ISPConfig released and Security Warning

ISPConfig Patch 3 is available for download. This is a patch release for ISPConfig that fixes some issues that were found in the last version and adds several security enhancements.

See changelog link below for a list of all changes that are included in this release.

– IMPORTANT: Security Warning

We received a email notification that a remote root exploit for ISPConfig shall
be released on August 15. The author of this potential exploit did not provide
us with details on the exploit upfront of the planned public release, so we neither
know what it affects nor if it exists at all. If it exists, then we will provide a
fix as soon as possible. If you know any details about the exploit or find the exploit
on the internet, then please contact us by email to dev [at] ispconfig [dot] org.

We highly recommend that you use the new security features below to protect your
system. If possible you should use the .htaccess protection as well until we know
more about the issue.

– UPDATE 2014-08-21 on security warning

We received a message from the person that planned to release the exploit that
he will not release the exploit publicly. We also received some details on the way
it affected ISPConfig. If the details that we have are complete, then the exploit
required a valid ispconfig administrator password. So only the person that administers
the server could attack it, neither clients nor resellers nor persons without
a ispconfig login were able to do the attack. The function related to apache settings
that was misused in conjunction with a third party exploit module is an intended admin
functionality, so one could argue if a correctly authenticated system admin should be
able to configure apache freely trough a web interface or not. In any case, we will add
a set of filters to prevent this kind of access by the admin user. Some users will
miss the functionality that we will disable with the filters, so these filters will be made
configurable trough the system_settings.ini. So every root user can decide then
on its own, if he wants to allow the ispconfig admin user to do this kind of configuration
trough the ISPConfig web interface or not.

– NEW Security Features

This version contains a new set of security settings that allows the root user
of a server to limit the access of the ispconfig “admin” user. There is also
a new security check script that can warn the root user when changes in
/etc/passwd, /etc/shadow or /etc/group occur or when a additional ispconfig
administrator user is added in ISPConfig.

The settings for the security limits and security check can be found in this file:


A detailed description of all settings can be found in the file


The most important features are


If you want to prevent that shell users for websites get added to your server, then
set this option to “no”. If this server is a server that does not host websites like
a mailserver or dns server node, then this option should be set to “no” as well.


If you do not use the remote API, then set this to “no”.

admin_allow_* = yes/no/superuser

The admin_allow_* features control which parts of the System module in ISPConfig can
be accessed by the admin user. You should disable all functions that you dont need
in the security settings by setting them to “no”. The option “superuser” limits a
function to the administrator with userid = 1, so if you created additional administrators,
then these will not be able to access these functions.

– NEW: Protect the ISPConfig Interface with .htaccess

We added a script that makes it easy to protect the ISPConfig Interface with a .htaccess
password protection. This script adds a apache password prompt in front of the ispconfig
Interface and exports all ispconfig client users into a .htpasswd file, so all client
logins will still work.

Run the following command as root user to activate the script:

php /usr/local/ispconfig/server/scripts/ispconfig_htaccess.php

you can use the same command at any time to update the user list.

In case that you want to remove the protection again, run:

rm -f /usr/local/ispconfig/interface/web/.htaccess
rm -f /usr/local/ispconfig/interface/.htpasswd

For nginx webservers, edit the file /etc/nginx/sites-available/ispconfig.vhost
and add the lines:

auth_basic “Members Only”;
auth_basic_user_file /usr/local/ispconfig/interface/.htpasswd;

right after line 35: “fastcgi_temp_file_write_size 256k;”.

– Download

The software can be downloaded here:

– Changelog

– Known Issues:

Please take a look at the bugtracker:

– BUG Reporting

Please report bugs to the ISPConfig bugtracking system:

– Supported Linux Distributions

– Debian Etch (4.0) – Wheezy (7.0) and Debian testing
– Ubuntu 7.10 – 14.04
– OpenSuSE 11 – 13.1
– CentOS 5.2 – 6.5
– Fedora 9 – 15

– Installation

The installation instructions for ISPConfig can be found here:

or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.

– Update

To update existing ISPConfig 3 installations, run this command on the shell:

Select “stable” as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.

Detailed instructions for making a backup before you update can be found here:

If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.

– Manual update instructions

cd /tmp
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php