Date: Wed, 21 Dec 2016 17:10:54 -0500
From: Luka Pusic <luka@...ic.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE request - Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation

Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation
Vendor Homepage: http://vestacp.com/
Software Link: https://github.com/serghey-rodin/vesta
Affected Versions: 0.9.7 up to and including 0.9.8-16

Description:
Vesta CP's default install script adds the /usr/local/vesta/bin/ directory to /etc/sudoers.d with the NOPASSWD option for the default "admin" user. All programs in the /usr/local/vesta/bin/ directory can therefore be run as root. A command injection vulnerability in the "v-get-web-domain-value" script can be exploited to run arbitrary commands and escalate from the admin user to root.

Vulnerability:
Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before being passed to bash's eval.

GitHub issue: https://github.com/serghey-rodin/vesta/issues/906
GitHub fix commit: https://github.com/serghey-rodin/vesta/commit/56182cecf414a0dd833ea3db07d589be88ca5e64

Fix:
Remove the "v-get-web-domain-value" script file, because it is no longer used.
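The pattern the advisory describes, as an added example that is not Vesta's own code and does not reproduce the real v-get-web-domain-value script: a constructed stand-in helper that takes USER DOMAIN KEY and resolves KEY by building a shell expression for eval, shown beside a hardened form that whitelists the key and reads the value textually. The record contents, the RECORD variable and both function names are assumptions made for the example; the injected payload only echoes a marker and runs as the invoking user, whereas under the NOPASSWD sudoers rule from the advisory the same text would execute as root.

```shell
#!/bin/sh
# Added example, not Vesta's code: a constructed stand-in for a
# "v-get-web-domain-value"-style helper, invoked as
#   helper USER DOMAIN KEY
# Only the pattern from the advisory is reproduced: the KEY argument ($3)
# reaching eval without sanitization.

# Constructed sample record, standing in for a trusted, root-owned config line.
RECORD='DOMAIN="example.com" IP="203.0.113.10" TPL="default" SSL="no"'

# Vulnerable pattern: $3 is interpolated into a string that is then eval'd,
# so a key such as 'TPL; echo INJECTED' executes the text after the ';'.
vulnerable_get_value() {
    key=$3
    eval "$RECORD"            # load the record's fields as shell variables
    eval "echo \$$key"        # caller-controlled text becomes shell code
}

# Hardened pattern: accept only known keys, then extract the value with a
# textual match instead of handing any caller-supplied string to eval.
safe_get_value() {
    key=$3
    case "$key" in
        DOMAIN|IP|TPL|SSL) ;;                       # whitelist of valid keys
        *) echo "Error: invalid key" >&2; return 2 ;;
    esac
    # The leading space lets the pattern anchor on a word boundary.
    printf ' %s\n' "$RECORD" |
        sed -n "s/.*[[:space:]]${key}=\"\([^\"]*\)\".*/\1/p"
}

# Usage: a benign key and an injecting key against both helpers.
vulnerable_get_value admin example.com IP
vulnerable_get_value admin example.com 'TPL; echo INJECTED'
safe_get_value admin example.com IP
safe_get_value admin example.com 'TPL; echo INJECTED' || echo "rejected (exit $?)"
```

The whitelist is what makes the hardened version safe: once the key can only be one of a fixed set of identifiers, it can no longer carry sed metacharacters or shell syntax, and the lookup itself never evaluates caller input as code. Vesta's actual fix, per the commit linked above, was to delete the unused script rather than repair it.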
