Vesta XSS at logs Topic is solved
-
vestingpanel
- Posts: 2
- Joined: Sat Apr 02, 2016 7:09 pm
Vesta XSS at logs
Hello!
I've been using VestaCP for a month. This is my very first post. I find this panel great. It has a complete set of features very useful for webmasters and end users. However, I was concern about its security risks. So I looked the web for breaches, hacks and stuff. And sadly, i found this online:
https://www.exploit-db.com/exploits/39468/
I tested it, and the XSS works!!!!
This should be fixed intermediately in the main distribution of VestaCP.
The fix is pretty easy. Just use htmlentities for the files output before they are sent to the browser:
There, find the line:
and change it for:
Now, I'm concern about others security breaches as this that we have not found yet. :( I know it is a long process...
What other things have you done to harden your VestaCP installation?
I'm implementing a way offer two factors authentication (password + SMS code). I hope to have something working soon. This will be a nice add-in for VestaCP.
I hope this help others to prevent nasty situations with their panels.
Regards
I've been using VestaCP for a month. This is my very first post. I find this panel great. It has a complete set of features very useful for webmasters and end users. However, I was concern about its security risks. So I looked the web for breaches, hacks and stuff. And sadly, i found this online:
https://www.exploit-db.com/exploits/39468/
I tested it, and the XSS works!!!!
This should be fixed intermediately in the main distribution of VestaCP.
The fix is pretty easy. Just use htmlentities for the files output before they are sent to the browser:
Code: Select all
nano /usr/local/vesta/web/list/web-log/index.phpCode: Select all
echo $file . "\n";Code: Select all
echo htmlentities($file) . "\n";What other things have you done to harden your VestaCP installation?
I'm implementing a way offer two factors authentication (password + SMS code). I hope to have something working soon. This will be a nice add-in for VestaCP.
I hope this help others to prevent nasty situations with their panels.
Regards
Re: Vesta XSS at logs
can you add a pull request
https://github.com/serghey-rodin/vesta/pulls
https://github.com/serghey-rodin/vesta/pulls
Re: Vesta XSS at logs
Already is.. and will be in new version:jonn wrote:can you add a pull request
https://github.com/serghey-rodin/vesta/pull/639
Re: Vesta XSS at logs
Is critical bug, you need put micro updates to fix this, so there are a lot of vestacp there whit critical bug.skurudo wrote:Already is.. and will be in new version:jonn wrote:can you add a pull request
https://github.com/serghey-rodin/vesta/pull/639
What is the estimated time to new versión ?
Re: Vesta XSS at logs
It's will be possible after this version and after code refactoring.skamasle wrote: Is critical bug, you need put micro updates to fix this, so there are a lot of vestacp there whit critical bug.
Refactoring - done,skamasle wrote:What is the estimated time to new versión ?
now bugs and test and here we go.
I think it's about two weeks.
Re: Vesta XSS at logs
Code refactoring :/ a lot of changes may be ?skurudo wrote:It's will be possible after this version and after code refactoring.skamasle wrote: Is critical bug, you need put micro updates to fix this, so there are a lot of vestacp there whit critical bug.
Refactoring - done,skamasle wrote:What is the estimated time to new versión ?
now bugs and test and here we go.
I think it's about two weeks.
So its posible some of my scripts dont working ( cpanel importer )
Can I test your new versión ? maybe be a betatester ?
Re: Vesta XSS at logs
Well, skid say - works a much faster.skamasle wrote: Code refactoring :/ a lot of changes may be ?
Dunno, sorry.skamasle wrote:So its posible some of my scripts dont working ( cpanel importer )
Can I test your new versión ? maybe be a betatester ?
It's needs to test, but don't think so.
Sorry, there no beta-testers yet, we think about beta-practice, but a bit later.
Re: Vesta XSS at logs
Ok dont worry, I wait new version :D