From 6e13036780c9888e4ae912bab12cca4c806ac1cc Mon Sep 17 00:00:00 2001
From: Flat
Date: Sun, 29 Nov 2015 17:19:10 +0900
Subject: [PATCH] :lock: Fix OS command injection vulnerability.

---
 web/add/web/index.php | 2 +-
 web/edit/cron/index.php | 1 +
 web/edit/mail/index.php | 4 ++--
 web/edit/web/index.php | 6 +++---
 web/login/index.php | 2 +-
 web/search/index.php | 2 +-
 6 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/web/add/web/index.php b/web/add/web/index.php
index 612ae547..fb8d212d 100644
--- a/web/add/web/index.php
+++ b/web/add/web/index.php
@@ -272,7 +272,7 @@ if (!empty($_POST['ok'])) {
 $fp = fopen($v_ftp_password, "w");
 fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
 fclose($fp);
- exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
+ exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 unlink($v_ftp_password);
diff --git a/web/edit/cron/index.php b/web/edit/cron/index.php
index d78b4eb6..8c309f70 100644
--- a/web/edit/cron/index.php
+++ b/web/edit/cron/index.php
@@ -53,6 +53,7 @@ if (!empty($_POST['save'])) {
 }

 $v_username = $user;
+ $v_job = escapeshellarg($_GET['job']);
 $v_min = escapeshellarg($_POST['v_min']);
 $v_hour = escapeshellarg($_POST['v_hour']);
 $v_day = escapeshellarg($_POST['v_day']);
diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php
index 1010b07f..28d4da9b 100644
--- a/web/edit/mail/index.php
+++ b/web/edit/mail/index.php
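Review bot: `$fp = fopen($v_ftp_password, "w");` is never checked, so when the temp file cannot be created the `fwrite` and `fclose` warn on `false` and the `exec` still runs with a path that holds no password, leaving the CLI's exit code as the only signal of what went wrong. A guard such as `if ($fp === false) { $_SESSION['error_msg'] = 'cannot write temporary password file'; }` before the `fwrite`, with the `exec` and `unlink` skipped when it is set, reports the real cause. The rename from `$v_ftp_username` to `$v_ftp_user` presumably points at an already-escaped value, but that assignment, like whatever escaping `$user`, `$v_domain` and `$v_ftp_path` receive, is outside the hunk, and the enclosing `if (!empty($_POST['ok']))` block starts before and ends after it.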
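Review bot: `$v_job = escapeshellarg($_GET['job']);` makes the value shell-safe, but a request without a `job` parameter still raises an undefined-index notice and hands `''` to the CLI. Guarding it first, `$v_job = escapeshellarg(isset($_GET['job']) ? $_GET['job'] : '');`, or rejecting the request outright when it is absent, keeps the notice out of the log and makes the failure explicit. If the job identifier is always numeric (not visible in this hunk), a `ctype_digit` check before escaping would be a tighter filter than quoting alone. The enclosing `if (!empty($_POST['save']))` block begins before the hunk and ends after it.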
@@ -233,7 +233,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
 $result = array_diff($aliases, $valiases);
 foreach ($result as $alias) {
 if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
- exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var);
+ exec (VESTA_CMD."v-add-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($alias), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 }
@@ -259,7 +259,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
 $result = array_diff($fwd, $vfwd);
 foreach ($result as $forward) {
 if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
- exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var);
+ exec (VESTA_CMD."v-add-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." ".escapeshellarg($forward), $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 }
diff --git a/web/edit/web/index.php b/web/edit/web/index.php
index c0d1f6f8..e28aa713 100644
--- a/web/edit/web/index.php
+++ b/web/edit/web/index.php
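Review bot: `escapeshellarg($alias)` is locale-sensitive: under a non-UTF-8 `LC_CTYPE` it can silently strip multibyte characters from the argument, so an alias containing non-ASCII text may reach `v-add-mail-account-alias` altered rather than rejected. Pinning the locale once at the top of the script, `setlocale(LC_CTYPE, 'C.UTF-8');` or whatever the project configures, before any `escapeshellarg` call avoids that. `$v_username`, `$v_domain` and `$v_account` are interpolated unquoted in the same command; their escaping, if any, happens before the hunk. The closing `}` in the hunk ends the inner `if`; the `foreach` opened here closes after it.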
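Review bot: The forward destination is quoted for the shell but not validated as an address in the web layer before it is handed to `v-add-mail-account-forward`, so the CLI's exit code is the only thing standing between a typo and a stored forward. If forwards are always full e-mail addresses (not determinable from this hunk), a `filter_var($forward, FILTER_VALIDATE_EMAIL)` test inside the `if`, setting `$_SESSION['error_msg']` and skipping the `exec` when it fails, would reject malformed input with a message the user can act on. The `foreach` opened in the hunk closes after it.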
@@ -188,14 +188,14 @@ if (!empty($_POST['save'])) {
 $restart_web = 'yes';
 $restart_proxy = 'yes';
 $v_template = escapeshellarg($_POST['v_template']);
- exec (VESTA_CMD."v-add-web-domain-alias ".$v_username." ".$v_domain." '".$alias."' 'no'", $output, $return_var);
+ exec (VESTA_CMD."v-add-web-domain-alias ".$v_username." ".$v_domain." ".escapeshellarg($alias)." 'no'", $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 if (empty($_SESSION['error_msg'])) {
 exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
 unset($output);
 if ($return_var == 0) {
- exec (VESTA_CMD."v-add-dns-on-web-alias ".$v_username." ".$alias." ".$v_ip." no", $output, $return_var);
+ exec (VESTA_CMD."v-add-dns-on-web-alias ".$v_username." ".escapeshellarg($alias)." ".$v_ip." no", $output, $return_var);
 check_return_code($return_var,$output);
 unset($output);
 $restart_dns = 'yes';
@@ -520,7 +520,7 @@ if (!empty($_POST['save'])) {
 $fp = fopen($v_ftp_password, "w");
 fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
 fclose($fp);
- exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
+ exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_user." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
 check_return_code($return_var,$output);
 if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
 $to = $v_ftp_user_data['v_ftp_email'];
diff --git a/web/login/index.php b/web/login/index.php
index f084ae17..253b8ac9 100644
--- a/web/login/index.php
+++ b/web/login/index.php
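Review bot: `$alias` is escaped separately in each of the two `exec` calls, while the hunk already follows the pattern of escaping once into a `$v_*` variable (`$v_template = escapeshellarg($_POST['v_template']);`). Escaping once, `$v_alias = escapeshellarg($alias);` next to `$v_template` and using `$v_alias` in both commands, keeps the two calls in step and makes it harder for a later edit to drop the escape from one of them. `$v_ip` in the `v-add-dns-on-web-alias` call is interpolated raw; where it is assigned and whether it is validated is outside the hunk, as is the loop or block that defines `$alias`. The `if (empty($_SESSION['error_msg']))` opened here closes after the hunk.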
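Review bot: As in `web/add/web/index.php`, the password temp file is written without checking the `fopen` result, so a failed open still reaches the `exec` with an empty path and only the CLI's exit code reports it; here the `unlink` that removes the plaintext file is also not visible after the `exec`, so a leftover file on a failed run cannot be ruled out from this hunk. A guard before the `fwrite`, `if ($fp === false) { $_SESSION['error_msg'] = 'cannot write temporary password file'; }`, with the `exec` skipped when it is set, plus confirming the `unlink` runs on every path, closes both gaps. `$v_ftp_path` is still passed raw; its escaping, if any, is before the hunk, and the `if` on the FTP e-mail opened at the end closes after it.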
@@ -44,7 +44,7 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
 fclose($fp);

 // Check user & password
- exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $return_var);
+ exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." ".escapeshellarg($_SERVER['REMOTE_ADDR']), $output, $return_var);
 unset($output);

 // Remove tmp file
diff --git a/web/search/index.php b/web/search/index.php
index fc5ffd06..e885cd7a 100644
--- a/web/search/index.php
+++ b/web/search/index.php
@@ -28,8 +28,8 @@ $lang = 'ru_RU.utf8';
 //setlocale(LC_ALL, $lang);

 // Data
+$q = escapeshellarg($q);
 if ($_SESSION['user'] == 'admin') {
- $q = escapeshellarg($q);
 exec (VESTA_CMD."v-search-object ".$q." json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
 include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/list_search.html');
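Review bot: Quoting `$_SERVER['REMOTE_ADDR']` is correct defence in depth, but since the value is only ever expected to be an IP address a positive check is stricter: `$v_ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);`, abort the login when it is `false`, then pass `escapeshellarg($v_ip)`. The value is normally set by the web server rather than the client, so the original quoting gap was less exposed than the other call sites in this patch, but behind a reverse proxy it will be the proxy's address and anything `v-check-user-password` records per IP (rate limiting or logging is not visible here) would be keyed on the proxy rather than the client. The surrounding `if (isset($_POST['user']) ...)` block starts before the hunk and ends after it.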
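Review bot: The output of `v-search-object` is decoded with `json_decode(implode('', $output), true)` without checking `$return_var` or the decode result, unlike the other call sites in this patch, which call `check_return_code`; on a CLI failure or malformed output `$data` is `null` and the template is included with it. Adding `check_return_code($return_var,$output);` after the `exec` and `if (!is_array($data)) { $data = array(); }` before the `include` keeps the template from receiving `null`. Hoisting `$q = escapeshellarg($q);` above the admin check is right, but `escapeshellarg` depends on the current locale and the `setlocale` line just above is commented out, so non-ASCII search terms may be stripped rather than passed through. Where `$q` is assigned is before the hunk, and the `if` opened here closes after it.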