This release fixes several security issues in ISPConfig 3.3.0:
- An authenticated code injection in the language_edit functionality was found by SSD-Disclosure. This requires a valid administrator login.
- Administrators could grant clients access to the Admin module via the Remote API. While the fact that an admin can do this is not a security issue, it is probably not intended, so we have restricted the available modules in the API now.
- Authenticated reflected cross-site scripting issue in ISPConfig monitor. This requires a valid admin login. Credits: Marco Nappi
- Rotated ISPConfig log files are world-readable. These files may contain sensitive information if you activated debug mode in ISPConfig. Credits: Hannes
You can see the full changelog here:
https://git.ispconfig.org/ispconfig/ispconfig3/-/milestones/97
Known issues
Please take a look at the bug tracker:
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Bug
You can report bugs at https://git.ispconfig.org/ispconfig/ispconfig3/issues
Supported Linux Distributions
- Debian 10 – 12 (recommended) and Debian testing
- Ubuntu 24.04 LTS – 24.04 LTS (recommended)
- CentOS 7 – 8
Download ISPConfig 3.3.0p2
https://www.ispconfig.org/downloads/ISPConfig-3.3.0p2.tar.gz
The installation instructions for ISPConfig can be found here:
https://www.ispconfig.org/ispconfig-3/documentation/
How can I update to ISPConfig 3.3.0p2?
You can update to ISPConfig 3.3.0p2 by using the ispconfig_update.sh command.
Manual update instructions
In case you need to run the update manually without using ispconfig_update.sh, use the manual download procedure below:
Run the following commands as the root user on your ISPConfig server:
cd /tmp
wget https://www.ispconfig.org/downloads/ISPConfig-3.3.0p2.tar.gz
tar xvfz ISPConfig-3.3.0p2.tar.gz
cd ispconfig3_install/install
php -q update.php