ISPConfig 3.1.11 Released – Security and Bugfix update

What’s new in ISPConfig 3.1.11

In the past weeks, we reviewed the ISPConfig source code for further XSS issues, and ISPConfig was tested with professional security test tools. Thank you very much to Fábián Patrik for his efforts in testing ISPConfig. This uncovered more places where ISPConfig was vulnerable to XSS attacks. For all attacks, a valid ISPConfig login was required to exploit the XSS vulnerability. This release fixes the XSS issues that were found. Besides that, it includes several other bugfixes and new features.

The ISPConfig IDS system was extended to have different attack score levels for users and the admin. This drastically reduced the false positive rate and made it possible to enable the IDS by default. The IDS settings can be found in the file /usr/local/ispconfig/security/security_settings.ini

A new feature has been added to change the document root directory on nginx servers to a subfolder. More: https://git.ispconfig.org/ispconfig/ispconfig3/merge_requests/698

Download

The software can be downloaded here:

http://www.ispconfig.org/downloads/ISPConfig-3.1.11.tar.gz

Changelog

https://git.ispconfig.org/dashboard/issues?milestone_title=3.1.11&state=closed

Known Issues

Please take a look at the bug tracker:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Bug Reporting

Please report bugs to the ISPConfig bug tracking system:

https://git.ispconfig.org/ispconfig/ispconfig3/issues

Supported Linux Distributions

– Debian Etch (4.0) – Stretch (9.0) and Debian testing
– Ubuntu 7.10 – 17.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 7
– Fedora 9 – 15

Installation

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

Update

To update existing ISPConfig 3 installations, run these commands in the shell:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3.1.11.tar.gz
tar xvfz ISPConfig-3.1.11.tar.gz
cd ispconfig3_install/install
php -q update.php