ISPConfig 3.1.13 Released – Important Security Bugfix
What’s new in ISPConfig 3.1.13
A security vulnerability has been found in ISPConfig which might allow a client to execute code under the permissions of the ispconfig user.
The following two requirements must be met for this:
– The attacker must have a valid ISPConfig login (Client, Reseller or Admin – username and password).
– The attacker must be able to create a website on the same server where the ISPConfig interface is hosted, or must have some other kind of local file system access that allows uploading files to the server where the ISPConfig interface is hosted.
Thank you very much to Rio Sherri – 0x09AL for finding and reporting this issue.
We highly recommend installing this update immediately.
This release contains some other bug fixes and minor feature enhancements besides the security fix. For details, please see the changelog.
Download
The software can be downloaded here:
http://www.ispconfig.org/downloads/ISPConfig-3.1.13.tar.gz
Changelog
https://git.ispconfig.org/ispconfig/ispconfig3/milestones/64
Known Issues
Please take a look at the bug tracker:
https://git.ispconfig.org/ispconfig/ispconfig3/issues
Bug Reporting
Please report bugs to the ISPConfig bug tracking system:
https://git.ispconfig.org/ispconfig/ispconfig3/issues
Supported Linux Distributions
– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 18.04
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15
Installation
The installation instructions for ISPConfig can be found here:
http://www.ispconfig.org/ispconfig-3/documentation/
Update
To update existing ISPConfig 3 installations, run these commands in the shell:
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.13.tar.gz
tar xvfz ISPConfig-3.1.13.tar.gz
cd ispconfig3_install/install
php -q update.php