Vesta XSS at logs

Posted: Sat Apr 02, 2016 7:37 pm
by vestingpanel
Hello!

I've been using VestaCP for a month. This is my very first post. I find this panel great. It has a complete set of features very useful for webmasters and end users. However, I was concerned about its security risks. So I looked on the web for breaches, hacks and stuff. And sadly, I found this online:

https://www.exploit-db.com/exploits/39468/

I tested it, and the XSS works!!!!

This should be fixed immediately in the main distribution of VestaCP.

The fix is pretty easy. Just use htmlentities on the file output before it is sent to the browser:

Code:

    nano /usr/local/vesta/web/list/web-log/index.php

There, find the line:

Code:

    echo $file . "\n";

and change it to:

Code:

    echo htmlentities($file) . "\n";

Now, I'm concerned about other security breaches like this that we have not found yet. :( I know it is a long process...

What other things have you done to harden your VestaCP installation?

I'm implementing a way to offer two-factor authentication (password + SMS code). I hope to have something working soon. This will be a nice add-in for VestaCP.

I hope this helps others to prevent nasty situations with their panels.

Regards
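As an added example (not VestaCP's code and not part of the post above), here is the unsafe echo the post describes next to a hardened version, with the htmlentities flags and charset stated explicitly; the log lines are constructed, and the assumption is that the viewer echoes each line into the HTML body of the page.

```php
<?php
declare(strict_types=1);

// Before the fix: the raw log line is echoed into the page. Any markup that a
// client managed to get written into the access/error log (the User-Agent field
// is the classic spot) is then rendered by the admin's browser, which is the
// stored XSS the thread is about.
function renderLogLineUnsafe(string $line): string
{
    return $line . "\n";
}

// After the fix: encode the line for an HTML text context. The flags matter:
//  - ENT_QUOTES encodes both ' and " (older PHP defaults leave ' alone),
//  - ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of making
//    htmlentities() return an empty string, which would silently drop the line,
//  - the charset is given explicitly rather than inherited from php.ini.
function renderLogLineSafe(string $line): string
{
    return htmlentities($line, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";
}

// True when the rendered line carries no raw HTML metacharacters.
function isHtmlTextSafe(string $rendered): bool
{
    return strpbrk($rendered, "<>\"'") === false;
}

// Constructed sample lines: one with markup in the User-Agent field, one with an
// invalid UTF-8 byte in the request path.
$samples = [
    'markup in UA'  => '203.0.113.5 - - [02/Apr/2016:19:37:00 +0000] "GET / HTTP/1.1" 200 512 "-" "<b>Mozilla</b>"',
    'invalid UTF-8' => "203.0.113.5 - - [02/Apr/2016:19:38:00 +0000] \"GET /\xC3 HTTP/1.1\" 404 0 \"-\" \"curl\"",
];

foreach ($samples as $label => $line) {
    $unsafe = renderLogLineUnsafe($line);
    $safe   = renderLogLineSafe($line);
    printf("%-14s unsafe: %s | safe: %s | safe output non-empty: %s\n",
        $label,
        isHtmlTextSafe($unsafe) ? 'clean' : 'raw HTML present',
        isHtmlTextSafe($safe)   ? 'clean' : 'raw HTML present',
        $safe !== "\n" ? 'yes' : 'no (line lost)');
}
```

The second sample is why ENT_SUBSTITUTE belongs in the call: without it the fixed viewer would render that line as nothing at all, and a log viewer that quietly drops lines is its own problem.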

Re: Vesta XSS at logs

Posted: Sat Apr 02, 2016 9:36 pm
by jonn

Re: Vesta XSS at logs

Posted: Mon Apr 04, 2016 1:31 pm
by skurudo
jonn wrote: can you add a pull request
Already is.. and will be in new version:
https://github.com/serghey-rodin/vesta/pull/639

Re: Vesta XSS at logs

Posted: Tue Apr 05, 2016 12:04 pm
by skamasle
skurudo wrote:
jonn wrote: can you add a pull request
Already is.. and will be in new version:
https://github.com/serghey-rodin/vesta/pull/639
It is a critical bug; you need to put out micro updates to fix this, so there are a lot of VestaCP installs out there with a critical bug.

What is the estimated time to the new version?

Re: Vesta XSS at logs

Posted: Tue Apr 05, 2016 1:41 pm
by skurudo
skamasle wrote: It is a critical bug; you need to put out micro updates to fix this, so there are a lot of VestaCP installs out there with a critical bug.
It will be possible after this version and after code refactoring.
skamasle wrote: What is the estimated time to the new version?
Refactoring - done,
now bugs and tests and here we go.
I think it's about two weeks.

Re: Vesta XSS at logs

Posted: Tue Apr 05, 2016 1:53 pm
by skamasle
skurudo wrote:
skamasle wrote: It is a critical bug; you need to put out micro updates to fix this, so there are a lot of VestaCP installs out there with a critical bug.
It will be possible after this version and after code refactoring.
skamasle wrote: What is the estimated time to the new version?
Refactoring - done,
now bugs and tests and here we go.
I think it's about two weeks.
Code refactoring :/ maybe a lot of changes?

So it's possible some of my scripts won't work (cPanel importer)?

Can I test your new version? Maybe be a beta tester?

Re: Vesta XSS at logs

Posted: Tue Apr 05, 2016 2:16 pm
by skurudo
skamasle wrote: Code refactoring :/ maybe a lot of changes?
Well, skid says it works much faster.
skamasle wrote: So it's possible some of my scripts won't work (cPanel importer)?
Can I test your new version? Maybe be a beta tester?
Dunno, sorry.
It needs to be tested, but I don't think so.
Sorry, there are no beta-testers yet; we are thinking about a beta practice, but a bit later.

Re: Vesta XSS at logs

Posted: Tue Apr 05, 2016 7:22 pm
by skamasle
Ok, don't worry, I'll wait for the new version :D

Re: Vesta XSS at logs

Posted: Thu Apr 07, 2016 6:50 am
by skurudo