A security vulnerability has been found in ISPConfig that may allow a client to create folders outside of their web root and to alter the permissions of folders outside of the web root.
The following two requirements must be met for this:
– The attacker must have a valid ISPConfig login (Client, Reseller or Admin – username and password).
– The attacker must have the website module enabled for their ISPConfig account and must have the permission, in their client limit settings, to add or edit FTP users.
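The advisory does not show the vulnerable code or the fix. As an added illustration of the class of check involved, not ISPConfig's own code, the shell functions below normalise a requested FTP directory lexically and accept it only when it is the site's web root or lies beneath it. The paths are constructed sample input in ISPConfig's usual /var/www/clients/... layout.

```sh
#!/bin/sh
# Added example, not ISPConfig code: keep an FTP user's directory inside the
# website's web root. Paths below are constructed sample input.

# Lexically normalise a path: collapse repeated "/", drop "." segments and
# resolve ".." without ever climbing above "/". No filesystem access, so the
# check also works before the directory exists.
norm_path() {
    out=""
    old_ifs=$IFS
    set -f                      # no globbing while the path is unquoted
    IFS=/
    set -- $1
    IFS=$old_ifs
    set +f
    for seg in "$@"; do
        case "$seg" in
            ""|.) ;;                     # empty (from "//" or a leading "/") or "."
            ..)  out=${out%/*} ;;        # parent; at "/" this stays empty
            *)   out="$out/$seg" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# Exit 0 when the requested directory $1 equals the web root $2 or lies
# beneath it. The "/" in the pattern stops ".../web10" matching ".../web1".
ftp_dir_within_root() {
    req_dir=$(norm_path "$1")
    web_root_n=$(norm_path "$2")
    if [ "$req_dir" = "$web_root_n" ]; then
        return 0
    fi
    case "$req_dir" in
        "$web_root_n"/*) return 0 ;;
    esac
    return 1
}

# Demo over constructed requests against one site's web root.
web_root=/var/www/clients/client1/web1
for req in "$web_root/web" "$web_root/../web2" "${web_root}0" "/etc"; do
    if ftp_dir_within_root "$req" "$web_root"; then
        printf 'allow  %s\n' "$req"
    else
        printf 'reject %s\n' "$req"
    fi
done
```

The check is purely lexical, so it is the right gate at input-validation time; when the directory or its parent already exists, pair it with a realpath-based check so that a symlink planted under the web root cannot point the FTP home elsewhere.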
All ISPConfig 3 versions before ISPConfig 3.1.14p2 are affected.
Thank you very much to WHO for finding and reporting this issue.
We highly recommend installing this update immediately, either by installing the ISPConfig update in the regular way or by applying only the security patch with the ISPConfig patch tool.
To start the patch tool, run the command:
as root user on the shell. When the command asks for the patch ID, enter: 3114_ftpuser
The patch tool should be able to apply the fix to versions released since 2015. If the patch tool reports an error, use the regular update instead.
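Since every ISPConfig 3 release before 3.1.14p2 is affected, an administrator with several hosts will want to script the "is this one affected?" question. The following is an added example, not ISPConfig code: it orders version strings so that 3.1.14 < 3.1.14p1 < 3.1.14p2 < 3.1.15 (a missing "pN" suffix counts as patch level 0). The installed_version helper assumes that the server config defines ISPC_APP_VERSION with a define() line at /usr/local/ispconfig/server/lib/config.inc.php; that layout and path are assumptions, not stated in the advisory.

```sh
#!/bin/sh
# Added example, not ISPConfig code: decide whether an ISPConfig 3 version
# string predates 3.1.14p2, the first release named in the advisory as fixed.
# Assumed ordering: 3.1.14 < 3.1.14p1 < 3.1.14p2 < 3.1.15.

FIXED_VERSION=3.1.14p2

# "3.1.14p2" -> "3.1.14"
version_release() { printf '%s\n' "${1%%p*}"; }

# "3.1.14p2" -> "2"; "3.1.14" -> "0"
version_patch() {
    case "$1" in
        *p*) printf '%s\n' "${1##*p}" ;;
        *)   printf '0\n' ;;
    esac
}

# Compare two dotted numeric strings field by field; prints -1, 0 or 1.
# Missing trailing fields count as 0, so "3.1" < "3.1.14".
compare_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# Exit 0 when $1 predates FIXED_VERSION (affected), 1 otherwise.
ispc_version_affected() {
    case "$(compare_dotted "$(version_release "$1")" "$(version_release "$FIXED_VERSION")")" in
        -1) return 0 ;;
         1) return 1 ;;
    esac
    # Same release number: the patch level decides.
    [ "$(version_patch "$1")" -lt "$(version_patch "$FIXED_VERSION")" ]
}

# Read the installed version from ISPConfig's server config. The define()
# line format and the default path are assumptions, not from the advisory.
installed_version() {
    sed -n "s/.*define('ISPC_APP_VERSION', *'\([^']*\)').*/\1/p" \
        "${1:-/usr/local/ispconfig/server/lib/config.inc.php}"
}

# Demo over constructed version strings.
for v in 3.0.5.4p9 3.1.13p1 3.1.14 3.1.14p1 3.1.14p2 3.1.14p3 3.1.15; do
    if ispc_version_affected "$v"; then
        printf '%-10s affected, update or patch\n' "$v"
    else
        printf '%-10s not affected\n' "$v"
    fi
done
```

On a live host, `ispc_version_affected "$(installed_version)"` gives the answer; the patch step itself (the interactive ISPConfig patch tool, whose command name this page does not show) still has to be run by hand as described above.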
This release contains some other bug fixes and minor feature enhancements besides the security fix. For details, please see the changelog.
The software can be downloaded here:
Please take a look at the bug tracker:
Please report bugs to the ISPConfig bug tracking system:
– Debian 8 – 10 and Debian testing
– Ubuntu 16.04 – 18.04
– OpenSuSE 11 – 13.2
– CentOS 6 – 7
– Fedora 9 – 15
The installation instructions for ISPConfig can be found here:
ISPConfig can be updated to version 3.1.14p2 by running the ispconfig_update.sh command as the root user on the shell. Choose ‘stable’ as the update source.
If you have any issues updating ISPConfig through the ispconfig_update.sh command, use the manual update instructions below.
To update existing ISPConfig 3 installations, run these commands in the shell:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.14p2.tar.gz
tar xvfz ISPConfig-3.1.14p2.tar.gz
cd ispconfig3_install/install
php -q update.php