We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Security discussion
Hello,
I'm a security engineer and a computer forensic analyst.
Since the community is frightened about the latest attack and everyone wants to have a solution, I'm opening this post as a discussion for security tips.
First of all, every exploit developed by unknown persons is using the badly-written Web Interface. Don't you think so? I'm writing this since I want all the users to understand this post. Then if you have questions, please ask.
1. Passwords
https://github.com/serghey-rodin/vesta/ ... /index.php
VestaCP could use three algorithms: md5, sha-512 and des.
md5
Quote: MD5 for passwords
Using salted md5 for passwords is a bad idea. Not because of MD5's cryptographic weaknesses, but because it's fast. This means that an attacker can try billions of candidate passwords per second on a single GPU.
What you should use are deliberately slow hash constructions, such as scrypt, bcrypt and PBKDF2. Simple salted SHA-2 is not good enough because, like most general purpose hashes, it's fast. Check out How to securely hash passwords? for details on what you should use.
sha-512
https://blog.mozilla.org/security/2011/ ... ot-enough/
des
VestaCP team, please see this well-written post about "How to securely hash passwords": https://security.stackexchange.com/ques ... -passwords
Why should we worry about "issues" on the code when it's really simple to guess your passwords with brute-forcing?
2. Bad and redundant code
A lot of redundant code was written in PHP. Example:
if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
    $v_user = escapeshellarg($_POST['user']);   // escaped copy for the shell
    $user = $_POST['user'];                      // raw copy kept as well
    $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
    exec ($cmd." ".$v_user." json", $output, $return_var);
    ...
    ...
That could be rewritten to:
// Suggestion: sanitize!
// Test the raw input before escaping it: escapeshellarg('') returns '' (two
// quote characters), so empty() on the escaped value would never be true.
if (!empty($_POST['user']) && empty($_POST['code'])) {
    $user = escapeshellarg($_POST['user']);     // single, escaped copy only
    $cmd = "/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
    exec($cmd . " " . $user . " json", $output, $return_var);
    ...
    ...
3. Conclusion
Some time ago, I wanted to contribute to the development of VestaCP. It could become a great product, but THERE MUST BE a professional software engineer who can check for any code redundancy and potential injection of OS commands or SQL.
I would recommend switching to another platform until the VestaCP team can REALLY re-write the entire Web interface.
Cheers,
Ctrlpac
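As an added example (not VestaCP's code), here is how the three crypt(3) schemes named in section 1 can be recognised from a stored hash and replaced by bcrypt on the next successful login; the hash values are constructed for the demo and the 32-char username limit and cost 12 are assumptions, not Vesta policy.

```php
<?php
// Added example, not VestaCP code: detect which crypt(3) scheme a stored
// hash uses and upgrade it to bcrypt on the next successful login.
// Requires PHP 8.0+ for str_starts_with().

function legacy_hash_algo(string $hash): string {
    if (str_starts_with($hash, '$1$')) return 'md5-crypt';
    if (str_starts_with($hash, '$5$')) return 'sha256-crypt';
    if (str_starts_with($hash, '$6$')) return 'sha512-crypt';
    if (str_starts_with($hash, '$2y$')) return 'bcrypt';
    // Traditional DES crypt: 2-char salt + 11 hash chars, no '$' prefix.
    if (strlen($hash) === 13 && $hash[0] !== '$') return 'des';
    return 'unknown';
}

// Returns null when the password is wrong or the hash format is unknown;
// otherwise returns the hash that should now be stored for this user.
function verify_and_upgrade(string $password, string $stored): ?string {
    $algo = legacy_hash_algo($stored);
    if ($algo === 'unknown') return null;
    if ($algo === 'bcrypt') {
        if (!password_verify($password, $stored)) return null;
        // Keep the work factor current: rehash if it is below policy (cost 12 assumed).
        return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12])
            ? password_hash($password, PASSWORD_BCRYPT, ['cost' => 12])
            : $stored;
    }
    // crypt() reads the salt and scheme from the stored hash; compare in constant time.
    if (!hash_equals($stored, crypt($password, $stored))) return null;
    // md5-crypt, sha*-crypt and des are all cheap enough to brute-force on a GPU:
    // replace them with a deliberately slow, adaptive construction.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constructed demo: a sha512-crypt hash of "hunter2" with a fixed salt.
$stored = crypt('hunter2', '$6$rounds=5000$abcdefgh$');
printf("stored hash uses: %s\n", legacy_hash_algo($stored));
$new = verify_and_upgrade('hunter2', $stored);
printf("after login, hash uses: %s\n", legacy_hash_algo((string) $new));
printf("wrong password rejected: %s\n", var_export(verify_and_upgrade('wrong', $stored) === null, true));
```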
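As an added example (not VestaCP's code), the v-list-user call from section 2 with an allowlist check placed in front of escapeshellarg(), so that malformed input is refused before a command line is ever built; the username pattern is an assumption for illustration, not Vesta's actual rule, and the demo loop only prints the command strings without executing anything.

```php
<?php
// Added example, not VestaCP code: build the v-list-user command from
// untrusted input with an allowlist check in front of escapeshellarg().

const VESTA_BIN = '/usr/local/vesta/bin';  // path taken from the post above

// Accept only names a Unix account can plausibly have (pattern assumed here);
// everything else is rejected before it reaches the shell. Returns null if invalid.
function validate_user(?string $raw): ?string {
    if ($raw === null || $raw === '') return null;
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $raw)) return null;
    return $raw;
}

// Builds the exact command line. escapeshellarg() stays as a second layer so a
// later relaxation of the regex cannot reintroduce shell injection on its own.
function build_list_user_cmd(?string $raw): ?string {
    $user = validate_user($raw);
    if ($user === null) return null;
    return '/usr/bin/sudo ' . VESTA_BIN . '/v-list-user ' . escapeshellarg($user) . ' json';
}

// Same exec() shape as the post's snippet; returns decoded JSON or null.
// Only meaningful on a host where the Vesta CLI exists.
function list_user(?string $raw): ?array {
    $cmd = build_list_user_cmd($raw);
    if ($cmd === null) return null;
    exec($cmd, $output, $return_var);
    if ($return_var !== 0) return null;
    $data = json_decode(implode("\n", $output), true);
    return is_array($data) ? $data : null;
}

// Constructed inputs: only the first one yields a command, the rest are rejected.
foreach (['admin', 'alice;ls', '../etc', '', 'Admin'] as $input) {
    $cmd = build_list_user_cmd($input);
    printf("%-10s => %s\n", var_export($input, true), $cmd ?? 'rejected');
}
```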
Re: Security discussion
After the last breach, I'll switch to another panel for sure, or maybe I'm going to do all my stuff manually like I did before trying vestacp
Re: Security discussion
what platform?
cheapest
Re: Security discussion
Also checked from my side, in fact I'm only a mod - no dev. ispconfig or virtualmin seem to be the most discussed panels here on the board. The problem is that they are too complicated; vesta is (or maybe was?) one of the best control panels I ever worked with - light, easy, nice caching function.
Re: Security discussion
Vesta is/was the best panel ever. The single absolute best. It's a shame to end like this...
Re: Security discussion
Maybe a new dev team could fork the original project if the main devs don't answer?
Re: Security discussion
As far as I know nobody has declared interest in forking/taking over.
Re: Security discussion
We're working atm to get enough people together to create a fork of vesta. The problem is that we can't find enough devs - we are also working to find the security issue. But we aren't anyone from the core team, we are just trying to fight for vesta to keep it alive.
Re: Security discussion
Since you are somehow closer to the team than most of us, can we somehow get a word from Serghey?
Re: Security discussion
Thanks ScIT !