Hello, I've just started playing with ISPConfig yesterday and I found one thing that I was truly shocked about: when I create a protected folder under some website, the resulting .htpasswd file is WORLD READABLE!! What the heck is that? Am I missing something? That's like putting a door key under the floor mat. Is there any way to easily fix this "feature"? I can set permissions manually of course, but I am using the panel to do all the dirty work for me... I was quite enthusiastic about ISPConfig, but now I'm really having doubts about the security of the whole thing when I see things like having a password file world readable...
This has been changed in the svn stable branch. That's not the case, as the passwords are not stored in cleartext; the passwords are stored as a hash with salt, so you can't decrypt them in a reasonable amount of time even if you use rainbow tables etc. If you don't believe me, then tell me the cleartext of this password: $1$CtoFNwP5$y/b.nF3naIKfam9jQE.Jx0
Ok, but still it's not nice. However, good to hear that it's been taken care of. Other than that I really like the panel so far... I needed something simple yet powerful enough and ISPConfig looks like it exactly fits my needs.
Well, I have upgraded to the SVN version to test it and I'm still having the same problem. What am I doing wrong?
Most likely you used the wrong svn branch; the work for the next release (3.0.5) is done in this branch and not in trunk: svn://svn.ispconfig.org/ispconfig3/branches/ispconfig-3.0.5
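An added example, not part of the thread and not ISPConfig's own code: a small audit that walks a web root, reports every .htpasswd whose mode grants access to "other", names the hash scheme of each entry by its prefix, and can optionally strip the "other" bits. The function names and the sample root path are hypothetical, and it assumes the web server reads the file as its owner or group.

```python
import os
import stat
import sys

# Hash prefixes as written by htpasswd / crypt(3), mapped to a scheme name.
SCHEMES = [
    ("$2y$", "bcrypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
    ("$apr1$", "apr1-md5"), ("$1$", "md5-crypt"),
    ("$5$", "sha256-crypt"), ("$6$", "sha512-crypt"),
    ("{SHA}", "sha1-unsalted"),
]

def scheme_of(hash_field):
    """Classify one password field by its prefix."""
    for prefix, name in SCHEMES:
        if hash_field.startswith(prefix):
            return name
    return "other"  # e.g. traditional DES crypt or an unrecognised format

def audit(root, fix=False):
    """Return one finding per .htpasswd under root; fix=True removes 'other' bits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        path = os.path.join(dirpath, ".htpasswd")
        if ".htpasswd" not in files or os.path.islink(path):
            continue  # symlinks are skipped so chmod never follows one
        mode = stat.S_IMODE(os.stat(path).st_mode)
        world = bool(mode & stat.S_IRWXO)
        with open(path, encoding="utf-8", errors="replace") as fh:
            schemes = sorted({
                scheme_of(line.split(":", 1)[1].strip())
                for line in fh
                if ":" in line and not line.startswith("#")
            })
        if world and fix:
            os.chmod(path, mode & ~stat.S_IRWXO)  # 0644 becomes 0640
        findings.append({"path": path, "mode": oct(mode),
                         "world_accessible": world, "schemes": schemes})
    return findings

if __name__ == "__main__":
    # Hypothetical default root; pass the real web root as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    for f in audit(root):
        flag = "WORLD-ACCESSIBLE" if f["world_accessible"] else "ok"
        print(f"{flag:16} {f['mode']:>6} {','.join(f['schemes']) or '-':20} {f['path']}")
```

Run without `fix` first to review the report; the mode shown for each file is the one found before any change.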