VestaCP - vulnerbility CVE-2020-10808
mikho
AdministratorOG
I'm late to the party but since we had a discussion last year about a major security incident involving VestaCP, I thought this was a proper topic to post.
If you haven't already secured your own installation of VestaCP, please do asap.
Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.
Keep an eye out for updates here: https://forum.vestacp.com/viewforum.php?f=25
I won't post links to blog posts about how to exploit it, I'm sure you who are interested will find them soon enough.
On a personal note, I liked VestaCP, it was a nice, simple panel that had the features that I needed for my daily web hosting (personal) business....
Today, I don't need more things giving me headaches and trouble sleeping at night.
“Technology is best when it brings people together.” – Matt Mullenweg
Comments
Try ISPConfig for personal, mate
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
@AnthonySmith "forced" me to buy a license for Runcloud, using that from now on.
“Technology is best when it brings people together.” – Matt Mullenweg
LOL and you never looked back right?
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
If I pay for something, I must find a reason to use it... else it would end up with my gym card and other electrical tools
On a serious note. Yeah, using it on two servers and planning on a third very soon.
“Technology is best when it brings people together.” – Matt Mullenweg
I guess that's cool, too
Ympker's VPN LTD Comparison, Uptime.is, Ympker's GitHub.
I can recommend Keyhelp
It's rock stable
http://keyhelp.de/en
AMD EPYC / NVMe / 10GBPs KVM in Frankfurt - https://v6node.com
Looking for an unbeatable AMD EPYC Baremetal Server in Frankfurt? Drop me a PM
How is it sir? Comparing to DA/Cpanel?
Nexus Bytes Ryzen Powered NVMe VPS | NYC|Miami|LA|London|Netherlands| Singapore|Tokyo
Storage VPS | LiteSpeed Powered Web Hosting + SSH access | Switcher Special |
Runcloud is NOT a shared hosting control panel.
It’s a single user web UI to control your server.
Install web-apps (so far, only Wordpress is available as a 1-click installer).
Handle iptables, ssh keys, file manager, backups, updates.
My main usage is as one UI for multiple servers.
“Technology is best when it brings people together.” – Matt Mullenweg
This forum runs via runcloud.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
Anything much difference comparing to Webuzor/Softacolous?
Nexus Bytes Ryzen Powered NVMe VPS | NYC|Miami|LA|London|Netherlands| Singapore|Tokyo
Storage VPS | LiteSpeed Powered Web Hosting + SSH access | Switcher Special |
Webuzo is closer to cPanel then runcloud.
Runcloud is more ”server management” then hosting panel.
The runcloud service is a cloud service and configuration is done by ssh connecting to your server and executing commands.
“Technology is best when it brings people together.” – Matt Mullenweg
Webuzo is more for single user though? Cloud hosted sounds fun. And Meant Serverly, not Softacolous. Still waking up ?.
Sorry to derail the thread.
Nexus Bytes Ryzen Powered NVMe VPS | NYC|Miami|LA|London|Netherlands| Singapore|Tokyo
Storage VPS | LiteSpeed Powered Web Hosting + SSH access | Switcher Special |
So are underpants, does not make it the same thing
There is a free tier, give it a go you will see why it is not the same.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
???
Nexus Bytes Ryzen Powered NVMe VPS | NYC|Miami|LA|London|Netherlands| Singapore|Tokyo
Storage VPS | LiteSpeed Powered Web Hosting + SSH access | Switcher Special |
Are you sure you're married?
I really wish VestaCP would finally die. About a quarter of the rooted services I have to deal with daily have something to do with VestaCP or some magical Chinese-installed-script where they're trying to get BBR magic numbers on a shared box in North Yemen.
FUCK BEZOS VESTACP.
My pronouns are like/subscribe.
Never been married
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
Shacked up, then? Eh, eh? She a goer? Know what I mean, know what I mean?
My pronouns are like/subscribe.
Note exactly industry news.
https://inceptionhosting.com
Please do not use the PM system here for Inception Hosting support issues.
My pronouns are like/subscribe.
This thread got taken over, just like VestaCP installation.
“Technology is best when it brings people together.” – Matt Mullenweg
C'mon, we're still talking about rooted boxes. It's a lateral translation.
My pronouns are like/subscribe.
Seriously.
There's so many decent hosts out there that include DA in their plans. Why bother using VestaCP?
The thing needs a top/down audit.
Francisco
If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.
Most people prefer the friendlier interface and automated scripts to set everything up for them, and don't weigh the security concerns as heavily when making this type of decision.
See Zoom vs. Cisco WebEx, GoToMeeting, or Jitsi for another example of this occurrence.
and FREE
Software is like sex: it's better when it's free.
- Linus Torvalds
... and rootable.
My pronouns are like/subscribe.
Not that good if the free sex bring you aids.> @Rahul said:
Not that good if the free sex bring you aids.
Action and Reaction in history
A better option is to use those free DirectAdmin shared hosting. I bet it with come with better user experience.
Action and Reaction in history