github/vesta
1
0
Fork 0
mirror of https://github.com/serghey-rodin/vesta.git synced 2025-08-20 21:34:11 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #1865 from sergio-nadal/security-fixes

Browse source 
Security fixes - CSRF / Command Injection / XSS
This commit is contained in:
Anton Reutov 2019-04-22 19:48:00 +03:00 committed by GitHub
commit 0031c93535
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 69 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

6
web/add/cron/autoupdate/index.php
View file

@ -5,6 +5,12 @@ ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
if ($_SESSION['user'] == 'admin') {
exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var);
$_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');

6
web/add/cron/reports/index.php
View file

@ -5,6 +5,12 @@ ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var);
$_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled');
unset($output);

6
web/add/firewall/banlist/index.php
View file

@ -15,6 +15,12 @@ if ($_SESSION['user'] != 'admin') {
// Check POST request
if (!empty($_POST['ok'])) {
// Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
header('location: /login/');
exit();
}
// Check empty fields
if (empty($_POST['v_chain'])) $errors[] = __('banlist');
if (empty($_POST['v_ip'])) $errors[] = __('ip address');

6
web/delete/cron/autoupdate/index.php
View file

@ -5,6 +5,12 @@ ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
if ($_SESSION['user'] == 'admin') {
exec (VESTA_CMD."v-delete-cron-vesta-autoupdate", $output, $return_var);
$_SESSION['error_msg'] = __('Autoupdate has been successfully disabled');

6
web/delete/cron/reports/index.php
View file

@ -5,6 +5,12 @@ ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
exec (VESTA_CMD."v-delete-cron-reports ".$user, $output, $return_var);
$_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled');
unset($output);

2
web/edit/db/index.php
View file

@ -42,6 +42,8 @@ if ( $v_suspended == 'yes' ) {
$v_status = 'active';
}
$v_database = escapeshellarg($_GET['database']);
// Check POST request
if (!empty($_POST['save'])) {
$v_username = $user;

7
web/edit/mail/index.php
View file

@ -70,6 +70,9 @@ if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
$v_date = $data[$v_account]['DATE'];
$v_time = $data[$v_account]['TIME'];
$v_domain = escapeshellarg($_GET['domain']);
$v_account = escapeshellarg($_GET['account']);
// Parse autoreply
if ( $v_autoreply == 'yes' ) {
exec (VESTA_CMD."v-list-mail-account-autoreply ".$user." '".$v_domain."' '".$v_account."' json", $output, $return_var);
@ -228,7 +231,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
$result = array_diff($valiases, $aliases);
foreach ($result as $alias) {
if ((empty($_SESSION['error_msg'])) && (!empty($alias))) {
exec (VESTA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".$alias."'", $output, $return_var);
exec (VESTA_CMD."v-delete-mail-account-alias ".$v_username." ".$v_domain." ".$v_account." '".escapeshellarg($alias)."'", $output, $return_var);
check_return_code($return_var,$output);
unset($output);
}
@ -254,7 +257,7 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
$result = array_diff($vfwd, $fwd);
foreach ($result as $forward) {
if ((empty($_SESSION['error_msg'])) && (!empty($forward))) {
exec (VESTA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".$forward."'", $output, $return_var);
exec (VESTA_CMD."v-delete-mail-account-forward ".$v_username." ".$v_domain." ".$v_account." '".escapeshellarg($forward)."'", $output, $return_var);
check_return_code($return_var,$output);
unset($output);
}

6
web/edit/web/index.php
View file

@ -36,7 +36,7 @@ $v_cgi = $data[$v_domain]['CGI'];
$v_elog = $data[$v_domain]['ELOG'];
$v_ssl = $data[$v_domain]['SSL'];
if (!empty($v_ssl)) {
exec (VESTA_CMD."v-list-web-domain-ssl ".$user." '".$v_domain."' json", $output, $return_var);
exec (VESTA_CMD."v-list-web-domain-ssl ".$user." '".escapeshellarg($v_domain)."' json", $output, $return_var);
$ssl_str = json_decode(implode('', $output), true);
unset($output);
$v_ssl_crt = $ssl_str[$v_domain]['CRT'];
@ -129,6 +129,7 @@ if (!empty($_POST['save'])) {
exec (VESTA_CMD."v-list-dns-domain ".$v_username." ".$v_domain." json", $output, $return_var);
unset($output);
if ($return_var == 0 ) {
$v_ip = escapeshellarg($_POST['v_ip']);
exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." ".$v_domain." ".$v_ip." 'no'", $output, $return_var);
check_return_code($return_var,$output);
unset($output);
@ -142,6 +143,7 @@ if (!empty($_POST['save'])) {
exec (VESTA_CMD."v-list-dns-domain ".$v_username." '".$v_alias."' json", $output, $return_var);
unset($output);
if ($return_var == 0 ) {
$v_ip = escapeshellarg($_POST['v_ip']);
exec (VESTA_CMD."v-change-dns-domain-ip ".$v_username." '".$v_alias."' ".$v_ip, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
@ -367,7 +369,7 @@ if (!empty($_POST['save'])) {
// Add Lets Encrypt support
if ((!empty($_POST['v_ssl'])) && ( $v_letsencrypt == 'no' ) && (!empty($_POST['v_letsencrypt'])) && empty($_SESSION['error_msg'])) {
$l_aliases = str_replace("\n", ',', $v_aliases);
exec (VESTA_CMD."v-add-letsencrypt-domain ".$user." ".$v_domain." '".$l_aliases."' 'no'", $output, $return_var);
exec (VESTA_CMD."v-add-letsencrypt-domain ".$user." ".$v_domain." '".escapeshellarg($l_aliases)."' 'no'", $output, $return_var);
check_return_code($return_var,$output);
unset($output);
$v_letsencrypt = 'yes';

4
web/list/directory/index.php
View file

@ -24,8 +24,8 @@ if (empty($panel)) {
$panel = json_decode(implode('', $output), true);
}
$path_a = !empty($_REQUEST['dir_a']) ? $_REQUEST['dir_a'] : '';
$path_b = !empty($_REQUEST['dir_b']) ? $_REQUEST['dir_b'] : '';
$path_a = !empty($_REQUEST['dir_a']) ? htmlentities($_REQUEST['dir_a']) : '';
$path_b = !empty($_REQUEST['dir_b']) ? htmlentities($_REQUEST['dir_b']) : '';
$GLOBAL_JS = '<script type="text/javascript">GLOBAL.START_DIR_A = "' . $path_a . '";</script>';
$GLOBAL_JS .= '<script type="text/javascript">GLOBAL.START_DIR_B = "' . $path_b . '";</script>';
$GLOBAL_JS .= '<script type="text/javascript">GLOBAL.ROOT_DIR = "' . $panel[$user]['HOME'] . '";</script>';

6
web/restart/service/index.php
View file

@ -5,6 +5,12 @@ ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
if ($_SESSION['user'] == 'admin') {
if (!empty($_GET['srv'])) {
if ($_GET['srv'] == 'iptables') {

6
web/restart/system/index.php
View file

@ -5,6 +5,12 @@ ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
if ($_SESSION['user'] == 'admin') {
if (!empty($_GET['hostname'])) {
exec (VESTA_CMD."v-restart-system yes", $output, $return_var);

4
web/templates/admin/list_dns_rec.html
View file

@ -74,11 +74,11 @@ v_unit_id="<?=$key?>" v_section="dns_rec">
<!-- l-unit-toolbar__col -->
<div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
<div class="actions-panel clearfix">
<div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/dns/?domain=<?=$_GET['domain']?>&record_id=<?=$data[$key]['ID']?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
<div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/dns/?domain=<?=htmlspecialchars($_GET['domain'])?>&record_id=<?=$data[$key]['ID']?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
<div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
<a id="delete_link_<?=$i?>" class="data-controls do_delete">
<?=__('delete')?> <i class="do_delete"></i>
<input type="hidden" name="delete_url" value="/delete/dns/?domain=<?=$_GET['domain']?>&record_id=<?=$data[$key]['ID']?>&token=<?=$_SESSION['token']?>" />
<input type="hidden" name="delete_url" value="/delete/dns/?domain=<?=htmlspecialchars($_GET['domain'])?>&record_id=<?=$data[$key]['ID']?>&token=<?=$_SESSION['token']?>" />
<div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=__('Confirmation')?>">
<p class="confirmation"><?=__('DELETE_RECORD_CONFIRMATION',$data[$key]['RECORD'])?></p>
</div>

6
web/templates/admin/list_mail_acc.html
View file

@ -90,11 +90,11 @@ sort-star="<? if($_SESSION['favourites']['MAIL_ACC'][$key."@".$_GET['domain']] =
<!-- l-unit-toolbar__col -->
<div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
<div class="actions-panel clearfix">
<div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/mail/?domain=<?=$_GET['domain']?>&account=<?=$key?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
<div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
<div class="actions-panel__col actions-panel__suspend shortcut-s" key-action="js">
<a id="<?=$spnd_action ?>_link_<?=$i?>" class="data-controls do_<?=$spnd_action?>">
<?=__($spnd_action)?> <i class="do_<?=$spnd_action?>"></i>
<input type="hidden" name="<?=$spnd_action?>_url" value="/<?=$spnd_action?>/mail/?domain=<?=$_GET['domain']?>&account=<?php echo $key ?>&token=<?=$_SESSION['token']?>" />
<input type="hidden" name="<?=$spnd_action?>_url" value="/<?=$spnd_action?>/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?php echo $key ?>&token=<?=$_SESSION['token']?>" />
<div id="<?=$spnd_action?>_dialog_<?=$i?>" class="confirmation-text-suspention hidden" title="<?=__('Confirmation')?>">
<p class="confirmation"><?=__($spnd_confirmation,$key)?></p>
</div>
@ -104,7 +104,7 @@ sort-star="<? if($_SESSION['favourites']['MAIL_ACC'][$key."@".$_GET['domain']] =
<div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
<a id="delete_link_<?=$i?>" class="data-controls do_delete">
<?=__('delete')?> <i class="do_delete"></i>
<input type="hidden" name="delete_url" value="/delete/mail/?domain=<?=$_GET['domain']?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" />
<input type="hidden" name="delete_url" value="/delete/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" />
<div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=__('Confirmation')?>">
<p class="confirmation"><?=__('DELETE_MAIL_ACCOUNT_CONFIRMATION',$key)?></p>
</div>

2
web/templates/admin/list_services.html
View file

@ -54,7 +54,7 @@
<div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
<div class="actions-panel clearfix">
<div class="actions-panel__col actions-panel__configure shortcut-enter" key-action="href"><a href="/edit/server/"><?=__('configure')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
<div class="actions-panel__col actions-panel__restart shortcut-r" key-action="href"><a href="/restart/system/?hostname=<?php echo $sys['sysinfo']['HOSTNAME'] ?>"><?=__('restart')?> <i></i></a><span class="shortcut">&nbsp;R</span></div>
<div class="actions-panel__col actions-panel__restart shortcut-r" key-action="href"><a href="/restart/system/?hostname=<?php echo $sys['sysinfo']['HOSTNAME'] ?>&token=<?=$_SESSION['token']?>"><?=__('restart')?> <i></i></a><span class="shortcut">&nbsp;R</span></div>
</div>
<!-- /.actions-panel -->
</div>

4
web/templates/user/list_mail_acc.html
View file

@ -88,11 +88,11 @@ sort-star="<? if($_SESSION['favourites']['MAIL_ACC'][$key."@".$_GET['domain']] =
<!-- l-unit-toolbar__col -->
<div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
<div class="actions-panel clearfix">
<div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/mail/?domain=<?=$_GET['domain']?>&account=<?=$key?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
<div class="actions-panel__col actions-panel__edit shortcut-enter" key-action="href"><a href="/edit/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>"><?=__('edit')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
<div class="actions-panel__col actions-panel__delete shortcut-delete" key-action="js">
<a id="delete_link_<?=$i?>" class="data-controls do_delete">
<?=__('delete')?> <i class="do_delete"></i>
<input type="hidden" name="delete_url" value="/delete/mail/?domain=<?=$_GET['domain']?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" />
<input type="hidden" name="delete_url" value="/delete/mail/?domain=<?=htmlspecialchars($_GET['domain'])?>&account=<?=$key?>&token=<?=$_SESSION['token']?>" />
<div id="delete_dialog_<?=$i?>" class="confirmation-text-delete hidden" title="<?=__('Confirmation')?>">
<p class="confirmation"><?=__('DELETE_MAIL_ACCOUNT_CONFIRMATION',$key)?></p>
</div>

6
web/update/vesta/index.php
View file

@ -5,6 +5,12 @@ ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
if ($_SESSION['user'] == 'admin') {
if (!empty($_GET['pkg'])) {
$v_pkg = escapeshellarg($_GET['pkg']);