Search the Community
Showing results for tags 'security'.
Found 7 results
Dear froxlor community, we are excited to announce the release of froxlor 2.0! This release includes several improvements and new features, which we have summarized below for you: Redesigned UI: The appearance of the user interface has been completely modernized. The redesigned froxlor is now even more user-friendly, efficient and customizable. We've added a global search for general data as well as for searching functions and configuration options. Custom column selection for listings has been added. And of course, it's all 100% responsive. Revamped installation routine: The froxlor installation has been improved in many ways it is now easier, faster than ever and looks better. Now you can activate SSL and PHP-FPM from within the installation process and start using froxlor in minutes. Improved security features: With expanded and enhanced security features like modern password hashing-algorithms we have made froxlor a better place for your data. On top of that, the code has been completely reviewed and restructured to make security fixes easier, CSFR-tokens on forms have been implemented to make Cross Site transactions more secure, and much more. CLI tool: With the new froxlor CLI tool, you can now use froxlor via the command line – great for automation! For example, complete the installation process, check and run updates, (re)configure services and more. Changes in 2.0: New features: [API] new MysqlServer Command to allow multiple MySQL servers to be used by customers [API] optional requests via api.php?/module/function/ [UI] Global-search [UI] Customize visibility of table-columns [CLI] new bin/froxlor-cli tool (installer, updater, helper scripts and cron) [Distros] added Debian Bookworm (12)* and Ubuntu 22.04 (Jammy Jellyfish) Breaking changes: PHP-7.4+ and php-gmp extension are now required [API] auth via HTTP-Auth, old format with apikey/secret in the request is no longer possible [UI] auto-update must be enabled explicitly in lib/config.inc.php [Config] proftpd needs to be re-configured (or simply add `OpenSSL` to `SQLAuthTypes` in `/etc/proftpd/sql.conf`) [Config] dovecot needs to be re-configured (or simply comment out `default_pass_scheme ...` in `/etc/dovecot/dovecot-sql.conf.ext`) [Distros] removed Debian Stretch / Ubuntu Xenial and CentOS [APT package] default installation path is now /var/www/html/froxlor. If you are updating, your froxlor installation will be moved there from /var/www/froxlor! Changes in minor releases: 2.0.10 security release enforce password requirements set in settings for directory-protection [CWE-521: Weak Password Requirements] add missing use statement for error-reporting to include the dbms version [CWE-391: Unchecked Error Condition] validate existence of language in admin-templates [CWE-840: Business Logic Errors] verify cronjob interval is one of the fixed available values [CWE-96: Static Code Injection] fix possible privilege escalation from customer to root when specifying custom error documents in directory-options [CWE-94: Code Injection] 2.0.11 security / bugfix release add new email-domain-overview for better overview of multiple email-domains/addresses fix let's encrypt dns validation check backup possible remote-db-server databases in backup-cron check for existing fields when setting/updating tablelisting-columns [CWE-352: Cross-Site Request Forgery (CSRF)] corrected validation of import-settings data to avoid injecting malicious content [CWE-94: Code Injection] 2.0.12 bugfix release fix wrong function-defintion/call in Nginx cron fix setting/resetting table-column preferences 2.0.13 maintenance release keep search-fields/text in pagination links of displaying a search-result specify clearly which tls settings are being overwritten/ignored depending on the 'Override system TLS settings' flag when adding/updating Domains type-safe comparsion of md5-compatibility hash-validation [CWE-305: Authentication Bypass by Primary Weakness] fix email-domain navigation and descriptions update dependencies 2.0.14/2.0.15 maintenance release use correct parameter in PowerDNS::cleanDomainZone(), fixes #1104 add 'Passing HTTP AUTH BASIC' header option when using FCGID require php-gd extension for better/secure validating uploaded images add Spanish language (#1105) avoid socket length limitations leading to cut-off/invalid filename for very long domain and/or loginnames, fixes #1108 corrected checkLocalGroup() validation if setting did not change, fixes #1111 open newsfeed-links in a new tab, fixes #1112 fix incorrect indexed array sorting in case of FTP-domain-usernames; fixes #1114 add certificate metadata to db table to allow filter/sort of 'Issuer', 'Valid from' and 'Valid until' properties correctly retriggered certificate issue on froxlor-vhost alias-domain changes, fixes #1115 2.0.19 maintenance release don't run cron tasks if requirements return non-success; fixes #1122 respect no-try_files setting also in protected directories put php-fpm directives in Directory-directive in apache2; fixes #1120 strictly check whether field to select is the id or the email-address b/c is cases of email-addresses starting with a digit this is somehow used as value for the id field and return the wrong entity fix adding mysql-server to customers without any prior assigned mysql-server, fixes #1123 fix issues with displaying set value if path-mode is 'dropdown' trigger rebuild of config files after changing only ip-settings in domains add copy-system-details-to-clipboard button on admin dashboard; fixes #1126 Allow admins to edit openbasedir_path for domains (#1125) set default value of 'openbasedir_path' to 0 in SubDomain.add() like we do in Domains.add() set default value for email_quota to settings-default in EmailAccounts.add(); fixes #1132 Disable autocomplete on 2FA input element (#1133) introduce http-request rate-limit 2.0.20 maintenance release Fix typo in English privileged_passwd by @n-thumann in #1136 Fix IPv6 address in cookie domain by @n-thumann in #1137 Add same loginfail restrictions for entering 2fa code as for user/pwd login Remove superfluous try_files in nginx config if php-backend (non-fastcgi) is used Fix missing idna encode adding/editing email-account/email-forwarder Secure filename of local-archive in webupdate Show 0 value of resource-fields if value is empty, fixes #1149 Re-enable fcgid/php-fpm activation-validate-check See also our Migration Guide for more information. We hope you enjoy froxlor 2.0 and look forward to your feedback. Download: 2.0 | website Documentation at https://docs.froxlor.org/. Visit https://www.froxlor.org and join our Discord channel (https://discord.froxlor.org) for support, help, participation or just to chat Thank you, the froxlor team * Debian 12 is not yet released and should be considered unstable. Froxlor will fully support Debian Bookworm after its release.
release Security Release 0.10.38.3 - Maintenance and minor bugfixes
d00p posted a topic in AnnouncementsDear Froxlor community, besides possible bugfix releases, this will be most likely the last 0.10.x release. All new feature requests or enhancements to the current feature-set will be redirected to the next major version. All 0.10.x installations will be upgradeable. We plan on having a public beta soon and depending on the feedback a stable release by the end of the year. Changes in 0.10.38: correct Dropdown directory selection; fixes #1044 add security question for deleting api-keys to avoid accidental deletion Changes in 0.10.38.1 / 0.10.38.2: fix possible HTML injections in "forgot password" feature when given email address is not valid and when adding/editing customers as admin/reseller Changes in 0.10.38.3: fix unintended API key generation fix authenticated unrestricted File Upload to RCE fix username and email enumeration via "forgot password" feature fix unintended SSL certificates deletion Download: 0.10.38.3 | website Visit http://www.froxlor.org, join our Discord channel (https://discord.froxlor.org) or join #froxlor on irc.libera.chat for support, help, participation or just a chat Thank you, d00p
Dear Froxlor Community, with the introduction of 0.10.x API, users are able to externally call the provided functions (if enabled, default disabled) and invoke custom parameters to search/sort the queried entities. (Quote by Alex Birnberg [zymo-security.com], who found this and was a great help in resolving the issue. Thanks again) Affected are all versions prior to 0.10.34. We highly recommend to update to the current latest version or disable external API. Changes in 0.10.34: [security] fix validation of API parameters sql_search & sql_orderby [php-fpm] php-sessionclean script moved from install/scripts/ to scripts/ and will automatically be added to the cron if php-fpm is enabled. [docs] updated installation guide for debian/ubuntu (use [signed-by=...] for the gpg key instead of apt-key add) [install] fix installation for mariadb-10.5 add return-code to the helper scripts in install/scripts/ in case of error when invoking these with bash or similiar Changes in 0.10.34.1: [cli] fix invalid return statements in helper scripts [php-fpm] don't rely on executable flag being set for php-sessionclean script and respect croncmdline-setting [cron] respect domain.writeerrorlog and domain.writeaccesslog when using log-to-pipe in Apache Download: 0.10.34.1 | website Visit http://www.froxlor.org or join our discord channel via https://discord.froxlor.org/ for support, help, participation or just a chat Thank you, d00p
Dear Froxlor Community, with the release of 0.10.28 we've introduced the possiblity to let customer use custom-database names if enabled in the settings. One of our community members found out that the parameter was not validated correctly and that a user with customer-privileges to the panel could exploit this with an SQL injection. The assigned CVE is CVE-2021-42325 and the fixing commit can be found here. Default froxlor installations are not affected per se as this feature requires an admin to set DBNAME in the corresponding "SQL prefix" setting to be enabled. Additionally, this release fixes minor validation in the SubDomains-module and the bulk-import of domains. You can now also specify that a newly created php-confiugrations gets assigned to all customers instead of having to add them to each customer manually. Changes in 0.10.30: fix validation of database_name if custom-database-name feature is enabled fix allowed-phpconfigs check in SubDomains.add() and SubDomains.update() adjust debian 11 config templates, fixes #982 don't remove 0-value parameter values from bulk-actions add possibility to assign new/edited php-config to all customer accounts; fixes #980 add complete list of nameserver-ips and given axfr-servers to allow-axfr-ips list for PowerDNS; fixes #985 fix api documentation for Domains.add() and Domains.update(); fixes #987 soften/correct permissions on pdns configs; fixes #991 check whether the domain to clean from pdns actually still exists there; fixes #992 avoid possible DivisionByZeroError in APCu info page, fixes #995 Download: 0.10.30 | website Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat Thank you, d00p
Dear Froxlor Community, this release integrates a few security improvements that have been reported to us regarding the session settings, session id and possible url manipulation. Additionally, thanks to the guys from INWX, support for mysql-tls settings have been integrated in the installation-process and the system. Thanks again for the contribution. Changes in 0.10.29: set php session security related settings (httponly and secure flag) secure commonly used filename-variable against url manipulation generate unpredictable unique session ids fix session for 2fa enabled logins integrate the new czech language file; refs #976 possibility to decide whether target database should be dropped after backup when installing adds mysql tls support, refs #979 Changes in 0.10.29.1: fix fresh installation (database exist check) Download: 0.10.29.1 | website Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat Thank you, d00p
A few basic questions
Boruch Weisfish posted a question in General DiscussionHi all, I am new to Froxlor and so far enjoying it but unsure how to use it and have a few questions. I have pointed an A record from my domain provider to the server and am able to access the web panel using the domain but my FTP client (filezilla) can't find it. Does it have a mail server built in or do I have to configure that. Can I use it as a nameserver? What ports does it need to function (so I can setup my firewall) Thanks in advance for all your help.
Important bugfix release 0.9.33.2
d00p posted a topic in AnnouncementsDear Froxlor-community, due to a severe security issue in the database logging system, we strongly recommend to update your current froxlor installation to 0.9.33.2. We also recommend to remove any content from the /froxlor/logs/ directory. Download: 0.9.33.2 Note: Gentoo-ebuild and Debian packages are now available.. Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.freenode.net. Thank you, d00p