
Re: Security discussion

Posted: Tue Oct 09, 2018 6:11 pm
by Spheerys
@imperio make an answer here.
The project is not dead \o/

Re: Security discussion

Posted: Tue Oct 09, 2018 6:13 pm
by ScIT
Spheerys wrote:
Tue Oct 09, 2018 6:11 pm
@imperio make an answer here.
The project is not dead \o/
Yes, have seen it already - that's really good news!!! Let's take vesta alive - don't want to work without!

Re: Security discussion

Posted: Tue Oct 09, 2018 6:34 pm
by alexcy
Very good news!

Re: Security discussion

Posted: Tue Oct 09, 2018 10:38 pm
by neto737
I really agree with you @ctrlpac

I think that VestaCP could use password_hash and password_verify instead of md5, sha-512 and DES as well. The code could be cleaner than now and maybe it can be faster too.

I think the web interface needs to be refactored completely. Why use 1 folder for every URL? Never heard about URL rewriting? So, I guess the PHP needs to be out of the front-end, like using a PHP framework or something else.

The team needs to be open to getting help from us, and maybe Vesta will grow up sometime...

Re: Security discussion

Posted: Wed Apr 03, 2019 1:44 am
by R_O
ctrlpac wrote:
Tue Sep 25, 2018 7:30 pm
A lot of redundant code was written using PHP. Example:

	if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
    		$v_user = escapeshellarg($_POST['user']);
    		$user = $_POST['user'];
    		$cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
    		exec ($cmd." ".$v_user." json", $output, $return_var);
    		...
    		...
May you explain why this is not safe?

Re: Security discussion

Posted: Wed Apr 03, 2019 1:56 pm
by pothi
R_O wrote:
Wed Apr 03, 2019 1:44 am
ctrlpac wrote:
Tue Sep 25, 2018 7:30 pm
A lot of redundant code was written using PHP. Example:

	if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
    		$v_user = escapeshellarg($_POST['user']);
    		$user = $_POST['user'];
    		$cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
    		exec ($cmd." ".$v_user." json", $output, $return_var);
    		...
    		...
May you explain why this is not safe?
No escape for user input on the line

$user = $_POST['user'];
and on the "if" condition. The general practice is to never trust any user input.

Re: Security discussion

Posted: Thu Apr 04, 2019 2:36 am
by R_O

	if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
    		...
    		...
ctrlpac wrote:
Tue Sep 25, 2018 7:30 pm
and on the "if" condition. The general practice is to never trust any user input.
Yes, I missed the 'user' assignment, but regarding the 'if', forgive my ignorance, but is there a vulnerability in the "empty" command? The manual says it is just a Boolean for any validation since PHP 5.5. How can this affect the process if you sanitise the content right after you know that it exists?
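
Added example, not part of the thread and not VestaCP's own code: the handling discussed above, with the request value checked once for type and format so that only the validated value is used afterwards, compared against the original `empty()` condition on constructed requests. The function names and the username pattern are assumptions, and nothing is executed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not VestaCP code): returns a validated username or null.
// The allowlist pattern is an assumption; match it to the real account-name policy.
function validated_user(array $post): ?string
{
    $raw = $post['user'] ?? null;
    // !empty() is also true for a non-empty array (user[]=x): it tests
    // presence, not type or format, so check both explicitly.
    if (!is_string($raw) || preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Build the command line from the validated value only.
// Nothing is executed in this example; the string is just returned.
function build_list_user_cmd(string $user): string
{
    $bin = '/usr/bin/sudo /usr/local/vesta/bin/v-list-user';
    return $bin . ' ' . escapeshellarg($user) . ' json';
}

// Constructed sample requests (stand-ins for $_POST).
$samples = [
    'plain'      => ['user' => 'admin'],
    'array'      => ['user' => ['admin']],
    'bad chars'  => ['user' => "admin' x"],
    'with code'  => ['user' => 'admin', 'code' => '1234'],
    'missing'    => [],
];

foreach ($samples as $label => $post) {
    // The condition from the quoted snippet, for comparison.
    $passesEmptyCheck = !empty($post['user']) && empty($post['code']);
    $user = $passesEmptyCheck ? validated_user($post) : null;
    printf(
        "%-10s empty()-check=%-4s result=%s\n",
        $label,
        $passesEmptyCheck ? 'pass' : 'fail',
        $user === null ? 'rejected' : build_list_user_cmd($user)
    );
}
```

The 'array' and 'bad chars' requests pass the `empty()` condition but are rejected by the type and format check; only 'plain' produces a command line.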