SVN DEV VERSION

Undefined index: s in admispconfig/ispconfig/lib/config.inc.php on line 53

    $s = $HTTP_GET_VARS["s"];
    if(isset($HTTP_POST_VARS["s"])) $s = $HTTP_POST_VARS["s"];

probably should be

    if(isset($HTTP_POST_VARS["s"])) {
        $s = $HTTP_POST_VARS["s"];
        $s = addslashes($s);
        $session = "s=$s";
    }

Session.inc.php line 195 could read

    if (!isset($s)) $go_api->auth->check_user();
    elseif (empty($s)) $go_api->auth->check_user();
    elseif ($s == "") $go_api->auth->check_user();
    else $go_api->auth->check_session();

---------------------------------------------------------------------------------------------------------------------------

Undefined index: reseller in admispconfig/ispconfig/web/login.php on line 59

The above error has something to do with the design of the reseller account. I do not know for certain if it is applicable, as there are no designs in the design folder; the code refers to design/reseller_images/login_'.$reseller.'.png'. The whole code should be enclosed in

    if (isset($_REQUEST["reseller"])) {
        ............................
    }

or

    $filename = '/path/to/foo.txt';
    if (file_exists($filename)) {
        ---------------------------------
    }

or both.
http://www.5s7.com:81/login/login.php?username=<username>&passwort=<passwort>

Being able to do the above from the browser address bar and successfully log in is a security flaw. It at least means that a brute force attack can be run on an ISPConfig server.
I don't think that GET variables are a security flaw in general, and the above function has been explicitly implemented as requested by users. I agree with you that a brute force detection should be added which denies logins for x minutes after x login failures.
This article describes the feature you requested, although I still believe that ISPConfig would be better if it dropped GET requests where possible (logical) in exchange for POST: http://www.webcheatsheet.com/php/blocking_system_access.php
POST requests can be used for brute force attacks as well as GET requests; there is no difference on this point. The only way to secure the login against these attacks is to log all login attempts and then allow just x attempts in a defined timespan. The only security weakness with GET requests is that they might be cached by a browser, but ISPConfig itself does not use GET requests at all for logins, it just allows them, so this problem cannot occur in default installations. I have put the request for a brute force login detection in the bugtracker.
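The "allow just x attempts in a defined timespan" detection discussed above, written out as an added example; this is not ISPConfig's own code, and it assumes a hypothetical in-memory array as the attempt log (a real deployment would keep that record in the database or a shared cache so it persists across requests).

```php
<?php
// Added example, not ISPConfig code: throttle login attempts per
// username + client address inside a sliding window, then lock out.
// $store is a hypothetical array standing in for persistent storage.

const MAX_FAILURES = 5;    // x failed attempts ...
const WINDOW_SECS  = 600;  // ... within this many seconds ...
const LOCKOUT_SECS = 900;  // ... lock the key for this long

function login_key($username, $ip) {
    // keyed per (user, IP); a separate per-IP counter across all
    // usernames is a useful addition against account enumeration
    return strtolower($username) . '|' . $ip;
}

// True if an attempt for this user/IP may be handed to the real
// password check (check_user); false while the key is locked out.
function login_allowed(array &$store, $username, $ip, $now) {
    $key = login_key($username, $ip);
    if (!isset($store[$key]['locked_until'])) {
        return true;
    }
    return $now >= $store[$key]['locked_until'];
}

// Record the outcome of an attempt. Successful logins clear the
// history; failures are counted and, past MAX_FAILURES, lock the key.
function record_attempt(array &$store, $username, $ip, $success, $now) {
    $key = login_key($username, $ip);
    if ($success) {
        unset($store[$key]);
        return;
    }
    $rec = isset($store[$key]) ? $store[$key] : array('failures' => array());
    if (isset($rec['locked_until']) && $now >= $rec['locked_until']) {
        unset($rec['locked_until']);          // lockout has expired
    }
    // keep only failures that still fall inside the window
    $rec['failures'] = array_values(array_filter($rec['failures'],
        function ($t) use ($now) { return $t > $now - WINDOW_SECS; }));
    $rec['failures'][] = $now;
    if (count($rec['failures']) >= MAX_FAILURES) {
        $rec['locked_until'] = $now + LOCKOUT_SECS;
        error_log("login lockout for $key until " . date('c', $rec['locked_until']));
    }
    $store[$key] = $rec;
}
```

Call login_allowed() before the existing check_user() and record_attempt() after it; the error_log line gives a log entry that monitoring can alert on.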