VestaCP - vulnerability CVE-2020-10808

mikhomikho AdministratorOG

I'm late to the party but since we had a discussion last year about a major security incident involving VestaCP, I thought this was a proper topic to post.

If you haven't already secured your own installation of VestaCP, please do asap.

Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.

Keep an eye out for updates here: https://forum.vestacp.com/viewforum.php?f=25

I won't post links to blog posts about how to exploit it, I'm sure you who are interested will find them soon enough.

On a personal note, I liked VestaCP, it was a nice, simple panel that had the features that I needed for my daily web hosting (personal) business....

Today, I don't need more things giving me headaches and trouble sleeping at night.

“Technology is best when it brings people together.” – Matt Mullenweg

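Added example, not from the post above and not VestaCP's own code: a small Python scanner that walks a directory tree and flags filenames containing shell metacharacters (the kind of crafted name this CVE depends on), plus the quoting helper that keeps such a name inert if it ever has to appear in a command string. The sample home directory it scans is constructed in a temporary folder.

```python
import os
import re
import shlex
import tempfile
from typing import List

# Characters a POSIX shell would interpret if a filename were pasted
# unquoted into a command string. Finding them in a name is not proof of
# an attack, but it is exactly what the backup-listing bug needed.
SHELL_META = re.compile(r"[`'\"$;&|<>(){}\\\n]")


def is_suspicious_name(name: str) -> bool:
    """True if the bare filename contains a shell metacharacter."""
    return bool(SHELL_META.search(name))


def find_suspicious_names(root: str) -> List[str]:
    """Return sorted full paths (files and dirs) under root with odd names."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            if is_suspicious_name(entry):
                hits.append(os.path.join(dirpath, entry))
    return sorted(hits)


def quoted_for_shell(path: str) -> str:
    """Mitigation side: quote a path so a shell treats it as one literal.
    Passing an argument list to subprocess (no shell at all) is better still."""
    return shlex.quote(path)


def scan_constructed_tree() -> List[str]:
    """Build a throwaway home directory (constructed sample) and scan it.
    Returns paths relative to the temp root, e.g. ["user/.bash_logout';"]."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "user")
        os.makedirs(home)
        # Two normal dotfiles and one renamed the way the advisory describes.
        for name in (".bash_logout", ".bashrc", ".bash_logout';"):
            open(os.path.join(home, name), "w").close()
        return [os.path.relpath(p, tmp) for p in find_suspicious_names(tmp)]


if __name__ == "__main__":
    for hit in scan_constructed_tree():
        print("suspicious:", hit, "-> quoted:", quoted_for_shell(hit))
```

Run it against real hosting home directories by calling find_suspicious_names("/home") from a cron job and alerting on any non-empty result.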