This is a security patch release. It fixes a PHP code injection vulnerability in the ISPConfig language file editor.
The vulnerability requires that the attacker is logged in as the ‘admin’ user (the account with superadmin privilege) in ISPConfig, so an attacker must know the administrator password or obtain access to an active admin session. Logins from Clients, Resellers, or Email users are not affected, nor are logins from additionally created admin users.
Also not affected are systems where the language editor is disabled. The language editor can be disabled by setting:
admin_allow_langedit=no
in the file /usr/local/ispconfig/security/security_settings.ini.
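An added audit helper (not ISPConfig's own code) that reads security_settings.ini and reports whether the setting above is in effect. The [permissions] section name and the sample file content are constructed for this example; the check is deliberately conservative and treats anything other than an explicit "no" as enabled.

```python
"""Audit helper: is the ISPConfig language editor disabled?"""
from pathlib import Path

# Default location named in the advisory.
SECURITY_SETTINGS = Path("/usr/local/ispconfig/security/security_settings.ini")

# Constructed sample content; the section name is an assumption.
SAMPLE_INI = """\
; ISPConfig security settings (constructed sample)
[permissions]
admin_allow_langedit = yes   ; editor enabled
admin_allow_new_admin=no
"""

_KEY = "admin_allow_langedit"


def parse_langedit(text):
    """Return the value of admin_allow_langedit, or None if it is not set.

    Tolerates section headers, ';' and '#' comments, whitespace around '='
    and quoted values; the last occurrence wins, as in typical INI parsers.
    """
    value = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip().lower() == _KEY:
            value = val.strip().strip("\"'").lower()
    return value


def langedit_enabled(text):
    """Conservative check: only an explicit 'no' counts as disabled
    (assumption: a missing key is reported as enabled, to be safe)."""
    return parse_langedit(text) != "no"


def audit(path=SECURITY_SETTINGS):
    """Read the live settings file and return a one-line finding."""
    text = path.read_text() if path.exists() else ""
    if langedit_enabled(text):
        return f"language editor enabled: set {_KEY}=no in {path}"
    return "ok: language editor disabled"
```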
Thank you to Egidio Romano from Karma(In)Security for reporting this issue.
You can see the full changelog here:
https://git.ispconfig.org/ispconfig/ispconfig3/-/milestones/90
Please take a look at the bug tracker. You can report bugs at https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
– Debian 9 – 12 (recommended) and Debian testing
– Ubuntu 18.04 LTS – 22.04 LTS (recommended)
– CentOS 7 – 8
https://www.ispconfig.org/downloads/ISPConfig-3.2.11p1.tar.gz
The installation instructions for ISPConfig can be found here:
https://www.ispconfig.org/ispconfig-3/documentation/
You can update to ISPConfig 3.2.11p1 by using the ispconfig_update.sh command.
In case you need to run the update manually without using ispconfig_update.sh, use the manual download procedure below:
Run the following commands as root user on your ISPConfig server:
cd /tmp
wget https://www.ispconfig.org/downloads/ISPConfig-3.2.11p1.tar.gz
tar xvfz ISPConfig-3.2.11p1.tar.gz
cd ispconfig3_install/install
php -q update.php