VestaCP - vulnerbility CVE-2020-10808

mikhomikho AdministratorOG

I'm late to the party but since we had a discussion last year about a major security incident involving VestaCP, I thought this was a proper topic to post.

If you haven't already secured your own installation of VestaCP, please do asap.

Vesta Control Panel (VestaCP) through 0.9.8-26 allows Command Injection via the schedule/backup Backup Listing Endpoint. The attacker must be able to create a crafted filename on the server, as demonstrated by an FTP session that renames .bash_logout to a .bash_logout' substring followed by shell metacharacters.

Keep an eye out for updates here: https://forum.vestacp.com/viewforum.php?f=25

I won't post links to blog posts about how to exploit it, I'm sure you who are interested will find them soon enough.

On a personal note, I liked VestaCP, it was a nice, simple panel that had the features that I needed for my daily web hosting (personal) business....

Today, I don't need more things giving me headaches and trouble sleeping at night.

Thanked by (2)g4m3r Asim

“Technology is best when it brings people together.” – Matt Mullenweg

Tagged:

Comments

  • YmpkerYmpker OGContent Writer

    Try ISPConfig for personal, mate ;)

  • mikhomikho AdministratorOG

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    Thanked by (2)InceptionHosting Ympker

    “Technology is best when it brings people together.” – Matt Mullenweg

  • InceptionHostingInceptionHosting Hosting ProviderOG

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    LOL and you never looked back right?

    Thanked by (1)Ympker

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • mikhomikho AdministratorOG

    @AnthonySmith said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    LOL and you never looked back right?

    If I pay for something, I must find a reason to use it... else it would end up with my gym card and other electrical tools :)

    On a serious note. Yeah, using it on two servers and planning on a third very soon.

    “Technology is best when it brings people together.” – Matt Mullenweg

  • YmpkerYmpker OGContent Writer

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    I guess that's cool, too :)

  • iandkiandk Hosting ProviderOG

    I can recommend Keyhelp
    It's rock stable
    http://keyhelp.de/en

    Thanked by (2)Ympker g4m3r

    AMD EPYC / NVMe / 10GBPs KVM in Frankfurt - https://v6node.com
    Looking for an unbeatable AMD EPYC Baremetal Server in Frankfurt? Drop me a PM

  • @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

  • mikhomikho AdministratorOG

    @seriesn said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

    Runcloud is NOT a shared hosting control panel.

    It’s a single user web UI to control your server.
    Install web-apps (so far, only Wordpress is available as a 1-click installer).
    Handle iptables, ssh keys, file manager, backups, updates.

    My main usage is as one UI for multiple servers.

    Thanked by (1)seriesn

    “Technology is best when it brings people together.” – Matt Mullenweg

  • InceptionHostingInceptionHosting Hosting ProviderOG

    This forum runs via runcloud.

    Thanked by (1)seriesn

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • @mikho said:

    @seriesn said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

    Runcloud is NOT a shared hosting control panel.

    It’s a single user web UI to control your server.
    Install web-apps (so far, only Wordpress is available as a 1-click installer).
    Handle iptables, ssh keys, file manager, backups, updates.

    My main usage is as one UI for multiple servers.

    Anything much difference comparing to Webuzor/Softacolous?

  • mikhomikho AdministratorOG

    @seriesn said:

    @mikho said:

    @seriesn said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

    Runcloud is NOT a shared hosting control panel.

    It’s a single user web UI to control your server.
    Install web-apps (so far, only Wordpress is available as a 1-click installer).
    Handle iptables, ssh keys, file manager, backups, updates.

    My main usage is as one UI for multiple servers.

    Anything much difference comparing to Webuzor/Softacolous?

    Webuzo is closer to cPanel then runcloud.
    Runcloud is more ”server management” then hosting panel.

    The runcloud service is a cloud service and configuration is done by ssh connecting to your server and executing commands.

    “Technology is best when it brings people together.” – Matt Mullenweg

  • @mikho said:

    @seriesn said:

    @mikho said:

    @seriesn said:

    @mikho said:

    @Ympker said:
    Try ISPConfig for personal, mate ;)

    @AnthonySmith "forced" me to buy a license for Runcloud, using that from now on. ;)

    How is it sir? Comparing to DA/Cpanel?

    Runcloud is NOT a shared hosting control panel.

    It’s a single user web UI to control your server.
    Install web-apps (so far, only Wordpress is available as a 1-click installer).
    Handle iptables, ssh keys, file manager, backups, updates.

    My main usage is as one UI for multiple servers.

    Anything much difference comparing to Webuzor/Softacolous?

    Webuzo is closer to cPanel then runcloud.
    Runcloud is more ”server management” then hosting panel.

    The runcloud service is a cloud service and configuration is done by ssh connecting to your server and executing commands.

    Webuzo is more for single user though? Cloud hosted sounds fun. And Meant Serverly, not Softacolous. Still waking up ?.

    Sorry to derail the thread.

  • InceptionHostingInceptionHosting Hosting ProviderOG

    @seriesn said: Webuzo is more for single user though? Cloud hosted sounds fun. And Meant Serverly, not Softacolous. Still waking up ?.

    Sorry to derail the thread.

    So are underpants, does not make it the same thing :)

    There is a free tier, give it a go you will see why it is not the same.

    Thanked by (2)seriesn mikho

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • @AnthonySmith said:

    @seriesn said: Webuzo is more for single user though? Cloud hosted sounds fun. And Meant Serverly, not Softacolous. Still waking up ?.

    Sorry to derail the thread.

    So are underpants, does not make it the same thing :)

    ???

  • @AnthonySmith said:
    So are underpants, does not make it the same thing :)

    Are you sure you're married?

    I really wish VestaCP would finally die. About a quarter of the rooted services I have to deal with daily have something to do with VestaCP or some magical Chinese-installed-script where they're trying to get BBR magic numbers on a shared box in North Yemen.

    FUCK BEZOS VESTACP.

    My pronouns are like/subscribe.

  • InceptionHostingInceptionHosting Hosting ProviderOG

    @WSS said: Are you sure you're married?

    Never been married :)

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • @AnthonySmith said:

    @WSS said: Are you sure you're married?

    Never been married :)

    Shacked up, then? Eh, eh? She a goer? Know what I mean, know what I mean?

    Thanked by (1)bikegremlin

    My pronouns are like/subscribe.

  • InceptionHostingInceptionHosting Hosting ProviderOG

    @WSS said:

    @AnthonySmith said:

    @WSS said: Are you sure you're married?

    Never been married :)

    Shacked up, then? Eh, eh? She a goer? Know what I mean, know what I mean?

    Note exactly industry news.

    https://inceptionhosting.com
    Please do not use the PM system here for Inception Hosting support issues.

  • @AnthonySmith said:

    @WSS said:

    @AnthonySmith said:

    @WSS said: Are you sure you're married?

    Never been married :)

    Shacked up, then? Eh, eh? She a goer? Know what I mean, know what I mean?

    Note exactly industry news.

    Thanked by (1)bikegremlin

    My pronouns are like/subscribe.

  • mikhomikho AdministratorOG

    This thread got taken over, just like VestaCP installation.

    “Technology is best when it brings people together.” – Matt Mullenweg

  • C'mon, we're still talking about rooted boxes. It's a lateral translation.

    My pronouns are like/subscribe.

  • FranciscoFrancisco Hosting ProviderOG

    Seriously.

    There's so many decent hosts out there that include DA in their plans. Why bother using VestaCP?

    The thing needs a top/down audit.

    Francisco

  • @Francisco said:
    Seriously.

    There's so many decent hosts out there that include DA in their plans. Why bother using VestaCP?

    The thing needs a top/down audit.

    Francisco

    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    Most people prefer the friendlier interface and automated scripts to set everything up for them, and don't weigh the security concerns as heavily when making this type of decision.

    See Zoom vs. Cisco WebEx, GoToMeeting, or Jitsi for another example of this occurrence.

    Thanked by (1)Abdullah
  • @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    Thanked by (2)mikho Pwner
  • RahulRahul OG
    edited April 2020

    @hey said:

    @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    Software is like sex: it's better when it's free.
    - Linus Torvalds

  • @Rahul said:

    @hey said:

    @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    Software is like sex: it's better when it's free.
    - Linus Torvalds

    ... and rootable.

    My pronouns are like/subscribe.

  • Not that good if the free sex bring you aids.> @Rahul said:

    @hey said:

    @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    Software is like sex: it's better when it's free.
    - Linus Torvalds

    Not that good if the free sex bring you aids.

    Action and Reaction in history

  • @hey said:

    @Pwner said:
    If I had to take a guess why (I messed with a number of these different panels in the past), I would say VestaCP is probably one of the easiest to install and configure, as well as having an easier interface.

    and FREE

    A better option is to use those free DirectAdmin shared hosting. I bet it with come with better user experience.

    Action and Reaction in history

Sign In or Register to comment.