From 40b34fdadbc8a3593287007f0620b3639e678590 Mon Sep 17 00:00:00 2001 From: zapalm Date: Wed, 24 Dec 2014 10:31:19 +1100 Subject: [PATCH 01/10] updated apache template 'basedir' for allowing writing access to the user's temporary directory --- install/debian/templates/web/apache2/basedir.stpl | 4 +++- install/debian/templates/web/apache2/basedir.tpl | 4 +++- install/rhel/templates/web/httpd/basedir.stpl | 4 +++- install/rhel/templates/web/httpd/basedir.tpl | 4 +++- install/ubuntu/templates/web/apache2/basedir.stpl | 4 +++- install/ubuntu/templates/web/apache2/basedir.tpl | 4 +++- 6 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/install/debian/templates/web/apache2/basedir.stpl b/install/debian/templates/web/apache2/basedir.stpl
index 96de57af..269c0971 100755
--- a/install/debian/templates/web/apache2/basedir.stpl
+++ b/install/debian/templates/web/apache2/basedir.stpl
@@ -15,7 +15,9 @@ AllowOverride All SSLRequireSSL Options +Includes -Indexes +ExecCGI
- php_admin_value open_basedir %docroot%
+ php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+ php_admin_value upload_tmp_dir %home%/%user%/tmp
+ php_admin_value session.save_path %home%/%user%/tmp
 AllowOverride All
diff --git a/install/debian/templates/web/apache2/basedir.tpl b/install/debian/templates/web/apache2/basedir.tpl
index 07ec38c9..c24b1279 100755
--- a/install/debian/templates/web/apache2/basedir.tpl
+++ b/install/debian/templates/web/apache2/basedir.tpl
@@ -14,7 +14,9 @@ AllowOverride All Options +Includes -Indexes +ExecCGI
- php_admin_value open_basedir %docroot%
+ php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+ php_admin_value upload_tmp_dir %home%/%user%/tmp
+ php_admin_value session.save_path %home%/%user%/tmp
 AllowOverride All
diff --git a/install/rhel/templates/web/httpd/basedir.stpl b/install/rhel/templates/web/httpd/basedir.stpl
index d568276d..cd4a8c88 100755
--- a/install/rhel/templates/web/httpd/basedir.stpl
+++ b/install/rhel/templates/web/httpd/basedir.stpl
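Review bot: The new `open_basedir` entry `%home%/%user%/tmp` has no trailing slash, and PHP treats a slash-less open_basedir entry as a prefix, so it would also admit any sibling path that starts with the same characters (for example `%home%/%user%/tmp2`); writing it as `%docroot%:%home%/%user%/tmp/` restricts it to that one directory. The same applies to the five sibling templates changed in this commit (debian/rhel/ubuntu, .tpl and .stpl). The template also gives no hint that `upload_tmp_dir` and `session.save_path` now depend on that directory existing and being writable by the PHP process user; if nothing in account creation provisions it (not visible here), uploads and sessions for the domain will not work, so a one-line comment such as `# %home%/%user%/tmp must exist and be writable by the site's PHP user` above the three directives would help the next maintainer. The enclosing Directory block is outside the hunk.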
@@ -15,7 +15,9 @@ AllowOverride All SSLRequireSSL Options +Includes -Indexes +ExecCGI
- php_admin_value open_basedir %docroot%
+ php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+ php_admin_value upload_tmp_dir %home%/%user%/tmp
+ php_admin_value session.save_path %home%/%user%/tmp
 AllowOverride All
diff --git a/install/rhel/templates/web/httpd/basedir.tpl b/install/rhel/templates/web/httpd/basedir.tpl
index 41b77334..94288db0 100755
--- a/install/rhel/templates/web/httpd/basedir.tpl
+++ b/install/rhel/templates/web/httpd/basedir.tpl
@@ -14,7 +14,9 @@ AllowOverride All Options +Includes -Indexes +ExecCGI
- php_admin_value open_basedir %docroot%
+ php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+ php_admin_value upload_tmp_dir %home%/%user%/tmp
+ php_admin_value session.save_path %home%/%user%/tmp
 AllowOverride All
diff --git a/install/ubuntu/templates/web/apache2/basedir.stpl b/install/ubuntu/templates/web/apache2/basedir.stpl
index 96de57af..269c0971 100755
--- a/install/ubuntu/templates/web/apache2/basedir.stpl
+++ b/install/ubuntu/templates/web/apache2/basedir.stpl
@@ -15,7 +15,9 @@ AllowOverride All SSLRequireSSL Options +Includes -Indexes +ExecCGI
- php_admin_value open_basedir %docroot%
+ php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+ php_admin_value upload_tmp_dir %home%/%user%/tmp
+ php_admin_value session.save_path %home%/%user%/tmp
 AllowOverride All
diff --git a/install/ubuntu/templates/web/apache2/basedir.tpl b/install/ubuntu/templates/web/apache2/basedir.tpl
index 07ec38c9..c24b1279 100755
--- a/install/ubuntu/templates/web/apache2/basedir.tpl
+++ b/install/ubuntu/templates/web/apache2/basedir.tpl
@@ -14,7 +14,9 @@ AllowOverride All Options +Includes -Indexes +ExecCGI
- php_admin_value open_basedir %docroot%
+ php_admin_value open_basedir %docroot%:%home%/%user%/tmp
+ php_admin_value upload_tmp_dir %home%/%user%/tmp
+ php_admin_value session.save_path %home%/%user%/tmp
 AllowOverride All
From 2a426c5fd313ac49054b9e6315e6caf5eb3ecf72 Mon Sep 17 00:00:00 2001 From: James Alvarez Date: Sun, 11 Jan 2015 00:30:17 +0800 Subject: [PATCH 02/10] Fixed line 59 - should append the account only --- bin/v-add-mail-account-fwd-only | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bin/v-add-mail-account-fwd-only b/bin/v-add-mail-account-fwd-only
index 303ab79f..5be21965 100755
--- a/bin/v-add-mail-account-fwd-only
+++ b/bin/v-add-mail-account-fwd-only
@@ -56,7 +56,7 @@ fi
 # Adding account to fwd_only
 if [[ "$MAIL_SYSTEM" =~ exim ]]; then
- echo "$account" > $HOMEDIR/$user/conf/mail/$domain/fwd_only
+ echo "$account" >> $HOMEDIR/$user/conf/mail/$domain/fwd_only
 chown -R $MAIL_USER:mail $HOMEDIR/$user/conf/mail/$domain/fwd_only
 fi
From c0d5b3765a3e4328ec3851b62f18e8324cc760ab Mon Sep 17 00:00:00 2001 From: INVENT Date: Mon, 19 Jan 2015 15:14:15 +0300 Subject: [PATCH 03/10] Auth bypass vulnerability fix --- web/api/index.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/api/index.php b/web/api/index.php
index c0b420db..078ef1bd 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -17,7 +17,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $auth_code);
 } else {
 $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
- if (file_exists($key)) {
+ if (file_exists($key) && is_file($key)) {
 $auth_code = '0';
 }
 }
From 9c59a69b1ad9624efcae9db2c13098cf2c7eacf8 Mon Sep 17 00:00:00 2001 From: INVENT Date: Mon, 19 Jan 2015 15:22:53 +0300 Subject: [PATCH 04/10] Buffer overflow vulnerability fix --- src/v-check-user-password.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/v-check-user-password.c b/src/v-check-user-password.c
index 38fcad4f..1cca5717 100755
--- a/src/v-check-user-password.c
+++ b/src/v-check-user-password.c
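Review bot: The appended line's redirection target and the `chown` operand are built from unquoted `$HOMEDIR/$user/conf/mail/$domain/fwd_only`, so a value containing whitespace or glob characters would split into several words; quote both, `echo "$account" >> "$HOMEDIR/$user/conf/mail/$domain/fwd_only"` and `chown -R "$MAIL_USER":mail "$HOMEDIR/$user/conf/mail/$domain/fwd_only"`. Switching from `>` to `>>` also means a second add for the same account produces a duplicate entry; if the script does not already reject an existing account above this hunk (its start is outside the hunk), guard with `grep -qx "$account" "$file" || echo "$account" >> "$file"`. `-R` on a plain file is harmless but misleading and can be dropped.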
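Review bot: `is_file()` closes the case where `basename()` yields an empty name or `.` and `file_exists()` matched the keys directory itself, but the key name is still taken straight from the request and the only remaining check is that a regular file by that name exists; validating the shape of `$_POST['hash']` before the path is built, for example `if (!isset($_POST['hash']) || !preg_match('/^[A-Za-z0-9]+$/', $_POST['hash'])) { $auth_code = '1'; }` with the pattern adjusted to the real key format (not visible here), gives defence in depth independent of filesystem behaviour. `is_file()` follows symlinks, so the keys directory must stay writable only by the control panel's own user for the check to mean "a key we issued"; that is worth a comment on the `$key =` line. The enclosing `if (isset($_POST['user']) || isset($_POST['hash']))` begins above the hunk.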
@@ -45,10 +45,16 @@ int main (int argc, char** argv) {
 /* open log file */
 FILE* pFile = fopen ("/usr/local/vesta/log/auth.log","a+");
 if (NULL == pFile) {
- printf("Error: can not open file %s \n", argv[0]);
+ printf("Error: can not open file /usr/local/vesta/log/auth.log \n");
 exit(12);
 }
+ int len = 0;
+ if(strlen(argv[1]) >= 100) {
+ printf("Too long username\n");
+ exit(1);
+ }
+
 /* parse user argument */
 struct passwd* userinfo = getpwnam(argv[1]);
 if (NULL != userinfo) {
From 512283e52800f2e276a022662605de9642d165f3 Mon Sep 17 00:00:00 2001 From: INVENT Date: Mon, 19 Jan 2015 15:51:46 +0300 Subject: [PATCH 05/10] Potential remote code execution vulnerability fix. Can be exploitable, when we have X-Forwarded-For->X-Real-IP transformation. --- web/api/index.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/web/api/index.php b/web/api/index.php
index 078ef1bd..c938512a 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -14,7 +14,8 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 $v_user = escapeshellarg($_POST['user']);
 $v_password = escapeshellarg($_POST['password']);
- exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $auth_code);
+ $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
+ exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
 } else {
 $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
 if (file_exists($key) && is_file($key)) {
From 4d36c9106c2b15d8a12afd6a76a492c9473b5da5 Mon Sep 17 00:00:00 2001 From: ThomasG Date: Thu, 22 Jan 2015 21:37:10 +0000 Subject: [PATCH 06/10] Fix spelling mistake Noticed when redesigning template --- web/templates/admin/add_ip.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/templates/admin/add_ip.html b/web/templates/admin/add_ip.html
index 94ec7423..23a67933 100644
--- a/web/templates/admin/add_ip.html
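Review bot: The new guard calls `strlen(argv[1])` but nothing in the hunk checks `argc`; unless `main` validates the argument count before line 45 (its start is outside the hunk), running the binary without arguments dereferences a null pointer here. The literal `100` should be tied to the buffer it protects rather than repeated by hand, e.g. `enum { USER_MAX = 100 };` or `sizeof buf` of the destination declared further down (presumably a fixed-size username buffer; not visible), so the bound cannot drift from the allocation. `int len = 0;` is added but never used in the hunk and will draw an unused-variable warning. Both diagnostics go to stdout; `fprintf(stderr, ...)` keeps them out of any captured output, and the early `exit(1)` also skips writing the rejected attempt to the just-opened auth log, which a defender may want recorded.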
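Review bot: `escapeshellarg()` already wraps its result in single quotes, so the literal quotes kept around `$v_ip_addr` in the new `exec()` line produce `''203.0.113.5''` (constructed example); the shell concatenates the empty strings and the command still works, but the double quoting is misleading and inconsistent with how `$v_user` and `$v_password` are inserted, so use `." ".$v_ip_addr`. As defence in depth, validate the address before it reaches the command line, `if (filter_var($_SERVER["REMOTE_ADDR"], FILTER_VALIDATE_IP) === false) { exit; }` or similar, which is easier to reason about than escaping when a proxy layer rewrites the address as the commit message describes. The enclosing `if` begins above the hunk.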
+++ b/web/templates/admin/add_ip.html
@@ -147,4 +147,4 @@ - + 
From 602198801d55d687813e669ab13c7acd52e873b7 Mon Sep 17 00:00:00 2001 From: Leonid Suprun Date: Fri, 23 Jan 2015 14:43:00 +0300 Subject: [PATCH 07/10] Little typo --- src/bash_coding_style.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bash_coding_style.txt b/src/bash_coding_style.txt
index 4cf1e622..80d4ac63 100644
--- a/src/bash_coding_style.txt
+++ b/src/bash_coding_style.txt
@@ -41,7 +41,7 @@ Contents: } #
-3. Coments
+3. Comments
 The total length of a line (including comment) must not exceed more than 80 characters. Every file must be documented with an introductory comment that provides shorthand information on the file name and its contents.
From 7bfb3870925852d5d87352a46210ca1c17b35156 Mon Sep 17 00:00:00 2001 From: Leonid Suprun Date: Fri, 23 Jan 2015 14:50:55 +0300 Subject: [PATCH 08/10] Fix possible type --- src/bash_coding_style.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/bash_coding_style.txt b/src/bash_coding_style.txt
index 80d4ac63..e8fed9dc 100644
--- a/src/bash_coding_style.txt
+++ b/src/bash_coding_style.txt
@@ -5,7 +5,7 @@ Contents:
 1. Introduction
 2. Naming Convention
- 3. Coments
+ 3. Comments
 4. Coding Styles
 5. Basic formating
 6. If, For, and While
From 3924ede8bba18013ac14bb7b14ac350d7983d293 Mon Sep 17 00:00:00 2001 From: Leonid Suprun Date: Sat, 24 Jan 2015 11:32:03 +0300 Subject: [PATCH 09/10] Do not overwrite default sudoers config --- install/ubuntu/sudoers.conf | 31 ----------------------------- install/ubuntu/sudoers.vestacp.conf | 1 + install/vst-install-ubuntu.sh | 4 ++-- 3 files changed, 3 insertions(+), 33 deletions(-) delete mode 100644 install/ubuntu/sudoers.conf create mode 100644 install/ubuntu/sudoers.vestacp.conf
diff --git a/install/ubuntu/sudoers.conf b/install/ubuntu/sudoers.conf
deleted file mode 100644
index 0e3058d1..00000000
--- a/install/ubuntu/sudoers.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-#
-# This file MUST be edited with the 'visudo' command as root.
-#
-# Please consider adding local content in /etc/sudoers.d/ instead of
-# directly modifying this file.
-#
-# See the man page for details on how to write a sudoers file.
-#
-Defaults env_reset
-Defaults mail_badpass
-Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-Defaults env_keep="VESTA"
-
-# Host alias specification
-
-# User alias specification
-
-# Cmnd alias specification
-
-# User privilege specification
-root ALL=(ALL:ALL) ALL
-
-# Members of the admin group may gain root privileges
-%admin ALL=(ALL) ALL
-
-# Allow members of group sudo to execute any command
-%sudo ALL=(ALL:ALL) ALL
-
-# See sudoers(5) for more information on "#include" directives:
-
-#includedir /etc/sudoers.d
diff --git a/install/ubuntu/sudoers.vestacp.conf b/install/ubuntu/sudoers.vestacp.conf
new file mode 100644
index 00000000..fc178228
--- /dev/null
+++ b/install/ubuntu/sudoers.vestacp.conf
@@ -0,0 +1 @@
+Defaults env_keep="VESTA"
diff --git a/install/vst-install-ubuntu.sh b/install/vst-install-ubuntu.sh
index cc461577..25e0c64d 100644
--- a/install/vst-install-ubuntu.sh
+++ b/install/vst-install-ubuntu.sh
@@ -535,9 +535,9 @@ echo 'LS_COLORS="$LS_COLORS:di=00;33"' >> /etc/profile
 echo "/sbin/nologin" >> /etc/shells
 # Sudo configuration
-wget $CHOST/$VERSION/sudoers.conf -O /etc/sudoers
+wget $CHOST/$VERSION/sudoers.vestacp.conf -O /etc/sudoers.d/vestacp
 wget $CHOST/$VERSION/sudoers.admin.conf -O /etc/sudoers.d/admin
-chmod 440 /etc/sudoers
+chmod 440 /etc/sudoers.d/vestacp
 chmod 440 /etc/sudoers.d/admin
 # NTP Synchronization
From 57b91043699e58fa163d96229bba110a367219f2 Mon Sep 17 00:00:00 2001 From: Leonid Suprun Date: Sat, 24 Jan 2015 11:37:26 +0300 Subject: [PATCH 10/10] /etc/sudoers not modified during installation --- install/vst-install-ubuntu.sh | 5 ----- 1 file changed, 5 deletions(-)
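Review bot: `Defaults env_keep="VESTA"` in the new sudoers.vestacp.conf is an assignment, so when sudo reads it from /etc/sudoers.d it replaces the whole `env_keep` list that the distribution's /etc/sudoers established rather than extending it; since the commit's stated aim is to stop overriding the stock sudoers, `Defaults env_keep += "VESTA"` is what preserves the distribution's list and adds VESTA to it. The deleted install/ubuntu/sudoers.conf used the same plain assignment, so this is not a regression relative to the old behaviour, but it is the one spot where the fragment still clobbers a system default. A one-line comment in the file, `# keep VESTA in the environment of commands run through sudo; += so the distro list survives`, would document why the entry exists.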
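Review bot: `wget … -O /etc/sudoers.d/vestacp` creates or truncates the destination even when the download fails, and the following `chmod 440` then runs on an empty or partial file; a sudoers.d fragment that does not parse makes every sudo invocation on the host fail, so the fetch result should be checked and validated with `visudo -c -f` before it is installed. The `sudoers.admin.conf` line just below has the same shape and the same fix applies. Whether `$CHOST` is a plain-http URL is not visible here; if it is, the sudoers fragment is fetched without integrity protection, which is worth a comment at the `# Sudo configuration` line. The change below installs the file via a temporary path and only moves it into place after it validates.
```sh
# Sudo configuration
sudoers_tmp=$(mktemp)
wget $CHOST/$VERSION/sudoers.vestacp.conf -O "$sudoers_tmp" \
    && visudo -c -q -f "$sudoers_tmp" \
    && install -m 440 -o root -g root "$sudoers_tmp" /etc/sudoers.d/vestacp
rm -f "$sudoers_tmp"
# … unchanged: sudoers.admin.conf download and chmod …
```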
diff --git a/install/vst-install-ubuntu.sh b/install/vst-install-ubuntu.sh
index 25e0c64d..7f05f58d 100644
--- a/install/vst-install-ubuntu.sh
+++ b/install/vst-install-ubuntu.sh
@@ -300,11 +300,6 @@ mkdir -p $vst_backups/bind
 mkdir -p $vst_backups/vesta
 mkdir -p $vst_backups/home
-# Backup sudoers
-if [ -e '/etc/sudoers' ]; then
- cp /etc/sudoers $vst_backups/
-fi
-
 # Backup nginx
 service nginx stop > /dev/null 2>&1
 if [ -e '/etc/nginx/nginx.conf' ]; then