
Vesta XSS at logs

Section with modification and patches for Vesta
vestingpanel
Posts: 2
Joined: Sat Apr 02, 2016 7:09 pm

Vesta XSS at logs

Postby vestingpanel » Sat Apr 02, 2016 7:37 pm

Hello!

I've been using VestaCP for a month. This is my very first post. I find this panel great. It has a complete set of features very useful for webmasters and end users. However, I was concerned about its security risks, so I looked around the web for breaches, hacks and stuff. And sadly, I found this online:

https://www.exploit-db.com/exploits/39468/

I tested it, and the XSS works!!!!

This should be fixed immediately in the main distribution of VestaCP.

The fix is pretty easy. Just use htmlentities for the files output before they are sent to the browser:

nano /usr/local/vesta/web/list/web-log/index.php


There, find the line:

echo $file . "\n";

and change it for:

echo htmlentities($file) . "\n";


Now, I'm concerned about other security breaches like this that we have not found yet. :( I know it is a long process...

What other things have you done to harden your VestaCP installation?

I'm implementing a way to offer two-factor authentication (password + SMS code). I hope to have something working soon. This will be a nice add-in for VestaCP.

I hope this helps others to prevent nasty situations with their panels.

Regards
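
An added illustration of the fix described above (example code, not code from the thread or from VestaCP itself): the output pattern quoted from web/list/web-log/index.php beside a hardened version, run over two constructed log lines. The function names, the sample lines and the use of htmlspecialchars with an explicit charset and ENT_SUBSTITUTE are assumptions of this example; htmlentities as in the post works for the same context.

```php
<?php
// Added example, not VestaCP's own code. Models the output step in
// web/list/web-log/index.php, where each log line ends up inside an HTML page.

// Constructed sample lines (not a real log). The second one carries markup,
// as a request line written into an access log by an untrusted client would.
$sample_lines = [
    '203.0.113.5 - - [02/Apr/2016:19:37:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Apr/2016:19:38:00 +0000] "GET /<script>alert(1)</script> HTTP/1.1" 404 0',
];

// Vulnerable pattern (the line quoted in the post): raw log text is emitted
// straight into the page, so any markup in it is parsed by the browser as HTML.
function render_log_vulnerable(array $lines): string
{
    $out = '';
    foreach ($lines as $file) {
        $out .= $file . "\n";
    }
    return $out;
}

// Hardened pattern: escape before output. ENT_QUOTES covers <, >, &, " and ',
// which is what matters in an HTML text context. ENT_SUBSTITUTE matters for
// log files: without it, htmlspecialchars() returns an empty string for a line
// containing bytes that are not valid UTF-8, silently dropping that line.
function render_log_safe(array $lines): string
{
    $out = '';
    foreach ($lines as $file) {
        $out .= htmlspecialchars($file, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8') . "\n";
    }
    return $out;
}

// Self-check: the escaped output must contain no raw angle brackets, while
// the unescaped output still carries the script tag verbatim.
$unsafe = render_log_vulnerable($sample_lines);
$safe   = render_log_safe($sample_lines);
assert(strpos($unsafe, '<script>') !== false);
assert(strpos($safe, '<') === false && strpos($safe, '>') === false);
assert(strpos($safe, '&lt;script&gt;') !== false);
echo $safe;
```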

jonn
Posts: 72
Joined: Sun Jun 08, 2014 12:18 pm

Re: Vesta XSS at logs

Postby jonn » Sat Apr 02, 2016 9:36 pm


skurudo
VestaCP Team
Posts: 7807
Joined: Fri Dec 26, 2014 2:23 pm
Location: Moscow
Contact:

Re: Vesta XSS at logs

Postby skurudo » Mon Apr 04, 2016 1:31 pm

jonn wrote:can you add a pull request


Already is... and will be in the new version:
https://github.com/serghey-rodin/vesta/pull/639
-> DigitalOcean competition - please, support us
-> fix for phpmyadmin - nice and sweet now

skamasle
Collaborator
Posts: 384
Joined: Mon Feb 29, 2016 6:36 pm

Re: Vesta XSS at logs

Postby skamasle » Tue Apr 05, 2016 12:04 pm

skurudo wrote:
jonn wrote:can you add a pull request


Already is... and will be in the new version:
https://github.com/serghey-rodin/vesta/pull/639


It's a critical bug, you need to put out micro updates to fix this, so there are a lot of VestaCP installs out there with a critical bug.

What is the estimated time to the new version?

skurudo
VestaCP Team
Posts: 7807
Joined: Fri Dec 26, 2014 2:23 pm
Location: Moscow
Contact:

Re: Vesta XSS at logs

Postby skurudo » Tue Apr 05, 2016 1:41 pm

skamasle wrote:It's a critical bug, you need to put out micro updates to fix this, so there are a lot of VestaCP installs out there with a critical bug.


It will be possible after this version and after the code refactoring.

skamasle wrote:What is the estimated time to the new version?


Refactoring - done,
now bugs and tests and here we go.
I think it's about two weeks.

skamasle
Collaborator
Posts: 384
Joined: Mon Feb 29, 2016 6:36 pm

Re: Vesta XSS at logs

Postby skamasle » Tue Apr 05, 2016 1:53 pm

skurudo wrote:
skamasle wrote:It's a critical bug, you need to put out micro updates to fix this, so there are a lot of VestaCP installs out there with a critical bug.


It will be possible after this version and after the code refactoring.

skamasle wrote:What is the estimated time to the new version?


Refactoring - done,
now bugs and tests and here we go.
I think it's about two weeks.


Code refactoring :/ a lot of changes, maybe?

So it's possible some of my scripts won't work (cPanel importer).

Can I test your new version? Maybe be a beta tester?

skurudo
VestaCP Team
Posts: 7807
Joined: Fri Dec 26, 2014 2:23 pm
Location: Moscow
Contact:

Re: Vesta XSS at logs

Postby skurudo » Tue Apr 05, 2016 2:16 pm

skamasle wrote:Code refactoring :/ a lot of changes, maybe?


Well, skid says it works much faster.

skamasle wrote:So it's possible some of my scripts won't work (cPanel importer).
Can I test your new version? Maybe be a beta tester?


Dunno, sorry.
It needs testing, but I don't think so.
Sorry, there are no beta-testers yet; we are thinking about a beta practice, but a bit later.

skamasle
Collaborator
Posts: 384
Joined: Mon Feb 29, 2016 6:36 pm

Re: Vesta XSS at logs

Postby skamasle » Tue Apr 05, 2016 7:22 pm

OK, don't worry, I'll wait for the new version :D

skurudo
VestaCP Team
Posts: 7807
Joined: Fri Dec 26, 2014 2:23 pm
Location: Moscow
Contact:

Re: Vesta XSS at logs

Postby skurudo » Thu Apr 07, 2016 6:50 am

