ISPConfig 3.1.14p2 Released – Important Security Bugfix

What’s new in ISPConfig 3.1.14p2

A security vulnerability has been found in ISPConfig which might allow a client to create folders outside of his web root and to alter permissions of folders outside of the web root.

The following two requirements must be met for this:

– The attacker must have a valid ISPConfig login (Client, Reseller or Admin – username and password).
– The attacker must have the website module enabled for his ISPConfig account and he must have the permission in his client limit settings to add or edit FTP users.

All ISPConfig 3 versions before ISPConfig 3.1.14p2 are affected.

Thank you very much to WHO for finding and reporting this issue.

We highly recommend installing this update immediately, either by installing the ISPConfig update in the regular way or by applying just the security patch with the ISPConfig patch tool.

To start the patch tool, run the command:


as root user on the shell. When the command asks for the patch ID, enter: 3114_ftpuser

The patch tool should be able to apply the fix on versions released since 2015. If a patch error is displayed, you must use the regular update instead.

This release contains some other bug fixes and minor feature enhancements besides the security fix. For details, please see the changelog.

ISPConfig 3.1.14p2 Download

The software can be downloaded here:


Known Issues

Please take a look at the bug tracker:

Bug Reporting

Please report bugs to the ISPConfig bug tracking system:

Supported Linux Distributions

– Debian 8 – 10 and Debian testing
– Ubuntu 16.04 – 18.04
– OpenSuSE 11 – 13.2
– CentOS 6 – 7
– Fedora 9 – 15


The installation instructions for ISPConfig can be found here:


ISPConfig can be updated to version 3.1.14p2 by running the command:

as root user on the shell. Choose ‘stable’ as the update source.

Manual Update

If you have any issues updating ISPConfig through the update command, use the manual update instructions below.

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
tar xvfz ISPConfig-3.1.14p2.tar.gz
cd ispconfig3_install/install
php -q update.php