ispCP Omega 1.0.5 Security Announcement II
Posted by: Philipp Esselbach on: 07/30/2010 01:02 PM
Another small vulnerability has been discovered in ispCP Omega 1.0.5 while running in DEBUG mode
Today we discovered another fault, this time in the ispCP Omega Engine if DEBUG is set to 1 in ispcp.conf. (System default is 0.)
On database backup, the password for the ispCP database user is shown and logged in clear text, while the logs are world-readable. It is recommended to fix this bug by either setting DEBUG to 0 or applying the patch attached to ticket 2411.
An identical security hole was discovered today in these scripts:
engine/backup/ispcp-backup-all
engine/backup/ispcp-backup-ispcp
The patch attached to ticket #2411 was updated today.
Also, it's recommended to remove all the /var/log/ispcp/* logs after fixing this security hole, either by setting debug mode to 0 or by applying the patch. For versions prior to ispCP 1.0.5, it's strongly recommended to migrate and to apply the patch.
Note: For the last script, this is even more important, because this time it's the main SQL account login (e.g. SQL root account) credentials that are stored in cleartext.
We apologize for any inconvenience caused.
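A quick way to check a server for the two conditions the announcement describes (DEBUG enabled, world-readable files under /var/log/ispcp), as an added example that is not part of the original announcement or of ispCP itself. It assumes ispcp.conf uses "KEY = VALUE" lines and sits at /etc/ispcp/ispcp.conf; the function names are hypothetical.

```shell
#!/bin/sh
# Added audit sketch for the advisory above; not ispCP project code.
# Assumptions: ispcp.conf uses "KEY = VALUE" lines and lives at
# /etc/ispcp/ispcp.conf; override ISPCP_CONF / ISPCP_LOGS if yours differ.
ISPCP_CONF="${ISPCP_CONF:-/etc/ispcp/ispcp.conf}"
ISPCP_LOGS="${ISPCP_LOGS:-/var/log/ispcp}"

# Print the DEBUG value found in the file (last match wins here; prints 0,
# the system default per the advisory, when the key or file is absent).
debug_value() {
    val=$(sed -n 's/^[[:space:]]*DEBUG[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*$/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-0}"
}

# List regular files under the log directory that "other" can read.
world_readable_logs() {
    [ -d "$1" ] || return 0
    find "$1" -type f -perm -004 -print
}

# Return 0 when clean, 1 when either condition from the advisory holds.
audit_ispcp() {
    rc=0
    if [ "$(debug_value "$1")" != "0" ]; then
        echo "WARN: DEBUG is enabled in $1"
        rc=1
    fi
    exposed=$(world_readable_logs "$2")
    if [ -n "$exposed" ]; then
        echo "WARN: world-readable logs under $2:"
        printf '%s\n' "$exposed"
        rc=1
    fi
    return $rc
}

# Run only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_ispcp "$ISPCP_CONF" "$ISPCP_LOGS"
fi
```

Invoke it with --run as root; a non-zero exit means at least one of the two conditions still holds.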
