Cannot create accounts by api after upgrade to 3.1.11

Abel Vieira · Feb 14, 2018

After upgrade ispconfig to 3.1.11 the website add function in API not work anymore.

After read the log, i found this:

[INTERFACE]: PHP IDS Alert.Total impact: 54 Affected tags: xss, csrf, dt, id, lfi, rfe, sqli Variable: POST.{"session_id":"(hidden)","client_id":"282","params":{"server_id":"5","http_port":80,"https_port":443,"ip_address":"*","ipv6_address":"","domain":"(hidden)","type":"vhost","parent_domain_id":0,"vhost_type":"name","hd_quota":-1,"traffic_quota":-1,"cgi":"n","ssi":"n","suexec":"y","errordocs":1,"is_subdomainwww":1,"subdomain":"www","php":"php-fpm","perl":"n","ruby":"n","python":"n","redirect_type":"","redirect_path":"","seo_redirect":"","rewrite_rules":"","ssl":"y","ssl_letsencrypt":"n","ssl_state":"","ssl_locality":"","ssl_organisation":"","ssl_organisation_unit":"","ssl_country":"","ssl_domain":"(hidden)","ssl_request":"-----BEGIN_CERTIFICATE_REQUEST-----(hidden)1Mw | Value: =n-----END CERTIFICATE REQUEST-----","ssl_cert":"-----BEGIN CERTIFICATE-----(hidden)n-----END CERTIFICATE-----","ssl_bundle":"-----BEGIN CERTIFICATE-----(hidden)-----n-----BEGIN CERTIFICATE-----(hidden) n-----END CERTIFICATE-----","ssl_action":"save","stats_password":"","stats_type":"","allow_override":"All","apache_directives":"","php_open_basedir":"/","custom_php_ini":"session.save_handler = redisnsession.save_path = "tcp://127.0.0.1:6379"","backup_interval":"none","backup_copies":1,"backup_excludes":"","active":"y","traffic_quota_lock":"n","php_fpm_use_socket":"y","pm":"dynamic","pm_max_children":10,"pm_start_servers":2,"pm_min_spare_servers":1,"pm_max_spare_servers":5,"pm_max_requests":0,"pm_process_idle_timeout":10,"log_retention":30,"added_date":"2018-02-14 17:24:01","ssl_key":"-----BEGIN RSA PRIVATE KEY-----(hidden)-----END RSA PRIVATE KEY-----","added_by":"CPL API"}} Impact: 54 | Tags: xss, csrf, dt, id, lfi, rfe, sqli Description: Finds attribute breaking injections including whitespace attacks | Tags: xss, csrf | ID 2 Description: Detects basic directory traversal | Tags: dt, id, lfi | ID 10 Description: Detects JavaScript location/document property access and window access obfuscation | Tags: xss, csrf | ID 23 Description: Detects data: URL injections, VBS injections and common URI schemes | Tags: xss, rfe | ID 27 Description: Detects common comment types | Tags: xss, csrf, id | ID 35 Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID 43 Description: Detects basic SQL authentication bypass attempts 1/3 | Tags: sqli, id, lfi | ID 44 Description: Detects basic SQL authentication bypass attempts 2/3 | Tags: sqli, id, lfi | ID 45 Description: Detects basic SQL authentication bypass attempts 3/3 | Tags: sqli, id, lfi | ID 46 Description: Detects MySQL comment-/space-obfuscated injections and backtick termination | Tags: sqli, id | ID 57 

I can be do something to fix?

Regards,

till · Feb 15, 2018

Update to git-stable (not git-master), the issue is fixed there. Or you turn of the IDS completely for anon and user in /usr/local/ispconfig/security/security_settings.ini until ISPConfig 3.1.12 get's released.

Log in or Sign up

Cannot create accounts by api after upgrade to 3.1.11

Abel Vieira New Member

till Super Moderator Staff Member ISPConfig Developer

Share This Page

Log in or Sign up

Cannot create accounts by api after upgrade to 3.1.11

Abel Vieira New Member

till Super Moderator Staff Member ISPConfig Developer

Share This Page

Useful Searches