Software Installer - Security issues - Server breakage

  • Dear community,

    Yesterday, an important bug was reported to our team regarding the i-MSCP software installer.

    The bug concerns the way the data are passed to the software installer scripts, including those which are in the software packages. Indeed, the data are passed to those scripts using a comma as value delimiter. The problem is that if a customer uses a comma in a value such as a password, the data get corrupted when the data are decoded.

    When the data are corrupted, the backend is unable to process any new software instance and ends with the following error:

    main::run: Argument "yes" isn't numeric in addition (+) at /var/www/imscp/engine/imscp-sw-mngr line 111.

    Even worse, the input data for the software instances (customer input data) are not validated. This is a security issue which should be addressed as soon as possible.

    Unfortunately, we cannot fix these issues in the next release and, for this reason, we will disable the software installer. In the next weeks, we will either fix those bugs or replace the software installer.

    For now, you are greatly encouraged to disable the software installer feature for your customers since this can lead to security issues and/or server breakage.

    Note: This bug affects all i-MSCP versions.

    i-MSCP Team


  • Some news:

    After all, I decided to fix the bug and security issues described above. See…03d9a513ed597f71095cd6243
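
The delimiter problem described in the first post, as an added example that is not part of the original posts and is not i-MSCP code. The field names, their order and the sample record are assumptions constructed for illustration. JSON stands in here for any delimiter-safe encoding and is not necessarily what the project adopted.

```python
import json

# Hypothetical field layout for one installer request (assumption, not i-MSCP's format).
FIELDS = ("software_id", "install_path", "db_user", "db_pass", "create_db", "domain_id")

# Constructed sample: the customer-chosen password contains a comma.
SAMPLE = (7, "/blog", "blog_user", "s3cr,et", "yes", 12)


def encode_naive(values):
    """Flawed scheme: join the raw values with a comma, no escaping."""
    return ",".join(str(v) for v in values)


def decode_naive(blob):
    """Split on the comma; a comma inside a value shifts every later field."""
    return dict(zip(FIELDS, blob.split(",")))


def encode_safe(values):
    """Delimiter-safe alternative: JSON escapes the content of each value."""
    return json.dumps(dict(zip(FIELDS, values)))


def decode_safe(blob):
    """Decode, then validate customer input before the backend uses it."""
    data = json.loads(blob)
    if not isinstance(data, dict) or set(data) != set(FIELDS):
        raise ValueError("unexpected field set")
    for key in ("software_id", "domain_id"):
        value = data[key]
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            raise ValueError(f"{key} must be a positive integer")
    if data["create_db"] not in ("yes", "no"):
        raise ValueError("create_db must be 'yes' or 'no'")
    return data


if __name__ == "__main__":
    broken = decode_naive(encode_naive(SAMPLE))
    # The password is truncated and "yes" lands in the numeric domain_id slot,
    # the same kind of field shift behind the "isn't numeric" error.
    print("naive:", broken)
    print("safe: ", decode_safe(encode_safe(SAMPLE)))
```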