An XSS vulnerability has been found in the ISPConfig 3 module changer script. The vulnerability requires a valid user login to ISPConfig; unauthenticated users are not affected.

Vulnerable versions: All recent ISPConfig 3 releases.

Fix: A patch for ISPConfig 3.0.5.4p5 is available through the ISPConfig patch tool.

Patch Installation: Run the command ispconfig_patch as root user on the shell and enter 3054_capp as patch code. The patch tool will download the patch from ispconfig.org and apply it.

Credits: We thank Alain Homewood for informing us about this issue.
Alain Homewood
PwC New Zealand
http://www.pwc.co.nz/services/assurance-services/pwc-security/
Thank you for the patch. Applied the patch following the above procedure and all went well. Thanks again.
Hi Till, I did some changes in an ISPC file. Can you tell me which file was affected by this recent update? I need to know so I can add my existing code to the newly updated file. Thanks in advance.
I tried it many times but get this error: "Enter patch id: 3054_aps Patch with id 3054_aps does not exist." The ISPConfig version is current; the same error comes with patch 3054_capp. I can't update the package list. Any idea what's wrong, or how to update manually?
Seems as if you run a firewall which blocks connections on port 80 to the ispconfig server. The patch tool works fine and the patches are available, just tested it:

Code:
root@server1:~# ispconfig_patch
--------------------------------------------------------------------------------
 [ASCII-art "ISPConfig" banner]
--------------------------------------------------------------------------------
>> Patch tool

Please enter the patch id that you want to be applied to your ISPConfig installation.
Please be aware that we take NO responsibility that this will work for you.
Only use patches if you know what you are doing.

Enter patch id: 3054_aps

Patch description:
--------------------------------------------------------------------------------
This patch fixes:
APS crawler: String could not be parsed as XML
--------------------------------------------------------------------------------

Do you really want to apply this patch now? (y,n) [y]: y
(Stripping trailing CRs from patch.)
patching file interface/lib/classes/aps_crawler.inc.php
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n]
Skipping patch.
2 out of 2 hunks ignored -- saving rejects to file interface/lib/classes/aps_crawler.inc.php.rej
(Stripping trailing CRs from patch.)
patching file server/lib/classes/aps_installer.inc.php
Hunk #1 succeeded at 554 (offset -1 lines).
(Stripping trailing CRs from patch.)
patching file server/lib/classes/aps_installer.inc.php
Hunk #1 succeeded at 697 (offset -1 lines).
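A small set of shell helpers around the ispconfig_patch procedure from the first post and the firewall/output diagnosis in the last, added here as an example and not code from the thread or the ISPConfig project. It assumes curl is installed, uses the ispconfig.org host named in the thread, and the transcript it parses is a constructed sample modelled on the output quoted above.

```shell
#!/bin/sh
# Added example, not part of the thread or the ISPConfig project.
# Pre-flight check for the patch download host plus a classifier for the
# patch tool's output, so "patch id unknown", "already applied" and
# rejected hunks are not mistaken for one another.

# The patch tool fetches from ispconfig.org over plain HTTP (port 80), the
# path a blocking firewall breaks. Assumes curl is installed.
check_patch_server_reachable() {
  curl --silent --max-time 10 --head "http://www.ispconfig.org/" >/dev/null
}

# Classify a saved ispconfig_patch transcript read from stdin.
# Prints one of: missing | already-applied | applied | partial | unknown
classify_patch_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'does not exist'; then
    echo missing; return 0
  fi
  ok=$(printf '%s\n' "$out" | grep -c 'Hunk #[0-9]* succeeded') || true
  rev=$(printf '%s\n' "$out" | grep -c 'Reversed (or previously applied)') || true
  if [ "$ok" -gt 0 ] && [ "$rev" -gt 0 ]; then echo partial
  elif [ "$rev" -gt 0 ]; then echo already-applied
  elif [ "$ok" -gt 0 ]; then echo applied
  else echo unknown
  fi
}

# Print the .rej files the tool saved; each one is a hunk that was NOT applied
# and needs a manual look before the server is considered patched.
list_reject_files() {
  sed -n 's/.*saving rejects to file \(.*\)$/\1/p'
}

# Constructed transcript modelled on the output quoted in the last post.
SAMPLE_TRANSCRIPT='Enter patch id: 3054_aps
patching file interface/lib/classes/aps_crawler.inc.php
Reversed (or previously applied) patch detected!  Assume -R? [n]
Skipping patch.
2 out of 2 hunks ignored -- saving rejects to file interface/lib/classes/aps_crawler.inc.php.rej
patching file server/lib/classes/aps_installer.inc.php
Hunk #1 succeeded at 554 (offset -1 lines).'

printf '%s\n' "$SAMPLE_TRANSCRIPT" | classify_patch_output   # prints: partial
printf '%s\n' "$SAMPLE_TRANSCRIPT" | list_reject_files
```

Run check_patch_server_reachable before starting the patch tool; if it fails, the "Patch with id ... does not exist" message is the network problem described above, not a missing patch.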