ISPConfig 3.1.14p2 Released – Important Security Bugfix

What’s new in ISPConfig 3.1.14p2

A security vulnerability has been found in ISPConfig which might allow a client to create folders outside of his web root and to alter permissions of folders outside of the web root.

The following two requirements must be met for this:

– The attacker must have a valid ISPConfig login (Client, Reseller or Admin – username and password).
– The attacker must have the website module enabled for his ISPConfig account and he must have the permission in his client limit settings to add or edit FTP users.

All ISPConfig 3 versions before ISPConfig 3.1.14p2 are affected.

Thank you very much to WHO for finding and reporting this issue.

We highly recommend installing this update immediately. Either by installing the ISPConfig update on the regular way or by applying just the security patch by using the ISPConfig patch tool.

To start the patch tool, run the command:

ispconfig_patch

as root user on the shell. When the command asks for the patch ID, enter: 3114_ftpuser

The patch tool should be able to apply the fix on versions released since 2015. If you get a patch error displayed, then you must use the regular update instead.

This release contains some other bug fixes and minor feature enhancements besides the security fix. For details, please see the changelog.