What’s new in ISPConfig 3.1.13

A security vulnerability has been found in ISPConfig which might allow a client to execute code under the permissions of the ispconfig user.

The following two requirements must be met for this:

– The attacker must have a valid ISPConfig login (Client, Reseller or Admin – username and password).
– The attacker must be able to create a website on the same server where the ISPConfig interface is hosted, or he must have some other kind of local file system access that allows him to upload files to the server where the ISPConfig interface is hosted.

Thank you very much to Rio Sherri – 0x09AL for finding and reporting this issue.

We highly recommend installing this update immediately.

This release contains some other bug fixes and minor feature enhancements besides the security fix. For details, please see the changelog.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.13.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/milestones/64

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 18.04
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.13.tar.gz
tar xvfz ISPConfig-3.1.13.tar.gz
cd ispconfig3_install/install
php -q update.php

What’s new in ISPConfig 3.1.11

In the past weeks, we reviewed the ISPConfig source code for further XSS issues, and ISPConfig was tested with professional security test tools. Thank you very much to Fábián Patrik for his efforts in testing ISPConfig. This uncovered more places where ISPConfig was vulnerable to XSS attacks. For all attacks, a valid ISPConfig login was required to exploit the XSS vulnerability. This release fixes the XSS issues that were found. Besides that, it includes several other bugfixes and new features.

The ISPConfig IDS system was extended to have different attack score levels for users and the admin. This drastically reduced the false positive rate and made it possible to enable the IDS by default now. The IDS settings can be found in the file /usr/local/ispconfig/security/security_settings.ini

A new feature has been added to change the document root directory on nginx servers to a sub folder. More: https://git.ispconfig.org/ispconfig/ispconfig3/merge_requests/698

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.11.tar.gz

Changelog

https://git.ispconfig.org/dashboard/issues?milestone_title=3.1.11&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.11.tar.gz
tar xvfz ISPConfig-3.1.11.tar.gz
cd ispconfig3_install/install
php -q update.php

What’s new in ISPConfig 3.1.10

This update fixes several XSS vulnerabilities that were found in ISPConfig. A valid ISPConfig login is required to exploit the XSS vulnerabilities. The release includes other bugfixes and some minor improvements as well. See changelog link below for details.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.10.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.10&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.10.tar.gz
tar xvfz ISPConfig-3.1.10.tar.gz
cd ispconfig3_install/install
php -q update.php

What’s new in ISPConfig 3.1.9

This release contains an important security fix for an authenticated local root vulnerability in the ISPConfig website cron system. The vulnerability has been assigned the CVE number CVE-2017-17384 and was reported to us by Chris Kessler. The update should be installed immediately. All ISPConfig 3 versions before 3.1.9 are affected.

An attacker requires one of the following: the correct ISPConfig admin password, a remote user (valid username and password) that has permission to create cronjobs, or a client login with permission to create cronjobs.

We received reports that the net is currently being scanned for ISPConfig installations with weak admin passwords, especially for systems with the password 'admin'. Ensure that your system uses a strong admin user password to protect your server!

The ISPConfig 3.1.9 release scans your system for potentially malicious cronjobs and will report them during the update.

If you cannot install the update right now, a possible temporary way to prevent the attack is to disable the cron plugin by removing its symlink like this:

rm -f /usr/local/ispconfig/server/plugins-enabled/cron_plugin.inc.php

It is not possible to create cronjobs from within ISPConfig after you have deleted that symlink (cronjobs will still show up in the ISPConfig UI in that case, but will not get added to the Linux cron.d directory). To get the cron functionality back, the symlink in the plugins-enabled folder pointing to the cron plugin in the plugins-available folder has to be added again.

If you would like to scan your system for potentially malicious cronjobs on the shell, use this command (copy and paste it into the shell as the root user to execute it):

IFS=$'\n' ;
for F in $(find /etc/cron.d -type f -name "ispc_*") ; do
 USR=${F:17} ;
 if [[ "$USR" = "chrooted_"* ]] ; then
  USR=${USR:9} ;
 fi ;
 USR=${USR%.*} ;
 echo "Checking cron file $F for user $USR";
 for L in $(awk '{print $6}' "$F") ; do
  if [[ "$USR" != "$L" ]] ; then
   echo "WARNING: $F contains cron job for user $L" ;
  fi ;
 done ;
done
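
The same check, written here as an added example (not ISPConfig's own code) that goes slightly beyond the command above: it skips comments and variable assignments such as MAILTO=, reads the user from field 2 on @reboot-style lines, and reports the line number. The function names and the sample files are constructed for illustration; only the ispc_ and ispc_chrooted_ file name prefixes come from the command above.

```shell
#!/bin/sh
# Added example, not ISPConfig code: flag cron.d entries whose user field
# differs from the account encoded in the file name.

scan_ispc_cron() {
    dir=${1:-/etc/cron.d}
    for f in "$dir"/ispc_*; do
        [ -f "$f" ] || continue
        owner=${f##*/ispc_}        # drop directory and "ispc_" prefix
        owner=${owner#chrooted_}   # ispc_chrooted_<user> belongs to <user>
        owner=${owner%.*}          # drop an extension, like the command on the page
        awk -v owner="$owner" -v file="$f" '
            /^[ \t]*#/ || NF == 0 { next }                   # comment or blank line
            /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { next }  # MAILTO=, PATH=, ...
            { user = ($1 ~ /^@/) ? $2 : $6 }   # @reboot etc. have no time fields
            user == "" { user = "(missing)" }  # malformed line: report it as well
            user != owner {
                printf "WARNING: %s line %d runs as %s, expected %s\n",
                       file, NR, user, owner
            }
        ' "$f"
    done
}

# Constructed sample files (not taken from a real server).
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' "MAILTO=''" '# nightly job' \
        '15 3 * * * web1 /usr/bin/true' > "$d/ispc_web1"
    printf '%s\n' "MAILTO=''" \
        '*/5 * * * * web2 /usr/bin/true' \
        '0 4 * * * root /usr/bin/true' \
        '@reboot root /usr/bin/true' > "$d/ispc_chrooted_web2"
    echo "$d"
}

samples=$(make_samples)
scan_ispc_cron "$samples"   # two warnings, both for ispc_chrooted_web2
rm -rf "$samples"
```

Called without an argument, scan_ispc_cron reads /etc/cron.d, which requires root on most systems.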

The 3.1.9 release contains some other minor bugfixes besides the security fix. Please see the release notes for details.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.9.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.9&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.9.tar.gz
tar xvfz ISPConfig-3.1.9.tar.gz
cd ispconfig3_install/install
php -q update.php

ISPConfig 3.1.8 Released

Thursday, November 9, 2017

What’s new in ISPConfig 3.1.8

This release adds support for Ubuntu 17.10 and fixes several bugs. ISPConfig supports PHP 7.1 as main PHP version now.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.8.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.8&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.8.tar.gz
tar xvfz ISPConfig-3.1.8.tar.gz
cd ispconfig3_install/install
php -q update.php

ISPConfig 3.1.7 Released

Monday, September 25, 2017

What’s new in ISPConfig 3.1.7

This release adds a new search path for the latest Let’s Encrypt certbot program and fixes some minor bugs.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.7.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.7&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.04
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.7.tar.gz
tar xvfz ISPConfig-3.1.7.tar.gz
cd ispconfig3_install/install
php -q update.php

ISPConfig 3.1.6 Released

Thursday, July 20, 2017

What’s new in ISPConfig 3.1.6

This release adds remote API functions to set values in the global and system configuration and fixes some minor bugs.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.6.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.6&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.04
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.6.tar.gz
tar xvfz ISPConfig-3.1.6.tar.gz
cd ispconfig3_install/install
php -q update.php

ISPConfig 3.1.5 Released

Thursday, June 29, 2017

What’s new in ISPConfig 3.1.5

This release contains an important security fix. A user that is logged into ISPConfig was able to view contact details of other users due to an insufficient privilege check. Some minor bugs have been fixed in this release as well, see changelog in issue tracker for details.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.5.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.5&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.04
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.5.tar.gz
tar xvfz ISPConfig-3.1.5.tar.gz
cd ispconfig3_install/install
php -q update.php

ISPConfig 3.1.4 Released

Tuesday, June 20, 2017

What’s new in ISPConfig 3.1.4

This release adds support for Debian 9 (Stretch) and fixes some minor bugs.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.4.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.4&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.04
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.4.tar.gz
tar xvfz ISPConfig-3.1.4.tar.gz
cd ispconfig3_install/install
php -q update.php

ISPConfig 3.1.2 Released

Wednesday, January 25, 2017

What’s new in ISPConfig 3.1.2

This release contains a security fix and several bug fixes.

SSH user certificates were not created securely in ISPConfig versions < 3.1.2. The code to create the SSH private and public key has been completely rewritten and placed into a central function for easier maintenance in ISPConfig 3.1.2 to solve this problem. Thank you very much to Greg for reporting this issue.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.2.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/issues?assignee_id=&author_id=&label_name=&milestone_title=3.1.2&scope=all&sort=id_desc&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Jessie (8.0) and Debian testing
– Ubuntu 7.10 – 16.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.2.tar.gz
tar xvfz ISPConfig-3.1.2.tar.gz
cd ispconfig3_install/install
php -q update.php