CVE-2023-46818: ISPConfig 3.2.11p1 Released - ISPConfig
An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if admin_allow_langedit is enabled.
This is a security patch release; it fixes a PHP code injection vulnerability in the ISPConfig language file editor.
The vulnerability requires that the attacker is logged in to ISPConfig as the ‘admin’ user (the account with superadmin privilege), so an attacker must know the administrator password or gain access to an active admin session. Logins from Clients, Resellers, or Email users are not affected, and neither are logins from additionally created admin users.
Also not affected are systems where the language editor is disabled. The language editor can be disabled by setting:
admin_allow_langedit=no
in the file /usr/local/ispconfig/security/security_settings.ini.
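As an added check (not part of the ISPConfig release notes or code base), the following POSIX shell script reads admin_allow_langedit from security_settings.ini and reports whether the language editor is still enabled. It assumes plain key=value lines (section headers are ignored, comments start with ';' or '#'); the ISPCONFIG_SECURITY_INI variable and the ini_get/langedit_check function names are the example's own.

```shell
#!/bin/sh
# Added example, not ISPConfig's own code. Reports whether the ISPConfig language
# editor (the component affected by CVE-2023-46818) is enabled on this host.
# Assumption: the ini holds "key=value" lines; sections are ignored, last match wins.
INI_FILE="${ISPCONFIG_SECURITY_INI:-/usr/local/ispconfig/security/security_settings.ini}"

# Print the effective value of key $2 in file $1, or "missing" if it is not set.
ini_get() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }            # skip comment lines
        /=/ {
            k = $0; sub(/=.*/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                gsub(/^["'\'']|["'\'']$/, "", v)  # strip surrounding quotes
                val = v; found = 1
            }
        }
        END { print (found ? val : "missing") }
    ' "$1"
}

# Exit 0 when the editor is disabled (admin_allow_langedit=no), 1 otherwise.
langedit_check() {
    v=$(ini_get "$1" admin_allow_langedit)
    case "$v" in
        no|No|NO)
            echo "language editor disabled (admin_allow_langedit=$v)"; return 0 ;;
        missing)
            echo "admin_allow_langedit not set in $1; verify the ISPConfig default"; return 1 ;;
        *)
            echo "language editor ENABLED (admin_allow_langedit=$v): set it to no or update to 3.2.11p1"
            return 1 ;;
    esac
}

# Run the check only when invoked with a file argument (or on the default path if given).
if [ -n "${1:-}" ]; then
    langedit_check "$1"
    exit $?
fi
```

Run it as `sh check_langedit.sh /usr/local/ispconfig/security/security_settings.ini`; a non-zero exit status means the editor is enabled or the setting could not be determined.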
Thank you to Egidio Romano from Karma(In)Security for reporting this issue.
You can see the full changelog here:
https://git.ispconfig.org/ispconfig/ispconfig3/-/milestones/90
Known issues
Please take a look at the bug tracker:
https://git.ispconfig.org/ispconfig/ispconfig3/-/issues?scope=all&utf8=%E2%9C%93&state=opened&label_name[]=Bug
You can report bugs at https://git.ispconfig.org/ispconfig/ispconfig3/-/issues
Supported Linux Distributions
– Debian 9 – 12 (recommended) and Debian testing
– Ubuntu 18.04 LTS – 22.04 LTS (recommended)
– CentOS 7 – 8
Download ISPConfig 3.2.11p1
https://www.ispconfig.org/downloads/ISPConfig-3.2.11p1.tar.gz
The installation instructions for ISPConfig can be found here:
https://www.ispconfig.org/ispconfig-3/documentation/
How can I update to ISPConfig 3.2.11p1?
You can update to ISPConfig 3.2.11p1 by using the ispconfig_update.sh command.
Manual update instructions
In case you need to run the update manually without using ispconfig_update.sh, use the manual download procedure below:
Run the following commands as root user on your ISPConfig server:
cd /tmp
wget https://www.ispconfig.org/downloads/ISPConfig-3.2.11p1.tar.gz
tar xvfz ISPConfig-3.2.11p1.tar.gz
cd ispconfig3_install/install
php -q update.php