From 7603cdea7a5c9441c434e654a0c99ef49b51400c Mon Sep 17 00:00:00 2001 From: Sergio Date: Sun, 21 Apr 2019 00:11:36 +0200 Subject: [PATCH 1/3] Add the validation of the CSRF token. It is missing in some cases when it is sent by GET or POST. --- web/add/cron/autoupdate/index.php | 6 ++++++ web/add/cron/reports/index.php | 6 ++++++ web/add/firewall/banlist/index.php | 6 ++++++ web/delete/cron/autoupdate/index.php | 6 ++++++ web/delete/cron/reports/index.php | 6 ++++++ web/restart/service/index.php | 6 ++++++ web/restart/system/index.php | 6 ++++++ web/templates/admin/list_services.html | 2 +- web/update/vesta/index.php | 6 ++++++ 9 files changed, 49 insertions(+), 1 deletion(-) diff --git a/web/add/cron/autoupdate/index.php b/web/add/cron/autoupdate/index.php index 53d50c05..90854d9b 100644 --- a/web/add/cron/autoupdate/index.php +++ b/web/add/cron/autoupdate/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var); $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled'); diff --git a/web/add/cron/reports/index.php b/web/add/cron/reports/index.php index 4b0424e3..197c5760 100644 --- a/web/add/cron/reports/index.php +++ b/web/add/cron/reports/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled'); unset($output); diff --git a/web/add/firewall/banlist/index.php b/web/add/firewall/banlist/index.php index 774421e6..a9f616a2 100644 --- a/web/add/firewall/banlist/index.php +++ b/web/add/firewall/banlist/index.php @@ -15,6 +15,12 @@ if ($_SESSION['user'] != 'admin') { // Check POST request if (!empty($_POST['ok'])) { + // Check token + if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { + header('location: /login/'); + exit(); + } + // Check empty fields if (empty($_POST['v_chain'])) $errors[] = __('banlist'); if (empty($_POST['v_ip'])) $errors[] = __('ip address'); diff --git a/web/delete/cron/autoupdate/index.php b/web/delete/cron/autoupdate/index.php index ad670ef0..a58064c0 100644 --- a/web/delete/cron/autoupdate/index.php +++ b/web/delete/cron/autoupdate/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { exec (VESTA_CMD."v-delete-cron-vesta-autoupdate", $output, $return_var); $_SESSION['error_msg'] = __('Autoupdate has been successfully disabled'); diff --git a/web/delete/cron/reports/index.php b/web/delete/cron/reports/index.php index af7df20f..10d422a8 100644 --- a/web/delete/cron/reports/index.php +++ b/web/delete/cron/reports/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + exec (VESTA_CMD."v-delete-cron-reports ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled'); unset($output); diff --git a/web/restart/service/index.php b/web/restart/service/index.php index 5f42e5e5..eb07e856 100644 --- a/web/restart/service/index.php +++ b/web/restart/service/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { if (!empty($_GET['srv'])) { if ($_GET['srv'] == 'iptables') { diff --git a/web/restart/system/index.php b/web/restart/system/index.php index 4facc5a5..4e09745e 100644 --- a/web/restart/system/index.php +++ b/web/restart/system/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { if (!empty($_GET['hostname'])) { exec (VESTA_CMD."v-restart-system yes", $output, $return_var); diff --git a/web/templates/admin/list_services.html b/web/templates/admin/list_services.html index 346370e6..6012d2a3 100644 --- a/web/templates/admin/list_services.html +++ b/web/templates/admin/list_services.html @@ -54,7 +54,7 @@
 ↵
-
 R
+
 R
diff --git a/web/update/vesta/index.php b/web/update/vesta/index.php index a025c7bf..fa7ca2c4 100644 --- a/web/update/vesta/index.php +++ b/web/update/vesta/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { if (!empty($_GET['pkg'])) { $v_pkg = escapeshellarg($_GET['pkg']); From 0831a198b86a4760e83c0eaec78d84bab7098e6c Mon Sep 17 00:00:00 2001 From: Sergio Date: Sun, 21 Apr 2019 01:51:29 +0200 Subject: [PATCH 2/3] Fixed several Command Injection. --- web/edit/db/index.php | 2 ++ web/edit/mail/index.php | 7 +++++-- web/edit/web/index.php | 6 ++++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/web/edit/db/index.php b/web/edit/db/index.php index 21d394f0..763717bc 100644 --- a/web/edit/db/index.php +++ b/web/edit/db/index.php @@ -42,6 +42,8 @@ if ( $v_suspended == 'yes' ) { $v_status = 'active'; } +$v_database = escapeshellarg($_GET['database']); + // Check POST request if (!empty($_POST['save'])) { $v_username = $user; diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php index 6c673118..6424e3ab 100644 --- a/web/edit/mail/index.php +++ b/web/edit/mail/index.php @@ -70,6 +70,9 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { $v_date = $data[$v_account]['DATE']; $v_time = $data[$v_account]['TIME']; + $v_domain = escapeshellarg($_GET['domain']); + $v_account = escapeshellarg($_GET['account']); + // Parse autoreply if ( $v_autoreply == 'yes' ) { exec (VESTA_CMD."v-list-mail-account-autoreply ".$user." '".$v_domain."' '".$v_account."' json", $output, $return_var); @@ -228,7 +231,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco $result = array_diff($valiases, $aliases); foreach ($result as $alias) { if ((empty($_SESSION['error_msg'])) && (!empty($alias))) { - exec (VESTA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var); + exec (VESTA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".escapeshellarg($alias)."'", $output, $return_var); check_return_code($return_var,$output); unset($output); } @@ -254,7 +257,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco $result = array_diff($vfwd, $fwd); foreach ($result as $forward) { if ((empty($_SESSION['error_msg'])) && (!empty($forward))) { - exec (VESTA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var); + exec (VESTA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".escapeshellarg($forward)."'", $output, $return_var); check_return_code($return_var,$output); unset($output); } diff --git a/web/edit/web/index.php b/web/edit/web/index.php index edf29e9d..a1d2d70b 100644 --- a/web/edit/web/index.php +++ b/web/edit/web/index.php @@ -36,7 +36,7 @@ $v_cgi = $data[$v_domain]['CGI']; $v_elog = $data[$v_domain]['ELOG']; $v_ssl = $data[$v_domain]['SSL']; if (!empty($v_ssl)) { - exec (VESTA_CMD."v-list-web-domain-ssl ".$user." '".$v_domain."' json", $output, $return_var); + exec (VESTA_CMD."v-list-web-domain-ssl ".$user." '".escapeshellarg($v_domain)."' json", $output, $return_var); $ssl_str = json_decode(implode('', $output), true); unset($output); $v_ssl_crt = $ssl_str[$v_domain]['CRT']; @@ -129,6 +129,7 @@ if (!empty($_POST['save'])) { exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain." json", $output, $return_var); unset($output); if ($return_var == 0 ) { + $v_ip = escapeshellarg($_POST['v_ip']); exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." ".$v_domain." ".$v_ip." 'no'", $output, $return_var); check_return_code($return_var,$output); unset($output); @@ -142,6 +143,7 @@ if (!empty($_POST['save'])) { exec (VESTA_CMD."v-list-dns-domain ".$v_username." '".$v_alias."' json", $output, $return_var); unset($output); if ($return_var == 0 ) { + $v_ip = escapeshellarg($_POST['v_ip']); exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." '".$v_alias."' ".$v_ip, $output, $return_var); check_return_code($return_var,$output); unset($output); @@ -367,7 +369,7 @@ if (!empty($_POST['save'])) { // Add Lets Encrypt support if ((!empty($_POST['v_ssl'])) && ( $v_letsencrypt == 'no' ) && (!empty($_POST['v_letsencrypt'])) && empty($_SESSION['error_msg'])) { $l_aliases = str_replace("\n", ',', $v_aliases); - exec (VESTA_CMD."v-add-letsencrypt-domain ".$user." ".$v_domain." '".$l_aliases."' 'no'", $output, $return_var); + exec (VESTA_CMD."v-add-letsencrypt-domain ".$user." ".$v_domain." '".escapeshellarg($l_aliases)."' 'no'", $output, $return_var); check_return_code($return_var,$output); unset($output); $v_letsencrypt = 'yes'; From 7226a8991f7908825c869f78231107370cb05b21 Mon Sep 17 00:00:00 2001 From: Sergio Date: Sun, 21 Apr 2019 02:18:24 +0200 Subject: [PATCH 3/3] Fix some XSS. --- web/list/directory/index.php | 4 ++-- web/templates/admin/list_dns_rec.html | 4 ++-- web/templates/admin/list_mail_acc.html | 6 +++--- web/templates/user/list_mail_acc.html | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/web/list/directory/index.php b/web/list/directory/index.php index 737e19db..12919b14 100644 --- a/web/list/directory/index.php +++ b/web/list/directory/index.php @@ -24,8 +24,8 @@ if (empty($panel)) { $panel = json_decode(implode('', $output), true); } -$path_a = !empty($_REQUEST['dir_a']) ? $_REQUEST['dir_a'] : ''; -$path_b = !empty($_REQUEST['dir_b']) ? $_REQUEST['dir_b'] : ''; +$path_a = !empty($_REQUEST['dir_a']) ? htmlentities($_REQUEST['dir_a']) : ''; +$path_b = !empty($_REQUEST['dir_b']) ? htmlentities($_REQUEST['dir_b']) : ''; $GLOBAL_JS = ''; $GLOBAL_JS .= ''; $GLOBAL_JS .= ''; diff --git a/web/templates/admin/list_dns_rec.html b/web/templates/admin/list_dns_rec.html index a74b8574..24f28103 100644 --- a/web/templates/admin/list_dns_rec.html +++ b/web/templates/admin/list_dns_rec.html @@ -74,11 +74,11 @@ v_unit_id="" v_section="dns_rec">
-
 ↵
+
 ↵
- + diff --git a/web/templates/admin/list_mail_acc.html b/web/templates/admin/list_mail_acc.html index 5433d732..13495ff6 100644 --- a/web/templates/admin/list_mail_acc.html +++ b/web/templates/admin/list_mail_acc.html @@ -90,11 +90,11 @@ sort-star="
-
 ↵
+
 ↵
- + @@ -104,7 +104,7 @@ sort-star=" - + diff --git a/web/templates/user/list_mail_acc.html b/web/templates/user/list_mail_acc.html index c7334fa1..8c5ef567 100644 --- a/web/templates/user/list_mail_acc.html +++ b/web/templates/user/list_mail_acc.html @@ -88,11 +88,11 @@ sort-star="
-
 ↵
+
 ↵
- +