VestaCP - vulnerbility CVE-2020-10808

mikhomikho AdministratorHosting ProviderOG

I'm late to the party but since we had a discussion last year about a major security incident involving VestaCP, I thought this was a proper topic to post.

If you haven't already secured your own installation of VestaCP, please do asap.

Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.

Keep an eye out for updates here: https://forum.vestacp.com/viewforum.php?f=25

I won't post links to blog posts about how to exploit it, I'm sure you who are interested will find them soon enough.

On a personal note, I liked VestaCP, it was a nice, simple panel that had the features that I needed for my daily web hosting (personal) business....

Today, I don't need more things giving me headaches and trouble sleeping at night.

Thanked by (2)g4m3r Asim
Tagged:

Comments

  • mikhomikho AdministratorHosting ProviderOG

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    Thanked by (2)InceptionHosting Ympker
  • InceptionHostingInceptionHosting Hosting ProviderOG

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    LOL and you never looked back right?

    Thanked by (1)Ympker

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • mikhomikho AdministratorHosting ProviderOG

    @AnthonySmith said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    LOL and you never looked back right?

    If I pay for something, I must find a reason to use it... else it would end up with my gym card and other electrical tools :)

    On a serious note. Yeah, using it on two servers and planning on a third very soon.

  • YmpkerYmpker OGContent Writer

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    I guess that's cool, too :)

  • iandkiandk Hosting ProviderOG

    I can recommend Keyhelp
    It's rock stable
    http://keyhelp.de/en

    Thanked by (2)Ympker g4m3r

    https://canvay.io - A simple webhosting platform
    https://v6node.com - Affordable IPv6 only KVMs

  • seriesnseriesn Hosting ProviderOG

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

  • mikhomikho AdministratorHosting ProviderOG

    @seriesn said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

    Runcloud is NOT a shared hosting control panel.

    It’s a single user web UI to control your server.
    Install web-apps (so far, only Wordpress is available as a 1-click installer).
    Handle iptables, ssh keys, file manager, backups, updates.

    My main usage is as one UI for multiple servers.

    Thanked by (1)seriesn
  • InceptionHostingInceptionHosting Hosting ProviderOG

    This forum runs via runcloud.

    Thanked by (1)seriesn

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • seriesnseriesn Hosting ProviderOG

    @mikho said:

    @seriesn said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

    Runcloud is NOT a shared hosting control panel.

    It’s a single user web UI to control your server.
    Install web-apps (so far, only Wordpress is available as a 1-click installer).
    Handle iptables, ssh keys, file manager, backups, updates.

    My main usage is as one UI for multiple servers.

    Anything much difference comparing to Webuzor/Softacolous?

  • mikhomikho AdministratorHosting ProviderOG

    @seriesn said:

    @mikho said:

    @seriesn said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

    Runcloud is NOT a shared hosting control panel.

    It’s a single user web UI to control your server.
    Install web-apps (so far, only Wordpress is available as a 1-click installer).
    Handle iptables, ssh keys, file manager, backups, updates.

    My main usage is as one UI for multiple servers.

    Anything much difference comparing to Webuzor/Softacolous?

    Webuzo is closer to cPanel then runcloud.
    Runcloud is more ”server management” then hosting panel.

    The runcloud service is a cloud service and configuration is done by ssh connecting to your server and executing commands.

  • seriesnseriesn Hosting ProviderOG

    @mikho said:

    @seriesn said:

    @mikho said:

    @seriesn said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

    Runcloud is NOT a shared hosting control panel.

    It’s a single user web UI to control your server.
    Install web-apps (so far, only Wordpress is available as a 1-click installer).
    Handle iptables, ssh keys, file manager, backups, updates.

    My main usage is as one UI for multiple servers.

    Anything much difference comparing to Webuzor/Softacolous?

    Webuzo is closer to cPanel then runcloud.
    Runcloud is more ”server management” then hosting panel.

    The runcloud service is a cloud service and configuration is done by ssh connecting to your server and executing commands.

    Webuzo is more for single user though? Cloud hosted sounds fun. And Meant Serverly, not Softacolous. Still waking up ?.

    Sorry to derail the thread.

  • InceptionHostingInceptionHosting Hosting ProviderOG

    @seriesn said: Webuzo is more for single user though? Cloud hosted sounds fun. And Meant Serverly, not Softacolous. Still waking up ?.

    Sorry to derail the thread.

    So are underpants, does not make it the same thing :)

    There is a free tier, give it a go you will see why it is not the same.

    Thanked by (2)seriesn mikho

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • seriesnseriesn Hosting ProviderOG

    @AnthonySmith said:

    @seriesn said: Webuzo is more for single user though? Cloud hosted sounds fun. And Meant Serverly, not Softacolous. Still waking up ?.

    Sorry to derail the thread.

    So are underpants, does not make it the same thing :)

    ???

  • WSSWSS Retired

    @AnthonySmith said:
    So are underpants, does not make it the same thing :)

    Are you sure you're married?

    I really wish VestaCP would finally die. About a quarter of the rooted services I have to deal with daily have something to do with VestaCP or some magical Chinese-installed-script where they're trying to get BBR magic numbers on a shared box in North Yemen.

    FUCK BEZOS VESTACP.

    My pronouns are asshole/asshole/asshole. I will give you the same courtesy.

  • InceptionHostingInceptionHosting Hosting ProviderOG

    @WSS said: Are you sure you're married?

    Never been married :)

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • WSSWSS Retired

    @AnthonySmith said:

    @WSS said: Are you sure you're married?

    Never been married :)

    Shacked up, then? Eh, eh? She a goer? Know what I mean, know what I mean?

    Thanked by (1)bikegremlin

    My pronouns are asshole/asshole/asshole. I will give you the same courtesy.

  • InceptionHostingInceptionHosting Hosting ProviderOG

    @WSS said:

    @AnthonySmith said:

    @WSS said: Are you sure you're married?

    Never been married :)

    Shacked up, then? Eh, eh? She a goer? Know what I mean, know what I mean?

    Note exactly industry news.

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • WSSWSS Retired

    @AnthonySmith said:

    @WSS said:

    @AnthonySmith said:

    @WSS said: Are you sure you're married?

    Never been married :)

    Shacked up, then? Eh, eh? She a goer? Know what I mean, know what I mean?

    Note exactly industry news.

    Thanked by (1)bikegremlin

    My pronouns are asshole/asshole/asshole. I will give you the same courtesy.

  • mikhomikho AdministratorHosting ProviderOG

    This thread got taken over, just like VestaCP installation.

  • WSSWSS Retired

    C'mon, we're still talking about rooted boxes. It's a lateral translation.

    My pronouns are asshole/asshole/asshole. I will give you the same courtesy.

  • FranciscoFrancisco Hosting ProviderOG

    Seriously.

    There's so many decent hosts out there that include DA in their plans. Why bother using VestaCP?

    The thing needs a top/down audit.

    Francisco

  • @Francisco said:
    Seriously.

    There's so many decent hosts out there that include DA in their plans. Why bother using VestaCP?

    The thing needs a top/down audit.

    Francisco

    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    Most people prefer the friendlier interface and automated scripts to set everything up for them, and don't weigh the security concerns as heavily when making this type of decision.

    See Zoom vs. Cisco WebEx, GoToMeeting, or Jitsi for another example of this occurrence.

    Thanked by (1)Abdullah
  • @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    Thanked by (2)mikho Pwner
  • RahulRahul OG
    edited April 2020

    @hey said:

    @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    Software is like sex: it's better when it's free.
    - Linus Torvalds

  • WSSWSS Retired

    @Rahul said:

    @hey said:

    @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    Software is like sex: it's better when it's free.
    - Linus Torvalds

    ... and rootable.

    My pronouns are asshole/asshole/asshole. I will give you the same courtesy.

  • Not that good if the free sex bring you aids.> @Rahul said:

    @hey said:

    @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    Software is like sex: it's better when it's free.
    - Linus Torvalds

    Not that good if the free sex bring you aids.

    Action and Reaction in history

  • @hey said:

    @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    A better option is to use those free DirectAdmin shared hosting. I bet it with come with better user experience.

    Action and Reaction in history

Sign In or Register to comment.

This Site is currently in maintenance mode.
Please check back here later.

→ Site Settings