Security: VestaCP Certificate world readable
Posted: Wed Apr 23, 2014 12:35 pm
Hi,
Don't know if this is the right place, but I just found a security issue in the default install of VestaCP.
The SSL certificate (cert + key) for the control panel is stored (on Ubuntu anyway) in:
/usr/local/vesta/ssl/
The files present are certificate.crt and certificate.key. By default they look like this:
Code:
4.0K -rw-r--r-- 1 root root 1.9K Apr 23 14:27 /usr/local/vesta/ssl/certificate.crt
4.0K -rw-r--r-- 1 root root 1.7K Apr 23 14:27 /usr/local/vesta/ssl/certificate.key
User + other users have READ permissions (644 !!), so any shared hosting user can fetch your certificate with a little script like:
Code:
echo `ls /usr/local/vesta/ssl/certificate.key`;
echo `cat /usr/local/vesta/ssl/certificate.key`;
These files should be chmodded to 400 (r--) to prevent shared hosting users stealing your certificate, right?
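A defender-side check for the issue described above, as an added example that is not part of the original post or of VestaCP's own code: it audits the two certificate files for group/other read bits and, on request, tightens them to mode 400 as the post recommends. The directory and file names come from the post; the VESTA_SSL_DIR variable and the function names are assumptions for this example, and the directory can be overridden so the check can be run against a test copy.

```sh
#!/bin/sh
# Added example, not code from the original post or from VestaCP: audit the
# control-panel certificate files for group/other read access and, on request,
# restrict them to mode 400. Paths come from the post; VESTA_SSL_DIR is an
# assumed override used here so the check can run against a test directory.

VESTA_SSL_DIR="${VESTA_SSL_DIR:-/usr/local/vesta/ssl}"

# Permission bits of a file as an octal string such as "644" (GNU stat, BSD fallback).
perm_octal() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed (return 0) when the group or "other" read bit is set on the file.
# Leading zeros are stripped so the shell does not treat the digits as octal.
readable_by_others() {
    p=$(perm_octal "$1" | sed 's/^0*//')
    p=${p:-0}
    grp=$(( (p / 10) % 10 ))   # group digit of the mode
    oth=$(( p % 10 ))          # "other" digit of the mode
    [ $(( grp & 4 )) -ne 0 ] || [ $(( oth & 4 )) -ne 0 ]
}

# Report each certificate file in DIR; return 1 if any is readable by group/other.
audit_ssl_perms() {
    dir="${1:-$VESTA_SSL_DIR}"
    rc=0
    for f in "$dir/certificate.crt" "$dir/certificate.key"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"
            continue
        fi
        if readable_by_others "$f"; then
            echo "EXPOSED ($(perm_octal "$f")): $f"
            rc=1
        else
            echo "ok      ($(perm_octal "$f")): $f"
        fi
    done
    return $rc
}

# Restrict both files to owner-read only (400), as the post recommends.
fix_ssl_perms() {
    dir="${1:-$VESTA_SSL_DIR}"
    for f in "$dir/certificate.crt" "$dir/certificate.key"; do
        if [ -e "$f" ]; then
            chmod 400 "$f"
        fi
    done
    return 0
}

# Usage (as root on the panel host):
#   audit_ssl_perms                    # report only
#   fix_ssl_perms && audit_ssl_perms   # remediate, then re-check
```

The audit exits non-zero when either file is exposed, so it can be dropped into a cron job or a configuration-management check and alert on regressions (for example after a panel upgrade rewrites the files with default permissions). The fix only touches the mode; ownership is left as it is, since the post shows both files already owned by root.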