ISPConfig 3.0.5.4 Patch 3 is available for download. This is a patch release for ISPConfig 3.0.5.4 that fixes some issues that were found in the last version and adds several security enhancements. See the changelog link below for a list of all changes that are included in this release.

--------------------------------------------------------------------------------
- IMPORTANT: Security Warning
--------------------------------------------------------------------------------

We received an email notification that a remote root exploit for ISPConfig shall be released on August 15. The author of this potential exploit did not provide us with details on the exploit upfront of the planned public release, so we neither know what it affects nor if it exists at all. If it exists, then we will provide a fix as soon as possible. If you know any details about the exploit or find the exploit on the internet, then please contact us by email to dev [at] ispconfig [dot] org.

We highly recommend that you use the new security features below to protect your system. If possible you should use the .htaccess protection as well until we know more about the issue.

----------------------------------------------------------------------------------
- UPDATE 2014-08-21 on security warning
----------------------------------------------------------------------------------

We received a message from the person that planned to release the exploit that he will not release the exploit publicly. We also received some details on the way it affected ISPConfig. If the details that we have are complete, then the exploit required a valid ispconfig administrator password. So only the person that administers the server could attack it; neither clients nor resellers nor persons without an ispconfig login were able to do the attack.
The function related to apache settings that was misused in conjunction with a third party exploit module is an intended admin functionality, so one could argue if a correctly authenticated system admin should be able to configure apache freely through a web interface or not. In any case, we will add a set of filters to prevent this kind of access by the admin user. Some users will miss the functionality that we will disable with the filters, so these filters will be made configurable through the system_settings.ini. So every root user can then decide on their own if they want to allow the ispconfig admin user to do this kind of configuration through the ISPConfig web interface or not.

--------------------------------------------------------------------------------
- NEW Security Features
--------------------------------------------------------------------------------

This version contains a new set of security settings that allows the root user of a server to limit the access of the ispconfig "admin" user. There is also a new security check script that can warn the root user when changes in /etc/passwd, /etc/shadow or /etc/group occur or when an additional ispconfig administrator user is added in ISPConfig.

The settings for the security limits and security check can be found in this file:

/usr/local/ispconfig/security/security_settings.ini

A detailed description of all settings can be found in the file /usr/local/ispconfig/security/README.txt

The most important features are
--------------------------------

allow_shell_user=yes/no

If you want to prevent that shell users for websites get added to your server, then set this option to "no". If this server is a server that does not host websites, like a mailserver or dns server node, then this option should be set to "no" as well.

remote_api_allowed=yes/no

If you do not use the remote API, then set this to "no".
admin_allow_* = yes/no/superuser

The admin_allow_* features control which parts of the System module in ISPConfig can be accessed by the admin user. You should disable all functions that you don't need in the security settings by setting them to "no". The option "superuser" limits a function to the administrator with userid = 1, so if you created additional administrators, then these will not be able to access these functions.

--------------------------------------------------------------------------------------
- NEW: Protect the ISPConfig Interface with .htaccess
--------------------------------------------------------------------------------------

We added a script that makes it easy to protect the ISPConfig Interface with a .htaccess password protection. This script adds an apache password prompt in front of the ispconfig Interface and exports all ispconfig client users into a .htpasswd file, so all client logins will still work.

Run the following command as root user to activate the script:

php /usr/local/ispconfig/server/scripts/ispconfig_htaccess.php

You can use the same command at any time to update the user list.

In case that you want to remove the protection again, run:

rm -f /usr/local/ispconfig/interface/web/.htaccess
rm -f /usr/local/ispconfig/interface/.htpasswd

For nginx webservers, edit the file /etc/nginx/sites-available/ispconfig.vhost and add the lines:

auth_basic "Members Only";
auth_basic_user_file /usr/local/ispconfig/interface/.htpasswd;

right after line 35: "fastcgi_temp_file_write_size 256k;".
-----------------------------------------------------
- Download
-----------------------------------------------------

The software can be downloaded here:

http://prdownloads.sourceforge.net/ispconfig/ISPConfig-3.0.5.4p3.tar.gz

------------------------------------
- Changelog
------------------------------------

http://bugtracker.ispconfig.org/index.php?do=index&tasks=&project=3&due=81&status[]=

--------------------------------------
- Known Issues:
--------------------------------------

Please take a look at the bugtracker:

http://bugtracker.ispconfig.org

--------------------------------------
- BUG Reporting
--------------------------------------

Please report bugs to the ISPConfig bugtracking system:

http://bugtracker.ispconfig.org

----------------------------------------
- Supported Linux Distributions
----------------------------------------

- Debian Etch (4.0) - Wheezy (7.0) and Debian testing
- Ubuntu 7.10 - 14.04
- OpenSuSE 11 - 13.1
- CentOS 5.2 - 6.5
- Fedora 9 - 15

-----------------------------------------
- Installation
-----------------------------------------

The installation instructions for ISPConfig can be found here:

http://www.ispconfig.org/ispconfig-3/documentation/

or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.

------------------------------------------
- Update
------------------------------------------

To update existing ISPConfig 3 installations, run this command on the shell:

ispconfig_update.sh

Select "stable" as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.

Detailed instructions for making a backup before you update can be found here:

http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-update-ispconfig-3/

If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.
-------------------------------------------
- Manual update instructions
-------------------------------------------

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php
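The release notes above describe a security check script that warns root when /etc/passwd, /etc/shadow or /etc/group change. The following is an added example of that kind of check, not ISPConfig's own script: a POSIX shell function that compares SHA-256 sums of the account files against a stored baseline and prints the paths that changed, so that cron mails them to root. The baseline location, the file list and the SYSFILE_BASELINE variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not ISPConfig's own security check script: report changes to
# the system account files by comparing SHA-256 sums against a stored baseline.
# Run it from root's crontab; cron mails any output (the changed paths) to root.
#
# Usage: sysfile_check BASELINE_FILE FILE...
#   first run : writes the baseline, returns 0
#   later runs: returns 0 if nothing changed; returns 1 and prints each
#               modified, added or removed path if something did, then
#               refreshes the baseline so each change is reported once.
# Keep BASELINE_FILE somewhere only root can write (e.g. under /root).
sysfile_check() {
    baseline=$1
    shift
    # Current state: one "hash  path" line per file, or a MISSING marker
    current=$(for f in "$@"; do
        if [ -f "$f" ]; then sha256sum "$f"; else echo "MISSING  $f"; fi
    done)
    if [ ! -f "$baseline" ]; then
        printf '%s\n' "$current" > "$baseline"
        return 0
    fi
    # Lines that differ between baseline and current, reduced to their paths
    changed=$(printf '%s\n' "$current" | diff "$baseline" - \
        | sed -n 's/^[<>] [^ ]*  //p' | sort -u)
    printf '%s\n' "$current" > "$baseline"
    if [ -n "$changed" ]; then
        printf '%s\n' "$changed"
        return 1
    fi
    return 0
}

# Real invocation (assumed paths): only runs when SYSFILE_BASELINE is set, e.g.
#   SYSFILE_BASELINE=/root/.sysfile_baseline sh sysfile_check.sh
if [ -n "$SYSFILE_BASELINE" ]; then
    sysfile_check "$SYSFILE_BASELINE" /etc/passwd /etc/shadow /etc/group
fi
```

A crontab line such as `*/5 * * * * SYSFILE_BASELINE=/root/.sysfile_baseline /root/sysfile_check.sh` (paths assumed) is enough, since cron mails the printed paths to root.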
Thank you for looking after us! I updated my Debian servers with no problem! Do I need to restart ISPConfig after making changes to "/usr/local/ispconfig/security/security_settings.ini"?
New Features, Manual I was just wondering, have there really been no updates made to the ISPConfig user manual since 2013? Is there any documentation on the newer features/changes? This was pretty much the main reason I got a subscription to SourceForge to begin with. It would be nice to have the newest documentation handy, rather than go searching through the support forum for answers. Thanks.
This depends on your current version. If you have 3.0.5.4p1 or 3.0.5.4p2 installed, then you can leave out reconfigure services, but apache / nginx has to be restarted manually after the update.
Please see the date of the post, the announced release date is today. I don't know if it will be released today or not and I don't know where it will be released, so even if it would get released today, this does not mean that we will find it on the same day.
For us that have restricted access with htaccess, we need to manually run

php /usr/local/ispconfig/server/scripts/ispconfig_htaccess.php

every time a client's password is changed? Can you automate this? Maybe add execution of ispconfig_htaccess.php to server.sh?
You can either add this at the end of server.sh or as a cronjob, e.g. every 5 minutes in the root crontab. I will develop a server plugin that handles this better when a client is changed, but this will take a few days.
webmail not functional
Hi there, since this update my webmail on the url https://domain:8080/webmail is not functional. Instead of webmail I see pure php code of roundcube like:

<?php
/*
+-------------------------------------------------------------------------+
| Roundcube Webmail IMAP Client |
| Version ...

Is there some security restriction? Or what can be the problem?

root@server:/usr/local/ispconfig/interface/web# ls -la | grep webmail
lrwxrwxrwx 1 ispconfig ispconfig 30 Mar 9 2011 webmail -> /usr/share/roundcubemail

(it's a symlink to the roundcube install dir)
Thanks
Most likely the line:

AddType application/x-httpd-php .php

is missing in the roundcube apache config file inside the <Directory ....> directive for the roundcube installation directory.
admin_allow_remote_users failed
Hi,
Server: Centos 6.5, ISPConfig 3.0.5.4p3
Since the update, the users in the admin group don't have access to the admin functions. Only the original "admin" ispconfig user has access to admin functions.

Here is the message when I click remote user under some user in the admin group:

Error
Check for security permission: admin_allow_remote_users failed.

And the remote user functions are not working anymore. I use this user from an external api to feed config into ispconfig. It was working before the update but now nothing works.

Admin functions: Here is the error message with another user in the admin group when I try to access the firewall:

Error
Check for security permission: admin_allow_firewall_config failed.

Again, if I log in with the original user "admin" from ispconfig, I have access to everything. Am I the only one with this trouble?
Please read the release notes about the new security features, they are in the first post of this thread.
SOAP Error: after updating to p3 I get a SOAP Error. How do I get info on this error? Is there an option to follow the soap call? Kind regards,
Did you enable the .htaccess protection? If yes, then you have to allow the ip from where you connect to the api in the .htaccess file.