ISPConfig 3 Security Advisory 2013/08/08

Discussion in 'General' started by till, Aug 8, 2013.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig 3 Security Advisory 2013/08/08


    A security issue has been found in the sites module which allows customers to create website users
    for websites which they do not own from within the ISPConfig interface. This issue requires a valid
    ISPConfig client login and the manipulation of http variables. If a client would try to create a
    login for a different site, his actions are recorded in the sys_datalog and can be tracked down
    by the administrator even if he deletes this login again.

    Affected versions

    All ISPConfig 3 versions <


    A hotfix for ISPConfig is available at

    This hotfix needs to be applied only to servers with an ISPConfig interface; you do not need to apply this patch on slave servers without an ISPConfig interface.

    Installation instructions for the hotfix:

    Login to your server as root and execute the following commands:

    cd ispconfig-hotfix-2013-08-08/
    chmod +x
    Additionally to the hotfix, ISPConfig will be released tomorrow
    (August 09. 2013) which fixes this issue as well.


    ISPConfig was notified of this issue by researcher Tim Mishutin ( ISPConfig forum user: Almere )
    from SecureHoster (

Share This Page