
[Vulnerability notice] Web SQL injection vulnerability in LuManager

Last Updated: Nov 16, 2017

Description

LuManager is a popular web server management tool for Linux/Unix systems such as FreeBSD, Debian, CentOS, and Ubuntu.

LuManager has a SQL injection vulnerability that affects all LuManager versions earlier than 2.1.1. Attackers can directly access the website backend with the highest privileges to upload a webshell, control the system database, and operate the virtual hosts.

Fix

  • Use LuManager online upgrade

    If you are using LuManager 2.0.45 or later, you can log on to LuManager to perform an online upgrade.

    1. Log on to LuManager.
    2. Click Check for updates on the homepage.
    3. If the update fails to start, enter the password and try again.
  • Manually upgrade LuManager

    1. Download the LuManager_last.tar.gz installation package:
         wget http://down.zijidelu.org/LuManager_last.tar.gz
    2. Back up the previous LuManager:
         mv /usr/local/LuManager /usr/local/LuManager.bak
    3. Extract LuManager_last.tar.gz:
         tar -zxvf LuManager_last.tar.gz
    4. Install the new LuManager:
         mv LuManager /usr/local/
    5. Run the lu-repair command to complete the upgrade.
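
The manual upgrade steps above as one script, given here as an added example that is not part of the original notice or of LuManager's own tooling. It assumes a POSIX shell with tar, wget and awk, run as root; the function names, the --apply switch and the timestamped backup suffix are choices made for this example.

```shell
#!/bin/sh
# Added example: the manual upgrade with an archive check and a kept backup.
URL="http://down.zijidelu.org/LuManager_last.tar.gz"   # URL from the notice
DEST="/usr/local/LuManager"                            # path from the notice

# Succeeds only if every member path is inside LuManager/ and none has a
# ".." component. Checks names only; symlink targets are not inspected.
archive_is_safe() {
    list=$(tar -tzf "$1") || return 1
    [ -n "$list" ] || return 1
    printf '%s\n' "$list" | awk '
        $0 != "LuManager" && $0 !~ /^LuManager\// { bad = 1 }
        /(^|\/)\.\.(\/|$)/                        { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

upgrade_lumanager() {
    work=$(mktemp -d) || return 1
    pkg="$work/LuManager_last.tar.gz"
    # Timestamped name (an assumption of this example) so that an older
    # /usr/local/LuManager.bak is never overwritten or nested into.
    backup="$DEST.bak.$(date +%Y%m%d%H%M%S)"

    wget -O "$pkg" "$URL" || return 1
    archive_is_safe "$pkg" || { echo "unexpected archive layout: $pkg" >&2; return 1; }
    tar -zxf "$pkg" -C "$work" || return 1

    mv "$DEST" "$backup" || return 1
    # If the new tree cannot be moved into place, put the old one back.
    mv "$work/LuManager" /usr/local/ || { mv "$backup" "$DEST"; return 1; }
    lu-repair || { echo "lu-repair failed; previous install: $backup" >&2; return 1; }
    echo "Upgrade complete; previous install kept at $backup"
}

# Nothing is changed unless the script is called with --apply.
if [ "${1:-}" = "--apply" ]; then
    upgrade_lumanager
fi
```

The download URL is plain HTTP and the notice publishes no checksum, so the layout check catches a malformed package, not a tampered one.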