What’s new in ISPConfig 3.1.13

A security vulnerability has been found in ISPConfig which might allow a client to execute code under the permissions of the ispconfig user.

The following two requirements must be met for this:

– The attacker must have a valid ISPConfig login (Client, Reseller or Admin – username and password).
– The attacker must be able to create a website on the same server where the ISPConfig interface is hosted or he must have any other kind of local file system access that allows him to upload files to the server were the ISPConfig interface is hosted on.

Thank you very much to Rio Sherri – 0x09AL for finding and reporting this issue.

We highly recommend installing this update immediately.

This release contains some other bug fixes and minor feature enhancements besides the security fix. For details, please see the changelog.

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.13.tar.gz

Changelog

https://git.ispconfig.org/ispconfig/ispconfig3/milestones/64

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

BUG Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 18.04
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.13.tar.gz
tar xvfz ISPConfig-3.1.13.tar.gz
cd ispconfig3_install/install
php -q update.php