New exploit vestacp_exec

dimahna · Post by **dimahna** » Tue Apr 14, 2020 5:12 pm

hello
SOS any fix for this exploit
https://packetstormsecurity.com/files/1 ... xec.rb.txt

Post by **ScIT** » Wed Apr 15, 2020 8:08 pm

Basicly, dpeca has already patched the issues on github, but Serghey seems to be offline since a long time - he's the only one who can publish a new version to the repository.

Disclaimer: I stopped any work on vesta due to my work on my own fork - just want that users are aware of the possible fixes of the current exploits.

viewtopic.php?f=10&t=19714

hasoid · Post by **hasoid** » Sat Apr 25, 2020 8:05 am

I see video for this exploit. I think to use this exploit you must have on server user account and ftp service. It correct? If yes - no problem for single-user server.

Post by **ScIT** » Sat Apr 25, 2020 8:09 am

Then there is a second exploit, which allows you to overwrite the link in password reset mail, combine this two exploits and a bit luck (or blindness of an user) and you're in...

Vesta Control Panel - Forum