diff --git a/bin/v-add-mail-domain b/bin/v-add-mail-domain index 2676e750..6681035f 100755 --- a/bin/v-add-mail-domain +++ b/bin/v-add-mail-domain @@ -45,6 +45,7 @@ is_object_valid 'user' 'USER' "$user" is_object_unsuspended 'user' 'USER' "$user" is_domain_new 'mail' "$domain" is_package_full 'MAIL_DOMAINS' +is_dir_symlink $HOMEDIR/$user/mail #----------------------------------------------------------# diff --git a/bin/v-add-web-domain b/bin/v-add-web-domain index 018adcb4..b937330c 100755 --- a/bin/v-add-web-domain +++ b/bin/v-add-web-domain @@ -47,6 +47,7 @@ is_object_valid 'user' 'USER' "$user" is_object_unsuspended 'user' 'USER' "$user" is_package_full 'WEB_DOMAINS' 'WEB_ALIASES' is_domain_new 'web' "$domain,$aliases" +is_dir_symlink $HOMEDIR/$user/web if [ ! -z "$ip" ]; then is_ip_valid "$ip" "$user" else diff --git a/bin/v-check-user-hash b/bin/v-check-user-hash index 7fd55789..a18aba0e 100755 --- a/bin/v-check-user-hash +++ b/bin/v-check-user-hash @@ -75,15 +75,15 @@ else method='des' fi +# Checking salt if [ -z "$salt" ]; then echo "Error: password missmatch" echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log exit 9 fi -# Checking hash -result=$(grep "^$user:$hash:" /etc/shadow 2>/dev/null) -if [[ -z "$result" ]]; then +# Comparing hashes +if [[ "$shadow" != "$hash" ]]; then echo "Error: password missmatch" echo "$date $time $user $ip failed to login" >> $VESTA/log/auth.log exit 9 diff --git a/bin/v-list-user-log b/bin/v-list-user-log index f8581341..ca317f7d 100755 --- a/bin/v-list-user-log +++ b/bin/v-list-user-log @@ -23,7 +23,10 @@ json_list() { objects=$(echo "$logs" |wc -l) echo "{" for str in $logs; do - eval $str + ID=$(echo "$str" |cut -f 2 -d \') + DATE=$(echo "$str" |cut -f 4 -d \') + TIME=$(echo "$str" |cut -f 6 -d \') + CMD=$(echo "$str" |cut -f 8 -d \') CMD=${CMD//\"/\\\"} echo -n ' "'$ID'": { "CMD": "'$CMD'", 
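Review bot: `is_dir_symlink $HOMEDIR/$user/mail` is a point-in-time test on a path inside a directory the user owns, so it narrows but does not close the race: the user can swap `mail` for a symlink after this line and before the privileged `mkdir`/`chown`/`chmod` calls later in the script (outside the hunk), which follow symlinks. Treat it as a pre-flight check and make the later filesystem operations refuse to follow symlinks as well (re-test `-L` immediately before each privileged write, or use `chown -h` where applicable) rather than relying on this one line. Also quote the argument as the neighbouring checks do: `is_dir_symlink "$HOMEDIR/$user/mail"`.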
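Review bot: `is_dir_symlink $HOMEDIR/$user/web` inspects only the top-level `web` directory, while `is_domain_new` on the line above consults Vesta's domain list rather than the filesystem, so a user-created symlink already sitting at the per-domain path this script later creates under `web` (outside the hunk) is not caught. If the later `mkdir`/`chown`/`chmod` target `$HOMEDIR/$user/web/$domain`, run the same test on that path right before them, and quote the argument for consistency with the surrounding checks: `is_dir_symlink "$HOMEDIR/$user/web"`.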
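Review bot: `[[ "$shadow" != "$hash" ]]` accepts the login when both sides are empty, and nothing in this hunk validates either one: `$shadow` is read and `$hash` is computed outside the hunk (presumably from `/etc/shadow` and a hash helper), so a missing shadow entry together with a failed hash computation compares `""` to `""` and falls through to success. Guard the comparison explicitly: `if [[ -z "$shadow" ]] || [[ -z "$hash" ]] || [[ "$shadow" != "$hash" ]]; then`. Logging which of the three conditions fired would also let an operator tell a broken hash helper from a wrong password in `auth.log`.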
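Review bot: `CMD=${CMD//\"/\\\"}` escapes double quotes for the JSON value but not backslashes, so a logged command ending in `\` is emitted as `"CMD": "…\"` and the backslash cancels the closing quote, breaking the object. Escape backslashes first, `CMD=${CMD//\\/\\\\}` and then `CMD=${CMD//\"/\\\"}`. Note also that `cut -f 8 -d \'` stops at the first `'` inside the command, so quoted arguments are truncated rather than escaped; that is safe, but lossy enough to deserve a one-line comment on the parsing lines.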
@@ -46,13 +49,9 @@ shell_list() { echo "DATE~TIME~CMD" echo "----~----~---" for str in $logs; do - eval $str - if [ -z "$DATE" ]; then - DATE='no' - fi - if [ -z "$TIME" ]; then - TIME='no' - fi + DATE=$(echo "$str" |cut -f 4 -d \') + TIME=$(echo "$str" |cut -f 6 -d \') + CMD=$(echo "$str" |cut -f 8 -d \') echo "$DATE~$TIME~$CMD" done } @@ -61,7 +60,9 @@ shell_list() { plain_list() { IFS=$'\n' for str in $logs; do - eval $str + DATE=$(echo "$str" |cut -f 4 -d \') + TIME=$(echo "$str" |cut -f 6 -d \') + CMD=$(echo "$str" |cut -f 8 -d \') echo -e "$ID\t$CMD\t$UNDO\t$TIME\t$DATE" done } @@ -71,7 +72,9 @@ csv_list() { IFS=$'\n' echo "ID,CMD,UNDO,TIME,DATE" for str in $logs; do - eval $str + DATE=$(echo "$str" |cut -f 4 -d \') + TIME=$(echo "$str" |cut -f 6 -d \') + CMD=$(echo "$str" |cut -f 8 -d \') echo "$ID,\"$CMD\",\"$UNDO\",$TIME,$DATE" done } diff --git a/bin/v-update-sys-rrd-mysql b/bin/v-update-sys-rrd-mysql index aa6734e9..8c6bb75e 100755 --- a/bin/v-update-sys-rrd-mysql +++ b/bin/v-update-sys-rrd-mysql @@ -14,6 +14,7 @@ period=${1-daily} # Includes source $VESTA/func/main.sh +source $VESTA/func/db.sh source $VESTA/conf/vesta.conf @@ -66,23 +67,10 @@ for host in $hosts; do fi if [ "$period" = 'daily' ]; then - # Defining host credentials - host_str=$(grep "HOST='$host'" $conf) - for key in $host_str; do - eval ${key%%=*}=${key#*=} - done - sql="mysql -h $HOST -u $USER -p$PASSWORD -e" - - # Checking empty vars - if [ -z $HOST ] || [ -z $USER ] || [ -z $PASSWORD ]; then - echo "Error: config is broken" - log_event "$E_PARSING" "$ARGUMENTS" - exit $E_PARSING - fi - - # Parsing data - status=$($sql "SHOW GLOBAL STATUS" 2>/dev/null); code="$?" - if [ '0' -ne "$code" ]; then + mysql_connect $host + query='SHOW GLOBAL STATUS' + status=$(mysql_query "$query" 2>/dev/null) + if [ $? -ne 0 ]; then active=0 slow=0 else diff --git a/func/db.sh b/func/db.sh index d9c43031..d397dfec 100644 --- a/func/db.sh +++ b/func/db.sh 
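Review bot: The rewritten loop in `plain_list` assigns only `DATE`, `TIME` and `CMD`, but the unchanged `echo -e "$ID\t$CMD\t$UNDO\t$TIME\t$DATE"` still prints `$ID` and `$UNDO`, so the first and third columns are now empty (or stale from whatever the caller's environment holds). Add `ID=$(echo "$str" |cut -f 2 -d \')` beside the other `cut` lines and, if the entries carry an `UNDO='…'` field after `CMD` as the output format suggests, `UNDO=$(echo "$str" |cut -f 10 -d \')`; otherwise drop the two columns from the `echo` so the output format is honest.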
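Review bot: `csv_list` prints `$ID` and `$UNDO` on the unchanged `echo` line, yet the rewritten loop body sets only `DATE`, `TIME` and `CMD`, so both CSV columns are now always empty. Parse them like the other fields: `ID=$(echo "$str" |cut -f 2 -d \')` and `UNDO=$(echo "$str" |cut -f 10 -d \')` (field 10 assumes an `UNDO='…'` entry follows `CMD`; verify against the log format). Independently, `\"$CMD\"` is placed inside CSV quotes without doubling embedded `"`, so a command containing a quote still yields a malformed row; `CMD=${CMD//\"/\"\"}` before the `echo` fixes that.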
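Review bot: `if [ $? -ne 0 ]` after `status=$(mysql_query "$query" 2>/dev/null)` tests the exit status of `mysql_query`, and the `mysql_query` introduced in `func/db.sh` by this same commit ends with `rm -f "$sql_tmp"`, so it returns rm's status (always 0), never mysql's; the `active=0`/`slow=0` branch becomes unreachable and an unreachable server is recorded as up with empty counters. Either make `mysql_query` propagate mysql's exit status or also test the output here: `if [ $? -ne 0 ] || [ -z "$status" ]; then`. The `for host` loop continues past the hunk, so how an empty `$status` is parsed below could not be confirmed from here.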
@@ -47,7 +47,10 @@ mysql_connect() { } mysql_query() { - mysql --defaults-file=$mycnf -e "$1" 2>/dev/null + sql_tmp=$(mktemp) + echo "$1" > $sql_tmp + mysql --defaults-file=$mycnf < "$sql_tmp" 2>/dev/null + rm -f "$sql_tmp" } mysql_dump() { @@ -89,7 +92,10 @@ psql_connect() { } psql_query() { - psql -h $HOST -U $USER -c "$1" 2>/dev/null + sql_tmp=$(mktemp) + echo "$1" > $sql_tmp + psql -h $HOST -U $USER -f "$sql_tmp" 2>/dev/null + rm -f $sql_tmp } psql_dump() { diff --git a/func/main.sh b/func/main.sh index cbd65903..13700619 100644 --- a/func/main.sh +++ b/func/main.sh @@ -287,6 +287,13 @@ is_hash_valid() { fi } +# Check if directory is a symlink +is_dir_symlink() { + if [[ -L "$1" ]]; then + check_result $E_FORBIDEN "$1 directory is a symlink" + fi +} + # Get object value get_object_value() { object=$(grep "$2='$3'" $USER_DATA/$1.conf) diff --git a/func/rebuild.sh b/func/rebuild.sh index a6025928..9a1c0f47 100644 --- a/func/rebuild.sh +++ b/func/rebuild.sh @@ -71,6 +71,9 @@ rebuild_user_conf() { echo "$BIN/v-update-web-domains-disk $user" \ >> $VESTA/data/queue/disk.pipe + if [[ -L "$HOMEDIR/$user/web" ]]; then + rm $HOMEDIR/$user/web + fi mkdir -p $HOMEDIR/$user/conf/web mkdir -p $HOMEDIR/$user/web mkdir -p $HOMEDIR/$user/tmp @@ -105,6 +108,9 @@ rebuild_user_conf() { echo "$BIN/v-update-mail-domains-disk $user" \ >> $VESTA/data/queue/disk.pipe + if [[ -L "$HOMEDIR/$user/mail" ]]; then + rm $HOMEDIR/$user/mail + fi mkdir -p $HOMEDIR/$user/conf/mail mkdir -p $HOMEDIR/$user/mail chmod 751 $HOMEDIR/$user/mail diff --git a/src/deb/ioncube/control b/src/deb/ioncube/control index a7c5a020..607655f5 100644 --- a/src/deb/ioncube/control +++ b/src/deb/ioncube/control @@ -1,7 +1,7 @@ Source: vesta-ioncube Package: vesta-ioncube Priority: optional -Version: 0.9.8-20 +Version: 0.9.8-21 Section: admin Maintainer: Serghey Rodin Homepage: https://www.ioncube.com diff --git a/src/deb/nginx/control b/src/deb/nginx/control index 275d7185..1f17044e 100644 
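Review bot: `mysql_query` now returns the exit status of `rm -f "$sql_tmp"` rather than mysql's, so callers that check `$?` (such as `v-update-sys-rrd-mysql` in this commit) see success even when the connection or the statement fails; capture the status before the cleanup and `return` it. Moving the statement from `-e` to a temp file is the right fix for keeping SQL, and any password embedded in it, out of `ps`, but `echo "$1"` mangles a statement that starts with `-e`/`-n`, so use `printf '%s\n'`, and bail out when `mktemp` fails so the redirect does not hit an empty filename.
```shell
mysql_query() {
    sql_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$sql_tmp"
    mysql --defaults-file=$mycnf < "$sql_tmp" 2>/dev/null
    rc=$?
    rm -f "$sql_tmp"
    return $rc
}
```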
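Review bot: `psql -h $HOST -U $USER -f "$sql_tmp"` changes the error semantics that `-c` had: `psql -f` exits 0 after a failing statement unless `ON_ERROR_STOP` is set, and the trailing `rm -f $sql_tmp` then overwrites even that status, so `psql_query` can no longer report a failed query to any caller. Pass `-v ON_ERROR_STOP=1`, save psql's status before the cleanup and return it, and quote `"$sql_tmp"` in the `rm` as the mysql variant does.
```shell
psql_query() {
    sql_tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$sql_tmp"
    psql -h $HOST -U $USER -v ON_ERROR_STOP=1 -f "$sql_tmp" 2>/dev/null
    rc=$?
    rm -f "$sql_tmp"
    return $rc
}
```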
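Review bot: `is_dir_symlink` tests only whether the last component of `$1` is a symlink at the instant of the call: a symlinked parent passes, as does a swap made after the check, and nothing verifies that `$1` is actually a directory despite the name and the error message. Say so where callers will read it: `# Fails with E_FORBIDEN if the last component of $1 is a symlink. Point-in-time` / `# check only: callers must still avoid following symlinks when they later write to $1.` If symlinked parents should be rejected too, compare `$(readlink -f "$1")` against the expected path instead of relying on `-L`.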
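Review bot: Removing the symlink with `rm $HOMEDIR/$user/web` and then `mkdir -p $HOMEDIR/$user/web` leaves the same window it tries to close: `$HOMEDIR/$user` is user-writable, `mkdir -p` succeeds silently when the path is already a symlink to an existing directory, and the ownership and mode changes that follow in `rebuild_user_conf` (outside the hunk) dereference it. Quote the path (`rm -f "$HOMEDIR/$user/web"`) and, after the `mkdir -p`, re-test `[[ -L "$HOMEDIR/$user/web" ]]` and abort with `check_result $E_FORBIDEN` rather than continuing; a symlink that reappears here is an attack, not a cleanup task. `rebuild_user_conf` begins before the hunk.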
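Review bot: `chmod 751 $HOMEDIR/$user/mail`, two lines below the added `rm`, follows symlinks, so a symlink the user recreates between `rm $HOMEDIR/$user/mail` and that `chmod` makes root change the mode of an arbitrary target; the `mkdir -p` in between does not help because it succeeds silently on a symlink to an existing directory. Quote the path and re-check right before the privileged call: `[[ -L "$HOMEDIR/$user/mail" ]] && check_result $E_FORBIDEN "$HOMEDIR/$user/mail is a symlink"` ahead of the `chmod`. The enclosing `rebuild_user_conf` starts before the hunk.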
--- a/src/deb/nginx/control +++ b/src/deb/nginx/control @@ -1,7 +1,7 @@ Source: vesta-nginx Package: vesta-nginx Priority: optional -Version: 0.9.8-20 +Version: 0.9.8-21 Section: admin Maintainer: Serghey Rodin Homepage: http://vestacp.com diff --git a/src/deb/php/control b/src/deb/php/control index e24b55ca..ad9991e5 100644 --- a/src/deb/php/control +++ b/src/deb/php/control @@ -1,7 +1,7 @@ Source: vesta-php Package: vesta-php Priority: optional -Version: 0.9.8-20 +Version: 0.9.8-21 Section: admin Maintainer: Serghey Rodin Homepage: http://vestacp.com diff --git a/src/deb/softaculous/control b/src/deb/softaculous/control index 0c1d271e..acadc809 100644 --- a/src/deb/softaculous/control +++ b/src/deb/softaculous/control @@ -1,7 +1,7 @@ Source: vesta-softaculous Package: vesta-softaculous Priority: optional -Version: 0.9.8-20 +Version: 0.9.8-21 Section: admin Maintainer: Serghey Rodin Homepage: https://www.softaculous.com diff --git a/src/deb/vesta/control b/src/deb/vesta/control index 87ed6e49..b45b2f74 100644 --- a/src/deb/vesta/control +++ b/src/deb/vesta/control @@ -1,7 +1,7 @@ Source: vesta Package: vesta Priority: optional -Version: 0.9.8-20 +Version: 0.9.8-21 Section: admin Maintainer: Serghey Rodin Homepage: http://vestacp.com diff --git a/src/deb/vesta/postinst b/src/deb/vesta/postinst index 2c539b1d..3cba15e9 100755 --- a/src/deb/vesta/postinst +++ b/src/deb/vesta/postinst @@ -20,8 +20,12 @@ if [ -x "/usr/local/vesta/upd/fix_sessions.sh" ]; then /usr/local/vesta/upd/fix_sessions.sh fi -if [ -e /usr/local/vesta/upd/fix_nginx_auth.sh ]; then +if [ -x /usr/local/vesta/upd/fix_nginx_auth.sh ]; then /usr/local/vesta/upd/fix_nginx_auth.sh fi +if [ -x /usr/local/vesta/upd/fix_roundcube.sh ]; then + /usr/local/vesta/upd/fix_roundcube.sh +fi + exit 0 diff --git a/src/rpm/specs/vesta-ioncube.spec b/src/rpm/specs/vesta-ioncube.spec index 93e67911..aaa4cf5d 100644 --- a/src/rpm/specs/vesta-ioncube.spec +++ b/src/rpm/specs/vesta-ioncube.spec 
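Review bot: Switching the guards to `-x` means a fix script shipped without its execute bit is skipped silently, which for `fix_roundcube.sh` in a release whose changelog reads "Additional security fixes" is the failure mode you least want; `bash /usr/local/vesta/upd/fix_roundcube.sh` under an `-f` test runs it regardless of mode bits. If the intent is to let a packager disable a trigger by clearing the bit, a comment such as `# update triggers are skipped when not executable` would stop the next reader from "fixing" it back.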
@@ -1,6 +1,6 @@ Name: vesta-ioncube Version: 0.9.8 -Release: 20 +Release: 21 Summary: ionCube Loader Group: System Environment/Base License: "Freely redistributable without restriction" diff --git a/src/rpm/specs/vesta-nginx.spec b/src/rpm/specs/vesta-nginx.spec index e6071b43..9e83f48a 100644 --- a/src/rpm/specs/vesta-nginx.spec +++ b/src/rpm/specs/vesta-nginx.spec @@ -1,6 +1,6 @@ Name: vesta-nginx Version: 0.9.8 -Release: 20 +Release: 21 Summary: Vesta Control Panel Group: System Environment/Base License: BSD-like diff --git a/src/rpm/specs/vesta-php.spec b/src/rpm/specs/vesta-php.spec index 7607ae0d..112deee1 100644 --- a/src/rpm/specs/vesta-php.spec +++ b/src/rpm/specs/vesta-php.spec @@ -1,6 +1,6 @@ Name: vesta-php Version: 0.9.8 -Release: 20 +Release: 21 Summary: Vesta Control Panel Group: System Environment/Base License: GPL diff --git a/src/rpm/specs/vesta-softaculous.spec b/src/rpm/specs/vesta-softaculous.spec index 4adfda69..15bb15b3 100644 --- a/src/rpm/specs/vesta-softaculous.spec +++ b/src/rpm/specs/vesta-softaculous.spec @@ -1,6 +1,6 @@ Name: vesta-softaculous Version: 0.9.8 -Release: 20 +Release: 21 Summary: Vesta Control Panel Group: System Environment/Base License: Softaculous License diff --git a/src/rpm/specs/vesta.spec b/src/rpm/specs/vesta.spec index 7127d37a..ea94eebd 100644 --- a/src/rpm/specs/vesta.spec +++ b/src/rpm/specs/vesta.spec @@ -1,6 +1,6 @@ Name: vesta Version: 0.9.8 -Release: 20 +Release: 21 Summary: Vesta Control Panel Group: System Environment/Base License: GPL 
@@ -30,18 +30,21 @@ rm -rf %{buildroot} %post if [ $1 -ge 2 ]; then - if [ -e /usr/local/vesta/upd/add_sudo.sh ]; then + if [ -x /usr/local/vesta/upd/add_sudo.sh ]; then /usr/local/vesta/upd/add_sudo.sh fi - if [ -e /usr/local/vesta/upd/add_notifications.sh ]; then + if [ -x /usr/local/vesta/upd/add_notifications.sh ]; then /usr/local/vesta/upd/add_notifications.sh fi - if [ -e /usr/local/vesta/upd/fix_sessions.sh ]; then + if [ -x /usr/local/vesta/upd/fix_sessions.sh ]; then /usr/local/vesta/upd/fix_sessions.sh fi - if [ -e /usr/local/vesta/upd/fix_nginx_auth.sh ]; then + if [ -x /usr/local/vesta/upd/fix_nginx_auth.sh ]; then /usr/local/vesta/upd/fix_nginx_auth.sh fi + if [ -x /usr/local/vesta/upd/fix_roundcube.sh ]; then + /usr/local/vesta/upd/fix_roundcube.sh + fi fi %files %{_vestadir} @@ -56,6 +59,9 @@ fi %config(noreplace) %{_vestadir}/web/css/uploadify.css %changelog +* Fri May 11 2018 Serghey Rodin - 0.9.8-21 +- Additional security fixes + * Sun Apr 08 2018 Serghey Rodin - 0.9.8-20 - Hardening password checks diff --git a/upd/add_sudo.sh b/upd/add_sudo.sh index d65ee9d7..439e3515 100755 --- a/upd/add_sudo.sh +++ b/upd/add_sudo.sh @@ -3,7 +3,7 @@ if [ ! -e '/etc/sudoers.d/admin' ]; then if [ ! -d '/etc/sudoers.d' ]; then - mkidr /etc/sudoers.d + mkdir /etc/sudoers.d chmod 750 /etc/sudoers.d fi echo '# Created by vesta update-trigger' > /etc/sudoers.d/admin diff --git a/upd/fix_roundcube.sh b/upd/fix_roundcube.sh new file mode 100755 index 00000000..621ffd2f --- /dev/null +++ b/upd/fix_roundcube.sh @@ -0,0 +1,19 @@ +#!/bin/bash + +# Locate roundcube directory +if [ -d '/etc/roundcube' ]; then + rc_dir='/etc/roundcube' +fi +if [ -d '/etc/roundcubemail' ]; then + rc_dir='/etc/roundcubemail' +fi + +if [ -z "$rc_dir" ]; then + exit +fi + +# Check for eval +cd $rc_dir +for config in $(grep eval *.php |cut -f1 -d:); do + sed -i '/eval/d' $config +done diff --git a/web/inc/i18n/sr.php b/web/inc/i18n/sr.php index 50dc766d..dc1f315c 100644 --- a/web/inc/i18n/sr.php 
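Review bot: `grep eval *.php |cut -f1 -d:` yields filenames only when grep is given more than one file; with a single `*.php` in the directory grep omits the prefix, `cut` returns the matching line's text, and `sed -i` is run against a bogus filename, so use `grep -l` (or test each file). The pattern `/eval/d` also deletes any comment or setting containing "retrieval" or "evaluate", and removing one line of a multi-line statement leaves the config unparsable, so anchor it to a call (`\beval[[:space:]]*\(`), and check that `cd` succeeded before `sed -i` touches `*.php` in whatever the current directory happens to be. An injected `eval(` in a Roundcube config is an indicator of compromise: keep a copy of each file modified and print what was changed instead of silently erasing the evidence, and note that this cleans only the config directory, not whatever else the same intruder left behind.
```shell
# … unchanged: rc_dir detection …

# Strip injected eval() calls from the config; keep a copy of every file touched
cd "$rc_dir" || exit 1
for config in *.php; do
    grep -qE '\beval[[:space:]]*\(' "$config" 2>/dev/null || continue
    backup="$config.eval-removed.$(date +%s)"
    cp -p "$config" "$backup"
    echo "fix_roundcube: eval() found in $rc_dir/$config, original kept as $backup"
    sed -i -E '/\beval[[:space:]]*\(/d' "$config"
done
```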
+++ b/web/inc/i18n/sr.php @@ -489,7 +489,7 @@ $LANG['sr'] = array( 'Welcome' => 'Dobrodošli', 'LOGGED_IN_AS' => 'Ulogovani ste kao %s', 'Error' => 'Greška', - 'Invalid username or password' => 'Pogrešani login podaci', + 'Invalid username or password' => 'Pogrešni login podaci', 'Invalid username or code' => 'Pogrešno korisničko ime ili kod', 'Passwords not match' => 'Passwordi se ne poklapaju', 'Please enter valid email address.' => 'Potrebno je uneti validnu email adresu.', @@ -512,8 +512,8 @@ $LANG['sr'] = array( 'Welcome to Vesta Control Panel' => 'Dobrodošli u Vesta kontrolni panel', 'MAIL_FROM' => 'Vesta kontrolni panel ', - 'GREETINGS_GORDON_FREEMAN' => "Poštovanje, %s %s,\n", - 'GREETINGS' => "Poštovanje,\n", + 'GREETINGS_GORDON_FREEMAN' => "Poštovani %s %s,\n", + 'GREETINGS' => "Poštovani,\n", 'ACCOUNT_READY' => "Vaš hosting nalog je kreiran i spreman za korišćenje.\n\nhttps://%s/login/\nKorisničko ime: %s\nŠifra: %s\n\n--\nVesta kontrolni panel\n", 'FTP login credentials' => 'FTP podaci', diff --git a/web/upload/UploadHandler.php b/web/upload/UploadHandler.php index 2c9de8af..a5e0b07c 100755 --- a/web/upload/UploadHandler.php +++ b/web/upload/UploadHandler.php 
@@ -1117,37 +1117,12 @@ class UploadHandler $append_file = $content_range && is_file($file_path) && $file->size > $this->get_file_size($file_path); if ($uploaded_file && is_uploaded_file($uploaded_file)) { - // multipart/formdata uploads (POST method uploads) - if ($append_file) { - file_put_contents( - $file_path, - fopen($uploaded_file, 'r'), - FILE_APPEND - ); - } else { - chmod($uploaded_file, 0644); -// move_uploaded_file($uploaded_file, $file_path); - exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} '{$file_path}'", $output, $return_var); - - $error = check_return_code($return_var, $output); - if ($return_var != 0) { - //var_dump(VESTA_CMD . "v-copy-fs-file {$user} {$fn} {$path}"); - //var_dump($path); - //var_dump($output); - $file->error = 'Error while saving file '; -// var_dump(VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} {$file_path}"); -// var_dump($return_var); -// var_dump($output); -// exit(); - } + chmod($uploaded_file, 0644); + exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} '{$file_path}'", $output, $return_var); + $error = check_return_code($return_var, $output); + if ($return_var != 0) { + $file->error = 'Error while saving file '; } - } else { - // Non-multipart uploads (PUT method support) - file_put_contents( - $file_path, - fopen('php://input', 'r'), - $append_file ? FILE_APPEND : 0 - ); } $file_size = $this->get_file_size($file_path, $append_file); diff --git a/web/view/file/index.php b/web/view/file/index.php index 6605607c..aed9523d 100644 --- a/web/view/file/index.php +++ b/web/view/file/index.php @@ -16,7 +16,7 @@ if (!empty($_REQUEST['path'])) { $path = $_REQUEST['path']; if (!empty($_REQUEST['raw'])) { header('content-type: image/jpeg'); - passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg($_REQUEST['path'])); + passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg(htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8'))); exit; } }
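Review bot: The surviving `exec(VESTA_CMD . "v-copy-fs-file " . USERNAME . " {$uploaded_file} '{$file_path}'", …)` still builds the shell command by interpolation: `$file_path` is derived from the uploaded file's name and target directory, and a single quote in that name closes the `'…'` wrapper, so the request controls the rest of the command line handed to the privileged helper (whether `trim_file_name` strips quotes is outside this hunk; the upstream library's version does not). Escape both operands: `exec(VESTA_CMD . "v-copy-fs-file " . USERNAME . " " . escapeshellarg($uploaded_file) . " " . escapeshellarg($file_path), $output, $return_var);`. Routing every write through `v-copy-fs-file` by dropping the `php://input` and `FILE_APPEND` paths is the right call, but `$append_file` on the line above is now computed only to feed `get_file_size` below, so a comment stating that chunked and PUT uploads are intentionally unsupported would stop the next reader from reinstating them. The method continues past the hunk.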
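Review bot: Wrapping the path in `htmlspecialchars()` before `escapeshellarg()` adds no shell safety — `escapeshellarg` already neutralises every metacharacter and `htmlspecialchars` leaves `;`, `$`, backticks and `|` untouched — but it rewrites legitimate filenames containing `&`, `<`, `>`, `"` or `'` into HTML entities so those files can no longer be opened, and on PHP < 8 it returns an empty string for any byte sequence that is not valid UTF-8, turning the call into `v-open-fs-file user ''`. Keep `escapeshellarg($_REQUEST['path'])` alone and enforce path containment (the resolved file must lie inside the user's home) in `v-open-fs-file`, where it can be checked after symlink resolution; HTML encoding belongs at output time, not on a shell argument. `$user` is interpolated unescaped too; if it comes from the session that is fine in practice, but `escapeshellarg($user)` costs nothing.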