SquirrelMail password Script Issue

Bug #818103 reported by Derek manning
This bug affects 1 person
Affects: Easy Hosting Control Panel for Ubuntu
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

EHCP version: 0.29.13

The ehcp plugin for SquirrelMail has two issues:
1. It is possible to select an invalid database. Lack of error checking on the mysql select statement will cause script failure without notifying the user. This can be tested by modifying config.php and changing the dbname variable to a database that doesn't exist, i.e. $dbname = foobar

2. The variable name in the config.php file for the database name is $dbname, while the select statement in ehcp_password_change.php references $db. This causes the database update command to select a "null" database on the database server because $db is not initialized. This failure is not reported due to issue (1.) above.

The emailuser password never gets changed.
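
The error checking the report asks for, as an added example in PHP with mysqli (not ehcp's code and not part of the original report). The config keys, the `emailusers` table and its `email` and `password` columns are assumed names for illustration.

```php
<?php
// Added example, not ehcp code. Config keys, table and column names are assumed.

function change_email_password(array $config, string $email, string $storedValue): void
{
    // Refuse to continue with a missing or empty setting. A name mismatch
    // between the config file and the script ends here, not at the server.
    foreach (['dbhost', 'dbuser', 'dbpass', 'dbname'] as $key) {
        if (!isset($config[$key]) || $config[$key] === '') {
            throw new RuntimeException("config key '$key' is missing or empty");
        }
    }

    // Make every mysqli failure throw mysqli_sql_exception.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    $link = mysqli_init();
    // FOUND_ROWS: count matched rows, so re-setting the same value is not
    // mistaken for "no such user".
    $link->real_connect($config['dbhost'], $config['dbuser'], $config['dbpass'],
                        null, null, null, MYSQLI_CLIENT_FOUND_ROWS);
    $link->select_db($config['dbname']);   // throws on an unknown database

    $stmt = $link->prepare('UPDATE emailusers SET password = ? WHERE email = ?');
    $stmt->bind_param('ss', $storedValue, $email);
    $stmt->execute();

    // Anything other than exactly one matched row means nothing was changed
    // (or too much was), and the caller must hear about it.
    if ($stmt->affected_rows !== 1) {
        throw new RuntimeException("expected 1 row updated, got {$stmt->affected_rows}");
    }
}

// Constructed config with no database name, as the script in the report
// effectively saw it. This path runs without a database server.
$config = ['dbhost' => 'localhost', 'dbuser' => 'ehcp', 'dbpass' => 'example'];
try {
    change_email_password($config, 'user@example.com', 'constructed-hash-value');
    echo "Password changed.\n";
} catch (Throwable $e) {
    // Log the detail, show the user a plain failure message.
    error_log('password change failed: ' . $e->getMessage());
    echo "Password was not changed. Please contact the administrator.\n";
}
```

With a complete config, an unknown database name fails at `select_db()` and an address that matches no row fails the `affected_rows` check, so neither case reports success to the user.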

ehcpdeveloper (ehcpdeveloper) wrote : Re: [Bug 818103] [NEW] SquirrelMail password Script Issue

Is this the same in version 0.29.15, which is the latest now?
I checked on my side, files seem ok.
Please download from www.ehcp.net/download and re-check.
Thanks for the bug report.

On Fri, Jul 29, 2011 at 6:18 PM, Derek manning
<email address hidden> wrote:
> Public bug reported:
>
> EHCP version:  0.29.13
>
> The ehcp plugin for SquirrelMail has two issues:
> 1. It is possible to select an invalid database. Lack of error checking on the mysql select statement will cause script failure without notifying the user. This can be tested by modifying config.php and changing the dbname variable to a database that doesn't exist, i.e. $dbname = foobar
>
> 2. The variable name in the config.php file for the database name is $dbname, while
> the select statement in ehcp_password_change.php references $db. This causes
> the database update command to select a "null" database on the database
> server because $db is not initialized. This failure is not reported due
> to issue (1.) above.
>
> The emailuser password never gets changed.

Derek manning (derek-manning) wrote :

I'm running .13; I haven't updated yet. I'll check and see .15. I've got an internal ticket that I'm tracking this against, but everything seems ok on my side after the fix.

Does the .13 - .15 upgrade include a new SquirrelMail plugin? The issue I was having is explicitly with the squirrel plugin. Including some error return checking on the database use/select statement would catch this.

v2


ehcpdeveloper (ehcpdeveloper) wrote :

In fact, the .13 - .15 upgrade should not contain any sqmail plugin
update, as I remember.
However, I checked the latest code; the issues that you described do not exist there.

Maybe you updated before, to 0.29.13, without updating sqm, leaving
it older.

On Fri, Jul 29, 2011 at 10:53 PM, Derek manning
<email address hidden> wrote:
> I'm running .13; I haven't updated yet. I'll check and see .15. I've got
> an internal ticket that I'm tracking this against, but everything seems
> ok on my side after the fix.
>
> Does the .13 - .15 upgrade include a new SquirrelMail plugin? The
> issue I was having is explicitly with the squirrel plugin. Including
> some error return checking on the database use/select statement would
> catch this.
>
> v2
