VestaCP 0DAY

[dreiggy]

Here quite high 0day: https://pentest.blog/vesta-control-pane ... -analysis/

[tecob]

Here's a perfect opportunity to prove this project is still alive and responding to critical issues!
Come on!

[JuzaoftheClouds]

I really hope for a fix that'll solve this issue!

I can hide panel exposure on my personal host, but I think for who can't...

[tecob]

I think that even hiding panel exposure is not enough in this case.

If you've got a vulnerable website in your server and a malicious person installs a remote console then he will be able to modify ~/.bash_logout for example as explained here:

https://pentest.blog/vesta-control-pane ... -analysis/

then on running backup the hack is done.

Well, I think this could be possible.

[BartMan__X]

i fixed mine ... i installed virtualmin pro .... ill pay $6.00 for a maintained control panel

[exclu254]

Oh boy! This is damn bad. ;(

[ScIT]

I already pointed on github to a fix for this problem: https://github.com/serghey-rodin/vesta/ ... -600795634

[tecob]

Thanks @SciT, let's see if VestaCP developers react.

[exclu254]

I already pointed on github to a fix for this problem: https://github.com/serghey-rodin/vesta/ ... -600795634

Thanks, ScIT, that is quite fast.

[ScIT]

You maybe missunderstood me: The fix was implemented for our fork called HestiaCP and is already older than a half year. I just pointed it for the vesta devs, so they can take a look - I do not have any contact to them, also the mod status I have here should have been removed since a longer time :).

It is still the part of vesta devs, to analyze our commit and implement a fix for itself.