Open_basedir security bug !
Hi!
I'm a French VestaCP user. I recently saw that no open_basedir was set for the users, so they can check all the conf files, password files, and other users' files :/
I think it's a major bug, and I tried to patch it, but it's very complicated and I didn't succeed :(
Please, can you help me patch this bug? And if an admin or a dev sees this post, can you patch it in a future version of VestaCP?
Re: Open_basedir security bug !
Re,
I forgot to tell you my VestaCP configuration!
I am on full nginx (with php-fpm), so I think the most powerful and simple way to set open_basedir is in the php-fpm users' configuration.
Thanks for your attention.
Re: Open_basedir security bug !
Hi!
It's always me ^^
I've patched the bug; I've just added this to the end of "v-add-web-domain" (/usr/local/vesta/bin):
Code:
# $1 = user, $2 = domain (the first two arguments of v-add-web-domain)
echo "php_admin_value[open_basedir] = /home/$1/web/" >> "/etc/php5/fpm/pool.d/$2.conf"
service php5-fpm restart
It's working fine for me!
(EDIT: For full nginx with php-fpm configurations!)
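A read-only audit for the gap discussed in this thread, as an added example that is not part of the original posts or of VestaCP's code: it checks each PHP-FPM pool file for an active `php_admin_value[open_basedir]` whose entries all sit under the pool user's home. The function names and the reliance on a `user = <name>` line in each pool file are assumptions; the default directory is the one used in the post.

```bash
#!/usr/bin/env bash
# Added example: audit PHP-FPM pool files for an enforced, per-user open_basedir.
# Assumptions: one pool file per domain (as in the post) and a "user = <name>"
# line in each pool file naming the account whose home should bound the pool.

# check_pool FILE: prints "STATUS<TAB>FILE<TAB>detail"; returns 0 only for OK.
check_pool() {
    local file=$1 line value user entry
    # Active (uncommented) directives only; if repeated, the last one is audited.
    line=$(grep -E '^[[:space:]]*php_(admin_)?value\[open_basedir\][[:space:]]*=' "$file" | tail -n 1) || true
    # Only php_admin_value is locked against later changes via ini_set().
    case $line in
        '') printf 'MISSING\t%s\tno open_basedir directive\n' "$file"; return 1 ;;
        *php_admin_value*) ;;
        *) printf 'WEAK\t%s\tset with php_value, not php_admin_value\n' "$file"; return 1 ;;
    esac
    value=$(printf '%s\n' "$line" | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]+$//; s/^"(.*)"$/\1/')
    user=$(sed -nE 's/^[[:space:]]*user[[:space:]]*=[[:space:]]*([^[:space:];]+).*/\1/p' "$file" | tail -n 1)
    if [ -z "$value" ]; then
        printf 'EMPTY\t%s\topen_basedir has no value\n' "$file"; return 1
    fi
    if [ -z "$user" ]; then
        printf 'UNKNOWN\t%s\tno user= line to compare against\n' "$file"; return 1
    fi
    # open_basedir is a colon-separated list: every entry must sit under /home/<user>/.
    local IFS=:
    for entry in $value; do
        case $entry in
            *..*) printf 'WIDE\t%s\t%s contains ..\n' "$file" "$entry"; return 1 ;;
            "/home/$user/"*) ;;
            *) printf 'WIDE\t%s\t%s is outside /home/%s/\n' "$file" "$entry" "$user"; return 1 ;;
        esac
    done
    printf 'OK\t%s\t%s\n' "$file" "$value"
}

# audit_pools [DIR]: checks every *.conf in DIR; exit status = number of failing pools.
audit_pools() {
    local dir=${1:-/etc/php5/fpm/pool.d} bad=0 f
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        check_pool "$f" || bad=$((bad + 1))
    done
    return "$bad"
}
```

Running `audit_pools` with no argument reads the default pool directory and changes nothing; any status other than OK marks a pool whose PHP scripts are not confined to that user's home.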