ISPCONFIG 3 Web Interface Error

Discussion in 'Installation/Configuration' started by Maile Halatuituia, Jul 19, 2016.

Page 1 of 2
  1. Maile Halatuituia

    Maile Halatuituia Member

    Anyone come across this error ...

    Ubuntu 16.04 with ISPCONFIG 3 latest, also php 5.6 ispcon.png
     
    Maile Halatuituia, Jul 19, 2016
    #1
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The DB seems to be broken. Run a repair on the dbispconfig database with phpmyadmin.
     
    till, Jul 19, 2016
    #2
  3. Steinbruch

    Steinbruch Member HowtoForge Supporter

    Am I right to be somewhat concerned? The error stack dumped to the screen _could_ be quite helpful for a potential attacker - while it is perfectly ok to log errors to a location where the sys admin can access them, details like the above should never make it to the end user (which could as well be a bot trying to break the application)
    Just my €.02
     
    Steinbruch, Jul 19, 2016
    #3
  4. Maile Halatuituia

    Maile Halatuituia Member

    would it be the same if i reinstall ....
     
    Maile Halatuituia, Jul 19, 2016
    #4
  5. Maile Halatuituia

    Maile Halatuituia Member

    my php.ini display is off not sure where to turn that thing off now ...
     
    Maile Halatuituia, Jul 19, 2016
    #5
  6. Steinbruch

    Steinbruch Member HowtoForge Supporter

    I think what Till is saying is you need to actually repair the existing database - a reinstall might fail if the tables are already present but marked as crashed or anything.
    And since there's no PHP error shown, I'm not sure the stack dump can even be controlled via php.ini...
     
    Steinbruch, Jul 19, 2016
    #6
  7. Maile Halatuituia

    Maile Halatuituia Member

    looks like something wrong with my dbispconfig i have only 5 tables on it .. is that the latest version ??? or what
     
    Maile Halatuituia, Jul 19, 2016
    #7
  8. Steinbruch

    Steinbruch Member HowtoForge Supporter

    Looks _very_ wrong then - mine has 75 tables and I'm still on 3.0.5 - if you haven't actually set up any accounts, dropping the DB and reinstalling could be the better option indeed. Log in as the root DB user and check again to be sure you're not just accidentally checking with limited privileges.
     
    Steinbruch, Jul 19, 2016
    #8
  9. Maile Halatuituia

    Maile Halatuituia Member

    i think i download the wronf latest file .. can you post the correct link
     
    Maile Halatuituia, Jul 19, 2016
    #9
  10. Steinbruch

    Steinbruch Member HowtoForge Supporter

    Steinbruch, Jul 19, 2016
    #10
  11. Maile Halatuituia

    Maile Halatuituia Member

    or is it because i use ubuntu 16.04
     
    Maile Halatuituia, Jul 19, 2016
    #11
  12. Steinbruch

    Steinbruch Member HowtoForge Supporter

    Can't figure why Ubuntu 16.04 should be a problem - if you are generally following the "Perfect Server" approach, that is.
    If you're flying casual from a generic Ubuntu install, all kinds of funny things could happen - but you should always see some warnings/errors pop up during ISPconfig install then. Maybe watch the shell output carefully on your next attempt.
     
    Steinbruch, Jul 19, 2016
    #12
  13. Maile Halatuituia

    Maile Halatuituia Member

    Maile Halatuituia, Jul 19, 2016
    #13
  14. Maile Halatuituia

    Maile Halatuituia Member

    i follow this
    https://www.howtoforge.com/multiser...se-servers-on-debian-squeeze-with-ispconfig-3
     
    Maile Halatuituia, Jul 19, 2016
    #14
  15. Maile Halatuituia

    Maile Halatuituia Member

    my issue is only 5 tables is created during the installation.
    i think this is hte line that cause the issue
    ERROR 1067 (42000) at line 139: Invalid default value for 'added_date' on my ispconfig3.sql file .. any idea ???
     
    Maile Halatuituia, Jul 19, 2016
    #15
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Ubuntu 16.04 requires ISPConfig 3.1beta 2, you can not use The stable ISPConfig 3.0.5 on that Ubuntu version.
     
    till, Jul 19, 2016
    #16
  17. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    This seemed interesting so I dug into it some. The above error "only" gives away the session id, nothing else that I see is sensitive. However, in ispconfig a valid admin sessionid is indeed the "keys to the kingdom". With only the session id set/copied, you get full admin access to the control panel, you can change the admin password (without knowing the old one), add your own admin user, etc.

    Even if you logout and/or set sessions to expire, when the admin logs in again next time, the same session id is sent (by the admin's browser), and reused by ispconfig, and at this point it becomes alive for anyone else who has copied/uses it. A quick way to invalidate the session is to logout, then clear cookies in your browser for the ispconfig hostname (and might hit the IP address if you've logged in there, though that should be a different session id). Note that if an attacker had added another admin account, or changed your password or anything, you'll have to recover from that (eg. password reset and check cp users), but we'll assume it's not an ongoing fight for the control panel, just typical cleanup/sanitization.

    In this particular case/post, the error message would have the session id for a broken ispconfig installation, possibly set on a temp/disposable domain, and there's no indication from this post what server name that cookie would be good for, so possibly a non-issue overall. If @Maile Halatuituia will eventually use the same server name in production, it would be a good idea to clear cookies in all browsers where that was set.

    So there's definitely an opportunity/need to improve this here. In fact, it looks like ispconfig used to regenerate the session id upon login, but that was commented out, probably creating this bug/issue: https://git.ispconfig.org/ispconfig/ispconfig3/blob/stable-3.1/interface/web/login/index.php#L213

    Probably related to https://git.ispconfig.org/ispconfig/ispconfig3/issues/3827

    EDIT: I was testing ispconfig 3.1 from I think July 6, where the session id does not change, hence session hijacking is a much greater possibility. I have not tested stable 3.0.5, it's certainly possible that isn't an issue there.
     
    Last edited: Jul 19, 2016
    Jesse Norell, Jul 19, 2016
    #17
  18. Maile Halatuituia

    Maile Halatuituia Member

    is the beta version ok for production, if so where can i get it otherwise i have to downgrade to ubuntu 14
     
    Maile Halatuituia, Jul 19, 2016
    #18
  19. Maile Halatuituia

    Maile Halatuituia Member

    thanks for the reply but i think the mysql version 5.7 does not support the disbuted field i guess .... i am looking for the beta version now of ispconfig or downgrade to ubuntu 14
     
    Maile Halatuituia, Jul 19, 2016
    #19
  20. Maile Halatuituia

    Maile Halatuituia Member

    Manage to install the beta version ok but cannot login with the admin user and passwword set during install
     
    Maile Halatuituia, Jul 19, 2016
    #20
Page 1 of 2

Share This Page