We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Security discussion
Re: Security discussion
@imperio make an answer here.
The project is not dead \o/
Re: Security discussion
Yes, I have seen it already - that's really good news!!! Let's keep Vesta alive - I don't want to work without it!
Re: Security discussion
Very good news!
Re: Security discussion
I really agree with you @ctrlpac
I think that VestaCP could use password_hash and password_verify instead of md5, sha-512 and DES as well. The code could be cleaner than it is now, and maybe it could be faster too.
I think the web interface needs to be refactored completely. Why use one folder for every URL? Never heard of URL rewriting? So I guess the PHP needs to be taken out of the front-end, by using a PHP framework or something else.
The team needs to be open to getting help from us, and maybe Vesta will grow in time...
Re: Security discussion
Could you explain why this is not safe?

ctrlpac wrote (Tue Sep 25, 2018 7:30 pm):
    A lot of redundant code was written using PHP. Example:

    Code:
    if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
        $v_user = escapeshellarg($_POST['user']);
        $user = $_POST['user'];
        $cmd = "/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
        exec($cmd . " " . $v_user . " json", $output, $return_var);
        ...
        ...
Re: Security discussion
No escape for user input on the line:

R_O wrote (Wed Apr 03, 2019 1:44 am):
    Could you explain why this is not safe?

    ctrlpac wrote (Tue Sep 25, 2018 7:30 pm):
        A lot of redundant code was written using PHP. Example:

        Code:
        if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
            $v_user = escapeshellarg($_POST['user']);
            $user = $_POST['user'];
            $cmd = "/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
            exec($cmd . " " . $v_user . " json", $output, $return_var);
            ...
            ...

Code:
$user = $_POST['user'];
Re: Security discussion
Code:
if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
...
...
Yes, I missed the 'user' assignment, but regarding the 'if', forgive my ignorance, but is there a vulnerability in the "empty" command? The manual says it is just a Boolean for any validation since PHP 5.5. How can this affect the process if you sanitise the content right after you know that it exists?
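A hardened version of the quoted handler, added here as an example and not VestaCP's own code: the sudo path and the v-list-user script name are taken from the thread, while the allowlist pattern, the function names and the proc_open argument form are my own assumptions. It shows why empty() is not the problem and why the raw $user copy is.

```php
<?php
// Added example, not VestaCP code: the quoted handler keeps two copies of
// the POSTed username, one shell-escaped ($v_user) and one raw ($user).
// escapeshellarg() only protects the exec() argument; the raw copy is
// unprotected wherever it is used later, and empty() is only a presence
// check, not validation. Here the name is validated once against a strict
// allowlist and every later use derives from that validated value.

// Assumed allowlist for usernames (not taken from the project).
const USERNAME_PATTERN = '/^[a-z][a-z0-9_-]{0,31}$/';

// Return the validated username, or null so the caller can reject the
// request without echoing the input back.
function validate_username($raw): ?string {
    if (!is_string($raw) || $raw === '') { return null; } // the empty() case
    return preg_match(USERNAME_PATTERN, $raw) === 1 ? $raw : null;
}

// Argument array for proc_open() (array form, PHP >= 7.4): no shell is
// involved, so no quoting is needed. Path and script name come from the thread.
function build_list_user_argv(string $user): array {
    return ['/usr/bin/sudo', '/usr/local/vesta/bin/v-list-user', $user, 'json'];
}

// Equivalent exec() command string, where escapeshellarg() is still correct.
function build_list_user_cmd(string $user): string {
    return '/usr/bin/sudo /usr/local/vesta/bin/v-list-user '
        . escapeshellarg($user) . ' json';
}

// Handle the request: validation happens once, before either use.
function handle_list_user(array $post): array {
    $user = validate_username($post['user'] ?? null);
    if ($user === null || !empty($post['code'])) {
        return ['status' => 400, 'body' => 'invalid request'];
    }
    // Stand-in for the real exec()/proc_open() call: only the argv is shown.
    $argv = build_list_user_argv($user);
    // The same validated $user is the only value that reaches HTML output.
    $html = '<h1>' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8') . '</h1>';
    return ['status' => 200, 'argv' => $argv,
            'cmd' => build_list_user_cmd($user), 'body' => $html];
}

// Constructed sample inputs: a valid name, and one with a space and HTML
// metacharacters that the allowlist rejects before any use.
var_dump(handle_list_user(['user' => 'admin']));
var_dump(handle_list_user(['user' => 'bad user<b>']));
```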