Redirect variable in capp.php script not sanitized correctly.
An XSS vulnerability has been found in the ISPConfig 3 module changer script. The vulnerability requires a valid user login to ISPConfig; unauthenticated users are not affected.
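As an added illustration of the issue class described above (this is not ISPConfig's own code; the parameter name `redirect`, the module names and the `module/page.php` target format are assumptions), a redirect target reflected into HTML unescaped, beside a hardened version that accepts only known relative module paths and escapes the value on output:

```php
<?php
// Added example, not ISPConfig code. Assumes the module changer reads a
// "redirect" parameter naming the page to jump to after switching modules.

// Vulnerable pattern: the user-controlled value lands in HTML unescaped,
// so a crafted link opened by a logged-in user runs in that user's session.
function vulnerable_redirect_html(string $redirect): string {
    return '<meta http-equiv="refresh" content="0;url=' . $redirect . '">';
}

// Hardened: accept only a relative "module/page.php" target inside a known
// module, which also rules out schemes, "//" prefixes and ".." traversal,
// then escape on output regardless of validation.
function safe_redirect_target(string $redirect, array $allowed_modules): ?string {
    if (!preg_match('#^([a-z0-9_]+)/[a-z0-9_]+\.php$#i', $redirect, $m)) {
        return null;
    }
    if (!in_array(strtolower($m[1]), $allowed_modules, true)) {
        return null;
    }
    return $redirect;
}

function safe_redirect_html(string $redirect, array $allowed_modules,
                            string $fallback = 'dashboard/dashboard.php'): string {
    $target = safe_redirect_target($redirect, $allowed_modules) ?? $fallback;
    // Escaping is still applied even though the value passed validation.
    $url = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    return '<meta http-equiv="refresh" content="0;url=' . $url . '">';
}

// Constructed inputs for demonstration (assumed module names).
$modules = ['dashboard', 'sites', 'mail', 'dns'];
$inputs = [
    'sites/web_domain_list.php',   // legitimate target, passed through
    '"><b>injected</b>',           // markup in the value, rejected
    'http://evil.example/page',    // absolute URL, rejected
    '../admin/users_list.php',     // traversal, rejected
];
foreach ($inputs as $in) {
    echo safe_redirect_html($in, $modules), "\n";
}
```

Only the first input reaches the refresh tag as given; the other three fall back to the dashboard target.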
All recent ISPConfig 3 releases.
A patch for ISPConfig 220.127.116.11p5 is available through the ISPConfig patch tool.
Run the command:
as the root user on the shell and enter:
as patch code. The patch tool will download the patch from ispconfig.org and apply it.
We thank Alain Homewood for informing us about this issue.
Alain Homewood PwC New Zealand http://www.pwc.co.nz/services/assurance-services/pwc-security/