Vesta CP 0.9.8-20 rXSS to RCE #1558

Closed
r0xen opened this issue May 4, 2018 · 2 comments

r0xen commented May 4, 2018

Hi,

There is a reflected XSS in https://github.com/serghey-rodin/vesta/blob/master/web/view/file/index.php line 40, $path.

The issue can be used to upload a PHP file, hence gaining RCE. Although during a "normal" file upload https://github.com/serghey-rodin/vesta/blob/master/web/upload/UploadHandler.php calls "v-copy-fs-file" (line 1130) and https://github.com/serghey-rodin/vesta/blob/master/bin/v-copy-fs-file checks that the destination path is in /tmp or /home/$user/, an attacker could upload an existing file, this way triggering file_put_contents() (line 1120/1121) and gaining the ability to write wherever PHP can.
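
Added example, not part of the issue thread and not Vesta CP code: a sketch of the two defensive measures the report implies, output-encoding the request-supplied path and applying the /tmp or /home/$user destination check on a single write path shared by new and existing files. The function names `h`, `confine_destination` and `store_upload` and the sample inputs are hypothetical.

```php
<?php
// Added illustration, not Vesta CP code. All function names are hypothetical.

// Encode a request-supplied value (such as $path) before echoing it into HTML.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Return the resolved destination only if it lies under /tmp or /home/$user
// (the policy the issue attributes to v-copy-fs-file); otherwise null.
function confine_destination(string $dest, string $user): ?string
{
    if (!preg_match('/^[a-z0-9_][a-z0-9_.-]*$/i', $user)) {
        return null;                       // user name must not carry path syntax
    }
    $name = basename($dest);
    $dir  = realpath(dirname($dest));      // collapses ".." and symlinked directories
    if ($dir === false || $name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $target = $dir . '/' . $name;
    if (is_link($target)) {
        return null;                       // do not write through a symlinked file
    }
    foreach (['/tmp', '/home/' . $user] as $root) {
        $root = realpath($root);
        if ($root !== false && strpos($dir . '/', $root . '/') === 0) {
            return $target;
        }
    }
    return null;
}

// One write path for new and existing files, so the overwrite case cannot skip the check.
function store_upload(string $tmpFile, string $dest, string $user): bool
{
    $target = confine_destination($dest, $user);
    if ($target === null) {
        return false;
    }
    $data = file_get_contents($tmpFile);
    return $data !== false && file_put_contents($target, $data, LOCK_EX) !== false;
}

// Constructed sample inputs.
echo h('/home/alice/"><b>x</b>'), PHP_EOL;
var_dump(confine_destination('/tmp/../etc/cron.d/job', 'alice'));
var_dump(confine_destination('/tmp/upload.txt', 'alice'));
```

The check and the write are separate steps, so the sketch assumes no other process can replace a directory between them.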

@serghey-rodin serghey-rodin self-assigned this May 4, 2018

r0xen commented May 6, 2018

CVE-2018-10686 has been assigned for this + https://medium.com/@ndrbasi/cve-2018-10686-vestacp-rce-d96d95c2bde2, an article about it with a few more details.

serghey-rodin (Owner) commented

Thanks for help @r0xen
