CVE-2021-30070: Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-cont… · hestiacp/hestiacp@27556a9
An issue was discovered in HestiaCP before v1.3.5. Attackers are able to arbitrarily install packages due to values taken from the pgk [] parameter in the update request being transmitted to the operating system’s package manager.
Merge remote-tracking branch 'jaapmarcus/fix/prevent-install-non-controlled-package' into main
Kristan Kenney committed
Mar 30, 2021
2 parents 32ef8a2 + 9a1fccd commit 27556a9a43aeaf308b33be224c2e70f2011574e6
Showing 2 changed files with 7 additions and 0 deletions.
- v-update-sys-hestia
- main.sh
@@ -32,6 +32,7 @@ source $HESTIA/conf/hestia.conf
Checking arg number
check_args ‘1’ “$#” ‘PACKAGE’
is_hestia_package “hestia,hestia-nginx,hestia-php” “$package”
Perform verification if read-only mode is enabled
check_hestia_demo_mode
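Review bot: the allow-list handed to is_hestia_package is an inline string literal in this caller, so any other script that reaches the package manager would have to repeat the same list by hand and the two copies can drift; define it once (for example alongside the settings sourced from $HESTIA/conf/hestia.conf on the hunk header line) and pass that variable here. The placement itself is right: the check runs after check_args has confirmed an argument was supplied and before check_hestia_demo_mode, so an unlisted value is rejected before any install step is reached.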
@@ -1154,6 +1154,12 @@ multiphp_default_version() {
echo “$sys_phpversion”
}
is_hestia_package(){
if [ -z "$(echo $1 | grep -w $2)" ]; then
check_result $E_INVALID “$2 package is not controlled by hestiacp”
fi
}
Run arbitrary cli commands with dropped privileges
Note: setpriv --init-groups is not available on debian9 (util-linux 2.29.2)
Input:
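Review bot: the test `if [ -z "$(echo $1 | grep -w $2)" ]` in is_hestia_package is not an exact comparison: the caller-supplied name is passed to grep unquoted and as a pattern, so pattern metacharacters in it are interpreted rather than matched literally, word splitting on spaces changes the arguments grep receives, and `-w` only requires a word-boundary match inside the comma-separated list. Since the whole purpose of this helper is to reject anything outside the list, compare by string equality instead, e.g. `for p in ${1//,/ }; do [ "$p" = "$2" ] && return 0; done` followed by the existing `check_result $E_INVALID "$2 package is not controlled by hestiacp"` line, or at minimum quote both arguments and use `grep -qwF -- "$2"`. The function also lacks the comment header the neighbouring helpers carry (the trailing context lines show the `Run arbitrary cli commands ... Input:` style); add one documenting the two arguments and that check_result terminates on failure.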