PHP-FPM vulnerability?

Discussion in 'General' started by Norman, Oct 25, 2021.

  1. Norman

    Norman Member HowtoForge Supporter

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see, it depends on the PHP version whether a setup is vulnerable or not. The PHP on your server is not from ISPConfig, so it does not matter for your system's vulnerability state whether it is using ISPConfig or not, as this seems to affect all web servers that use PHP-FPM, which are probably almost all web servers that run PHP sites today, as PHP-FPM is the most recent and most widely used PHP implementation. ISPConfig itself uses php-fcgi for its vhost on port 8080 on Apache, but this does not help, as it should be enough that one of the websites on that system uses php-fpm. On Nginx, the ISPConfig vhost uses php-fpm. You should look at the repositories of the Linux distribution that you use to see if the PHP binaries you are using are vulnerable or if they have been patched yet. As far as I can see, there is nothing that we can do from ISPConfig's side on this matter except recommend keeping your system up to date, and in case some older PHP versions don't receive updates, then you must consider discontinuing them.
     
  3. Norman

    Norman Member HowtoForge Supporter

    Debian just released a security patch for this, so looks like we're golden.

    (7.3 / 7.4)
     
