VestaCP 0DAY
Posted: Wed Mar 18, 2020 5:27 pm
by dreiggy
Re: VestaCP 0DAY
Posted: Wed Mar 18, 2020 8:51 pm
by tecob
Here's a perfect opportunity to prove this project is still alive and responding to critical issues!
Come on!
Re: VestaCP 0DAY
Posted: Thu Mar 19, 2020 8:06 am
by JuzaoftheClouds
I really hope for a fix that'll solve this issue!
I can hide panel exposure on my personal host, but I think for who can't...
Re: VestaCP 0DAY
Posted: Thu Mar 19, 2020 8:56 am
by tecob
I think that even hiding panel exposure is not enough in this case.
If you've got a vulnerable website on your server and a malicious person installs a remote console, then he will be able to modify ~/.bash_logout, for example, as explained here:
https://pentest.blog/vesta-control-pane ... -analysis/
then on running backup the hack is done.
Well, I think this could be possible.
Re: VestaCP 0DAY
Posted: Thu Mar 19, 2020 2:02 pm
by BartMan__X
I fixed mine ... I installed virtualmin pro .... I'll pay $6.00 for a maintained control panel
Re: VestaCP 0DAY
Posted: Thu Mar 19, 2020 2:19 pm
by exclu254
Oh boy! This is damn bad. ;(
Re: VestaCP 0DAY
Posted: Thu Mar 19, 2020 2:24 pm
by ScIT
I already pointed on GitHub to a fix for this problem:
https://github.com/serghey-rodin/vesta/ ... -600795634
Re: VestaCP 0DAY
Posted: Thu Mar 19, 2020 2:26 pm
by tecob
Thanks @ScIT, let's see if VestaCP developers react.
Re: VestaCP 0DAY
Posted: Thu Mar 19, 2020 2:58 pm
by exclu254
Thanks, ScIT, that is quite fast.
Re: VestaCP 0DAY
Posted: Thu Mar 19, 2020 3:20 pm
by ScIT
You may have misunderstood me: The fix was implemented for our fork called HestiaCP and is already more than half a year old. I just pointed it out for the vesta devs, so they can take a look - I do not have any contact with them, also the mod status I have here should have been removed a long time ago :).
It is still up to the vesta devs to analyze our commit and implement a fix themselves.