ISPConfig released


What’s new in ISPConfig
This release contains an important security fix for an insufficient validation of the PHP version selector.

Scope of the issue: an attacker would require a valid ISPConfig login with access to the web module. The issue affects the ISPConfig interface only, on a multiserver system, only the interface server(s) have to be patched.

Thank you to Timo Boldt for reporting this issue!

The fix can be applied by updating to ISPConfig or by using the ISPConfig patch tool.

Use the Patch tool
Run the command:

as root user on the shell. Enter the following patch code when requested by the tool:


Use the normal ISPConfig update procedure with the command.
See details at the end of this post.

The “Reconfigure services” option can be answered with “no” on servers that run ISPConfig

See changelog link below for a list of all changes that are included in this release.

The software can be downloaded here:


Known Issues
Please take a look at the bug tracker:

BUG Reporting
Please report bugs to the ISPConfig bug tracking system:

Supported Linux Distributions
– Debian Etch (4.0) – Jessie (8.0) and Debian testing
– Ubuntu 7.10 – 15.10
– OpenSuSE 11 – 13.2
– CentOS 5.2 – 8
– Fedora 9 – 15

The installation instructions for ISPConfig can be found here:

or in the text files (named INSTALL_*.txt) which are inside the docs folder of the .tar.gz file.

To update existing ISPConfig 3 installations, run this command on the shell:

Select “stable” as the update resource. The script will check if an updated version of ISPConfig 3 is available and then download the tar.gz and start the setup script.

Detailed instructions for making a backup before update can be found here:

If the ISPConfig version on your server does not have this script yet, follow the manual update instructions below.

Manual update instructions
cd /tmp
tar xvfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install
php -q update.php