Headline
CVE-2023-39966: Release v1.5.0 · 1Panel-dev/1Panel
1Panel is an open source Linux server operation and maintenance management panel. In version 1.4.3, an arbitrary file write vulnerability could lead to direct control of the server. In the api/v1/file.go file, there is a function called SaveContentthat,Itrecieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations. Version 1.5.0 contains a patch for this issue.
一、安装和升级****1.1 一键安装
CentOS/RHEL
curl -sSL https://resource.fit2cloud.com/1panel/package/quick_start.sh -o quick_start.sh && sh quick_start.sh
Ubuntu
curl -sSL https://resource.fit2cloud.com/1panel/package/quick_start.sh -o quick_start.sh && sudo bash quick_start.sh
Debian
curl -sSL https://resource.fit2cloud.com/1panel/package/quick_start.sh -o quick_start.sh && bash quick_start.sh
1.2 在线升级
登录 1Panel Web 控制台,在页面右下角点击 【检查更新】 进行在线升级。
更多信息请查阅在线文档:https://1panel.cn/docs/
二、更新日志****2.1 新特性
- 【网站】支持 PHP 运行环境类型网站切换版本。 by @zhengkunwang223 in #1748
- 【网站】支持网站设置重定向。 by @zhengkunwang223 in #1731
- 【数据库】支持添加 MySQL 远程数据库。 by @ssongliu in #1744
- 【主机】增加进程守护管理。 by @zhengkunwang223 in #1786
2.2 功能优化
- 【网站】网站设置 IPv6 功能优化。 by @zhengkunwang223 in #1732
- 【网站】网站防盗链页面样式优化。 by @zhengkunwang223 in #1807
- 【网站】网站设置页面添加反向代理时支持用户选择传输协议。 by @zhengkunwang223 in #1832
- 【网站】编辑 PHP 运行环境后增加关联应用重建的提示信息。 by @zhengkunwang223 in #1896
- 【应用商店】应用升级时增加备份选项。 by @zhengkunwang223 in #1750
- 【应用商店】已安装应用列表增加 HTTPS 类型端口的跳转功能。 by @zhengkunwang223 in #1870
- 【应用商店】全部应用和已安装应用列表页面样式优化。 by @zhengkunwang223 in #1895
- 【应用商店】应用依赖 Redis 时,创建页面自动填充 Redis 密码。 by @zhengkunwang223 in #1826
- 【数据库】数据库密码校验规则优化。 by @ssongliu in #1815
- 【数据库】数据库连接信息样式优化。 by @ssongliu in #1857
- 【容器】容器创建页面部分字段翻译优化。 by @SkyAerope in #1797
- 【主机】文件列表记录文件浏览器最后一次访问的路径。 by @zhengkunwang223 in #1753
- 【主机】文件列表页面适配移动端。 by @wangdan-fit2cloud in #1730
- 【主机】监控页面调整数据默认采集间隔和保存时间。 by @ssongliu in #1795
- 【面板设置】创建系统快照前停止所有定时任务。 by @ssongliu in #1888
- 【面板设置】服务器地址支持设置域名。 by @ssongliu in #1778
- 【面板设置】备份账号页面部分按钮样式优化。 by @ssongliu in #1893
- 【面板设置】创建快照逻辑优化。 by @ssongliu in #1805
- 【系统】登录页增加切换语言选项。 by @zhengkunwang223 in #1752
- 【系统】部分页面样式适配移动端。 by @wangdan-fit2cloud in #1891
- 【系统】移除不必要的 SSH Session 连接。 by @LeeEirc in #1780
- 【系统】部分页面分页排序样式优化。 by @ssongliu in #1821
- 【系统】创建抽屉页面不再动态显示名称。 by @ssongliu in #1777
2.3 问题修复
- 【网站】修复了部分场景下创建 PHP 运行环境异常的问题。 by @zhengkunwang223 in #1882
- 【应用商店】修复了应用升级后无法编辑最新配置的问题。 by @zhengkunwang223 in #1824
- 【应用商店】修复了更新应用列表后可能出现多个同名应用的问题。 by @zhengkunwang223 in #1827
- 【应用商店】修复了 Cloudreve 升级后数据丢失的问题。 by @zhengkunwang223 in #1822
- 【应用商店】修复了编辑应用时关闭高级设置之后没有提示端口放开的问题。 by @zhengkunwang223 in #1887
- 【应用商店】修复了安装应用时数据库密码包含 & $ 等特殊字符时提示错误的问题。 by @zhengkunwang223 in #1809
- 【数据库】修复了数据库日志监听未刷新的问题。 by @ssongliu in #1823
- 【容器】修复了编辑容器时不显示手动挂载的挂载卷的问题。 by @ssongliu in #1783
- 【容器】修复了编辑容器时由于端口冲突导致容器被删除的问题。 by @ssongliu in #1770
- 【主机】修复了文件压缩时无法选择文件夹的问题。 by @zhengkunwang223 in #1802
- 【主机】修复了当 SSH 登录日志涉及多个年份时导致数据异常的问题。 by @ssongliu in #1785
- 【面板设置】修复了同步快照路径错误的问题。 by @ssongliu in #1863
- 【系统】修复了系统安装在根目录时导致升级失败的问题。 by @ssongliu in #1776
2.4 应用商店
- 新增 JumpServer。 by @wojiushixiaobai in 1Panel-dev/appstore#238
- 新增 SFTPGo。 by @wanghe-fit2cloud in 1Panel-dev/appstore#269
- 新增 PGAdmin4。 by @wojiushixiaobai in 1Panel-dev/appstore#246
- 新增 frp。 by @okxlin in 1Panel-dev/appstore#299
- 新增 Discuz。 by @okxlin in 1Panel-dev/appstore#227
- 新增 Nextcloud。 by @okxlin in 1Panel-dev/appstore#299
- 新增 Domain Admin。 by @mouday in 1Panel-dev/appstore#278
- 新增 emlog。 by @emlog in 1Panel-dev/appstore#276
- 新增 ZFile。 by @okxlin in 1Panel-dev/appstore#299
- 新增 MeiliSearch。 by @CyJaySong in 1Panel-dev/appstore#219
- 新增 ChatGPT Web。 by @okxlin in 1Panel-dev/appstore#274
- 新增 Home Assistant。 by @okxlin in 1Panel-dev/appstore#299
- AdGuardHome 版本升级至 v0.107.36。 by @renovate in 1Panel-dev/appstore#293
- OpenResty 版本升级至 1.21.4.2-0。 by @wuhang2003 in 1Panel-dev/appstore#300
- Tailchat 版本升级至 v1.8.8。 by @renovate in 1Panel-dev/appstore#305
- 青龙 版本升级至 v2.16.0。 by @renovate in 1Panel-dev/appstore#306
- ddns-go 版本升级至 v5.6.0。 by @renovate in 1Panel-dev/appstore#307
- Memos 版本升级至 v0.14.3。 by @renovate in 1Panel-dev/appstore#304
- Jenkins 版本升级至 v2.418。 by @renovate in 1Panel-dev/appstore#312
- Cloudreve 版本升级至 v3.8.2。 by @renovate in 1Panel-dev/appstore#308
- Alist 版本升级至 v3.25.1。 by @renovate in 1Panel-dev/appstore#309
2.5 安全更新
- 修复了部分文件接口存在任意文件读取漏洞的问题。 (CVE-2023-39964)
- 修复了部分文件接口存在任意文件下载漏洞的问题。 (CVE-2023-39965)
- 修复了部分文件接口存在任意文件写入漏洞的问题。 (CVE-2023-39966)
Related news
# Summary An arbitrary file write vulnerability could lead to direct control of the server # Details ## Arbitrary file creation In the api/v1/file.go file, there is a function called SaveContentthat,It recieves JSON data sent by users in the form of a POST request. And the lack of parameter filtering allows for arbitrary file write operations.It looks like this: - Vulnerable Code  # PoC - We can write the SSH public key into the /etc/.root/authorized_keys configuration file on the server.  - The server was successfully written to the public key  - Successfully connected to the target server using an SSH priv...
### Summary Any file downloading vulnerability exists in 1Panel backend. ### Details Authenticated attackers can download arbitrary files through the API interface. This code has unauthorized access.  ### PoC payload: POST /api/v1/files/download/bypath HTTP/1.1 Host: ip Content-Type: application/json {"path":"/etc/passwd"}  ### Impact Attackers can freely download the file content on the target system. This will be caused a large amount of information leakage.
### Summary Arbitrary file reads allow an attacker to read arbitrary important configuration files on the server. ### Details In the api/v1/file.go file, there is a function called LoadFromFile, which directly reads the file by obtaining the requested path parameter[path]. The request parameters are not filtered, resulting in a background arbitrary file reading vulnerability  ### PoC Request /api/v1/files/loadfile, carry /etc/passwd data to read, as shown below:  ### Impact 1Panel v1.4.3