Comments
I would recommend switching to a different panel or just using the shell without a panel.
Been poking around for an hour or so trying to produce something workable from the /api/index.php endpoint and can't really get anywhere, so I'm not entirely sure what the point of attack was.
Short answer:
Version 20 secured the API endpoint.
However, no direct attack was seen or logged. It was based on a guess that that was the issue.
Still suggested to keep the control panel off the internet currently.
Patched or not, you will see above that Patrick located at least another 3 vulnerabilities that could lead to root compromise, so you should keep VestaCP down until VestaCP patches them.
Thanks for taking the time to dig through the panel. Keep us posted if you hear anything back.
Unfortunately, I haven't seen any security-related commits on the VestaCP GitHub since you commented here... https://github.com/serghey-rodin/vesta/commits/master
Smells of a conspiracy by commercial competitors against VestaCP.
Freed up some time to take a closer look; definitely don't use it for the time being. E.g. it seems they forgot that their change-password functionality is just as vulnerable as their login functionality once was. Though this can only be exploited once logged in, in a shared hosting environment this is still extremely bad and easy root access.
No one smells it except you though and we're on page 5 already.
What is fucking wrong with you? Grow up...
Ah yes, how were we so blind as not to see the truth that was right in front of us? It's all so clear now... cPanel and Plesk, on the brink of bankruptcy due to a lack of clients, have formed a coalition to take down the giant that is VestaCP. Wake the hell up people! #resist
I did not say anything for cPanel or Plesk. Don't use auto assumption™.
Well, the patch was just a guess.
As long as they haven't found the cause, keep it offline.
The attacker won't be that stupid; they'll wait a while and go on the hunt again.
This sounds like reactive security - just patching problems that have been found when they're found, and never reevaluating the approach that led to those problems in the first place, nor reviewing other code proactively.
I'd recommend staying away from anything that has that policy, open-source or otherwise. It's just going to be an endless fountain of security issues. No matter how many of them get fixed, new ones will be introduced faster than the old ones can get found and patched.
(This applies more broadly to any software where the same kind of issues are repeatedly found.)
Isn't AutoBoot powered by that?
Honestly, I cannot find a point of attack in the API endpoint. Yes, it was passing unfiltered input to a shell script, but it was loaded via a file and not passed directly, so I'm really not sure that was the point of attack.
OT: Sounds a lot like the Orange West Wing.
Anyone suggesting or contributing to security or bugs should kindly send mail to [email protected]. It is the mailing list for the core developers. That way, at least, they will get the email and will patch flaws ASAP.
So please send them to
[email protected]
Have you gotten any response from the dev team as confirmation that they have seen your email?
@mehargags confirmed to me awhile back that they did receive it.
Is it safe to use VestaCP now?
Given the attitude to implementing security patches, I'd avoid it.
Sad, just sad... VestaCP like zPanel.
I have changed the 8083 port and updated.
Probably just as safe as it was a month ago.
Set up the admin port to only respond to localhost, and use SSH tunnels to connect to it. Or set up a proxy and block all other IPs from accessing it.
Currently there is word of at least 3 root-level compromises in it. Not patched yet.
Thanks for that piece of advice. I will possibly try that when I have time; that would be an opportunity for me to learn new things. I don't use VestaCP and I was supposed to try it, but then the exploit happened.
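The loopback-plus-tunnel and allow-listed-proxy setups suggested above, as an added example that is not from the thread or from VestaCP itself. It assumes the panel still listens on the thread's port 8083, that iptables and nginx are available, and it only emits the rules and config rather than applying them, so it is safe to run anywhere; the host and IP values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not VestaCP code): keep the admin port off the internet.
# Assumption: the panel listens on 8083; override with ADMIN_PORT=... if not.
ADMIN_PORT="${ADMIN_PORT:-8083}"

# Validate an IPv4 address or CIDR before it goes into an allow rule, so a
# typo such as "0.0.0.0/0;" never turns into an accidental open proxy.
is_ipv4_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Firewall: accept the admin port from loopback only, drop everything else.
# Emits the commands; pipe through "sh" as root to apply.
firewall_rules() {
    printf '%s\n' \
      "iptables -A INPUT -i lo -p tcp --dport $ADMIN_PORT -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport $ADMIN_PORT -j DROP"
}

# Proxy option: nginx server block with an IP allow list in front of the
# panel (nginx connects to the panel over loopback, which the firewall allows).
# Usage: proxy_config panel.example.com 203.0.113.10 198.51.100.0/24
proxy_config() {
    host=$1; shift
    echo "server {"
    echo "    listen 443 ssl;"
    echo "    server_name $host;"
    for a in "$@"; do
        is_ipv4_cidr "$a" || { echo "bad allow entry: $a" >&2; return 1; }
        echo "    allow $a;"
    done
    echo "    deny all;"
    echo "    location / {"
    echo "        proxy_pass https://127.0.0.1:$ADMIN_PORT;"
    echo "    }"
    echo "}"
}

# Tunnel option: forward a local port to the server's loopback-only panel,
# then browse to https://127.0.0.1:8083 on the workstation.
tunnel_command() {
    echo "ssh -N -L $ADMIN_PORT:127.0.0.1:$ADMIN_PORT $1"
}

# Stand-alone run prints all three pieces for a constructed host and allow list.
if [ "${1:-}" = "demo" ]; then
    firewall_rules
    proxy_config panel.example.com 203.0.113.10 198.51.100.0/24
    tunnel_command admin@203.0.113.5
fi
```

Usage note: `sh script.sh demo` prints the rules, the nginx block and the ssh command. The firewall rules alone are enough for the tunnel option; the proxy option additionally needs the nginx block installed and TLS configured for it.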
Thanks. I set up a proxy a while ago as well just to be safe. Surprised they haven't fixed things by now.
Hello, my website at times gives the 502 Bad Gateway nginx error; could this attack be causing that on my website?
No. Why do you think so?
I know... I am bumping a thread... However, the update is live.