From 7603cdea7a5c9441c434e654a0c99ef49b51400c Mon Sep 17 00:00:00 2001 From: Sergio Date: Sun, 21 Apr 2019 00:11:36 +0200 Subject: [PATCH] Add the validation of the CSRF token. It is missing in some cases when it is sent by GET or POST. --- web/add/cron/autoupdate/index.php | 6 ++++++ web/add/cron/reports/index.php | 6 ++++++ web/add/firewall/banlist/index.php | 6 ++++++ web/delete/cron/autoupdate/index.php | 6 ++++++ web/delete/cron/reports/index.php | 6 ++++++ web/restart/service/index.php | 6 ++++++ web/restart/system/index.php | 6 ++++++ web/templates/admin/list_services.html | 2 +- web/update/vesta/index.php | 6 ++++++ 9 files changed, 49 insertions(+), 1 deletion(-) diff --git a/web/add/cron/autoupdate/index.php b/web/add/cron/autoupdate/index.php index 53d50c05..90854d9b 100644 --- a/web/add/cron/autoupdate/index.php +++ b/web/add/cron/autoupdate/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var); $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled'); diff --git a/web/add/cron/reports/index.php b/web/add/cron/reports/index.php index 4b0424e3..197c5760 100644 --- a/web/add/cron/reports/index.php +++ b/web/add/cron/reports/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled'); unset($output); diff --git a/web/add/firewall/banlist/index.php b/web/add/firewall/banlist/index.php index 774421e6..a9f616a2 100644 --- a/web/add/firewall/banlist/index.php +++ b/web/add/firewall/banlist/index.php @@ -15,6 +15,12 @@ if ($_SESSION['user'] != 'admin') { // Check POST request if (!empty($_POST['ok'])) { + // Check token + if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) { + header('location: /login/'); + exit(); + } + // Check empty fields if (empty($_POST['v_chain'])) $errors[] = __('banlist'); if (empty($_POST['v_ip'])) $errors[] = __('ip address'); diff --git a/web/delete/cron/autoupdate/index.php b/web/delete/cron/autoupdate/index.php index ad670ef0..a58064c0 100644 --- a/web/delete/cron/autoupdate/index.php +++ b/web/delete/cron/autoupdate/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { exec (VESTA_CMD."v-delete-cron-vesta-autoupdate", $output, $return_var); $_SESSION['error_msg'] = __('Autoupdate has been successfully disabled'); diff --git a/web/delete/cron/reports/index.php b/web/delete/cron/reports/index.php index af7df20f..10d422a8 100644 --- a/web/delete/cron/reports/index.php +++ b/web/delete/cron/reports/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + exec (VESTA_CMD."v-delete-cron-reports ".$user, $output, $return_var); $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled'); unset($output); diff --git a/web/restart/service/index.php b/web/restart/service/index.php index 5f42e5e5..eb07e856 100644 --- a/web/restart/service/index.php +++ b/web/restart/service/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { if (!empty($_GET['srv'])) { if ($_GET['srv'] == 'iptables') { diff --git a/web/restart/system/index.php b/web/restart/system/index.php index 4facc5a5..4e09745e 100644 --- a/web/restart/system/index.php +++ b/web/restart/system/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { if (!empty($_GET['hostname'])) { exec (VESTA_CMD."v-restart-system yes", $output, $return_var); diff --git a/web/templates/admin/list_services.html b/web/templates/admin/list_services.html index 346370e6..6012d2a3 100644 --- a/web/templates/admin/list_services.html +++ b/web/templates/admin/list_services.html @@ -54,7 +54,7 @@
 ↵
-
 R
+
 R
diff --git a/web/update/vesta/index.php b/web/update/vesta/index.php index a025c7bf..fa7ca2c4 100644 --- a/web/update/vesta/index.php +++ b/web/update/vesta/index.php @@ -5,6 +5,12 @@ ob_start(); session_start(); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); +// Check token +if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) { + header('location: /login/'); + exit(); +} + if ($_SESSION['user'] == 'admin') { if (!empty($_GET['pkg'])) { $v_pkg = escapeshellarg($_GET['pkg']);