Closed
Open
Opened Aug 17, 2018 by Till Brehm (@tbrehm, Owner)

Authenticated client local code inclusion issue

A security vulnerability has been found which allows a client to execute code under the permissions of the ispconfig user.

The following two requirements must be met for this:

  • The attacker must have a valid ISPConfig login (Client, Reseller or Admin - username and password).
  • The attacker must be able to create a website on the same server where the ISPConfig interface is hosted, or he must have any other kind of local file system access that allows him to upload files to the server where the ISPConfig interface is hosted.

Thank you very much to Rio Sherri - 0x09AL for finding and reporting this issue.

We highly recommend installing this update immediately.

Milestone: 3.1.13
Reference: ispconfig/ispconfig3#5102