Vesta Control Panel - Forum

Security: VestaCP Certificate world readable

3 posts • Page 1 of 1
my816797
Posts: 1
Joined: Wed Apr 23, 2014 12:32 pm

Security: VestaCP Certificate world readable

Post by my816797 » Wed Apr 23, 2014 12:35 pm

Hi,

Don't know if this is the right place, but I just found a security issue in the default install of VestaCP.

The SSL certificate (cert + key) for the control panel is stored (on Ubuntu anyway) in:
/usr/local/vesta/ssl/

The files present are certificate.crt and certificate.key. By default they look like this:

    4.0K -rw-r--r-- 1 root root 1.9K Apr 23 14:27 /usr/local/vesta/ssl/certificate.crt
    4.0K -rw-r--r-- 1 root root 1.7K Apr 23 14:27 /usr/local/vesta/ssl/certificate.key

User + Other users have READ permissions (644 !!) so any shared hosting user can fetch your certificate with a little script like:

    echo `ls /usr/local/vesta/ssl/certificate.key`;
    echo `cat /usr/local/vesta/ssl/certificate.key`;
These files should be chmodded to 400 (r--) to prevent shared hosting users from stealing your certificate, right?

skid
VestaCP Team
Posts: 1476
Joined: Wed Apr 06, 2011 11:12 pm

Re: Security: VestaCP Certificate world readable

Post by skid » Thu Apr 24, 2014 8:31 am

Thank you Wietse. We will fix this in the next release.

demlasjr
Posts: 74
Joined: Thu Feb 27, 2014 8:50 pm

Re: Security: VestaCP Certificate world readable

Post by demlasjr » Tue Apr 29, 2014 2:31 pm

chmod 400 is not good without chowning the file. Otherwise, exim can't read the file!
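A permission audit for the key file discussed in this thread, added here as an example and not VestaCP's own code: it flags any mode that grants read access to group or other, as the 644 default in the first post does, and applies a tighter mode with an optional owner change so the service that needs the key (the exim caveat in the last reply) can still read it. It assumes Linux with GNU stat; the path is the Ubuntu default quoted above.

```shell
#!/bin/sh
# Audit helper for private-key files (added example, not VestaCP code).
# Flags keys whose mode grants read to group or other, like the 644 default
# reported above, and applies a restrictive mode that can keep a service
# group readable. Assumes Linux with GNU stat; the path is the Ubuntu default.

# Octal mode of a file, e.g. "644".
key_mode() { stat -c '%a' "$1"; }

# Exit 0 when MODE grants read to group or other (a 4-7 digit in those places).
mode_is_exposed() {
    mode=$1
    other=${mode#"${mode%?}"}        # last octal digit: other
    rest=${mode%?}
    group=${rest#"${rest%?}"}        # second-to-last digit: group
    case "$group$other" in
        *[4567]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print a verdict for one key file; exit 1 if it is exposed.
audit_key() {
    file=$1
    [ -f "$file" ] || { echo "SKIP $file: not found"; return 0; }
    mode=$(key_mode "$file")
    if mode_is_exposed "$mode"; then
        echo "EXPOSED $file: mode $mode is readable by group/other"
        return 1
    fi
    echo "OK $file: mode $mode"
}

# Restrict a key. A mode of 640 plus the service's group (OWNER:GROUP, needs
# root) keeps that service able to read the key; 400 alone breaks it unless
# the owner is changed too, which is the caveat raised in the last reply.
harden_key() {
    file=$1; mode=$2; owner=$3
    if [ -n "$owner" ]; then chown "$owner" "$file"; fi
    chmod "$mode" "$file"
}

# Example run against the default key path from the first post.
audit_key /usr/local/vesta/ssl/certificate.key || true
```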