This release contains an important security fix for an insufficient validation of the PHP version selector.
Scope of the issue: an attacker would require a valid ISPConfig login with access to the web module. The issue affects the ISPConfig interface only; on a multiserver system, only the interface server(s) have to be patched.
Thank you to Timo Boldt https://git.ispconfig.org/u/timo.boldt for reporting this issue!
The fix can be applied by updating to ISPConfig 22.214.171.124p9 or by using the ISPConfig patch tool.
Run the command:
as root user on the shell. Enter the following patch code when requested by the tool:
See details at the end of this post.
The “Reconfigure services” option can be answered with “no” on servers that run ISPConfig 126.96.36.199p8.
See changelog link below for a list of all changes that are included in this release.
The software can be downloaded here:
Please take a look at the bug tracker:
Please report bugs to the ISPConfig bug tracking system:
– Debian Etch (4.0) – Jessie (8.0) and Debian testing
– Ubuntu 7.10 – 15.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 8
– Fedora 9 – 15
The installation instructions for ISPConfig can be found here:
or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.
To update existing ISPConfig 3 installations, run this command on the shell:
Select “stable” as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.
Detailed instructions for making a backup before update can be found here:
If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php