Security discussion
Posted: Tue Sep 25, 2018 7:30 pm
Hello,
I'm a security engineer and a computer forensic analyst.
Since the community is frightened about the latest attack and everyone wants to have a solution, I'm opening this post as a discussion for security tips.
First of all, every exploit developed by unknowns uses the badly written Web Interface. Don't you think so? I'm writing this because I want all the users to understand this post. Then, if you have questions, please ask.
1. Passwords
https://github.com/serghey-rodin/vesta/ ... /index.php
VestaCP can use three algorithms: md5, sha-512 and des.
md5
sha-512
    MD5 for passwords
    Using salted md5 for passwords is a bad idea. Not because of MD5's cryptographic weaknesses, but because it's fast. This means that an attacker can try billions of candidate passwords per second on a single GPU.
    What you should use are deliberately slow hash constructions, such as scrypt, bcrypt and PBKDF2. Simple salted SHA-2 is not good enough because, like most general purpose hashes, it's fast. Check out "How to securely hash passwords?" for details on what you should use.
https://blog.mozilla.org/security/2011/ ... ot-enough/
des
Please, VestaCP team, see this well-written post about "How to securely hash passwords": https://security.stackexchange.com/ques ... -passwords
Why should we worry about "issues" in the code when it's really simple to guess your passwords by brute-forcing?
2. Bad and redundant code
A lot of redundant code was written in PHP. Example:
Code:
if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
    $v_user = escapeshellarg($_POST['user']);   // escaped copy, used on the command line
    $user = $_POST['user'];                      // unescaped copy kept alongside it
    $cmd = "/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
    exec($cmd . " " . $v_user . " json", $output, $return_var);
    ...
    ...
That could be rewritten to:
Code:
// Suggestion: sanitize! Escape once and never keep an unescaped copy around.
$raw_user = isset($_POST['user']) ? $_POST['user'] : '';
$raw_code = isset($_POST['code']) ? $_POST['code'] : '';
// Test emptiness on the raw values: escapeshellarg('') returns "''", which empty() treats as non-empty.
if (!empty($raw_user) && empty($raw_code)) {
    $user = escapeshellarg($raw_user);
    $cmd = "/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
    exec($cmd . " " . $user . " json", $output, $return_var);
    ...
    ...
3. Conclusion
Some time ago, I wanted to contribute to the development of VestaCP. It could become a great product, but THERE MUST BE a professional software engineer who can check for code redundancy and for potential injection of OS commands or SQL.
I would recommend switching to another platform until the VestaCP team REALLY rewrites the entire Web interface.
Cheers,
Ctrlpac
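The password point above, as an added example that is not part of the post and is not VestaCP code. It builds the three crypt()-style hash formats the post lists (md5 '$1$', sha-512 '$6$', traditional DES with a two-character salt), verifies them the way a legacy login path would, migrates a user to bcrypt on the first successful login, and measures how many guesses per second a single CPU core gets against each scheme. The salts, passwords, bcrypt cost of 12 and the helper names are my assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example, not VestaCP code. Legacy crypt() hashes vs. bcrypt via
// password_hash()/password_verify(). All salts and passwords are constructed.

const BCRYPT_OPTS = ['cost' => 12];   // assumption: roughly 250 ms per hash on a 2018 CPU core

// crypt() picks the algorithm from the salt prefix; these are the legacy formats.
function legacyHash(string $password, string $scheme): string
{
    $salts = [
        'md5'    => '$1$Qx7kL2pM$',   // md5-crypt, constructed salt
        'sha512' => '$6$Qx7kL2pM$',   // sha512-crypt, constructed salt
        'des'    => 'Qx',             // traditional DES crypt: two-character salt
    ];
    return crypt($password, $salts[$scheme]);
}

// Verify a legacy hash: re-run crypt() with the stored hash as the salt argument
// (crypt() reads only the salt prefix it needs) and compare in constant time.
function verifyLegacy(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

function isBcrypt(string $stored): bool
{
    return password_get_info($stored)['algoName'] === 'bcrypt';
}

// Login path: accept both formats, and replace a legacy hash with bcrypt on the
// first successful login, the only moment the cleartext is available.
// Returns [authenticated, hashToStore].
function checkAndUpgrade(string $password, string $stored): array
{
    if (isBcrypt($stored)) {
        if (!password_verify($password, $stored)) {
            return [false, $stored];
        }
        $fresh = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)
            ? password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS)
            : $stored;
        return [true, $fresh];
    }
    if (!verifyLegacy($password, $stored)) {
        return [false, $stored];
    }
    return [true, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS)];
}

// Hashes per second on one CPU core: the attacker's guess rate before any GPU help.
function guessRate(callable $hashFn, int $n): float
{
    $t = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $hashFn("candidate$i");
    }
    return $n / (microtime(true) - $t);
}

// --- demo ---
$pw = 'correct horse battery';

// Traditional DES crypt silently uses only the first 8 characters of the password.
$des = legacyHash($pw, 'des');
var_dump(verifyLegacy('correct ', $des));          // bool(true): 8-character prefix is enough

// A stored md5-crypt hash is accepted once, then rewritten as bcrypt.
[$ok, $newHash] = checkAndUpgrade($pw, legacyHash($pw, 'md5'));
var_dump($ok, isBcrypt($newHash));                 // bool(true) bool(true)
var_dump(checkAndUpgrade('wrong', $newHash)[0]);   // bool(false)

printf("md5-crypt:    %8.0f hashes/s\n", guessRate(function ($p) { return legacyHash($p, 'md5'); }, 2000));
printf("sha512-crypt: %8.0f hashes/s\n", guessRate(function ($p) { return legacyHash($p, 'sha512'); }, 500));
printf("bcrypt(12):   %8.1f hashes/s\n", guessRate(function ($p) { return password_hash($p, PASSWORD_BCRYPT, BCRYPT_OPTS); }, 4));
```

Two things to read off the output: the '$1$' and '$6$' schemes are iterated (1000 MD5 rounds and 5000 SHA-512 rounds by default), so they are not raw hashes, but they are still orders of magnitude faster than bcrypt at cost 12 and neither is memory-hard; and the DES format caps the effective password at 8 characters, which is a second, separate reason to migrate any account still stored that way. The migration path above needs no password reset: users are moved over as they log in, and password_needs_rehash() lets the cost be raised later the same way.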
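The command-injection point in section 2, as an added example that is not part of the post and is not VestaCP code. It builds the v-list-user command line the way the posted snippet does and the way the suggested rewrite does, then runs both through exec() with a stand-in command (printf, which prints each argument it receives in brackets) so the shell's tokenisation is visible without VestaCP installed. The stand-in, the attacker string and the username regex are my assumptions.

```php
<?php
// Added example, not VestaCP code: OS command injection through
// exec($cmd . " " . $_POST['user'] . " json") versus escapeshellarg() plus validation.

// Hypothetical stand-in for "/usr/bin/sudo /usr/local/vesta/bin/v-list-user":
// printf prints every argument it gets as "[arg]" on its own line, which shows
// exactly how /bin/sh split the command line that exec() handed it.
const CMD = "printf '[%s]\\n'";

// What the posted interface does: the raw value is spliced into the shell string.
function buildUnsafe(string $user): string
{
    return CMD . ' ' . $user . ' json';
}

// What the suggested rewrite does: the value becomes a single quoted argument.
function buildSafe(string $user): string
{
    return CMD . ' ' . escapeshellarg($user) . ' json';
}

// Assumed username policy (not VestaCP's): an allow-list is the first line of
// defence, escapeshellarg() the second.
function isValidUsername(string $user): bool
{
    return (bool) preg_match('/^[a-z][a-z0-9_-]{0,31}$/', $user);
}

function run(string $cmd): array
{
    exec($cmd, $output, $rc);
    return [$rc, $output];
}

$attacker = 'admin; echo INJECTED';   // constructed attacker input

[$rc, $out] = run(buildUnsafe($attacker));
// $out is ["[admin]", "INJECTED json"]: the shell saw two commands and ran echo.
print_r($out);

[$rc, $out] = run(buildSafe($attacker));
// $out is ["[admin; echo INJECTED]", "[json]"]: the whole string stayed one argument.
print_r($out);

var_dump(isValidUsername($attacker));  // bool(false)
var_dump(isValidUsername('--help'));   // bool(false): a leading "-" survives escapeshellarg() and reaches the program as an option
var_dump(isValidUsername('admin'));    // bool(true)
```

In the real command line the sudo prefix applies only to the first command the shell sees, so the injected part runs as the web server user, which is already enough to read the panel's files and run further commands. escapeshellarg() fixes the shell boundary but nothing beyond it: a value such as "--help" is still passed to the target program as a flag, which is why the allow-list check belongs in front of it rather than instead of it.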