From b178b9719bb2c98cf8a6db70065086f596afad81 Mon Sep 17 00:00:00 2001 From: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com> Date: Thu, 4 Aug 2022 18:18:04 +0200 Subject: [PATCH] Fix security issues in v-add-web-domain-redirect + Sync up main with release (#2814) * Fix v-add-web-domain-redirect * Remove sudo permission admin group on new setups We delete the group before install anyway * Block "sudo" from * Add missing slash * Update changelog * Update versions --- CHANGELOG.md | 22 +++++++++++++++++++++- README.md | 2 +- bin/v-add-user | 3 ++- bin/v-add-web-domain-redirect | 17 +++++++---------- install/hst-install-debian.sh | 2 +- install/hst-install-ubuntu.sh | 4 +++- install/upgrade/versions/1.6.7.sh | 22 ++++++++++++++++++++++ src/deb/hestia/control | 2 +- 8 files changed, 58 insertions(+), 16 deletions(-) create mode 100644 install/upgrade/versions/1.6.7.sh diff --git a/CHANGELOG.md b/CHANGELOG.md index b98a908e72..127ff26f0b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,26 @@ # Changelog All notable changes to this project will be documented in this file. +## [1.6.6] - Service release + +### Bugfixes + +- Update DNS templates with CNAME for ftp, www and webmail (#2808) +- Fix name server A record validation error (#2807) +- Fixed issue with renaming domains and config files not properly removed (#2803) +- Add loading indicator after clicking save button (#2740) +- Improve hostname detection in mail-wrapper (#2805 @clarkchentw) + +### Security + +- Fixed an vulnerability in v-add-web-domain-redirect (CVE-2022-2636) +- Fixed an vulnerability in Ubuntu that can lead in privilege escalation for admin to root user (CVE-2022-2626) + +### Dependencies + +- Update Roundcube to 1.6.0 +- Update Dokuwiki to "2022-07-31" Igor (#2811) + ## [1.6.5] - Service release ### Bugfixes 
@@ -13,7 +33,7 @@ All notable changes to this project will be documented in this file. - Improve random bytes generator (#2774) - Don't allow /inc/2fa/secret.php called from the web browser directly (#2784 @mayappear) - Improve CSRF Origin Check Bypass (#2785 @mayappear) -- Fix vulnerability in Docuwiki Quick Install App @redstarp2 (CVE 2022-xxx-xxx) +- Fix vulnerability in Docuwiki Quick Install App @redstarp2 (CVE-2022-2550) ### Dependencies diff --git a/README.md b/README.md index ff43f0f967..5473bb654d 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [Hestia Control Panel](https://www.hestiacp.com/) ================================================== -**Latest stable release:** Version 1.6.5 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp)
+**Latest stable release:** Version 1.6.6 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp)
**Web:** [www.hestiacp.com](https://www.hestiacp.com/)
**Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)
diff --git a/bin/v-add-user b/bin/v-add-user
index 7ee0b2a0a5..e4ef8500c3 100755
--- a/bin/v-add-user
+++ b/bin/v-add-user
@@ -31,8 +31,9 @@ source_conf "$HESTIA/conf/hestia.conf"
 is_user_free() {
 # these names may cause issues with MariaDB/MySQL database names and should be reserved: 
+ # sudo has been added due to Privilege escalation as sudo group has always sudo permission
 check_sysuser=$(php -r '$reserved_names=array("aria", "aria_log", "mysql", "mysql_upgrade", "ib", "ib_buffer", 
- "ddl", "ddl_recovery", "performance"); if(in_array(strtolower($argv[1]), $reserved_names, true)){echo implode(", ", $reserved_names);}' "$user" ); 
+ "ddl", "ddl_recovery", "performance", "sudo"); if(in_array(strtolower($argv[1]), $reserved_names, true)){echo implode(", ", $reserved_names);}' "$user" ); 
 if [ -n "$check_sysuser" ]; then
 check_result "$E_INVALID" "The user name '$user' is reserved and cannot be used. List of reserved names: $check_sysuser"
 return
diff --git a/bin/v-add-web-domain-redirect b/bin/v-add-web-domain-redirect
index 4346716c74..742ccf07dc 100755
--- a/bin/v-add-web-domain-redirect
+++ b/bin/v-add-web-domain-redirect 
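Review bot: The new reserved-name entry guards only the literal name `sudo`, while the comment above the list still says these names are reserved for MariaDB/MySQL reasons, so a reader will not see that `sudo` is there for a different reason — presumably that a Hestia user and its group would collide with the existing system group that carries sudo rights. Unless a later part of is_user_free already does it (the function continues past this hunk), a generic existence check such as `if getent group "$user" > /dev/null; then check_result "$E_INVALID" "The user name '$user' collides with an existing system group"; fi` would cover every privileged group name rather than one literal. I would also reword the added comment to `# "sudo" is reserved: a Hestia user/group of that name would collide with the system sudo group and its privileges`.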
@@ -42,21 +42,18 @@ is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
-scheme=0
 if [[ "$3" =~ http://|https:// ]]; then
 scheme=1
- regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
- if ! [[ "$3" =~ $regex ]]; then
- echo "Invalid redirect"
- exit 2;
+ isValidUrl=$(php -r '$url=$argv[1]; $url=filter_var($url,FILTER_VALIDATE_URL); echo $url;' "$3")
+ if [ -z "$isValidUrl" ]; then
+ check_result $E_INVALID "Invalid redirect"
 fi
 else
- regex='[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
- if ! [[ "$3" =~ $regex ]]; then
- echo "Invalid redirect"
- exit 2;
+ isValidUrl=$(php -r '$url=$argv[1]; $url=filter_var($url,FILTER_VALIDATE_URL); echo $url;' "http://$3")
+ if [ -z "$isValidUrl" ]; then
+ check_result $E_INVALID "Invalid redirect"
 fi
-fi
+fi 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
index cdad587ff9..8da0f767df 100755
--- a/install/hst-install-debian.sh
+++ b/install/hst-install-debian.sh
@@ -32,7 +32,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 # Define software versions
-HESTIA_INSTALL_VER='1.6.6~alpha'
+HESTIA_INSTALL_VER='1.6.7~alpha'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1")
 fpm_v="8.0"
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
index 69516b9550..8099a70846 100755
--- a/install/hst-install-ubuntu.sh
+++ b/install/hst-install-ubuntu.sh
@@ -32,7 +32,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 # Define software versions
-HESTIA_INSTALL_VER='1.6.6~alpha'
+HESTIA_INSTALL_VER='1.6.7~alpha'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1")
 fpm_v="8.0" 
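Review bot: `scheme=0` is removed but only the http(s) branch still assigns `scheme`, so after the `else` branch the variable is unset rather than 0; whatever later in the script tests `$scheme` (the script continues past this hunk) now sees an empty value, and under `set -u` would abort. Keep the initialisation, `scheme=0`, on the line before the `if`. Two smaller points on the new validation: `[[ "$3" =~ http://|https:// ]]` is unanchored, so a value that merely contains `http://` somewhere takes the scheme branch — `[[ "$3" =~ ^https?:// ]]` says what is meant — and PHP's FILTER_VALIDATE_URL accepts any RFC 2396 scheme, so the branch that passes `$3` through unchanged relies on that regex alone to pin the redirect to http/https. Also `$E_INVALID` is unquoted here while v-add-user in the same patch writes `"$E_INVALID"`, and `isValidUrl` is camelCase unlike the surrounding identifiers.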
@@ -1335,6 +1335,8 @@ fi
 if [ -n "$(grep ^admin: /etc/group)" ] && [ "$force" = 'yes' ]; then
 groupdel admin > /dev/null 2>&1
 fi
+# Remove sudo "default" sudo permission admin user group should not exists any way
+sed -i "s/%admin ALL=(ALL) ALL/#%admin ALL=(ALL) ALL/g" /etc/sudoers
 # Enable sftp jail
 echo "[ * ] Enable SFTP jail..."
diff --git a/install/upgrade/versions/1.6.7.sh b/install/upgrade/versions/1.6.7.sh
new file mode 100644
index 0000000000..1c46faf66b
--- /dev/null
+++ b/install/upgrade/versions/1.6.7.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.6.7
+
+#######################################################################################
+####### Place additional commands below. #######
+#######################################################################################
+####### Pass through information to the end user in case of a issue or problem #######
+####### #######
+####### Use add_upgrade_message "My message here" to include a message #######
+####### in the upgrade notification email. Example: #######
+####### #######
+####### add_upgrade_message "My message here" #######
+####### #######
+####### You can use \n within the string to create new lines. #######
+#######################################################################################
+
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
\ No newline at end of file
diff --git a/src/deb/hestia/control b/src/deb/hestia/control
index e13d7842f0..3cd068fbd2 100644
--- a/src/deb/hestia/control
+++ b/src/deb/hestia/control 
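Review bot: The `sed -i` on `/etc/sudoers` rewrites the file in place with no syntax check afterwards, and a damaged sudoers disables sudo for every account on the host; run `visudo -c > /dev/null 2>&1 || echo "[ ! ] WARNING: /etc/sudoers failed validation after edit"` right after it, or edit a copy and install it only when `visudo -cf` passes. The pattern is also unanchored and is re-applied on every run, so an already commented line gains another `#` each time; `sed -i 's/^%admin ALL=(ALL) ALL/#&/' /etc/sudoers` matches only a live rule at line start and is idempotent. The comment reads awkwardly; `# Comment out Ubuntu's default %admin sudoers rule: the admin group is deleted above and should not exist at all` says why. I see no matching step for existing installations in this patch — install/upgrade/versions/1.6.7.sh only sets config flags — so if one is needed it presumably lives in another upgrade script.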
@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.6.6~alpha
+Version: 1.6.7~alpha
 Section: admin
 Maintainer: HestiaCP
 Homepage: https://www.hestiacp.com