Vesta Control Panel - Forum

Community Forum


Security discussion

General questions about VestaCP
27 posts
ctrlpac
Posts: 4
Joined: Tue Sep 25, 2018 12:01 pm

Os: Debian 8x
Web: apache
Security discussion

Post by ctrlpac » Tue Sep 25, 2018 7:30 pm

Hello,
I'm a security engineer and a computer forensic analyst.

Since the community is frightened by the latest attack and everyone wants a solution, I'm opening this post as a discussion of security tips.

First of all, every exploit developed by unknown parties is using the badly written Web Interface. Don't you think so? I'm writing this so that all the users can understand this post. Then, if you have questions, please ask.

1. Passwords

https://github.com/serghey-rodin/vesta/ ... /index.php

VestaCP could use three algorithms: md5, sha-512 and des.

md5 (quoting "MD5 for passwords"):
Using salted md5 for passwords is a bad idea. Not because of MD5's cryptographic weaknesses, but because it's fast. This means that an attacker can try billions of candidate passwords per second on a single GPU.

What you should use are deliberately slow hash constructions, such as scrypt, bcrypt and PBKDF2. Simple salted SHA-2 is not good enough because, like most general purpose hashes, it's fast. Check out "How to securely hash passwords?" for details on what you should use.

sha-512:
https://blog.mozilla.org/security/2011/ ... ot-enough/

des

Please, VestaCP team, see this well-written post about "How to securely hash passwords": https://security.stackexchange.com/ques ... -passwords

Why should we worry about "issues" in the code when it's really simple to guess your passwords by brute-forcing?

2. Bad and redundant code

A lot of redundant code was written using PHP. Example:

Code:

	if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
	    $v_user = escapeshellarg($_POST['user']);
	    $user = $_POST['user'];
	    $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
	    exec ($cmd." ".$v_user." json", $output, $return_var);
	    ...
	    ...


That could be rewritten to:

Code:

	// Suggestion: sanitize!
	// Check emptiness on the raw values: escapeshellarg('') returns "''",
	// which is never empty(), so the check has to run before escaping.
	$raw_user = $_POST['user'] ?? '';
	$raw_code = $_POST['code'] ?? '';
	if ((!empty($raw_user)) && (empty($raw_code))) {
	    // Escape only the value that actually reaches the shell
	    $user = escapeshellarg($raw_user);
	    $cmd = "/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
	    exec($cmd . " " . $user . " json", $output, $return_var);
	    ...
	    ...

3. Conclusion

Some time ago, I wanted to contribute to the development of VestaCP. It could become a great product, but THERE MUST BE a professional software engineer who can check for any code redundancy and for potential OS command or SQL injection.

I would recommend switching to another platform as soon as the VestaCP team could REALLY rewrite the entire Web interface.

Cheers,

Ctrlpac
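The password-hashing point from section 1, as an added example that is not from the original post or from VestaCP's code: legacy crypt()-style hashes of the three kinds named (des, md5, sha-512) are still verified, and each is replaced by a bcrypt hash on the next successful login. The user table and its hashes are constructed inline.

```php
<?php
// Added example (not VestaCP code): verify legacy crypt() hashes and
// upgrade them to bcrypt via password_hash() after a successful login.
declare(strict_types=1);

// Hypothetical storage: username => stored hash. Hashes are constructed
// with crypt() at runtime so the example runs offline.
$users = [
    'alice' => crypt('correct horse', '$1$saltsalt$'),          // md5-crypt
    'bob'   => crypt('battery staple', '$6$rounds=5000$salt$'), // sha512-crypt
    'carol' => crypt('tr0ub4dor', 'ab'),                        // traditional DES
];

function isLegacyHash(string $hash): bool
{
    // password_get_info() reports 'unknown' for anything password_hash()
    // did not produce; crypt()'s md5, sha-512 and DES outputs all do.
    return password_get_info($hash)['algoName'] === 'unknown';
}

function verifyPassword(string $password, string $stored): bool
{
    if (isLegacyHash($stored)) {
        // crypt() re-derives using the salt embedded in $stored;
        // hash_equals() keeps the comparison constant-time.
        return hash_equals($stored, crypt($password, $stored));
    }
    return password_verify($password, $stored);
}

function loginAndUpgrade(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !verifyPassword($password, $users[$name])) {
        return false;
    }
    // bcrypt is deliberately slow, unlike md5. password_needs_rehash()
    // is true for any legacy hash and for bcrypt below the chosen cost.
    $opts = ['cost' => 12];
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, $opts)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, $opts);
    }
    return true;
}

// Demonstration: alice logs in and her md5-crypt hash is replaced by bcrypt;
// a wrong password for bob leaves his hash untouched.
loginAndUpgrade($users, 'alice', 'correct horse');
var_dump(isLegacyHash($users['alice']));
var_dump(loginAndUpgrade($users, 'bob', 'wrong'));
```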
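The exec() handling from section 2, as an added hardened version that is not VestaCP's code: the user name is checked against a strict allowlist before it is escaped and handed to the binary the post quotes. The regex policy, the handler shape and the sample inputs are assumptions constructed for this example.

```php
<?php
// Added example (not VestaCP code): allowlist the account name before it
// ever reaches exec(); escapeshellarg() then only quotes an already-valid
// value instead of being the single line of defence.
declare(strict_types=1);

function validUsername(string $name): bool
{
    // Assumed policy (not from the page): lowercase letter first, then
    // letters, digits, '_' or '-', 1..32 characters in total.
    return (bool) preg_match('/\A[a-z][a-z0-9_-]{0,31}\z/', $name);
}

// Builds the command the panel would run, or null when the input is rejected.
// The binary path is the one quoted in the post.
function buildListUserCmd(string $rawUser): ?string
{
    if (!validUsername($rawUser)) {
        return null;
    }
    $bin = '/usr/bin/sudo /usr/local/vesta/bin/v-list-user';
    return $bin . ' ' . escapeshellarg($rawUser) . ' json';
}

// Handler mirroring the post's snippet: test the raw POST values first,
// because escapeshellarg('') returns "''" and empty() would never fire on it.
function handleListUser(array $post): array
{
    $user = $post['user'] ?? '';
    $code = $post['code'] ?? '';
    if ($user === '' || $code !== '') {
        return ['ok' => false, 'error' => 'bad request'];
    }
    $cmd = buildListUserCmd($user);
    if ($cmd === null) {
        return ['ok' => false, 'error' => 'invalid user name'];
    }
    exec($cmd, $output, $rc);   // sudo rule and binary assumed to exist
    return ['ok' => $rc === 0, 'output' => implode("\n", $output)];
}

// Constructed inputs: accepted, rejected for shape, rejected for length.
var_dump(buildListUserCmd('web_user-1'));
var_dump(buildListUserCmd('Web User'));
var_dump(buildListUserCmd(str_repeat('a', 33)));
```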

Maverick87Shaka
Posts: 4
Joined: Tue Aug 07, 2018 9:37 am

Os: Debian 8x
Web: nginx + php-fpm
Re: Security discussion

Post by Maverick87Shaka » Tue Sep 25, 2018 10:33 pm

After the last breach, I'll switch to another panel for sure, or maybe go back to doing all my stuff manually like I did before trying vestacp.

agus
Posts: 10
Joined: Fri Aug 18, 2017 2:59 am

Os: CentOS 6x
Web: apache + nginx
Re: Security discussion

Post by agus » Sun Oct 07, 2018 7:52 am

what platform?

cheapest

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: Security discussion

Post by ScIT » Sun Oct 07, 2018 12:48 pm

agus wrote (Sun Oct 07, 2018 7:52 am):
> what platform?
>
> cheapest

Also checked from my side; in fact I'm only a mod, not a dev. ispconfig or virtualmin seem to be the most discussed panels here on the board. The problem is that they are too complicated; vesta is (or maybe was?) one of the best control panels I ever worked with: light, easy, nice caching function.

alexcy
Posts: 256
Joined: Sun Jun 01, 2014 11:24 pm

Os: Ubuntu 15x
Web: nginx + php-fpm
Re: Security discussion

Post by alexcy » Sun Oct 07, 2018 6:05 pm

Vesta is/was the best panel ever. The single absolute best. It's a shame to end like this.

Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: Security discussion

Post by Spheerys » Sun Oct 07, 2018 6:27 pm

Maybe a new dev team could fork the original project if the main devs don't answer?

alexcy
Posts: 256
Joined: Sun Jun 01, 2014 11:24 pm

Os: Ubuntu 15x
Web: nginx + php-fpm
Re: Security discussion

Post by alexcy » Mon Oct 08, 2018 8:25 am

As far as I know nobody declared interest to fork/takeover.

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: Security discussion

Post by ScIT » Mon Oct 08, 2018 8:29 am

alexcy wrote (Mon Oct 08, 2018 8:25 am):
> As far as I know nobody declared interest to fork/takeover.

We're working atm to get enough people together to create a fork of vesta. The problem is that we can't find enough devs; we are also working to find the security issue. But we aren't anyone from the core team, we just try to fight for vesta to keep it alive.

alexcy
Posts: 256
Joined: Sun Jun 01, 2014 11:24 pm

Os: Ubuntu 15x
Web: nginx + php-fpm
Re: Security discussion

Post by alexcy » Mon Oct 08, 2018 8:34 am

Since you are somehow closer to the team than most of us, can we somehow get a word from Serghey?

Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: Security discussion

Post by Spheerys » Mon Oct 08, 2018 8:44 am

Thanks ScIT!

