diff --git a/web/edit/db/index.php b/web/edit/db/index.php index 21d394f0..763717bc 100644 --- a/web/edit/db/index.php +++ b/web/edit/db/index.php @@ -42,6 +42,8 @@ if ( $v_suspended == 'yes' ) { $v_status = 'active'; } +$v_database = escapeshellarg($_GET['database']); + // Check POST request if (!empty($_POST['save'])) { $v_username = $user; diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php index 6c673118..6424e3ab 100644 --- a/web/edit/mail/index.php +++ b/web/edit/mail/index.php @@ -70,6 +70,9 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) { $v_date = $data[$v_account]['DATE']; $v_time = $data[$v_account]['TIME']; + $v_domain = escapeshellarg($_GET['domain']); + $v_account = escapeshellarg($_GET['account']); + // Parse autoreply if ( $v_autoreply == 'yes' ) { exec (VESTA_CMD."v-list-mail-account-autoreply ".$user." '".$v_domain."' '".$v_account."' json", $output, $return_var); @@ -228,7 +231,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco $result = array_diff($valiases, $aliases); foreach ($result as $alias) { if ((empty($_SESSION['error_msg'])) && (!empty($alias))) { - exec (VESTA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var); + exec (VESTA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".escapeshellarg($alias)."'", $output, $return_var); check_return_code($return_var,$output); unset($output); } @@ -254,7 +257,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco $result = array_diff($vfwd, $fwd); foreach ($result as $forward) { if ((empty($_SESSION['error_msg'])) && (!empty($forward))) { - exec (VESTA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var); + exec (VESTA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".escapeshellarg($forward)."'", $output, $return_var); check_return_code($return_var,$output); unset($output); } diff --git a/web/edit/web/index.php b/web/edit/web/index.php index edf29e9d..a1d2d70b 100644 --- a/web/edit/web/index.php +++ b/web/edit/web/index.php @@ -36,7 +36,7 @@ $v_cgi = $data[$v_domain]['CGI']; $v_elog = $data[$v_domain]['ELOG']; $v_ssl = $data[$v_domain]['SSL']; if (!empty($v_ssl)) { - exec (VESTA_CMD."v-list-web-domain-ssl ".$user." '".$v_domain."' json", $output, $return_var); + exec (VESTA_CMD."v-list-web-domain-ssl ".$user." '".escapeshellarg($v_domain)."' json", $output, $return_var); $ssl_str = json_decode(implode('', $output), true); unset($output); $v_ssl_crt = $ssl_str[$v_domain]['CRT']; @@ -129,6 +129,7 @@ if (!empty($_POST['save'])) { exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain." json", $output, $return_var); unset($output); if ($return_var == 0 ) { + $v_ip = escapeshellarg($_POST['v_ip']); exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." ".$v_domain." ".$v_ip." 'no'", $output, $return_var); check_return_code($return_var,$output); unset($output); @@ -142,6 +143,7 @@ if (!empty($_POST['save'])) { exec (VESTA_CMD."v-list-dns-domain ".$v_username." '".$v_alias."' json", $output, $return_var); unset($output); if ($return_var == 0 ) { + $v_ip = escapeshellarg($_POST['v_ip']); exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." '".$v_alias."' ".$v_ip, $output, $return_var); check_return_code($return_var,$output); unset($output); @@ -367,7 +369,7 @@ if (!empty($_POST['save'])) { // Add Lets Encrypt support if ((!empty($_POST['v_ssl'])) && ( $v_letsencrypt == 'no' ) && (!empty($_POST['v_letsencrypt'])) && empty($_SESSION['error_msg'])) { $l_aliases = str_replace("\n", ',', $v_aliases); - exec (VESTA_CMD."v-add-letsencrypt-domain ".$user." ".$v_domain." '".$l_aliases."' 'no'", $output, $return_var); + exec (VESTA_CMD."v-add-letsencrypt-domain ".$user." ".$v_domain." '".escapeshellarg($l_aliases)."' 'no'", $output, $return_var); check_return_code($return_var,$output); unset($output); $v_letsencrypt = 'yes';