An XSS vulnerability has been found in the ISPConfig 3 module changer script.
Exploiting the vulnerability requires a valid user login to ISPConfig;
unauthenticated users are not affected.
Vulnerable versions:
All recent ISPConfig 3 releases.
Fix:
A patch for ISPConfig 3.0.5.4p5 is available through the ISPConfig patch tool.
Patch Installation:
Run the command:
ispconfig_patch
as the root user on the shell and enter:
3054_capp
as patch code. The patch tool will download the patch from
ispconfig.org and apply it.
Credits:
We thank Alain Homewood for informing us about this issue.
Alain Homewood
PwC New Zealand
http://www.pwc.co.nz/services/assurance-services/pwc-security/