ISPConfig 3.1.11 Released – Security and Bugfix update

What’s new in ISPConfig 3.1.11

In the past weeks, we reviewed the ISPConfig source code for further XSS issues, and ISPConfig was tested with professional security test tools. Thank you very much to Fábián Patrik for his efforts in testing ISPConfig. This uncovered more places where ISPConfig was vulnerable to XSS attacks. For all attacks, a valid ISPConfig login was required to exploit the XSS vulnerability. This release fixes the XSS issues that were found. Besides that, it includes several other bugfixes and new features.

The ISPConfig IDS was extended to use different attack score levels for users and the admin. This drastically reduced the false positive rate and made it possible to enable the IDS by default. The IDS settings can be found in the file /usr/local/ispconfig/security/security_settings.ini

A new feature has been added to change the document root directory on nginx servers to a subfolder. More:


The software can be downloaded here:


Known Issues

Please take a look at the bug tracker:

Bug Reporting

Please report bugs to the ISPConfig bug tracking system:

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15


The installation instructions for ISPConfig can be found here:


To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
tar xvfz ISPConfig-3.1.11.tar.gz
cd ispconfig3_install/install
php -q update.php