Froxlor Forum

Showing results for tags 'security'.

Found 5 results

  1. Dear Froxlor Community,

     with the introduction of 0.10.x API, users are able to externally call the provided functions (if enabled, default disabled) and invoke custom parameters to search/sort the queried entities. (Quote by Alex Birnberg [zymo-security.com], who found this and was a great help in resolving the issue. Thanks again)

     Affected are all versions prior to 0.10.34. We highly recommend to update to the current latest version or disable external API.

     Changes in 0.10.34:

     • [security] fix validation of API parameters sql_search & sql_orderby
     • [php-fpm] php-sessionclean script moved from install/scripts/ to scripts/ and will automatically be added to the cron if php-fpm is enabled.
     • [docs] updated installation guide for debian/ubuntu (use [signed-by=...] for the gpg key instead of apt-key add)
     • [install] fix installation for mariadb-10.5
     • add return-code to the helper scripts in install/scripts/ in case of error when invoking these with bash or similar

     Changes in 0.10.34.1:

     • [cli] fix invalid return statements in helper scripts
     • [php-fpm] don't rely on executable flag being set for php-sessionclean script and respect croncmdline-setting
     • [cron] respect domain.writeerrorlog and domain.writeaccesslog when using log-to-pipe in Apache

     Download: 0.10.34.1 | website

     Visit http://www.froxlor.org or join our discord channel via https://discord.froxlor.org/ for support, help, participation or just a chat

     Thank you, d00p
  2. Dear Froxlor Community,

     with the release of 0.10.28 we've introduced the possibility to let customers use custom-database names if enabled in the settings. One of our community members found out that the parameter was not validated correctly and that a user with customer-privileges to the panel could exploit this with an SQL injection. The assigned CVE is CVE-2021-42325 and the fixing commit can be found here.

     Default froxlor installations are not affected per se as this feature requires an admin to set DBNAME in the corresponding "SQL prefix" setting to be enabled.

     Additionally, this release fixes minor validation in the SubDomains-module and the bulk-import of domains. You can now also specify that a newly created php-configuration gets assigned to all customers instead of having to add it to each customer manually.

     Changes in 0.10.30:

     • fix validation of database_name if custom-database-name feature is enabled
     • fix allowed-phpconfigs check in SubDomains.add() and SubDomains.update()
     • adjust debian 11 config templates, fixes #982
     • don't remove 0-value parameter values from bulk-actions
     • add possibility to assign new/edited php-config to all customer accounts; fixes #980
     • add complete list of nameserver-ips and given axfr-servers to allow-axfr-ips list for PowerDNS; fixes #985
     • fix api documentation for Domains.add() and Domains.update(); fixes #987
     • soften/correct permissions on pdns configs; fixes #991
     • check whether the domain to clean from pdns actually still exists there; fixes #992
     • avoid possible DivisionByZeroError in APCu info page, fixes #995

     Download: 0.10.30 | website

     Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat

     Thank you, d00p
  3. Dear Froxlor Community,

     this release integrates a few security improvements that have been reported to us regarding the session settings, session id and possible url manipulation.

     Additionally, thanks to the guys from INWX, support for mysql-tls settings has been integrated in the installation-process and the system. Thanks again for the contribution.

     Changes in 0.10.29:

     • set php session security related settings (httponly and secure flag)
     • secure commonly used filename-variable against url manipulation
     • generate unpredictable unique session ids
     • fix session for 2fa enabled logins
     • integrate the new czech language file; refs #976
     • possibility to decide whether target database should be dropped after backup when installing
     • adds mysql tls support, refs #979

     Changes in 0.10.29.1:

     • fix fresh installation (database exist check)

     Download: 0.10.29.1 | website

     Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat

     Thank you, d00p
  4. Hi all,

     I am new to Froxlor and so far enjoying it but unsure how to use it and have a few questions. I have pointed an A record from my domain provider to the server and am able to access the web panel using the domain but my FTP client (FileZilla) can't find it. Does it have a mail server built in or do I have to configure that? Can I use it as a nameserver? What ports does it need to function (so I can set up my firewall)?

     Thanks in advance for all your help.
  5. Dear Froxlor-community,

     due to a severe security issue in the database logging system, we strongly recommend to update your current froxlor installation to 0.9.33.2. We also recommend to remove any content from the /froxlor/logs/ directory.

     Download: 0.9.33.2

     Note: Gentoo-ebuild and Debian packages are now available.

     Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.freenode.net.

     Thank you, d00p