Authenticated client local code inclusion issue
A security vulnerability has been found that allows an authenticated client to execute code with the permissions of the ispconfig user.
Both of the following requirements must be met for this:
- The attacker must have a valid ISPConfig login (Client, Reseller or Admin - username and password).
- The attacker must be able to create a website on the same server where the ISPConfig interface is hosted, or must have some other kind of local file system access that allows uploading files to the server where the ISPConfig interface is hosted.
Thank you very much to Rio Sherri - 0x09AL for finding and reporting this issue.
We highly recommend installing this update immediately.