Security: VestaCP Certificate world readable

Posted: Wed Apr 23, 2014 12:35 pm
by my816797
Hi,

Don't know if this is the right place, but I just found a security issue in the default install of VestaCP.

The SSL certificate (cert + key) for the control-panel are stored (on Ubuntu anyway) in:
/usr/local/vesta/ssl/

The files present are certificate.crt and certificate.key. Default they look like this:

Code:

    4.0K -rw-r--r-- 1 root root 1.9K Apr 23 14:27 /usr/local/vesta/ssl/certificate.crt
    4.0K -rw-r--r-- 1 root root 1.7K Apr 23 14:27 /usr/local/vesta/ssl/certificate.key

User + Other users have READ permissions (644 !!) so any shared hosting user can fetch your certificate with a little script like:

Code:

    echo `ls /usr/local/vesta/ssl/certificate.key`;
    echo `cat /usr/local/vesta/ssl/certificate.key`;

These files should be chmodded to 400 (r--) to prevent shared hosting users stealing your certificate, right?

Re: Security: VestaCP Certificate world readable

Posted: Thu Apr 24, 2014 8:31 am
by skid
Thank you Wietse. We will fix this in the next release.

Re: Security: VestaCP Certificate world readable

Posted: Tue Apr 29, 2014 2:31 pm
by demlasjr
chmod 400 is not good without chowning the file. Otherwise, exim can't read the file!
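An added example, not code from this thread or from the VestaCP project: a small POSIX shell audit that checks a key file the way the first post and the last reply together describe. It flags the group and "other" read bits (the 644 default reported above) and also compares the file's owner against the account that must read it, so that tightening the mode to 400 does not lock out the service (the exim point in the reply). The path, the expected owner and the demo file are constructed for the example; on a real host you would pass the actual key path and the service account.

```shell
#!/bin/sh
# Added example (not from the VestaCP thread or project): audit a TLS
# private-key file for group/other read permission and for ownership.

# key_world_readable FILE
# Returns 0 when the group or "other" read bit is set, 1 otherwise.
key_world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)          # e.g. -rw-r--r--
    case "$perms" in
        ????r*|???????r*) return 0 ;;           # column 5 = group r, column 8 = other r
        *)                return 1 ;;
    esac
}

# key_owner FILE
# Prints the owning user (third column of ls -ld).
key_owner() {
    set -- $(ls -ld "$1")
    printf '%s\n' "$3"
}

# audit_key FILE EXPECTED_OWNER
# Prints one finding per problem and returns 0 only when FILE is readable
# solely by EXPECTED_OWNER. A mode of 400 alone is not enough: if the owner
# is not the account that reads the key, the service loses access.
audit_key() {
    file=$1; expected=$2; status=0
    if [ ! -e "$file" ]; then
        printf 'MISSING %s\n' "$file"
        return 1
    fi
    perms=$(ls -ld "$file" | cut -c1-10)
    owner=$(key_owner "$file")
    if key_world_readable "$file"; then
        printf 'EXPOSED %s %s (fix: chmod 400 %s)\n' "$perms" "$file" "$file"
        status=1
    fi
    if [ "$owner" != "$expected" ]; then
        printf 'WRONG-OWNER %s is owned by %s, expected %s (fix: chown %s %s)\n' \
            "$file" "$owner" "$expected" "$expected" "$file"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        printf 'OK %s %s %s\n' "$perms" "$owner" "$file"
    fi
    return "$status"
}

# demo: run the audit on a constructed placeholder file (not a real key),
# first with the 644 default from the thread, then after chmod 400.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n' > "$tmp/certificate.key"
    chmod 644 "$tmp/certificate.key"
    audit_key "$tmp/certificate.key" "$(id -un)" || true   # expected: EXPOSED
    chmod 400 "$tmp/certificate.key"
    audit_key "$tmp/certificate.key" "$(id -un)"           # expected: OK
    rm -rf "$tmp"
}

demo
```

For a real deployment the second argument is the account that actually opens the key (root for the panel, or the mail daemon's user where the same key is shared with exim), and the script is cheap enough to run from cron so that a package upgrade that resets the mode gets noticed.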