Dear community,

WARNING – Before updating your i-MSCP installation, don’t forget to read the errata file WARNING

We are pleasure to announce the immediate availability of i-MSCP version 1.3.9 which is a maintenance release for the 1.3.x Serie.

This new version addresses the following issues:


  • Fixed: Prevent replacement of Apache2 variables in vhost files (iMSCP::TemplateParser)
  • Fixed: Wrong substitution for deleted mount points (iMSCP::Mount)


  • Added: iMSCP_Authentication_AuthEvent class (Represent authentication event passed-in to listeners)
  • Added: `onSharedScriptStart’ and `onSharedScriptEnd’ events
  • Added: Static info in custom DNS management interface explaining rules for substitution with $ORIGIN (Custom DNS)
  • Added: Support for DNS NS resource record – only allowed for subzone delegation (Custom DNS)
  • Changed: Authentication service class now expects an authentication result object pulled from authentication event
  • Changed: FTP chooser script (ftp_choose_dir.php) is now a shared script (previously, it was a client script)
  • Fixed: A backend request must be triggered when a customer password is being updated by the administrator (Admin level)
  • Fixed: Authentication data (htuser(s)/htgroup(s)) must remain selected upon errors (Protected area form)
  • Fixed: Could not install a new software instance due to a bad check on installation path (Software installer)
  • Fixed: Default (credentials) authentication handler must not stop propagation of authentication event on failure
  • Fixed: Favicon not loaded in some browsers, specially MSIE
  • Fixed: Installation of a new software instance on forwarded domains must be prohibited (Software installer)
  • Fixed: Installation of a new software instance outside of the document root must be prohibited (Software installer)
  • Fixed: MCRYPT extension is being deprecated in PHP 7.1.x and will be removed in PHP 7.2.x (replaced by openssl)
  • Fixed: Missing check on FTP user owner while editing (Ftp user edit form – Security flaw)
  • Fixed: Missing check on Htuser(s)/Htgroup(s) owner while editing (Protected area form – Security flaw)
  • Fixed: Password hash is not updated on customer password change (Reseller level)
  • Fixed: Reseller cannot edit DocumentRoot of domain aliases (Reseller alias edit form)
  • Fixed: Several layout issues in admin/software_rights.tpl (Software installer)
  • Fixed: Several layout issues in client/software_view.tpl (Software installer)
  • Fixed: Wrong SQL query leading to an exception (Software installer)
  • Removed: decryptBlowfishCbcPassword() function (replaced by iMSCPCrypt library)


  • Fixed: Default timezone badly detected – DateTime::TimeZone object isn’t stringifiable


  • Added: listener file for Apache2 security headers –
  • Fixed: listener file is broken


  • Renamed: Modules::Htusers package to Modules::Htpasswd package


  • Fixed: Don’t load unused data from plugin table (iMSCP_Plugin_Manager)
  • Updated: API version to 1.0.7 (due to changes made in Authentication service class)


  • Fixed: Hide DEBUG messages from the script when running APT
  • Fixed: Missing `–debug’ command line option in several scripts


  • Changed: Usage of AES-256 (Rijndael) algorithm to encrypt data in place of the Blowfish algorithm (see the errata)


  • Fixed: Several issues with ProxyErrorOverride directive. See


  • Dropped: Upgrade support for i-MSCP versions older than 1.1.0 (See the errata)


  • #IP-1639 When editing a hosting plan, some PHP INI values are not always those that were set while creation
  • #IP-1640 When editing reseller properties, customers’s PHP INI values are updated with incorrect values
  • #IP-1665 Allow underscore in CNAME-record
  • #IP-1666 Could not dump domain.tld when two DNS entries have same name
  • #IP-1667 ITK httpd server implementation – Variables not replaced in vhost template
  • #IP-1671 Backup script – literal error in sql query without visible or negative effect
  • #IP-1672 DocumentRoot no longer editable for domains with shared mount point feature enabled
  • #IP-1676 Input mask during installation when confirmation of password is wrong

You can download this new version at:

Thank you for choosing i-MSCP.
Source: i-MSCP release