ISPConfig 3

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Backend / Core
  • Assigned To No-one
  • Operating System All
  • Severity Critical
  • Priority Normal
  • Reported Version
  • Due in Version
  • Due Date Undecided
Attached to Project: ISPConfig 3
Opened by hakong (hakong) - 2012-04-03
Last edited by Till (Till) - 2012-04-09

FS#2157 - "Add new Webdav user" can chmod and chown entire server from client interface

Through the client interface, I was able to chmod and chown the root directory (/) of my server to web3:client9 and 770 using the "Add new Webdav user" function with ../../../../../../../../../../../../ as the path.
This can probably be exploited in some way too.

This task does not depend on any other tasks.

Closed by Till (Till)
Monday, 09 April 2012, 10:10 GMT
Reason for closing: Fixed
hakong (hakong)
Tuesday, 03 April 2012, 16:21 GMT
Just tried this on a fresh install of ISPConfig version, and it worked, had to re-install the entire VM. This has to be fixed as soon as possible.
Till (Till)
Monday, 09 April 2012, 10:09 GMT
The issue has been fixed in the SVN stable branch on April 4, Revision 3020.

Fast Workaround

Set the Webdav User Limit to 0 in Client settings to disable the ability of clients to add new webdav users.

Quick Fix

Copy the webdav_user_edit.php file that is attached to this post to the directory /usr/local/ispconfig/interface/web/sites/webdav_user_edit.php

Final Fix

The Bug is fixed in ISPConfig which will be released on April 10.

To get the latest fixes from svn incl. the above bugfix, follow these instructions:

svn export svn://
cd ispconfig-3.0.4/install/
php update.php
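
A containment check of the kind this report calls for, as an added PHP example: it is not the code from the attached webdav_user_edit.php or from revision 3020, and the function name resolve_client_dir, the docroot path and the sample inputs are assumptions made for illustration. It resolves the client-supplied directory against the site's docroot and refuses any ".." segment before a caller would go on to chown or chmod the result.

```php
<?php
// Added example, not ISPConfig code. Docroot and inputs below are constructed.

// Return the absolute directory for a client-supplied relative path,
// or null if the input must be rejected.
function resolve_client_dir(string $docroot, string $userDir): ?string
{
    // NUL bytes and backslashes have no place in a WebDAV directory name.
    if (strpos($userDir, "\0") !== false || strpos($userDir, '\\') !== false) {
        return null;
    }
    $base  = rtrim($docroot, '/');
    $parts = [];
    foreach (explode('/', $userDir) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;            // collapse "//" and "./"
        }
        if ($segment === '..') {
            return null;         // parent references are never legitimate here
        }
        $parts[] = $segment;
    }
    $candidate = $parts ? $base . '/' . implode('/', $parts) : $base;

    // If the directory already exists, resolve symlinks and re-check that the
    // real location is still inside the docroot.
    $real = realpath($candidate);
    if ($real !== false) {
        $realBase = realpath($base);
        if ($realBase === false
            || ($real !== $realBase && strpos($real, $realBase . '/') !== 0)) {
            return null;
        }
    }
    return $candidate;
}

$docroot = '/srv/example/clients/client9/web3';   // constructed path
$samples = [
    'webdav/docs',                            // normal request
    './webdav//docs/',                        // harmless noise, normalised
    '../../../../../../../../../../../../',   // input from the report
    'webdav/../../web4',                      // traversal hidden mid-path
    '/etc',                                   // leading slash stays under docroot
];
foreach ($samples as $input) {
    $dir = resolve_client_dir($docroot, $input);
    printf("%-40s => %s\n", var_export($input, true), $dir ?? 'REJECTED');
}
```

The check belongs on the server side at the point where the path is consumed by the privileged backend, not only in the interface form, since the ownership and mode changes run with root privileges.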