Froxlor Forum

Showing results for tags 'security'.

Found 8 results

  1. Dear froxlor community, we are pleased to announce the release of froxlor 2.1! Notable new features, improvements and also breaking changes are listed below:

     Duplicate domains: You can now easily duplicate domains as admin user. With just one click, specify the new domain-name and select the target-customer and all the compatible settings from the source domain will be used for the new domain. Via the new API call Domains.duplicate(), you can even overwrite any domain-value you like by passing them to the request, just like you would for Domains.add().

     Deactivate single domains: It is now possible to deactivate and re-activate single domains. This also deactivates any email-address/account created with that domain.

     Deactivate single ftp-accounts: As well as domains, users can now enable or disable a specific ftp-account.

     One-Time Login links: Admin users are now able to generate a one-time login-link for customers via CLI or API, which starts a customer session automatically without the customer entering any login credentials. This comes in handy especially when using third-party interfaces / portals to integrate a link to the customer's froxlor dashboard. You can also specify the validity time for the link (from 10 up to 120 seconds) and a comma-separated list of IP addresses to restrict the request-source. The corresponding added API call is Froxlor.generateLoginLink().

     CustomerBackup is now DataDump: The CustomerBackup API calls and its integration in the UI has been renamed to DataDump to clarify the difference between a one-time data-extraction/dump and backups. This also paves the path for a possible Backup-feature in the future. Additionally, if the php-gnupg extension is present, you have the ability to encrypt your data-exports with your pgp-key.

     OTP for critical settings: We've added an OTP requirement for some of the critical/system-related settings in order to enhance security. To change these specific settings, 2FA/OTP has to be enabled system-wide and activated for the current admin user. More details see https://docs.froxlor.org/v2.1/admin-guide/settings/#_1-3-settings-that-require-otp-validation

     Custom page for unmanaged/unknown domains: In case a domain is pointing to your server but is not yet added to froxlor a customizable notice is now displayed instead of the froxlor login page. You can specify your own content for the file as admin in "Email- & File-templates".

     New update channel 'nightly': We now create nightly-builds for every successful push to the git-repository. If you want to participate in testing the current development state, you are now able to do so without the need to have composer/npm and all the dev-tools requirements but just use a pre-built nightly. These packages are only available through the updater of froxlor (either CLI or Web-Update, if enabled). To activate, just select the update-channel 'nightly' (only available in settings-mode 'advanced'). Keep in mind that downgrades are not supported. You can always switch back to the stable or beta channel but you will have to wait until corresponding releases catch up to the nightly-version you have.

     Changes in 2.1:

     New features:
       • [API] new Domains.duplicate() command to copy domains
       • [API] One-Click One-Time-Login-Link (remote-login) via new Froxlor.generateLoginLink()
       • [API] Domains.add()/update() -> added parameter `deactivated`
       • [API] Ftps.add()/update() -> added parameter `login_enabled`
       • [UI] OTP requirement for specific/system-relevant settings
       • [UI] markdown syntax in custom_notes field
       • [UI] change password/theme/language is now combined in profile
       • [Settings] New update-channel "nightly" (development-versions only, every signed commit to 'main' will be built)
       • [CLI] new froxlor:config-diff command
       • [other] In order to encrypt data-exports using pgp you need to have the php-gnupg extension installed and activated.
       • [other] Domains pointing to the server but are unmanaged by froxlor will now display a corresponding message.

     Breaking changes:
       • [API] CustomerBackups renamed to DataDump
       • [Services] support for lighttpd webserver will be dropped in future 2.1 releases due to no active maintainer and no significant user-base
       • [Distros] Debian 10 buster & Ubuntu 18.04 bionic were deprecated as of 2.0.x and are now removed in froxlor-2.1
       • [Distros] Gentoo is deprecated due to no active maintainer
       • [Config] postfix needs reconfiguration in the file `/etc/postfix/mysql-virtual_mailbox_domains.cf` in order for deactivated domain flag to be recognized. Alternatively, simply search for the line:
           query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1'
         and replace it with:
           query = SELECT domain FROM panel_domains WHERE domain = '%s' AND isemaildomain = '1' AND deactivated = 0

     Changes in 2.1.1:
       • [DNS] fix wrong result in Domain::getMainSubdomainIds(); #1202
       • [Install] fix wrong version being set

     Changes in 2.1.2:
       • [general] fixed compatibility with older installations
       • [DNS] fixed wrong type when dns zone for system-hostname is active
       • [UI] fixed non-empty value for file-input fields when using uploaded logos
       • [UI] fixed 2fa login when using email validation
       • [UI] fixed wrong size-unit for mailquota-dashboard-info
       • [UI] fixed possibility to have empty name/surname and empty company
       • [Installation] allow more complex passwords to be set (skip escaping)

     Changes in 2.1.3:
       • [CLI] Add manual_config parameter to install json; #1208
       • [API] use panel.password_min_length setting for Froxlor.generatePassword() default length parameter
       • [general] allow '::1' as valid mysql localhost value
       • [UI] fixed bug that led to select-box values not being changed
       • [UI] fixed bug that led to an error when using custom.css

     Changes in 2.1.4:
       • [UI] Don't show stats-icon for domains with redirect
       • [Cron] hide goaccess output in traffic cron and keepalive database connection for long-running log-analysis
       • [Cron/Apache] use same certificate-file if child-domain inherits the parentdomain's certificate data (avoid possible http 421 Misdirected Request)
       • [UI] use different language string for password-placeholder when adding a new customer; fixes #1216
       • [Install] don't use deprecated 'mysql_native_password' for mysql8; fixes #1214
       • [Install] possibility to specify sender address for froxlor as the admin-email address, custom or empty for system-default; fixes #1217
       • [general] don't output ipv6 in brackets for system.ipaddress setting as the brackets will be added to the value resulting in an invalid mysql-access-host; fixes #1215
       • [settings] use correct validation for dnscheck-resolver; fixes #1220

     Changes in 2.1.5:
       • [Config] disable pam auth in dovecot for debian bookworm
       • [general] Check for argon2 support before using constant PASSWORD_ARGON2X; #1228
       • [UI] fix incorrect top-5 customers in traffic overview for admins
       • [UI] show manual update command if webupdate is disabled
       • [Cron] create empty dns-server config if no (dns-enabled) domain is determined; fixes #1230
       • [general] set correct channel for update-check if switching from apt-installed stable/testing to nightly
       • [API] fix check for allowed_phpconfigs if using mod_php when adding/editing a customer

     Changes in 2.1.6:
       • [general] fix regression bug from "Check for argon2 support before using constant PASSWORD_ARGON2X; #1228"

     Changes in 2.1.7:
       • [UI] backport UI/Callback fixes from 2.2-dev (main); fixes #1235
       • [UI] fix regression bug in 'incorrect top-5 customers' sorting in traffic-overview which leads to incorrect customer-links due to wrong indexing in the array; fixes #1236
       • [UI] fix adding/editing domains as customer when php is not enabled for the domain
       • [Cron] don't add custom-vhost-content to deactivated domain-vhosts
       • [Cron] correctly save pass_authorizationheader flag for php-configs if FCGID is used; correctly add 'FcgidPassHeader' for froxlor-vhost itself if set
       • [Cron] wrap SetHandler to php-fpm in file-exists check, as we do for customer-domains already
       • [API] correctly disabled ssl-related settings when domain update sets ssl-enabled flag to false; fixes #1241
       • [general] correctly validate if a symlink is within the customers home-directory if it's not an absolute path; fixes #1242

     Changes in 2.1.8:
       • [settings] fix "session expires" option, #1246
       • [UI] fix missing csrf tokens for some ajax requests
       • [Cron] also add logfiles to virtual-host if it's a redirect

     Changes in 2.1.9:
       • [security] fix in mysql-logger, see https://github.com/froxlor/Froxlor/security/advisories/GHSA-x525-54hf-xr53 (published one week after release, on May 10th)
       • [install] add compatibility for mariadb-dump executable instead of mysqldump

     See also our Migration Guide for more information. We hope you enjoy froxlor 2.1 and look forward to your feedback.

     Download: froxlor-2.1

     Documentation at https://docs.froxlor.org/. Visit https://www.froxlor.org and join our Discord channel (https://discord.froxlor.org) for support, help, participation or just to chat

     Thank you, the froxlor team
  2. Dear froxlor community, we are excited to announce the release of froxlor 2.0! This release includes several improvements and new features, which we have summarized below for you:

     Redesigned UI: The appearance of the user interface has been completely modernized. The redesigned froxlor is now even more user-friendly, efficient and customizable. We've added a global search for general data as well as for searching functions and configuration options. Custom column selection for listings has been added. And of course, it's all 100% responsive.

     Revamped installation routine: The froxlor installation has been improved in many ways: it is now easier, faster than ever and looks better. Now you can activate SSL and PHP-FPM from within the installation process and start using froxlor in minutes.

     Improved security features: With expanded and enhanced security features like modern password hashing-algorithms we have made froxlor a better place for your data. On top of that, the code has been completely reviewed and restructured to make security fixes easier, CSRF-tokens on forms have been implemented to make Cross Site transactions more secure, and much more.

     CLI tool: With the new froxlor CLI tool, you can now use froxlor via the command line – great for automation! For example, complete the installation process, check and run updates, (re)configure services and more.

     Changes in 2.0:

     New features:
       • [API] new MysqlServer Command to allow multiple MySQL servers to be used by customers
       • [API] optional requests via api.php?/module/function/
       • [UI] Global-search
       • [UI] Customize visibility of table-columns
       • [CLI] new bin/froxlor-cli tool (installer, updater, helper scripts and cron)
       • [Distros] added Debian Bookworm (12)* and Ubuntu 22.04 (Jammy Jellyfish)

     Breaking changes:
       • PHP-7.4+ and php-gmp extension are now required
       • [API] auth via HTTP-Auth, old format with apikey/secret in the request is no longer possible
       • [UI] auto-update must be enabled explicitly in lib/config.inc.php
       • [Config] proftpd needs to be re-configured (or simply add `OpenSSL` to `SQLAuthTypes` in `/etc/proftpd/sql.conf`)
       • [Config] dovecot needs to be re-configured (or simply comment out `default_pass_scheme ...` in `/etc/dovecot/dovecot-sql.conf.ext`)
       • [Distros] removed Debian Stretch / Ubuntu Xenial and CentOS
       • [APT package] default installation path is now /var/www/html/froxlor. If you are updating, your froxlor installation will be moved there from /var/www/froxlor!

     Changes in minor releases:

     2.0.10 security release
       • enforce password requirements set in settings for directory-protection [CWE-521: Weak Password Requirements]
       • add missing use statement for error-reporting to include the dbms version [CWE-391: Unchecked Error Condition]
       • validate existence of language in admin-templates [CWE-840: Business Logic Errors]
       • verify cronjob interval is one of the fixed available values [CWE-96: Static Code Injection]
       • fix possible privilege escalation from customer to root when specifying custom error documents in directory-options [CWE-94: Code Injection]

     2.0.11 security / bugfix release
       • add new email-domain-overview for better overview of multiple email-domains/addresses
       • fix let's encrypt dns validation check
       • backup possible remote-db-server databases in backup-cron
       • check for existing fields when setting/updating tablelisting-columns [CWE-352: Cross-Site Request Forgery (CSRF)]
       • corrected validation of import-settings data to avoid injecting malicious content [CWE-94: Code Injection]

     2.0.12 bugfix release
       • fix wrong function-definition/call in Nginx cron
       • fix setting/resetting table-column preferences

     2.0.13 maintenance release
       • keep search-fields/text in pagination links of displaying a search-result
       • specify clearly which tls settings are being overwritten/ignored depending on the 'Override system TLS settings' flag when adding/updating Domains
       • type-safe comparison of md5-compatibility hash-validation [CWE-305: Authentication Bypass by Primary Weakness]
       • fix email-domain navigation and descriptions
       • update dependencies

     2.0.14/2.0.15 maintenance release
       • use correct parameter in PowerDNS::cleanDomainZone(), fixes #1104
       • add 'Passing HTTP AUTH BASIC' header option when using FCGID
       • require php-gd extension for better/secure validating uploaded images
       • add Spanish language (#1105)
       • avoid socket length limitations leading to cut-off/invalid filename for very long domain and/or loginnames, fixes #1108
       • corrected checkLocalGroup() validation if setting did not change, fixes #1111
       • open newsfeed-links in a new tab, fixes #1112
       • fix incorrect indexed array sorting in case of FTP-domain-usernames; fixes #1114
       • add certificate metadata to db table to allow filter/sort of 'Issuer', 'Valid from' and 'Valid until' properties
       • correctly retriggered certificate issue on froxlor-vhost alias-domain changes, fixes #1115

     2.0.19 maintenance release
       • don't run cron tasks if requirements return non-success; fixes #1122
       • respect no-try_files setting also in protected directories
       • put php-fpm directives in Directory-directive in apache2; fixes #1120
       • strictly check whether field to select is the id or the email-address b/c in cases of email-addresses starting with a digit this is somehow used as value for the id field and return the wrong entity
       • fix adding mysql-server to customers without any prior assigned mysql-server, fixes #1123
       • fix issues with displaying set value if path-mode is 'dropdown'
       • trigger rebuild of config files after changing only ip-settings in domains
       • add copy-system-details-to-clipboard button on admin dashboard; fixes #1126
       • Allow admins to edit openbasedir_path for domains (#1125)
       • set default value of 'openbasedir_path' to 0 in SubDomain.add() like we do in Domains.add()
       • set default value for email_quota to settings-default in EmailAccounts.add(); fixes #1132
       • Disable autocomplete on 2FA input element (#1133)
       • introduce http-request rate-limit

     2.0.20 maintenance release
       • Fix typo in English privileged_passwd by @n-thumann in #1136
       • Fix IPv6 address in cookie domain by @n-thumann in #1137
       • Add same loginfail restrictions for entering 2fa code as for user/pwd login
       • Remove superfluous try_files in nginx config if php-backend (non-fastcgi) is used
       • Fix missing idna encode adding/editing email-account/email-forwarder
       • Secure filename of local-archive in webupdate
       • Show 0 value of resource-fields if value is empty, fixes #1149
       • Re-enable fcgid/php-fpm activation-validate-check

     2.0.21 maintenance release
       • Correcting Nginx location match, fixes #1153
       • remove hidden fields from login/passwd-reset; refs #1102
       • adjust log-levels in API methods
       • exclude password fields from being filtered/escaped by AntiXSS, fixes #1150
       • Fix typo in pathDescriptionSubdomain; #1156
       • validate generated config-json parameter string

     2.0.22 maintenance release
       • [API] validate non-empty admin-name in Admins.update()
       • [API] fix optional-flag for IpsAndPorts.add() and IpsAndPorts.update()
       • rework path to certificates non-ecc/ecc, regardless of current setting
       • adjust proftpd config for debian 12 bookworm
       • correctly redirect to last-page if session is timed out and remove passing script/qrystr url parameters
       • correct validation of hostingplan name and description
       • add config-diff CLI Command; #1168

     2.0.23 bugfix release
       • [API] validate non-empty admin-name in Admins.update()
       • [API] fix optional-flag for IpsAndPorts.add() and IpsAndPorts.update()
       • rework path to certificates non-ecc/ecc, regardless of current setting
       • adjust proftpd config for debian 12 bookworm
       • correctly redirect to last-page if session is timed out and remove passing script/qrystr url parameters
       • correct validation of hostingplan name and description
       • add config-diff CLI Command by @bashgeek in #1168

     2.0.24 maintenance release
       • fix API permission error in navigation when customer-hide-options include 'domains'; fixes #1183
       • fix vhost-cleaning regex for nginx-location directives; fixes #1185
       • added catalan language

     NOTE: This is the last release in the 2.0 series. Stay tuned for announcements about froxlor-2.1

     See also our Migration Guide for more information. We hope you enjoy froxlor 2.0 and look forward to your feedback.

     Download: 2.0 | website

     Documentation at https://docs.froxlor.org/. Visit https://www.froxlor.org and join our Discord channel (https://discord.froxlor.org) for support, help, participation or just to chat

     Thank you, the froxlor team
  3. Dear Froxlor community, besides possible bugfix releases, this will be most likely the last 0.10.x release. All new feature requests or enhancements to the current feature-set will be redirected to the next major version. All 0.10.x installations will be upgradeable. We plan on having a public beta soon and depending on the feedback a stable release by the end of the year.

     Changes in 0.10.38:
       • correct Dropdown directory selection; fixes #1044
       • add security question for deleting api-keys to avoid accidental deletion

     Changes in /
       • fix possible HTML injections in "forgot password" feature when given email address is not valid and when adding/editing customers as admin/reseller

     Changes in
       • fix unintended API key generation
       • fix authenticated unrestricted File Upload to RCE
       • fix username and email enumeration via "forgot password" feature
       • fix unintended SSL certificates deletion

     Download: | website

     Visit http://www.froxlor.org, join our Discord channel (https://discord.froxlor.org) or join #froxlor on irc.libera.chat for support, help, participation or just a chat

     Thank you, d00p
  4. Dear Froxlor Community, with the introduction of 0.10.x API, users are able to externally call the provided functions (if enabled, default disabled) and invoke custom parameters to search/sort the queried entities. (Quote by Alex Birnberg [zymo-security.com], who found this and was a great help in resolving the issue. Thanks again) Affected are all versions prior to 0.10.34. We highly recommend to update to the current latest version or disable external API.

     Changes in 0.10.34:
       • [security] fix validation of API parameters sql_search & sql_orderby
       • [php-fpm] php-sessionclean script moved from install/scripts/ to scripts/ and will automatically be added to the cron if php-fpm is enabled.
       • [docs] updated installation guide for debian/ubuntu (use [signed-by=...] for the gpg key instead of apt-key add)
       • [install] fix installation for mariadb-10.5
       • add return-code to the helper scripts in install/scripts/ in case of error when invoking these with bash or similar

     Changes in
       • [cli] fix invalid return statements in helper scripts
       • [php-fpm] don't rely on executable flag being set for php-sessionclean script and respect croncmdline-setting
       • [cron] respect domain.writeerrorlog and domain.writeaccesslog when using log-to-pipe in Apache

     Download: | website

     Visit http://www.froxlor.org or join our discord channel via https://discord.froxlor.org/ for support, help, participation or just a chat

     Thank you, d00p
  5. Dear Froxlor Community, with the release of 0.10.28 we've introduced the possibility to let customers use custom-database names if enabled in the settings. One of our community members found out that the parameter was not validated correctly and that a user with customer-privileges to the panel could exploit this with an SQL injection. The assigned CVE is CVE-2021-42325 and the fixing commit can be found here. Default froxlor installations are not affected per se as this feature requires an admin to set DBNAME in the corresponding "SQL prefix" setting to be enabled. Additionally, this release fixes minor validation in the SubDomains-module and the bulk-import of domains. You can now also specify that a newly created php-configuration gets assigned to all customers instead of having to add them to each customer manually.

     Changes in 0.10.30:
       • fix validation of database_name if custom-database-name feature is enabled
       • fix allowed-phpconfigs check in SubDomains.add() and SubDomains.update()
       • adjust debian 11 config templates, fixes #982
       • don't remove 0-value parameter values from bulk-actions
       • add possibility to assign new/edited php-config to all customer accounts; fixes #980
       • add complete list of nameserver-ips and given axfr-servers to allow-axfr-ips list for PowerDNS; fixes #985
       • fix api documentation for Domains.add() and Domains.update(); fixes #987
       • soften/correct permissions on pdns configs; fixes #991
       • check whether the domain to clean from pdns actually still exists there; fixes #992
       • avoid possible DivisionByZeroError in APCu info page, fixes #995

     Download: 0.10.30 | website

     Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat

     Thank you, d00p
  6. Dear Froxlor Community, this release integrates a few security improvements that have been reported to us regarding the session settings, session id and possible url manipulation. Additionally, thanks to the guys from INWX, support for mysql-tls settings has been integrated in the installation-process and the system. Thanks again for the contribution.

     Changes in 0.10.29:
       • set php session security related settings (httponly and secure flag)
       • secure commonly used filename-variable against url manipulation
       • generate unpredictable unique session ids
       • fix session for 2fa enabled logins
       • integrate the new czech language file; refs #976
       • possibility to decide whether target database should be dropped after backup when installing
       • adds mysql tls support, refs #979

     Changes in
       • fix fresh installation (database exist check)

     Download: | website

     Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.libera.chat for support, help, participation or just a chat

     Thank you, d00p
  7. Hi all, I am new to Froxlor and so far enjoying it but unsure how to use it and have a few questions. I have pointed an A record from my domain provider to the server and am able to access the web panel using the domain but my FTP client (filezilla) can't find it. Does it have a mail server built in or do I have to configure that? Can I use it as a nameserver? What ports does it need to function (so I can set up my firewall)? Thanks in advance for all your help.
  8. Dear Froxlor-community, due to a severe security issue in the database logging system, we strongly recommend to update your current froxlor installation to We also recommend to remove any content from the /froxlor/logs/ directory. Download: Note: Gentoo-ebuild and Debian packages are now available. Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.freenode.net. Thank you, d00p