Date: Wed, 21 Dec 2016 17:10:54 -0500 From: Luka Pusic <luka@...ic.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE request - Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Vendor Homepage: http://vestacp.com/ Software Link: https://github.com/serghey-rodin/vesta Affected Versions: 0.9.7 and up to including 0.9.8-16 Description: Vesta CP default install script adds /usr/local/vesta/bin/ directory into /etc/sudoers.d with the NOPASSWD option for the default "admin" user. All programs in /usr/local/vesta/bin/ directory can therefore be run as root. A command injection vulnerability in "v-get-web-domain-value" script can be exploited to run arbitrary commands and escalate from admin user to root. Vulnerability: Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before being passed to bash eval. GitHub issue: https://github.com/serghey-rodin/vesta/issues/906 GitHub fix commit: https://github.com/serghey-rodin/vesta/commit/56182cecf414a0dd833ea3db07d589be88ca5e64 Fix: Remove "v-get-web-domain-value" script file, because it is not used anymore.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ