Security: VestaCP Certificate world readable
Hi,
Don't know if this is the right place, but I just found a security issue in the default install of VestaCP.
The SSL certificate (cert + key) for the control panel are stored (on Ubuntu anyway) in:
/usr/local/vesta/ssl/
The files present are certificate.crt and certificate.key. By default they look like this:
Code:
4.0K -rw-r--r-- 1 root root 1.9K Apr 23 14:27 /usr/local/vesta/ssl/certificate.crt
4.0K -rw-r--r-- 1 root root 1.7K Apr 23 14:27 /usr/local/vesta/ssl/certificate.key
User + Other users have READ permissions (644 !!) so any shared hosting user can fetch your certificate with a little script like:
Code:
# the "other" read bit on the key lets any local account run this
echo `ls /usr/local/vesta/ssl/certificate.key`;
echo `cat /usr/local/vesta/ssl/certificate.key`;
These files should be chmodded to 400 (r--) to prevent shared hosting users stealing your certificate, right?
Re: Security: VestaCP Certificate world readable
Thank you Wietse. We will fix this in the next release.
Re: Security: VestaCP Certificate world readable
chmod 400 is not good without chowning the file. Otherwise exim can't read the file!
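As an added example (not VestaCP's code and not from any poster above): a POSIX shell script that audits the "other" read bit the first post reports and applies the group-based fix the last reply points at, so the mail daemon keeps access without the key being world readable. The VestaCP path and the Debian-exim group name used in the usage note are assumptions; check which group your exim actually runs as. Only certificate.key needs this; certificate.crt is public and can stay 644.

```shell
#!/bin/sh
# Added example, not VestaCP's own code. Audits whether a TLS private key
# is readable by every local account (the 644 default reported above) and
# applies a group-based fix that keeps it readable for a mail daemon, which
# the thread notes still needs the key. The real VestaCP path and the MTA
# group name (Debian-exim) mentioned in the usage note are assumptions.

# Octal mode of a file; GNU stat first, BSD/macOS stat as the fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when the "other" read bit (04) is set, i.e. every local user,
# including every shared-hosting customer, can read the file.
world_readable() {
    [ $(( 0$(mode_of "$1") & 04 )) -ne 0 ]
}

# Exit 0 when the owning group's read bit (040) is set.
group_readable() {
    [ $(( 0$(mode_of "$1") & 040 )) -ne 0 ]
}

# Print a verdict for one file; exit status 1 when it is world readable,
# so the function can be used from cron or a post-install hook.
audit_key() {
    f=$1
    if world_readable "$f"; then
        printf '%s %s: OPEN, any shared-hosting user can read it\n' "$(mode_of "$f")" "$f"
        return 1
    fi
    printf '%s %s: ok\n' "$(mode_of "$f")" "$f"
}

# Fix discussed in the thread, with the follow-up caveat applied: instead
# of a bare chmod 400 (root-only, which locks the mail daemon out), put the
# key in the daemon's group and use 640. The owner is left unchanged.
harden_key() {
    f=$1
    grp=$2
    chgrp "$grp" "$f" && chmod 640 "$f"
}

# Demonstration on a constructed stand-in key in a temp directory (no root
# needed: the group used is the caller's own primary group).
demo() {
    tmp=$(mktemp -d) || return 1
    key=$tmp/certificate.key
    # constructed placeholder, not a real key
    printf -- '-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n' > "$key"
    chmod 644 "$key"                     # the default from the post
    audit_key "$key" || true             # reports OPEN
    harden_key "$key" "$(id -gn)"
    audit_key "$key"                     # reports ok
    rm -rf "$tmp"
}

demo
```

On a real box, as root: `harden_key /usr/local/vesta/ssl/certificate.key Debian-exim` (substitute the group exim runs under on your system), then `audit_key /usr/local/vesta/ssl/certificate.key` from cron to catch an upgrade that resets the mode. If only root ever reads the key, 400 is fine; the group route only matters because another daemon needs it.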