ISPConfig 3.1.15p3 Released – Security Bugfix Release

What’s new in ISPConfig 3.1.15p3

An SQL injection vulnerability has been discovered in ISPConfig. This release fixes that issue.

Thanks to Paolo Serracino for finding and reporting this issue!

Who is affected by this issue?

Most likely your system is not affected by the issue because the vulnerable code is part of an undocumented feature that is not used by default and it requires manual editing of the ISPConfig security_settings.ini file to activate it and make your system vulnerable.

Run this command as root user to find out if your ISPConfig installation is affected:

grep reverse_proxy_panel_allowed /usr/local/ispconfig/security/security_settings.ini

If the result is:


then your system is vulnerable.

If the result is:




or you get no result at all, then your system is not vulnerable by the issue. Generally not affected are ISPConfig versions below 3.1.13.

Affected users should patch their system immediately. All other users can install the patch as well, it has no negative effect on any ISPConfig functions.

How to patch your system?

There are two ways to install the security patch.

1) Update to ISPConfig 3.1.15p3 the usual way with command. Reconfigure services is not required when updating from 3.1.15p2.

2) Use the ISPConfig patch tool. Run this command as root or via sudo:


when the tool requests a patch ID, enter:


The patch tool will download the patch from and apply it to your system. In case you get a patch error, install the update via the method (1) instead.

ISPConfig 3.1.15p3 Download

The software can be downloaded here:

Known Issues

Please take a look at the bug tracker:

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

Supported Linux Distributions

– Debian 9 – 10 and Debian testing
– Ubuntu 16.04 LTS – 18.04 LTS
– OpenSuSE 11 – 13.2
– CentOS 7
– Fedora 9 – 15


The installation instructions for ISPConfig can be found here:


ISPConfig can be updated to version 3.1.15p3 by running the command:

as root user on the shell. Choose ‘stable’ as the update source.

Manual Update

In case you have any issues with updating ISPConfig trough command, then use the manual update instructions below.

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
tar xvfz ISPConfig-3.1.15p3.tar.gz
cd ispconfig3_install/install
php -q update.php