ISPConfig released and Security Warning

Discussion in 'General' started by till, Aug 15, 2014.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig Patch 3 is available for download. This is a patch release for
    ISPConfig that fixes some issues that were found in the last version
    and adds several security enhancements.

    See changelog link below for a list of all changes that are included in this release.

    - IMPORTANT: Security Warning

    We received a email notification that a remote root exploit for ISPConfig shall
    be released on August 15. The author of this potential exploit did not provide
    us with details on the exploit upfront of the planned public release, so we neither
    know what it affects nor if it exists at all. If it exists, then we will provide a
    fix as soon as possible. If you know any details about the exploit or find the exploit
    on the internet, then please contact us by email to dev [at] ispconfig [dot] org.

    We highly recommend that you use the new security features below to protect your
    system. If possible you should use the .htaccess protection as well until we know
    more about the issue.

    - UPDATE 2014-08-21 on security warning

    We received a message from the person that planned to release the exploit that
    he will not release the exploit publicly. We also received some details on the way
    it affected ISPConfig. If the details that we have are complete, then the exploit
    required a valid ispconfig administrator password. So only the person that administers
    the server could attack it, neither clients nor resellers nor persons without
    a ispconfig login were able to do the attack. The function related to apache settings
    that was misused in conjunction with a third party exploit module is an intended admin
    functionality, so one could argue if a correctly authenticated system admin should be
    able to configure apache freely trough a web interface or not. In any case, we will add
    a set of filters to prevent this kind of access by the admin user. Some users will
    miss the functionality that we will disable with the filters, so these filters will be made
    configurable trough the system_settings.ini. So every root user can decide then
    on its own, if he wants to allow the ispconfig admin user to do this kind of configuration
    trough the ISPConfig web interface or not.

    - NEW Security Features

    This version contains a new set of security settings thats allows the root user
    of a server to limit the access of the ispconfig "admin" user. There is also
    a new security check script that can warn the root user when changes in
    /etc/passwd, /etc/shadow or /etc/group occur or when a additional ispconfig
    administrator user is added in ISPConfig.

    The settings for the security limits and security check can be found in this file:


    A detailed description of all settings can be found in the file


    The most important features are


    If you want to prevet that shell users for websites get added to your server, then
    set this option to "no". If this server is a server that does not host websites like
    a mailserver or dns server node, then this option should be set to "no" as well.


    If you do not use the remote API, then set this to "no".

    admin_allow_* = yes/no/superuser

    The admin_allow_* fetaures control which parts of the System module in ISPConfig can
    be accessed by the admin user. You should disable all functions that you dont need
    in the security settings by setting them to "no". The option "superuser" limits a
    function to the administrator with userid = 1, so if you created additional administrators,
    then these will not be able to access these functions.

    - NEW: Protect the ISPConfig Interface with .htaccess

    We added a script that makes it easy to protect the ISPConfig Interface with a .htaccess
    password protection. This script adds a apache password prompt in front of the ispconfig
    Interface and exports all ispconfig client users into a .htpasswd file, so all client
    logins will still work.

    Run the following command as root user to activate the script:

    php /usr/local/ispconfig/server/scripts/ispconfig_htaccess.php

    you can use the same command at any time to update the user list.

    In case that you want to remove the protection again, run:

    rm -f /usr/local/ispconfig/interface/web/.htaccess
    rm -f /usr/local/ispconfig/interface/.htpasswd

    For nginx webservers, edit the file /etc/nginx/sites-available/ispconfig.vhost
    and add the lines:

    auth_basic "Members Only";
    auth_basic_user_file /usr/local/ispconfig/interface/.htpasswd;

    right after line 35: "fastcgi_temp_file_write_size 256k;".

    - Download

    The software can be downloaded here:

    - Changelog

    - Known Issues:

    Please take a look at the bugtracker:

    - BUG Reporting

    Please report bugs to the ISPConfig bugtracking system:

    - Supported Linux Distributions

    - Debian Etch (4.0) - Wheezy (7.0) and Debian testing
    - Ubuntu 7.10 - 14.04
    - OpenSuSE 11 - 13.1
    - CentOS 5.2 - 6.5
    - Fedora 9 - 15

    - Installation

    The installation instructions for ISPConfig can be found here:

    or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.

    - Update

    To update existing ISPConfig 3 installations, run this command on the shell:

    Select "stable" as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.

    Detailed instructions for making a backup before you update can be found here:

    If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.

    - Manual update instructions

    cd /tmp
    tar xvfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    Last edited: Aug 21, 2014
  2. edge

    edge Active Member Moderator

    Thank you for lookin after us!

    I updated my Debian servers with no problem!

    Do I need to restart ISPConfig after making changes to "/usr/local/ispconfig/security/security_settings.ini"?
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    No, the changes are applied immediately.
  4. wvh

    wvh New Member

    New Features, Manual

    I was just wondering, have there really been no updates made to the ISPConfig user manual since 2013? Is there any documentation on the newer features/changes? This was pretty much the main reason I got a subscription to SourceForge to begin with. It would be nice to have the newest documentation handy, rather than go searching through the support forum for answers. Thanks.
  5. elmacus

    elmacus Active Member

    Is "reconfigure services" required on this update ?
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    This depends on your curent version. If you have or installed, then you can leave out reconfigure services, but apach / nginx has to be restarted manually after the update.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    We are working on a new update for the manual.
  8. skycity

    skycity New Member

    Was the reported "remote root exploit" ever released?
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Please see date of the post, the announced release date is today. I dont know if it will be released today or not and I dont know where it will be released, so even if it would get released today the this does not mean that we will find it on the same day.
  10. skycity

    skycity New Member

    Thanks, and I commend you on your transparency.
  11. emad

    emad Member

    All of us are waiting, for a temporary solution you can lock access to ISPConfig to your IP address.
  12. grungy

    grungy Member

    For us that have restricted access with htaccess we need to manually run

    php /usr/local/ispconfig/server/scripts/ispconfig_htaccess.php
    everytime a client's password is changed?

    Can you automate this? Maybe add execution of ispconfig_htaccess.php to ?
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    You can either add this at the end of or as cronjob e.g. every 5 minutes in root crontab. I will develop a server plugin that handles this better when a client is cahnged but but this will take a few days.
  14. Snowman

    Snowman Member

    webmail not functional

    Hi there,
    since this update my webmail on url https://domain:8080/webmail is not functional. Instead of webmail i see pure php code of roundcube like :

    | Roundcube Webmail IMAP Client |
    | Version ...

    Is there some security restriction ? or what can be the problem ?

    root@server:/usr/local/ispconfig/interface/web# ls -la | grep webmail
    lrwxrwxrwx 1 ispconfig ispconfig 30 Mar 9 2011 webmail -> /usr/share/roundcubemail (it's symlink to roundcube install dir)

  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely the line:

    AddType application/x-httpd-php .php

    is missing in the roudcube apache config file inside the <Directory ....> directive for the roundcube installation directory.
  16. spazio

    spazio Member HowtoForge Supporter

    admin_allow_remote_users failed


    Server Centos 6.5, ISPConfig
    Since the update, the user in the admin group don't have access to the admin functions.
    Only the original "admin" ispconfig user has access to admin functions:
    Here is the message when I click remote user under some user in the admin group:
    Check for security permission: admin_allow_remote_users failed.
    And the remote user function are not working anymore. I use this user from an external api to feed config in ispconfiig. I was working before the update but now nothing works.

    Admin functions:
    Here is the error message with another user in the admin group when I try to access the firewall:
    Check for security permission: admin_allow_firewall_config failed.

    Again, if I log with the original user "admin" from ispconfig, I have access to everything.

    Am I the only one with this trouble?
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Please read the release notes about the new security features, they are in the first post of this thread.
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    I've added a status update in the first post.
  19. BenM

    BenM Member

    SOAP Error:

    after updating p3 a get a SOAP Error:

    how to get info on this error? is there a option to follow the soap call?

    kind regards,
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    did you enable the .htaccess protection? If yes, then you have to allow the ip from where you connect to the api in the .htaccess file.

Share This Page