not good)

What are others thinking about (besides opening a ticket)...
http://www.isp-control.net/ispcp/ticket/573

/Joximu

Security vulnerability warning ispCP Omega 1.0.0 RC2

Tue, 24 Apr 2007 23:01:13 +0000

Raphael (atomo64) today posted a security vulnerability in our bug tracker. We implemented as soon as possible a fix to solve this vulnerability. As a result you can download the new release candidate RC2b.

For fixing only the critical security bug, there is a patch available on http://downloads.sourceforge.net/ispcp/i...-patch.txt
With the next command you can install the patch:

Code:

patch -cl -d /var/www/ispcp < /path/to/ispcp-omega-1.0.0-rc2-security-patch.txt

To manually fix the security bug add the following line above in the file /var/www/ispcp/gui/include/sql.php immediately below the commented text (around line 20):

PHP Code:

$include_path = realpath(dirname(__FILE__)); 

We thank Raphael to reporting this security bug and we hope everyone using ispCP Omega will patch this bug. To stay informed about security bugs and new releases, subscribe to our announce mailinglist.