An SQL injection vulnerability has been discovered in ISPConfig. This release fixes that issue.
Thanks to Paolo Serracino for finding and reporting this issue!
Who is affected by this issue?
Most likely your system is not affected by the issue, because the vulnerable code is part of an undocumented feature that is not used by default. Activating it requires manually editing the ISPConfig security_settings.ini file, and only then does your system become vulnerable.
Run this command as root user to find out if your ISPConfig installation is affected:
grep reverse_proxy_panel_allowed /usr/local/ispconfig/security/security_settings.ini
If the result is:
reverse_proxy_panel_allowed=sites
then your system is vulnerable.
If the result is:
reverse_proxy_panel_allowed=none
or
reverse_proxy_panel_allowed=all
or you get no result at all, then your system is not vulnerable to the issue. ISPConfig versions below 3.1.13 are generally not affected.
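The check above, as an added script that is not part of the ISPConfig release: it reads security_settings.ini (path given as the first argument, defaulting to the location from the grep command), takes the last active reverse_proxy_panel_allowed assignment while ignoring commented-out lines and surrounding whitespace, and classifies the result exactly as the advisory does. The sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not ISPConfig's own code. Classifies an ISPConfig
# security_settings.ini according to the advisory's rule:
#   reverse_proxy_panel_allowed=sites   -> vulnerable
#   =none, =all, or no assignment       -> not vulnerable

ispconfig_revproxy_status() {
    ini="${1:-/usr/local/ispconfig/security/security_settings.ini}"

    # No readable file means the undocumented feature cannot have been
    # enabled there, which the advisory treats the same as "no result".
    [ -r "$ini" ] || { echo "not-vulnerable"; return 0; }

    # Keep only active assignments (a line starting with ';' or '#' is a
    # comment), use the last one, and strip the key, '=' and whitespace.
    value=$(grep -E '^[[:space:]]*reverse_proxy_panel_allowed[[:space:]]*=' "$ini" \
            | tail -n 1 \
            | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')

    case "$value" in
        sites)        echo "vulnerable" ;;
        none|all|"")  echo "not-vulnerable" ;;
        *)            echo "unknown" ;;   # value the advisory does not describe
    esac
}

# Stand-alone demonstration on a constructed sample file.
demo_dir=$(mktemp -d)
printf 'reverse_proxy_panel_allowed=sites\n' > "$demo_dir/sample.ini"
echo "sample.ini: $(ispconfig_revproxy_status "$demo_dir/sample.ini")"
rm -rf "$demo_dir"
```

Run it with no argument on an ISPConfig host to check the live file; anything other than "not-vulnerable" should be followed by installing the update or patch described below.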
Affected users should patch their system immediately. All other users can install the patch as well; it has no negative effect on any ISPConfig functions.
How to patch your system?
There are two ways to install the security patch.
1) Update to ISPConfig 3.1.15p3 the usual way with the ispconfig_update.sh command. Reconfiguring services is not required when updating from 3.1.15p2.
2) Use the ISPConfig patch tool. Run this command as root or via sudo:
ispconfig_patch
when the tool requests a patch ID, enter:
3114_revproxy
The patch tool will download the patch from ispconfig.org and apply it to your system. In case you get a patch error, install the update via method (1) instead.
The software can be downloaded here:
http://www.ispconfig.org/downloads/ISPConfig-3.1.15p3.tar.gz
Please take a look at the bug tracker:
https://git.ispconfig.org/ispconfig/ispconfig3/issues
Please report bugs to the ISPConfig bug tracking system:
https://git.ispconfig.org/ispconfig/ispconfig3/issues
– Debian 9 – 10 and Debian testing
– Ubuntu 16.04 LTS – 18.04 LTS
– OpenSuSE 11 – 13.2
– CentOS 7
– Fedora 9 – 15
The installation instructions for ISPConfig can be found here:
http://www.ispconfig.org/ispconfig-3/documentation/
ISPConfig can be updated to version 3.1.15p3 by running the command:
ispconfig_update.sh
as root user on the shell. Choose ‘stable’ as the update source.
In case you have any issues with updating ISPConfig through the ispconfig_update.sh command, use the manual update instructions below.
To update existing ISPConfig 3 installations, run these commands in the shell:
cd /tmp
wget https://www.ispconfig.org/downloads/ISPConfig-3.1.15p3.tar.gz
tar xvfz ISPConfig-3.1.15p3.tar.gz
cd ispconfig3_install/install
php -q update.php