Security Flaw: I Don't think this is normal...

Discussion in 'General' started by pg001, Jul 12, 2008.

  1. pg001

    pg001 New Member

I followed the Debian Etch Perfect Server setup and have an updated ISPConfig running well, version 2.2.24 that is. Now I saw something I don't like while doing an FTP access...

    I have like 5 domains hosted on my server with usernames and sites:
    web1_user => domain1.com
    web2_user => domain2.com
    web3_user => domain3.com

Now here's the problem: I accidentally input domain1.com on CuteFTP and web3_user (notice web3_user, not web1_user) as the username and put the correct password. Supposedly it should return an error because web3_user is not the owner of domain1.com and shouldn't allow me to login, but what happened was I was able to login, meaning the login info (which is wrong) was accepted. But when I was already logged in, the files which were showing were files from domain3.com.

How do I solve this so that when I FTP access domain1.com, only web1_user is allowed, using domain2.com only web2_user is allowed, and so on...?

    Is this a security flaw, bug or error?
     
  2. tal56

    tal56 Member

If you're talking about the host address, then using domain1 instead of domain3 is not a security problem or bug; it's because you are using a shared IP, so domain1 and domain3 point to the same server. All you are doing is pointing to which server to log into; it's the username/password that determine which files you have access to after you log in.
     
  3. pg001

    pg001 New Member

    :confused:

    You mean to say, if let's say mywebsite.com is hosted in my server with an ip 122.1.457.12 and the way to login via FTP to mywebsite.com is web1_user, I can also login to mywebsite.com using the username of myotherwebsite.com which is web2_user and vice versa? Isn't that ugly?

    Is there a way so that only web1_user is allowed to login to mywebsite.com and not any other username else? And only web2_user will be allowed to login at myotherwebsite.com...
     
  4. tal56

    tal56 Member

It's like that for any server. The server name "host" on CuteFTP just tells it which server to log into. It doesn't mean which files you can access. That is set by the username/password. So in your example the user web1_user can only access his site's files using his own password, no matter what "host" he puts in CuteFTP. He can even put the server's IP address as a host instead if he wants to.

The only way you can get around this that I know of is if each of your websites has its own static IP, but maybe someone else knows a different way.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

As tal56 explained, this is the normal behaviour on an FTP server and not ISPConfig specific. Even if you have more than one IP, you can use all available IPs to connect to the server and use any valid username. Only the username and password are relevant to decide which website data you get.

By the way, it's the same for most other protocols like SSH, POP3, SMTP, and IMAP.
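A small model of what the thread describes, added here as an illustration and not code from ISPConfig or any poster: all hosted names resolve to one shared address, the FTP server never learns which name the client typed (FTP has no equivalent of HTTP's Host header), so only USER/PASS selects the chroot. The user table, password hashes, paths and DNS entries are constructed sample values; the audit function at the end is the check an admin would actually want, namely that every account is confined to its own directory and no two homes overlap.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

def _h(pw: str) -> str:
    # Sample hashing only; real systems use salted hashes from /etc/shadow or a DB.
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed account table: username -> (password hash, chroot home)
USERS: Dict[str, Tuple[str, str]] = {
    "web1_user": (_h("pw-one"), "/var/www/web1"),
    "web2_user": (_h("pw-two"), "/var/www/web2"),
    "web3_user": (_h("pw-three"), "/var/www/web3"),
}

# Constructed DNS: every hosted name points at the same shared IP.
DNS = {"domain1.com": "198.51.100.10",
       "domain2.com": "198.51.100.10",
       "domain3.com": "198.51.100.10"}

def ftp_login(host: str, user: str, password: str) -> Optional[str]:
    """Return the chroot directory granted, or None if login is refused.

    The client resolves `host` and connects to that IP; the name itself is
    never transmitted, so the server has nothing but USER/PASS to go on.
    """
    _dest_ip = DNS.get(host, host)  # the only thing the host field influences
    entry = USERS.get(user)
    if entry is None:
        return None
    pw_hash, home = entry
    if not hmac.compare_digest(pw_hash, _h(password)):
        return None
    return home  # independent of which domain name was typed

def audit_chroots(users: Dict[str, Tuple[str, str]] = USERS,
                  root: str = "/var/www") -> List[str]:
    """Defender check: each home sits under `root` and no home contains another."""
    problems = []
    homes = {u: os.path.normpath(h) for u, (_, h) in users.items()}
    for u, h in homes.items():
        if os.path.commonpath([root, h]) != os.path.normpath(root):
            problems.append(f"{u}: home {h} is outside {root}")
        for v, g in homes.items():
            if u != v and os.path.commonpath([h, g]) == h:
                problems.append(f"{u}: home {h} contains {v}'s home {g}")
    return problems
```

Logging in as web3_user through domain1.com lands in /var/www/web3, exactly as the original poster observed; a clean audit result is what makes that harmless.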
     