The problem is that the server can be configured from userspace. There's even a (horribly outdated) WordPress plugin for setting up email addresses from within WordPress. Super insecure, no matter how much SSL you throw at it.
I'm sorry, but I don't really follow. This tool, like many others, was created for exactly this purpose: to configure the server from userspace. The ISPConfig web interface doesn't write directly to the server. It creates a series of tasks that are executed in the background by another process with different privileges (and you are limited to a list of predefined tasks, you cannot do an "rm -rF /"). So... I don't think it's possible to run arbitrary code through the ISPConfig web interface, because it runs with the limited privileges of a PHP-FPM process that writes a task to the database queue, which is later read and executed by another process.
The main problem for me is when the web server (Apache or Nginx) fails to start or restart for some reason. In this case, you are cut off from the ISPConfig interface and forced to fix things by hand.
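
The split described in the reply above (an unprivileged web process that only writes tasks to a database queue, and a separate worker that runs only predefined tasks) can be sketched as follows. This is an added example, not part of the original posts and not ISPConfig's code; the table name, action names and validators are hypothetical, and the queued rows are constructed sample input.

```python
import json
import re
import sqlite3

# Hypothetical allowlist of predefined tasks (illustrative names, not
# ISPConfig's real task types). Each action has its own parameter validator.
MAILBOX_RE = re.compile(r"[a-z0-9._-]{1,64}@[a-z0-9.-]{1,253}")

def _valid_mailbox(p):
    return (set(p) == {"address"} and isinstance(p["address"], str)
            and MAILBOX_RE.fullmatch(p["address"]) is not None)

ALLOWED_ACTIONS = {"mail_user_add": _valid_mailbox,
                   "web_reload": lambda p: p == {}}

def open_queue():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE task_queue (id INTEGER PRIMARY KEY, action TEXT,"
               " params TEXT, status TEXT DEFAULT 'pending')")
    return db

def enqueue(db, action, params):
    """Web side (unprivileged): can only insert rows, never execute them."""
    db.execute("INSERT INTO task_queue (action, params) VALUES (?, ?)",
               (action, json.dumps(params)))

def run_worker(db):
    """Privileged side: every queued row is untrusted input."""
    results = {}
    rows = db.execute("SELECT id, action, params FROM task_queue"
                      " WHERE status = 'pending' ORDER BY id").fetchall()
    for task_id, action, raw in rows:
        validator = ALLOWED_ACTIONS.get(action)
        try:
            params = json.loads(raw)
            ok = (validator is not None and isinstance(params, dict)
                  and validator(params))
        except (ValueError, TypeError):
            ok = False
        # A real worker would now call a fixed handler for `action`, passing
        # params as data and never splicing them into a shell string.
        status = "done" if ok else "rejected"
        db.execute("UPDATE task_queue SET status = ? WHERE id = ?",
                   (status, task_id))
        results[task_id] = status
    return results

def demo():
    db = open_queue()
    enqueue(db, "mail_user_add", {"address": "alice@example.com"})
    enqueue(db, "shell_exec", {"cmd": "rm -rf /"})          # not a predefined task
    enqueue(db, "mail_user_add", {"address": "x@example.com; id"})  # bad parameter
    enqueue(db, "web_reload", {})
    return run_worker(db)

if __name__ == "__main__":
    print(demo())
```

In this sketch the worker rejects both the unknown action and the allowed action with a malformed parameter, which is the check that keeps a compromised web process from steering the privileged side.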