|
Message-ID: <6r72dyrNdwjxo1dgsBt91YejfCOBjVGrLFzleahj0qi34idDnBgHp0vaThERN_YzWF2kfW08Z2xhuNNaY5B2diStx_mPwFrHsNqOMF1SdNw=@pusic.com> Date: Wed, 21 Dec 2016 17:10:54 -0500 From: Luka Pusic <luka@...ic.com> To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com> Subject: CVE request - Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Vendor Homepage: http://vestacp.com/ Software Link: https://github.com/serghey-rodin/vesta Affected Versions: 0.9.7 and up to including 0.9.8-16 Description: Vesta CP default install script adds /usr/local/vesta/bin/ directory into /etc/sudoers.d with the NOPASSWD option for the default "admin" user. All programs in /usr/local/vesta/bin/ directory can therefore be run as root. A command injection vulnerability in "v-get-web-domain-value" script can be exploited to run arbitrary commands and escalate from admin user to root. Vulnerability: Parameter $3 (key) in v-get-web-domain-value is not properly sanitized before being passed to bash eval. GitHub issue: https://github.com/serghey-rodin/vesta/issues/906 GitHub fix commit: https://github.com/serghey-rodin/vesta/commit/56182cecf414a0dd833ea3db07d589be88ca5e64 Fix: Remove "v-get-web-domain-value" script file, because it is not used anymore.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.