DirectAdmin 1.50.1 has been released

jbb

Verified User
Joined
Jan 30, 2005
Messages
19
Location
Oregon, US
Letsencrypt options are only available in enhanced skin. Will DA update power_user skin?
 

Protected

Verified User
Joined
Oct 29, 2006
Messages
57
I have upgraded to 1.50.1 . Can you confirm where letsencrypt_post.sh should go? I'm thinking of using it to fix the permissions on the key and cert files after they are renewed, since I have symbolic links pointing to those.
 

Protected

Verified User
Joined
Oct 29, 2006
Messages
57
Thanks, that seems to be working. It's not in the README yet!

Mail example:

Code:
#!/bin/bash
# letsencrypt_post.sh: DirectAdmin exports username, domain, action and
# exit_code into the environment before calling this hook.

# Variables are quoted so an empty value cannot break the test syntax.
if [ -z "$username" ]; then echo "Missing username."; exit 1; fi
if [ -z "$domain" ]; then echo "Missing domain."; exit 2; fi

# Only act after a successful request or renewal.
if [ -z "$exit_code" ] || [ "$exit_code" -ne 0 ]; then exit 3; fi
if [ "$action" != 'request' ] && [ "$action" != 'renew' ]; then exit 4; fi

FDIR=/usr/local/directadmin/data/users/$username/domains

# Give the mail group read access to the CA chain, certificate and key.
chown :mail "$FDIR/${domain}.cacert" "$FDIR/${domain}.cert" "$FDIR/${domain}.key"
chmod g+r "$FDIR/${domain}.cacert" "$FDIR/${domain}.cert" "$FDIR/${domain}.key"
 
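The hook above builds a path out of $username and $domain and then runs chown and chmod on it, so it is worth checking those values before trusting them. The following is an added example, not DirectAdmin's code and not the script posted above: it keeps the same four hook variables (username, domain, action, exit_code) but rejects anything that is not a plain account name or hostname, follows the symlinks the poster mentioned with readlink -f so the real files get the new mode, and strips world access from the key. DA_USERS_DIR, CERT_GROUP and the valid_* helpers are assumptions introduced here so the script can be pointed at a scratch directory for testing.

```shell
#!/bin/bash
# Added example (not DirectAdmin's or the poster's code): a letsencrypt_post.sh
# that validates the hook variables before touching any file.
# username, domain, action and exit_code are assumed to be exported by
# DirectAdmin, as in the post above. CERT_GROUP and DA_USERS_DIR are
# assumptions added here so the functions can be exercised outside DA.

CERT_GROUP="${CERT_GROUP:-mail}"
DA_USERS_DIR="${DA_USERS_DIR:-/usr/local/directadmin/data/users}"

# Accept only a lowercase account name (no '/', no '..', no leading '-').
valid_username() {
    case "$1" in ''|-*|*[!a-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -le 32 ]
}

# Accept only a dotted hostname; rejects '/', '..', leading/trailing dots.
valid_domain() {
    case "$1" in ''|.*|*.|-*|*..*|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$1" in *.*) return 0 ;; *) return 1 ;; esac
}

# fix_cert_perms USER DOMAIN: give CERT_GROUP read access to the CA chain,
# certificate and key. Symlinks are resolved first so the real files change,
# and 'other' loses all access. Returns non-zero on bad input or a missing file.
fix_cert_perms() {
    user="$1"; dom="$2"
    valid_username "$user" || { echo "Bad username: $user" >&2; return 10; }
    valid_domain "$dom"    || { echo "Bad domain: $dom" >&2; return 11; }
    dir="$DA_USERS_DIR/$user/domains"
    for f in "$dir/$dom.cacert" "$dir/$dom.cert" "$dir/$dom.key"; do
        [ -e "$f" ] || { echo "Missing: $f" >&2; return 12; }
        target="$(readlink -f "$f")"
        chown ":$CERT_GROUP" "$target" || return 13
        chmod g+r,o-rwx "$target" || return 14
    done
    return 0
}

# Hook entry point: act only on a successful request or renewal.
run_hook() {
    [ -n "$username" ] && [ -n "$domain" ] || { echo "Missing username/domain." >&2; return 1; }
    [ "${exit_code:-1}" -eq 0 ] || return 3
    case "$action" in request|renew) ;; *) return 4 ;; esac
    fix_cert_perms "$username" "$domain"
}

# When DirectAdmin runs this file as the hook, the variables are exported.
if [ -n "${username:-}" ] && [ -n "${action:-}" ]; then
    run_hook
    exit $?
fi
```

Because the validation runs before any path is built, a value such as `../otheruser` in $username or `evil.com/../../x` in $domain is refused with a non-zero exit instead of changing ownership somewhere outside the account's domains directory.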

Invader Zim

Verified User
Joined
Sep 4, 2004
Messages
155
Can anyone confirm or deny this?

Directadmin ControlPanel 1.50.1 denial of service Vulnerability
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,005
I've tested a very long user/pass and didn't duplicate the issue, so I don't see any evidence that it's valid.
I just get this in the debug output:
Code:
Username AAAAAAAAAAAAAA....AAAAAAAAA is 10890 characters long, but the directadmin.conf has this setting 'max_username_length=10'
so it had no effect.
I also hammered it many times, but didn't notice any of the child processes hanging or becoming unresponsive.

If anyone notices otherwise, please let us know, preferably via email or ticket :)
For the security of everyone's server, it's typically best to notify the coder of a security issue first :)

John
 

ikkeben

Verified User
Joined
May 22, 2014
Messages
714
Location
Netherlands Germany
I've tested a very long user/pass and didn't duplicate the issue, so I don't see any evidence that it's valid.
I just get this in the debug output:
Code:
Username AAAAAAAAAAAAAA....AAAAAAAAA is 10890 characters long, but the directadmin.conf has this setting 'max_username_length=10'
so it had no effect.
I also hammered it many times, but didn't notice any of the child processes hanging or becoming unresponsive.

If anyone notices otherwise, please let us know, preferably via email or ticket :)
For the security of everyone's server, it's typically best to notify the coder of a security issue first :)

John
Hello John, did you also try these very long chars (PHP) with the PASSWORD only?
Your text (debug) is about the username length, or sorry if I understand your text wrong here.

The issue there is waiting for verification (but the author has done some issues before where he was right).

Is there a check only for the max password length? (with little/low hardware resources of a server, as a DA user/reseller/admin that only has a "tiny" account somewhere)
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,005
Yes, I've also tested a 10,000 character password only, with "admin" and with a non-existent User, to no effect.
DA just correctly returns a wrong password message.

I've tried various combinations, including with login_keys=0 turned off and on, but no luck.
I've added a hard length check anyway (1024), but not sure that it was required.

John
 

kevinb

Verified User
Joined
Jul 27, 2006
Messages
96
John,

I've been looking at the upcoming release changes and there are a lot of fairly significant updates (which is awesome).

I really like small incremental updates.

A suggestion if possible would be to look at consistent releases monthly/bi-monthly/quarterly (whichever works best) with the features that are ready, rather than waiting for a large bundle.

Thanks,

Kevin
 

DirectAdmin Support

Administrator
Staff member
Joined
Feb 27, 2003
Messages
9,005
Totally agree there. The plan was to get DA released with the new skin, but that's taking longer than expected, hence the delay.
We may end up just releasing the next DA now, before the skin is ready, even though it has a huge number of internal changes for the new skin, that you won't really notice :)

John
 

ditto

Verified User
Joined
Apr 27, 2009
Messages
2,557
The guy posted a new alert, now because of XSS.

URL REMOVED

Comments?
This is the second time you post that kind of link in this thread. Did you not read John's first reply?: http://forum.directadmin.com/showthread.php?t=53336&p=278133#post278133

For the security of everyone's server, it's typically best to notify the coder of a security issue first
Please stop posting those links, instead send a ticket to https://tickets.directadmin.com
 

Invader Zim

Verified User
Joined
Sep 4, 2004
Messages
155
I did read his response.

"If anyone notices otherwise, please let us know, preferably via email or ticket". The bit about "best to notify the coder", I think, was meant in response to the guy publicly posting this before contacting DA about the issue, as is customary. Since it's already out there, it concerns everybody running DA, and what better place to post it than here?

If I had found an issue myself I'd notify DA first.
 