ISPConfig official notice of a security issue (advisory)

I expect ISPConfig 3.0.5.3 will be released before long.
The official notice reads as follows:

ISPConfig 3 Security Advisory

Summary

A security issue has been found in the sites module which allows customers to create website users for websites which they do not own from within the ISPConfig interface.

This issue requires a valid ISPConfig client login and the manipulation of http variables.

If a client would try to create a login for a different site, his actions are recorded in the sys_datalog and can be tracked down by the administrator even if he deletes this login again.

Affected versions

All ISPConfig 3 versions < 3.0.5.3

Mitigation

A hotfix for ISPConfig 3.0.5.2 is available at ispconfig.org:

http://www.ispconfig.org/downloads/ispconfig-hotfix-2013-08-08.zip

This hotfix needs to be applied only to servers with an ISPConfig interface; you do not need to apply this patch on slave servers without an ISPConfig interface.

Installation instructions for the hotfix:

Login to your server as root and execute the following commands:

wget http://www.ispconfig.org/downloads/ispconfig-hotfix-2013-08-08.zip
unzip ispconfig-hotfix-2013-08-08.zip
cd ispconfig-hotfix-2013-08-08/
chmod +x ispconfig-hotfix.sh
./ispconfig-hotfix.sh

In addition to the hotfix, ISPConfig 3.0.5.3 will be released tomorrow (August 09, 2013), which fixes this issue as well.

Credit

ISPConfig was notified of this issue by researcher Tim Mishutin (ISPConfig forum user: Almere) from SecureHoster (www.securehoster.nl).
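The advisory's point for administrators is that every attempt, even one the client deletes again, stays in sys_datalog. The following is an added example (not ISPConfig's own code, nor part of the original post) of how an administrator could audit such records: it walks constructed datalog rows and flags web_user changes whose acting client is not the owner of the referenced website. The column names (dbtable, action, sys_userid, parent_domain_id) and the admin user id are assumptions loosely modelled on ISPConfig's tables; check them against your own database.

```python
"""Audit constructed sys_datalog-style rows for website users created on
sites the acting client does not own. Added example, not ISPConfig code;
the column names below are assumptions and may differ from the real schema."""

ADMIN_USERID = 1  # assumption: the admin account may manage every site

# Constructed: which client account (sys_userid) owns which website (domain_id).
WEB_DOMAINS = {
    10: {"domain": "alice.example", "sys_userid": 3},
    11: {"domain": "bob.example", "sys_userid": 4},
}

# Constructed datalog rows: every interface change is logged, deletes included.
SYS_DATALOG = [
    {"datalog_id": 1, "dbtable": "web_user", "action": "i", "sys_userid": 3,
     "data": {"username": "alice_ftp", "parent_domain_id": 10}},
    {"datalog_id": 2, "dbtable": "web_user", "action": "i", "sys_userid": 3,
     "data": {"username": "web3", "parent_domain_id": 11}},  # client 3 on site 11
    {"datalog_id": 3, "dbtable": "web_user", "action": "d", "sys_userid": 3,
     "data": {"username": "web3", "parent_domain_id": 11}},  # removed again, still logged
    {"datalog_id": 4, "dbtable": "web_user", "action": "i", "sys_userid": 1,
     "data": {"username": "admin_user", "parent_domain_id": 11}},  # admin, allowed
    {"datalog_id": 5, "dbtable": "mail_user", "action": "i", "sys_userid": 4,
     "data": {"email": "x@bob.example"}},  # unrelated table, ignored
]


def owner_of(domain_id, web_domains=WEB_DOMAINS):
    """Return the sys_userid owning a website, or None if the site is unknown."""
    site = web_domains.get(domain_id)
    return site["sys_userid"] if site else None


def cross_site_web_user_events(datalog=SYS_DATALOG, web_domains=WEB_DOMAINS):
    """Return datalog rows where a non-admin client touched a web_user record
    of a website owned by a different client. A reference to an unknown site
    is also flagged, since ownership cannot be confirmed for it."""
    findings = []
    for row in datalog:
        if row["dbtable"] != "web_user" or row["sys_userid"] == ADMIN_USERID:
            continue
        owner = owner_of(row["data"].get("parent_domain_id"), web_domains)
        if owner != row["sys_userid"]:
            findings.append(row)
    return findings


def summarize(findings):
    """Compact (datalog_id, action, acting user, target site) tuples for a report."""
    return [(r["datalog_id"], r["action"], r["sys_userid"],
             r["data"]["parent_domain_id"]) for r in findings]
```

Run against a real export, both the insert and the later delete by the same client show up, which is exactly the trail the advisory says the administrator can follow.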

2013.0810
This morning I received the official notice that ISPConfig 3.0.5.3 has been released:
http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.5.3.tar.gz

2013.0817
The Traditional Chinese translation of ISPConfig 3.0.5.3 is complete.
224 files were translated in this round (6 new translation files),
3 files were fixed,
and the integration method for Roundcube 0.9.2 and phpMyBackupPro 2.4 was changed.

