Vesta XSS at logs
Posted: Sat Apr 02, 2016 7:37 pm
Hello!
I've been using VestaCP for a month. This is my very first post. I find this panel great. It has a complete set of features very useful for webmasters and end users. However, I was concerned about its security risks. So I looked on the web for breaches, hacks and stuff. And sadly, I found this online:
https://www.exploit-db.com/exploits/39468/
I tested it, and the XSS works!!!!
This should be fixed immediately in the main distribution of VestaCP.
The fix is pretty easy. Just use htmlentities for the files' output before they are sent to the browser:

Code:
    nano /usr/local/vesta/web/list/web-log/index.php

There, find the line:

Code:
    echo $file . "\n";

and change it to:

Code:
    echo htmlentities($file) . "\n";

Now, I'm concerned about other security breaches like this one that we have not found yet. :( I know it is a long process...
What other things have you done to harden your VestaCP installation?
I'm implementing a way to offer two-factor authentication (password + SMS code). I hope to have something working soon. This will be a nice add-in for VestaCP.
I hope this helps others to prevent nasty situations with their panels.
Regards
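The same output-encoding fix carried through as a small stand-alone log renderer, added here as an example and not taken from VestaCP's code or the post above; the function names, the sample log lines and the surrounding <pre> markup are constructed for illustration.

```php
<?php
// Added example (not VestaCP's own code): render log lines into an HTML page
// with every line escaped first, which is what the one-line htmlentities()
// fix above achieves for the web-log viewer.

/**
 * Escape one log line for safe inclusion in HTML.
 * ENT_QUOTES is passed explicitly because the default flags on the PHP
 * versions of the time (before 8.1) leave single quotes unencoded, so a line
 * that lands inside a quoted attribute would not be fully neutralised.
 * ENT_SUBSTITUTE keeps malformed byte sequences from blanking the whole line.
 */
function renderLogLine(string $line): string
{
    return htmlentities($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render an array of raw log lines as <pre> content, one escaped line each. */
function renderLog(array $lines): string
{
    $out = '';
    foreach ($lines as $line) {
        $out .= renderLogLine(rtrim($line, "\r\n")) . "\n";
    }
    return $out;
}

// Constructed sample (not a real log): a visitor controls the request path,
// so markup in it ends up verbatim in the access log and then on the page.
$sample = [
    '203.0.113.5 - - [02/Apr/2016:19:37:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [02/Apr/2016:19:37:01 +0000] "GET /?q=<script>alert(1)</script> HTTP/1.1" 404 0',
];

echo "<pre>\n" . renderLog($sample) . "</pre>\n";
// The second line is emitted as ...&lt;script&gt;alert(1)&lt;/script&gt;...
// and the browser displays it as text instead of running it.
```

Every place that echoes a log line (or any other attacker-influenced string) needs this treatment, not just the one line in web-log/index.php.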