Hi,
there is a reflected XSS on https://github.com/serghey-rodin/vesta/blob/master/web/view/file/index.php line 40, $path.
The issue can be used to upload a PHP file, hence gaining RCE. Although during a "normal" file upload https://github.com/serghey-rodin/vesta/blob/master/web/upload/UploadHandler.php calls "v-copy-fs-file" (line 1130) and https://github.com/serghey-rodin/vesta/blob/master/bin/v-copy-fs-file checks that the destination path is in /tmp or /home/$user/, an attacker could upload an existing file, this way triggering file_put_contents() (line 1120/1121) and gaining the ability to write wherever PHP can.
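The report above describes two defects: a request parameter echoed into HTML unescaped, and a destination-path check that runs only on the copy branch of the upload handler, so the overwrite branch (`file_put_contents()`) is never confined. The following is an added example, not Vesta's own code, showing how a handler would apply the same confinement to every write path and escape the reflected value. The function names, the `$user` value and the sample paths are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the Vesta project): confine every file write to
// the user's allowed base directories, and apply that check before BOTH
// the copy branch and the overwrite branch. Names below are assumptions.

// Resolve $target to a canonical absolute path (symlinks and ".." removed)
// and require it to lie under one of $allowedBases.
function is_within_allowed_base(string $target, array $allowedBases): bool
{
    // The receiving directory must already exist to be canonicalised.
    $dir = realpath(dirname($target));
    if ($dir === false) {
        return false;
    }
    // If the target already exists (the overwrite case), resolve it too so a
    // symlink inside the user's area cannot redirect the write elsewhere.
    if (file_exists($target)) {
        $resolved = realpath($target);
    } else {
        $resolved = $dir . DIRECTORY_SEPARATOR . basename($target);
    }
    if ($resolved === false) {
        return false;
    }
    foreach ($allowedBases as $base) {
        $base = rtrim($base, '/') . '/';           // require a directory boundary
        if (strncmp($resolved, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

// Single write entry point: the confinement check runs whether or not the
// file already exists, so overwriting cannot bypass it.
function safe_write(string $target, string $content, string $user): bool
{
    // $user must itself be a validated account name, never raw request input.
    if (!preg_match('/^[a-z_][a-z0-9_-]*$/', $user)) {
        return false;
    }
    $allowed = ['/tmp', '/home/' . $user];
    if (!is_within_allowed_base($target, $allowed)) {
        return false;                               // outside the user's area: refuse
    }
    return file_put_contents($target, $content) !== false;
}

// Escape a reflected request value before it is placed into HTML output.
function render_path(string $path): string
{
    return htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demonstration values (assume /tmp exists on the host).
$user = 'demo';
$allowed = ['/tmp', '/home/' . $user];
var_dump(is_within_allowed_base('/tmp/upload.txt', $allowed));          // inside /tmp
var_dump(is_within_allowed_base('/etc/passwd', $allowed));              // outside
var_dump(is_within_allowed_base('/tmp/../etc/passwd', $allowed));       // traversal resolved, rejected
echo render_path('<img src=x onerror=alert(1)>'), "\n";                 // rendered inert
```

The point of the design is that the path check is attached to the write operation itself rather than to one caller of it: any code path that ends in `file_put_contents()`, including the "file already exists" branch, passes through `safe_write()`. Canonicalising with `realpath()` before the prefix comparison is what defeats `..` segments and symlinks; the trailing slash on `$base` prevents `/home/demo` from matching `/home/demo2`.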
CVE-2018-10686 has been assigned for this + https://medium.com/@ndrbasi/cve-2018-10686-vestacp-rce-d96d95c2bde2 article about it with a few more details.
Vesta CP 0.9.8-20 rXSS to RCE / solves #1558
dd2a57e
Thanks for the help @r0xen
Additional rXSS fix / closes #1558
c80c4c4
serghey-rodin