From c0d5b3765a3e4328ec3851b62f18e8324cc760ab Mon Sep 17 00:00:00 2001
From: INVENT
Date: Mon, 19 Jan 2015 15:14:15 +0300
Subject: [PATCH 1/3] Auth bypass vulnerability fix
---
 web/api/index.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/api/index.php b/web/api/index.php
index c0b420dbe..078ef1bd6 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -17,7 +17,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $auth_code);
 } else {
 $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
- if (file_exists($key)) {
+ if (file_exists($key) && is_file($key)) {
 $auth_code = '0';
 }
 }
From 9c59a69b1ad9624efcae9db2c13098cf2c7eacf8 Mon Sep 17 00:00:00 2001
From: INVENT
Date: Mon, 19 Jan 2015 15:22:53 +0300
Subject: [PATCH 2/3] Buffer overflow vulnerability fix
---
 src/v-check-user-password.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/v-check-user-password.c b/src/v-check-user-password.c
index 38fcad4ff..1cca5717c 100755
--- a/src/v-check-user-password.c
+++ b/src/v-check-user-password.c
@@ -45,10 +45,16 @@ int main (int argc, char** argv) {
 /* open log file */
 FILE* pFile = fopen ("/usr/local/vesta/log/auth.log","a+");
 if (NULL == pFile) {
- printf("Error: can not open file %s \n", argv[0]);
+ printf("Error: can not open file /usr/local/vesta/log/auth.log \n");
 exit(12);
 }
+ int len = 0;
+ if(strlen(argv[1]) >= 100) {
+ printf("Too long username\n");
+ exit(1);
+ }
+
 /* parse user argument */
 struct passwd* userinfo = getpwnam(argv[1]);
 if (NULL != userinfo) {
From 512283e52800f2e276a022662605de9642d165f3 Mon Sep 17 00:00:00 2001
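Review bot: In patch 1/3 the new `if` line still accepts any regular file in `/usr/local/vesta/data/keys/` whose name equals `basename($_POST['hash'])`, so a stray dotfile or backup file left in that directory would count as a valid key. `is_file()` already returns false for a path that does not exist, so `file_exists($key) &&` is redundant and `if (is_file($key)) {` is sufficient. Validating the hash against the format the key generator produces before building `$key` would narrow this further; that format is not visible in the hunk. A short comment stating that directories are rejected on purpose would keep the check from being simplified away later, and note that the enclosing `if`/`else` starts outside the hunk.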
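Review bot: In patch 2/3 the added length guard hard-codes `100`, while the buffer it is meant to protect is declared outside this hunk, so the bound and the buffer size can drift apart. Tie the limit to the destination instead, along the lines of `if (strlen(argv[1]) >= sizeof(USERNAME_BUFFER)) {`, where USERNAME_BUFFER is a placeholder for the real array. `int len = 0;` is not used in any visible line and can be dropped unless later code needs it. The hunk also does not show whether `argc` is checked before `argv[1]` is read, and the same bound should cover any other argument that is copied into a fixed-size buffer; `main` begins and continues outside the hunk.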
From: INVENT
Date: Mon, 19 Jan 2015 15:51:46 +0300
Subject: [PATCH 3/3] Potential remote code execution vulnerability fix. Can be exploitable, when we have X-Forwarded-For->X-Real-IP transformation.
---
 web/api/index.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/web/api/index.php b/web/api/index.php
index 078ef1bd6..c938512a5 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -14,7 +14,8 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
 $v_user = escapeshellarg($_POST['user']);
 $v_password = escapeshellarg($_POST['password']);
- exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $auth_code);
+ $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
+ exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
 } else {
 $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
 if (file_exists($key) && is_file($key)) {
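Review bot: The new `exec()` line still wraps `$v_ip_addr` in literal single quotes (`" '".$v_ip_addr."'"`), but `escapeshellarg()` already returns a quoted string, so the two pairs of quotes cancel and the shell sees the address outside any quoting. That undoes the escaping this commit adds. Drop the literal quotes so the argument is passed the same way as `$v_user` and `$v_password`: `exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." ".$v_ip_addr, $output, $auth_code);`. Because the description says the value can come from a forwarded header, rejecting anything that fails `filter_var($_SERVER["REMOTE_ADDR"], FILTER_VALIDATE_IP)` before the call would add a second layer. The enclosing `if` block starts outside the hunk.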