Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


VestaCP hit with zeroday exploit [May 19 Security Update] - Page 7
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

VestaCP hit with zeroday exploit [May 19 Security Update]

15791011

Comments

  • solairesolaire Member
    edited April 2018

    akb said: Is it just a coincidence that two of the most stable panels, one free (webmin/virtualmin) and other commercial (cpanel) are both perl based? :-)

    Yes, I'd say so. Programming language is rarely, if ever, related to stability and security, that's all in the hands of the engineer (apart from exploits that are related to e.g. JVM or the PHP process itself).

    However, I do agree that programming languages that tend to more or less enforce a standard are more commonly used by capable engineers and therefore likely less prone to issues on a larger scale (e.g. C/C++/Golang/Perl). PHP enforces basically nothing, and you can do whatever you want without running into a lot of issues during compilation. That's great for some purposes, but to my experience so far, too many people that program in PHP have no clue as to what they're actually programming, they just copy/paste a bunch of snippets that use different standards and call it a program. Same for JavaScript and all the NodeJS crap that pops up nowadays.

    That said, I quickly skimmed through the VestaCP source. It truly saddens me to see that they use "escapeshellarg" to escape $_SERVER['REMOTE_ADDR'], which holds the clients IP address and is set by the webserver (and therefore is safe as it is not user input). But at the same time they do not call the same function over a $_POST variable that does hold user input (in this presumed exploit, the password) but rather pass it to /bin/bash with root privileges. I guess I'm switching to a different panel, I like the simplicity of Vesta, but it comes at a cost apparently.

  • angstromangstrom Moderator
    edited April 2018

    @akb said:

    sin said: I would personally stick with Webmin/Virtualmin (mainly because they've been around for a long time and regularly update/maintain the project).

    Is it just a coincidence that two of the most stable panels, one free (webmin/virtualmin) and other commercial (cpanel) are both perl based? :-)

    Probably has more to do with how Vesta was written (the actual PHP code) than with the language per se. But it may also be true that PHP applications are more often targeted nowadays than Perl applications.

  • HxxxHxxx Member
    edited April 2018

    Yikes, dump that shit, is not worth. At least you were smart enough to inspect the code and determine it sucks. Can't say the same for some of the clueless people in this thread.

    @solaire said:

    akb said: Is it just a coincidence that two of the most stable panels, one free (webmin/virtualmin) and other commercial (cpanel) are both perl based? :-)

    Yes, I'd say so. Programming language is rarely, if ever, related to stability and security, that's all in the hands of the engineer (apart from exploits that are related to e.g. JVM or the PHP process itself).

    However, I do agree that programming languages that tend to more or less enforce a standard are more commonly used by capable engineers and therefore likely less prone to issues on a larger scale (e.g. C/C++/Golang/Perl). PHP enforces basically nothing, and you can do whatever you want without running into a lot of issues during compilation. That's great for some purposes, but to my experience so far, too many people that program in PHP have no clue as to what they're actually programming, they just copy/paste a bunch of snippets that use different standards and call it a program. Same for JavaScript and all the NodeJS crap that pops up nowadays.

    That said, I quickly skimmed through the VestaCP source. It truly saddens me to see that they use "escapeshellarg" to escape $_SERVER['REMOTE_ADDR'], which holds the clients IP address and is set by the webserver (and therefore is safe as it is not user input). But at the same time they do not call the same function over a $_POST variable that does hold user input (in this presumed exploit, the password) but rather pass it to /bin/bash with root privileges. I guess I'm switching to a different panel, I like the simplicity of Vesta, but it comes at a cost apparently.

  • jarjar Patron Provider, Top Host, Veteran

    @angstrom said:

    @akb said:

    sin said: I would personally stick with Webmin/Virtualmin (mainly because they've been around for a long time and regularly update/maintain the project).

    Is it just a coincidence that two of the most stable panels, one free (webmin/virtualmin) and other commercial (cpanel) are both perl based? :-)

    Probably has more to do with how Vesta was written (the actual PHP code) than with the language per se. But it may also be true that PHP applications are more often targeted nowadays than Perl applications.

    I just assumed same reason cPanel was never copied, despite having fully available source code (copyright never bothered that many people). No one can read perl :P

    Thanked by 2Francisco vimalware
  • cpsdcpsd Member

    Oh I read this thread too late. I was affected three or four days ago and I couldn't find the problem :D. I thought I couldn't secure the system enough.

  • angstromangstrom Moderator

    @jarland said:

    @angstrom said:

    @akb said:

    sin said: I would personally stick with Webmin/Virtualmin (mainly because they've been around for a long time and regularly update/maintain the project).

    Is it just a coincidence that two of the most stable panels, one free (webmin/virtualmin) and other commercial (cpanel) are both perl based? :-)

    Probably has more to do with how Vesta was written (the actual PHP code) than with the language per se. But it may also be true that PHP applications are more often targeted nowadays than Perl applications.

    I just assumed same reason cPanel was never copied, despite having fully available source code (copyright never bothered that many people). No one can read perl :P

    Yeah, that's interesting.

    In any case, PHP is much more a go-to language for web applications than Perl ever was.

    At the same time, I'll admit that I've always kind of liked webmin/usermin/virtualmin (when I've wanted to install a panel).

  • @deanhills said:
    Thank you for the feedback and the note about the infection migrating. I'm worried that if I should use SSH when I access my system to shut the panel down, I may trigger an infection that is already there but dormant, waiting for me to access the system at the root level. Is that logically possible? If it is as serious as you say it is, wouldn't it be better to reload the OS and start from scratch without VestaCP?

    I would not be worried about using SSH as no one has noticed any triggered events to date. I would however download clam av, run a freshclam on it to update, and scan the whole server.

    If you are unaffected, I would not do a reload or do anything else except turn the panel off and run the av scan. Wait a couple of weeks to let them sort it all out. Some level of patience is in order. And, while the Vesta team needs to put an obvious priority on security, the truth is a zero day could happen to almost any project.

    Thanked by 2Shazan deanhills
  • For all the perl hype do realize that Webmin, Usermin, and Webmin all have had security exploits. Perl doesn't instantly fix your security.

    PHP is a great tool, in the right hands.
    Perl is a great tool, in the right hands.
    Javascript is a great tool, in the right hands.

    You can create a security exploit on; PHP, Perl, Javascript, and all the others to. It comes down to how you write your code.

    Thanked by 3Shazan PremiumN iKeyZ
  • rafaelscsrafaelscs Member
    edited April 2018

    i trust they will find the problem and solve it and life will continue...
    and come on other bugs like any software

    do I have to stop using windows if I caught virus in it one day?

  • HxxxHxxx Member

    Well I mean it depends. Have a look at the code. I would recommend to avoid any panel if you dont really depend on it. If you truly need a panel, go with cPanel for sure. At least they apply patches proactively and also compensate security researchers which is good for the product.

  • @rafaelscs said:

    do I have to stop using windows if I caught virus in it one day?

    Yes, pen and paper are better!

  • Wow, VestaCP is so bad. I mean, so, so, so bad.

    I have already found several root level exploits in LITERALLY less than 15 minutes and I'm typing with one hand while I eat with the other lol.

    I'm making a list of everything, I'll send off to their developers at some point...

  • MikePTMikePT Veteran

    @Patrick!!!! Didn't know you were here <3 (MrGeneral here!).

    You guys spent time with this? How can they afford? :P

  • @SecNinja said:
    Wow, VestaCP is so bad. I mean, so, so, so bad.

    I have already found several root level exploits in LITERALLY less than 15 minutes and I'm typing with one hand while I eat with the other lol.

    I'm making a list of everything, I'll send off to their developers at some point...

    Thank you so much for your input.

    Based on your experience. Which panel would your prefer ( other than cpanel / plesk )
    I understand that having no panel at all is the better option.

  • nepsneps Member

    @psycholyzern said:
    Someone said to me, "The best control panel is no control panel".

    Amen.

  • RazzaRazza Member
    edited April 2018

    MikePT said: You guys spent time with this? How can they afford?

    They might be just reviewed the code of Vesta on their own accord, I doubt Vesta dev team got the money to get someone else to audit there code for security issue but I might be wrong.

    Thanked by 1MikePT
  • CrossBoxCrossBox Member, Patron Provider

    @neps said:

    @psycholyzern said:
    Someone said to me, "The best control panel is no control panel".

    Amen.

    Even though you don't use a control panel, you still use at least 10 services like exim, dovecot, nginx, etc... and even more libraries. A critical bug in any of these will also make you as vulnerable as any other control panel.

    Control panels just make more room for exploits, especially open sourced ones.

  • joepie91joepie91 Member, Patron Provider
    edited April 2018

    solaire said: Yes, I'd say so. Programming language is rarely, if ever, related to stability and security, that's all in the hands of the engineer (apart from exploits that are related to e.g. JVM or the PHP process itself).

    This is a completely wrong yet frustratingly common belief. The design of a language and its standard library absolutely do play a significant role in the security of the code that is produced with it. Yes, competence of the developer is also a factor, but not the only one.

    Simply put: the less footguns there are in a language, the more secure the resulting code will be on average - because every developer makes mistakes, regardless of their competence.

    solaire said: However, I do agree that programming languages that tend to more or less enforce a standard are more commonly used by capable engineers and therefore likely less prone to issues on a larger scale (e.g. C/C++/Golang/Perl).

    C and C++ software are notorious for memory-related vulnerabilities, and that remains one of the top vulnerability categories (if not the most common one). It's definitely not 'less prone to issues on a larger scale', it's just a different category of issues from the 'web-based vulnerabilities' that people commonly think of. Neither of these languages are likely to produce secure code.

    (Perl is a more complicated topic. Go is mostly fine from that perspective.)

  • CrossBox said: Control panels just make more room for exploits, especially open sourced ones

    Free but closed-source control panel maintained by single person could be a disaster

  • joepie91joepie91 Member, Patron Provider

    CrossBox said: Control panels just make more room for exploits, especially open sourced ones.

    Why "especially open sourced ones"?

  • deankdeank Member, Troll

    What we need is L(ow)E(nd) panel, an open source control panel by LET.

  • @CrossBox said:

    @neps said:

    @psycholyzern said:
    Someone said to me, "The best control panel is no control panel".

    Amen.

    Even though you don't use a control panel, you still use at least 10 services like exim, dovecot, nginx, etc... and even more libraries. A critical bug in any of these will also make you as vulnerable as any other control panel.

    Control panels just make more room for exploits, especially open sourced ones.

    When has nginx, php-fpm, or mariadb ever been the direct cause of a root exploit?

    Outside of server admin stupidity.

  • deankdeank Member, Troll

    And stupidity is aplenty.

  • I really don't want to move to an enitrely different control panel, but I like the ease of Let's Encrypt setup.

    Is there any good suggestions on an open source web panel with good lets encrypt support, or a paid one that is reasonable cost.

    I have gotten a bit lazier, as I used to just run bare bones.

  • @AlyssaD said:
    I really don't want to move to an enitrely different control panel, but I like the ease of Let's Encrypt setup.

    Is there any good suggestions on an open source web panel with good lets encrypt support, or a paid one that is reasonable cost.

    I have gotten a bit lazier, as I used to just run bare bones.

    Honestly, you will eventually realize a control panel just seems easier, but in the long run bare bones is easier.

    I'm lazy, and I hate panels. For various reasons, first being exploits.

  • @YokedEgg said:

    @AlyssaD said:
    I really don't want to move to an enitrely different control panel, but I like the ease of Let's Encrypt setup.

    Is there any good suggestions on an open source web panel with good lets encrypt support, or a paid one that is reasonable cost.

    I have gotten a bit lazier, as I used to just run bare bones.

    Honestly, you will eventually realize a control panel just seems easier, but in the long run bare bones is easier.

    I'm lazy, and I hate panels. For various reasons, first being exploits.

    Been there before. They add some complications, yes. However it is still a bunch loads easier with a control panel, at least for me.

  • solairesolaire Member
    edited April 2018

    AlyssaD said: Is there any good suggestions on an open source web panel with good lets encrypt support, or a paid one that is reasonable cost.

    ISPConfig might be a good fit for you, it has Let's encrypt support, out of the box since v3.1 I believe.

  • AidanAidan Member

    solaire said: Yes, I'd say so. Programming language is rarely, if ever, related to stability and security, that's all in the hands of the engineer (apart from exploits that are related to e.g. JVM or the PHP process itself).

    COBOL disagrees.

  • FHRFHR Member, Host Rep
    edited April 2018

    […] it’s possible to exploit the unsanitized, user-controlled “_uid” parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence

    Although it could theoretically be abused to place a file on the server, you can't really do anything with just IMAP commands.

Sign In or Register to comment.