Security: VestaCP Certificate world readable
Hi,
Don't know if this is the right place, but I just found a security issue in the default install of VestaCP.
The SSL certificate (cert + key) for the control panel are stored (on Ubuntu anyway) in:
/usr/local/vesta/ssl/
The files present are certificate.crt and certificate.key. By default they look like this:
Code:
4.0K -rw-r--r-- 1 root root 1.9K Apr 23 14:27 /usr/local/vesta/ssl/certificate.crt
4.0K -rw-r--r-- 1 root root 1.7K Apr 23 14:27 /usr/local/vesta/ssl/certificate.key
User + other users have READ permissions (644 !!) so any shared hosting user can fetch your certificate with a little script like:
Code:
echo `ls /usr/local/vesta/ssl/certificate.key`;
echo `cat /usr/local/vesta/ssl/certificate.key`;
These files should be chmodded to 400 (r--) to prevent shared hosting users stealing your certificate, right?
Re: Security: VestaCP Certificate world readable
Thank you Wietse. We will fix this in the next release.
Re: Security: VestaCP Certificate world readable
chmod 400 is not good without chowning the file. Otherwise, exim can't read the file!
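An added example, not code from the thread or from VestaCP: a small POSIX sh audit that flags key files other local users can read, plus a remediation that respects the caveat above by giving the service group (assumed here to be exim) read access instead of locking the key to root:root 400. The directory, file names and group name are assumptions carried over from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or VestaCP). Audits private keys in the
# panel's SSL directory for group/other read bits and offers a fix that keeps
# a service such as exim able to read the key. Paths and the "exim" group are
# assumptions taken from the thread; adjust for your install.

VESTA_SSL_DIR="${VESTA_SSL_DIR:-/usr/local/vesta/ssl}"

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Given one octal permission digit, succeed if its read bit (4) is set.
_digit_has_read() {
    case "$1" in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# Succeed if "other" (i.e. any local user, including hosting customers) can read the file.
world_readable() {
    m=$(file_mode "$1"); m=${m#"${m%???}"}   # keep only the last three digits
    _digit_has_read "${m#??}"
}

# Succeed if the owning group can read the file.
group_readable() {
    m=$(file_mode "$1"); m=${m#"${m%???}"}
    g=${m%?}; _digit_has_read "${g#?}"
}

# Report every *.key in a directory; return 1 if any of them is world-readable.
# (The .crt is public material, so only the private key is checked.)
audit_keys() {
    rc=0
    for f in "$1"/*.key; do
        [ -f "$f" ] || continue
        if world_readable "$f"; then
            echo "FINDING: $f is world-readable (mode $(file_mode "$f"))"; rc=1
        else
            echo "ok: $f (mode $(file_mode "$f"))"
        fi
    done
    return "$rc"
}

# Remediation: keep root as owner, hand the key's group to the service that must
# read it, and drop all "other" access. Usage: harden_key /path/to/certificate.key exim
harden_key() {
    chown "root:$2" "$1" && chmod 640 "$1"
}

if [ -d "$VESTA_SSL_DIR" ]; then
    audit_keys "$VESTA_SSL_DIR" || echo "run: harden_key <key-file> <service-group>"
fi
```

Run it as root on the panel host; a non-zero exit from audit_keys means at least one key is still readable by every local account.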