A security vulnerability has been found in ISPConfig which might allow a client to execute code under the permissions of the ispconfig user.
The following two requirements must be met for this:
– The attacker must have a valid ISPConfig login (Client, Reseller or Admin – username and password).
– The attacker must be able to create a website on the same server where the ISPConfig interface is hosted or he must have any other kind of local file system access that allows him to upload files to the server were the ISPConfig interface is hosted on.
Thank you very much to Rio Sherri – 0x09AL for finding and reporting this issue.
We highly recommend installing this update immediately.
This release contains some other bug fixes and minor feature enhancements besides the security fix. For details, please see the changelog.
The software can be downloaded here:
Please take a look at the bug tracker:
Please report bugs to the ISPConfig bug tracking system:
– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 18.04
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15
The installation instructions for ISPConfig can be found here:
To update existing ISPConfig 3 installations, run these commands in the shell:
cd /tmp wget http://www.ispconfig.org/downloads/ISPConfig-3.1.13.tar.gz tar xvfz ISPConfig-3.1.13.tar.gz cd ispconfig3_install/install php -q update.php