ISPConfig 3.1.15p3 Released – Security Bugfix Release

An SQL injection vulnerability has been discovered in ISPConfig. This release fixes that issue.

Thanks to Paolo Serracino for finding and reporting this issue!

Who is affected by this issue?

Most likely your system is not affected: the vulnerable code is part of an undocumented feature that is not enabled by default. Enabling it requires manually editing the ISPConfig security_settings.ini file, and only systems where it has been enabled are vulnerable.

Run this command as root user to find out if your ISPConfig installation is affected:

grep reverse_proxy_panel_allowed /usr/local/ispconfig/security/security_settings.ini

If the result is:

reverse_proxy_panel_allowed=sites

then your system is vulnerable.

If the result is:

reverse_proxy_panel_allowed=none

or

reverse_proxy_panel_allowed=all

or you get no result at all, then your system is not vulnerable to the issue. ISPConfig versions below 3.1.13 are generally not affected.
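The check above can be wrapped in a small script so it can be run across many servers or from configuration management. The following is an added example and not part of the ISPConfig release or its tooling. It assumes ISPConfig reads security_settings.ini like a PHP ini file (lines beginning with ';' or '#' are comments, whitespace around '=' is ignored, and the last assignment of a key wins); note that the plain grep in the advisory also prints commented-out lines, which this function ignores. The function names and the "vulnerable"/"not-vulnerable" output words are the example's own.

```shell
#!/bin/sh
# Added example (not ISPConfig project code): classify an ISPConfig
# security_settings.ini by its effective reverse_proxy_panel_allowed value.
# Assumptions: PHP-style ini parsing (';' or '#' comment lines, whitespace
# around '=' ignored, last assignment wins, optional double quotes around
# the value). Only the three values named in the advisory are documented.

INI_DEFAULT=/usr/local/ispconfig/security/security_settings.ini

# Print the effective value of reverse_proxy_panel_allowed from the given ini
# file (default: the live ISPConfig file). Prints nothing if the file is
# missing/unreadable or the key is not set, matching "no result at all".
revproxy_value() {
    ini="${1:-$INI_DEFAULT}"
    [ -r "$ini" ] || return 0
    sed -n \
        -e '/^[[:space:]]*[;#]/d' \
        -e 's/^[[:space:]]*reverse_proxy_panel_allowed[[:space:]]*=[[:space:]]*//p' \
        "$ini" \
      | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' \
      | tail -n 1
}

# Print "vulnerable" if the affected setting is active (value "sites"),
# otherwise "not-vulnerable" (value "none", "all", or key absent).
revproxy_status() {
    case "$(revproxy_value "$1")" in
        sites) echo vulnerable ;;
        *)     echo not-vulnerable ;;
    esac
}

# Stand-alone use: run as root with no argument to check the live file, or
# pass an alternative ini path (e.g. a copy pulled from another host).
revproxy_status "$@"
```

Because the value is read from the last uncommented assignment rather than from any line containing the key, a file where someone commented out `sites` and re-added `none` below it is correctly reported as not vulnerable.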

Affected users should patch their systems immediately. All other users can install the patch as well; it has no negative effect on any ISPConfig functions.

How to patch your system?

There are two ways to install the security patch.

1) Update to ISPConfig 3.1.15p3 the usual way with the ispconfig_update.sh command. Reconfiguring services is not required when updating from 3.1.15p2.

2) Use the ISPConfig patch tool. Run this command as root or via sudo:

ispconfig_patch

when the tool requests a patch ID, enter:

3114_revproxy

The patch tool downloads the patch from ispconfig.org and applies it to your system. If the patch tool reports an error, install the update via method (1) instead.
