From 61c42a30b4d50a4caa89b56384ac88f0bf337922 Mon Sep 17 00:00:00 2001
From: JMSolo
Date: Fri, 10 Dec 2021 10:37:49 -0600
Subject: [PATCH] security: patch privilege escalation
---
 dashboard/inc/config.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dashboard/inc/config.php b/dashboard/inc/config.php
index db5e3ec1..0f7b4a71 100644
--- a/dashboard/inc/config.php
+++ b/dashboard/inc/config.php
@@ -406,7 +406,7 @@ function isEnabled($process, $username){
 /* enable & start services */
 case 66:
- $process = $_GET['serviceenable'];
+ $process = escapeshellarg($_GET['serviceenable']);
 if ($process == "resilio-sync"){
 shell_exec("sudo systemctl enable $process");
 shell_exec("sudo systemctl start $process");
@@ -455,7 +455,7 @@ function isEnabled($process, $username){
 /* disable & stop services */
 case 77:
- $process = $_GET['servicedisable'];
+ $process = escapeshellarg($_GET['servicedisable']);
 if ($process == "resilio-sync"){
 shell_exec("sudo systemctl stop $process");
 shell_exec("sudo systemctl disable $process");
@@ -504,7 +504,7 @@ function isEnabled($process, $username){
 /* restart services */
 case 88:
- $process = $_GET['servicestart'];
+ $process = escapeshellarg($_GET['servicestart']);
 if ($process == "resilio-sync"){
 shell_exec("sudo systemctl enable $process");
 shell_exec("sudo systemctl restart $process");
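Review bot: In the `case 66` hunk the escaped value is compared with `"resilio-sync"` on the next line, but `escapeshellarg()` returns its argument wrapped in single quotes, so `$process == "resilio-sync"` can no longer be true and that branch is dead; the `case 77` and `case 88` hunks have the same problem. Quoting also does not restrict which unit a request can name, and a value beginning with `-` would still reach `systemctl` as an option rather than a unit name. Validate the raw parameter against a fixed list of service names before any comparison, e.g. `if (!in_array($_GET['serviceenable'] ?? '', $allowedServices, true)) { break; }` (`$allowedServices` is a placeholder name), and apply `escapeshellarg()` only inside the `shell_exec()` strings. The rest of each `case` body, including whatever branch handles the other services, lies outside these hunks, so the handling of non-resilio services should be checked against the same quoting issue.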