github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-19 04:50:47 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Vesta CP 0.9.8–20 rXSS to RCE / solves #1558

Browse source
This commit is contained in:
Serghey Rodin 2018-05-11 16:17:23 +03:00
commit dd2a57e408
2 changed files with 6 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

35
web/upload/UploadHandler.php
View file

@ -1117,37 +1117,12 @@ class UploadHandler
$append_file = $content_range && is_file($file_path) && $append_file = $content_range && is_file($file_path) &&
$file->size > $this->get_file_size($file_path); $file->size > $this->get_file_size($file_path);
if ($uploaded_file && is_uploaded_file($uploaded_file)) { if ($uploaded_file && is_uploaded_file($uploaded_file)) {
// multipart/formdata uploads (POST method uploads) chmod($uploaded_file, 0644);
if ($append_file) { exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} '{$file_path}'", $output, $return_var);
file_put_contents( $error = check_return_code($return_var, $output);
$file_path, if ($return_var != 0) {
fopen($uploaded_file, 'r'), $file->error = 'Error while saving file ';
FILE_APPEND
);
} else {
chmod($uploaded_file, 0644);
// move_uploaded_file($uploaded_file, $file_path);
exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} '{$file_path}'", $output, $return_var);
$error = check_return_code($return_var, $output);
if ($return_var != 0) {
//var_dump(VESTA_CMD . "v-copy-fs-file {$user} {$fn} {$path}");
//var_dump($path);
//var_dump($output);
$file->error = 'Error while saving file ';
// var_dump(VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} {$file_path}");
// var_dump($return_var);
// var_dump($output);
// exit();
}
} }
} else {
// Non-multipart uploads (PUT method support)
file_put_contents(
$file_path,
fopen('php://input', 'r'),
$append_file ? FILE_APPEND : 0
);
} }
$file_size = $this->get_file_size($file_path, $append_file); $file_size = $this->get_file_size($file_path, $append_file);

2
web/view/file/index.php
View file

@ -16,7 +16,7 @@ if (!empty($_REQUEST['path'])) {
$path = $_REQUEST['path']; $path = $_REQUEST['path'];
if (!empty($_REQUEST['raw'])) { if (!empty($_REQUEST['raw'])) {
header('content-type: image/jpeg'); header('content-type: image/jpeg');
passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg($_REQUEST['path'])); passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg(htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8')));
exit; exit;
} }
} }