The ISPConfig source code has undergone an initial code review by the security company RACK911 LABS. Several problems were found during this review and have been fixed in this patch version.
This release improves the protection against CSRF attacks. While additions and edits were already protected, deletions were not. This has now been fixed.
The hashed (CRYPT_SHA512 with salt) password was visible in the ps command output while a shell user was being added with the adduser command. This has now been changed to hide the password hash.
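The exposure class described above, shown as an added example that is not ISPConfig's code: a value passed as a command-line argument is readable by other local users for as long as the process lives, while a value sent over standard input is not. It assumes Linux with /proc readable (no hidepid restriction); the hash is a constructed placeholder and the child process is a stand-in for the real user-management helper.

```python
import subprocess
import sys

# Constructed placeholder in crypt(3) SHA-512 layout; not a real hash.
SAMPLE_HASH = "$6$constructedsalt$CONSTRUCTEDHASHVALUE0000"

# Stand-in children (assumption): they only sleep, so the demo runs unprivileged.
CHILD_ARGV = "import time; time.sleep(30)"
CHILD_STDIN = "import sys, time; sys.stdin.readline(); time.sleep(30)"


def visible_cmdline(pid):
    """Return the argument list of `pid` as ps would show it to any local user."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return fh.read().replace(b"\0", b" ").decode(errors="replace").strip()


def observe(child_code, args=(), stdin_data=None):
    """Start the child, hand it the secret, and return its visible command line."""
    proc = subprocess.Popen([sys.executable, "-c", child_code, *args],
                            stdin=subprocess.PIPE)
    try:
        if stdin_data is not None:
            proc.stdin.write(stdin_data.encode() + b"\n")
            proc.stdin.flush()
        return visible_cmdline(proc.pid)
    finally:
        proc.kill()
        proc.communicate()  # closes the pipe and reaps the child


def run_with_hash_in_argv(secret):
    """Weak pattern: the hash is one of the child's command-line arguments."""
    return observe(CHILD_ARGV, args=(secret,))


def run_with_hash_on_stdin(secret):
    """Safer pattern: the hash travels over a pipe and never enters argv."""
    return observe(CHILD_STDIN, stdin_data=secret)


if __name__ == "__main__":
    print("argv :", run_with_hash_in_argv(SAMPLE_HASH))
    print("stdin:", run_with_hash_on_stdin(SAMPLE_HASH))
```

On Linux, chpasswd -e reads user:hash pairs from standard input, which is one way to set a pre-hashed password without placing it in argv; the announcement does not say which method ISPConfig adopted.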
This release also contains some bug fixes. For details, please see the changelog.
The software can be downloaded here:
Please take a look at the bug tracker:
Please report bugs to the ISPConfig bug tracking system:
– Debian 9 – 10 and Debian testing
– Ubuntu 16.04 LTS – 18.04 LTS
– OpenSuSE 11 – 13.2
– CentOS 7
– Fedora 9 – 15
The installation instructions for ISPConfig can be found here:
ISPConfig can be updated to version 3.1.15p1 by running the command:
as root user on the shell. Choose ‘stable’ as the update source.
In case you have any issues with updating ISPConfig through the ispconfig_update.sh command, use the manual update instructions below.
To update existing ISPConfig 3 installations, run these commands in the shell:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.15p1.tar.gz
tar xvfz ISPConfig-3.1.15p1.tar.gz
cd ispconfig3_install/install
php -q update.php