

Fix XXS issues (#2432)
* XSS patches

* Resolve XSS vulnerability

* Resolve XSS vulnerability

* Prevent showing edit form from non exsiting records

* Improve error handling message

Create a function

* Make sure $user from $_SESSION is escapeshellarg

Prevent double escapeshellarg in Edit/web/index

* Enable translateable errors in /inc/main.php

Fix  "White" screen issue when trying to loginas non existing user

* Prevent double escapeshellarg()

* Do not remove unset($output)

* Resolve linting errors
jaapmarcus committed Feb 22, 2022
1 parent 4e0c670 commit ee10e22
Showing 89 changed files with 233 additions and 697 deletions.
6 changes: 5 additions & 1 deletion install/deb/phpmyadmin/hestia-sso.php
Expand Up @@ -147,7 +147,11 @@ function session_invalid()
$user = $_GET['user'];
$host = 'localhost';
$token = $_GET['hestia_token'];
$time = $_GET['exp'];
if(is_numeric($_GET['exp'])){
$time = $_GET['exp'];
}else{
$time = 0;
}

if ($time + 60 > time()) {
//note: Possible issues with cloudflare due to ip obfuscation
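Review bot: `is_numeric()` on the new check still accepts float and exponent forms such as `1e12` or a leading-whitespace string, and any of those satisfies `$time + 60 > time()` on the following line, so an attacker who controls `exp` can keep the window open indefinitely unless `exp` is also bound into the token that is verified further down (not visible in this hunk). An integer filter is tighter and also avoids the undefined-index notice when `exp` is absent: `$time = filter_var($_GET['exp'] ?? '', FILTER_VALIDATE_INT);` followed by `if ($time === false) { $time = 0; }`. The enclosing code starts and ends outside the hunk, so whether `$token` is checked against `$time` cannot be confirmed here.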
5 changes: 2 additions & 3 deletions web/delete/backup/exclusion/index.php
Expand Up @@ -4,16 +4,15 @@
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user=$_GET['user'];
$user=escapeshellarg($_GET['user']);
}

// Check token
verify_csrf($_GET);

if (!empty($_GET['system'])) {
$v_username = escapeshellarg($user);
$v_system = escapeshellarg($_GET['system']);
exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$v_username." ".$v_system, $output, $return_var);
exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$user." ".$v_system, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
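Review bot: After this change `$user` is a shell-quoted string (it now holds the output of `escapeshellarg()`), yet it keeps the name every other handler uses for the plain username, so any later use of `$user` in HTML, a session message or a `Location` header will carry the surrounding single quotes. A one-line comment at the assignment would make that contract visible to the next maintainer: `// $user is already shell-quoted here (escapeshellarg); do not reuse it for HTML/URL output`. Whether the `$user` that `inc/main.php` provides is quoted the same way is stated in the commit message but cannot be verified from this hunk.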
5 changes: 2 additions & 3 deletions web/delete/backup/index.php
Expand Up @@ -4,16 +4,15 @@
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user=$_GET['user'];
$user=escapeshellarg($_GET['user']);
}

// Check token
verify_csrf($_GET);

if (!empty($_GET['backup'])) {
$v_username = escapeshellarg($user);
$v_backup = escapeshellarg($_GET['backup']);
exec(HESTIA_CMD."v-delete-user-backup ".$v_username." ".$v_backup, $output, $return_var);
exec(HESTIA_CMD."v-delete-user-backup ".$user." ".$v_backup, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
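Review bot: Reusing `$user` as the holder of a pre-quoted shell argument is a naming hazard; the file's own convention is the `$v_` prefix for values that have been through `escapeshellarg()`, and the old `$v_username` line made that visible at the call site. Keeping the convention costs nothing: `$v_username = escapeshellarg($_GET['user']);` in the admin branch (with the session-derived `$v_username` set once above it) and `exec(HESTIA_CMD."v-delete-user-backup ".$v_username." ".$v_backup, $output, $return_var);`. That way a reviewer can tell at a glance which variables are safe for the shell and which are safe for nothing else.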
4 changes: 2 additions & 2 deletions web/delete/cron/index.php
Expand Up @@ -4,7 +4,7 @@
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user=$_GET['user'];
$user=escapeshellarg($_GET['user']);
}

// Check token
Expand All @@ -13,7 +13,7 @@
if (!empty($_GET['job'])) {
$v_username = escapeshellarg($user);
$v_job = escapeshellarg($_GET['job']);
exec(HESTIA_CMD."v-delete-cron-job ".$v_username." ".$v_job, $output, $return_var);
exec(HESTIA_CMD."v-delete-cron-job ".$user." ".$v_job, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
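Review bot: The line `$v_username = escapeshellarg($user);` just above the `exec()` survives this change but is no longer used, and because `$user` is already quoted it would now yield a double-quoted value if anyone picked it up again. Delete that line so the file matches the sibling delete handlers, which drop it in this same commit. The `$_GET['job']` argument is escaped, which is sufficient for the shell; if job ids are numeric an `(int)` cast would additionally reject garbage before it reaches `v-delete-cron-job`, but that cannot be confirmed from here.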
5 changes: 2 additions & 3 deletions web/delete/db/index.php
Expand Up @@ -4,16 +4,15 @@
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user=$_GET['user'];
$user=escapeshellarg($_GET['user']);
}

// Check token
verify_csrf($_GET);

if (!empty($_GET['database'])) {
$v_username = escapeshellarg($user);
$v_database = escapeshellarg($_GET['database']);
exec(HESTIA_CMD."v-delete-database ".$v_username." ".$v_database, $output, $return_var);
exec(HESTIA_CMD."v-delete-database ".$user." ".$v_database, $output, $return_var);
}
check_return_code($return_var, $output);
unset($output);
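Review bot: When `$_GET['database']` is empty the `exec()` is skipped but `check_return_code($return_var, $output);` still runs with both variables undefined, so the helper sees `null` rather than a failure and the request falls through as if it succeeded. Move the two trailing lines inside the guard, `check_return_code($return_var, $output); unset($output);` directly after the `exec()`, or set `$return_var = 1; $output = [];` in an `else` branch so a missing database name is reported. This pre-dates the commit but the commit rewrites exactly this block.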
15 changes: 10 additions & 5 deletions web/delete/dns/index.php
Expand Up @@ -5,17 +5,16 @@

// Delete as someone else?
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user=$_GET['user'];
$user=escapeshellarg($_GET['user']);
}

// Check token
verify_csrf($_GET);

// DNS domain
if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
exec(HESTIA_CMD."v-delete-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
exec(HESTIA_CMD."v-delete-dns-domain ".$user." ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
unset($output);

Expand All @@ -41,8 +40,14 @@
header("Location: ".$back);
exit;
}
header("Location: /list/dns/?domain=".$_GET['domain']);
exit;
if($return_var > 0){
header("Location: /list/dns/");
exit;
}else{
header("Location: /list/dns/?domain=".$_GET['domain']);
exit;
}

}

$back = $_SESSION['back'];
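Review bot: The success branch still reflects the raw query value into the response header, `header("Location: /list/dns/?domain=".$_GET['domain']);`, so characters such as `&` or `#` in `domain` alter the target URL; encode it, `header("Location: /list/dns/?domain=".urlencode($_GET['domain']));`. Note that the new `$return_var > 0` branch is only reached if `check_return_code()` earlier in the block returns on failure instead of exiting, which cannot be seen from this hunk. The `$back` redirect above it already exits, so a stored `$back` takes precedence over both new targets; if the error redirect is meant to win, it has to be checked before `$back`.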
5 changes: 2 additions & 3 deletions web/delete/key/index.php
Expand Up @@ -7,13 +7,12 @@
verify_csrf($_GET);

if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user = $_GET['user'];
$user=escapeshellarg($_GET['user']);
}

if (!empty($_GET['key'])) {
$v_key = escapeshellarg(trim($_GET['key']));
$v_user = escapeshellarg(trim($user));
exec(HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key);
exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);
check_return_code($return_var, $output);
}
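Review bot: The `exec()` on the changed line still discards the command's result, so the `check_return_code($return_var, $output);` right after it is evaluating two undefined variables and can never report a failed key deletion. Capture them like the other handlers do: `exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key, $output, $return_var);`. The `trim()` the old code applied to the username is gone; if the CLI rejects surrounding whitespace that is harmless, but it is a behaviour change the commit message does not mention.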

7 changes: 3 additions & 4 deletions web/delete/log/auth/index.php
Expand Up @@ -7,13 +7,12 @@

// Check if administrator is viewing system log (currently 'admin' user)
if (($_SESSION['userContext'] === "admin") && (isset($_GET['user']))) {
$user=$_GET['user'];
$user=escapeshellarg($_GET['user']);
$token=$_SESSION['token'];
}

// Clear log
$v_username = escapeshellarg($user);
exec(HESTIA_CMD."v-delete-user-auth-log ".$v_username, $output, $return_var);
exec(HESTIA_CMD."v-delete-user-auth-log ".$user, $output, $return_var);
check_return_code($return_var, $output);
unset($output);

Expand All @@ -32,7 +31,7 @@

// Add current user session back to log unless impersonating another user
if (!isset($_SESSION['look'])) {
exec(HESTIA_CMD."v-log-user-login ".$v_username." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
exec(HESTIA_CMD."v-log-user-login ".$user." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
}

// Flush session messages
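Review bot: The admin branch here uses `isset($_GET['user'])` where every sibling handler uses `!empty(...)`, so `?user=` with an empty value passes the check, `escapeshellarg('')` yields `''`, and `v-delete-user-auth-log ''` is invoked for an empty username instead of falling back to the session user. Align it: `if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {`. The later `v-log-user-login` call correctly reuses the quoted `$user`; `$v_ip`, `$v_session_id` and `$v_user_agent` are built outside the hunk and are assumed to be escaped the same way.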
23 changes: 13 additions & 10 deletions web/delete/log/index.php
Expand Up @@ -7,24 +7,27 @@

// Check if administrator is viewing system log (currently 'admin' user)
if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
$user=$_GET['user'];
$user=escapeshellarg($_GET['user']);
$token=$_SESSION['token'];
}

// Set correct page reload target
if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
header("Location: /list/log/?user=$user&token=$token");
} else {
header("Location: /list/log/");
}

// Clear log
$v_username = escapeshellarg($user);
exec(HESTIA_CMD."v-delete-user-log ".$v_username." ".$output, $return_var);
exec(HESTIA_CMD."v-delete-user-log ".$user." ".$output, $return_var);
check_return_code($return_var, $output);
unset($output);
unset($token);

if($return_var > 0){
header("Location: /list/log/");
}else{
// Set correct page reload target
if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
header("Location: /list/log/?user=$user&token=$token");
} else {
header("Location: /list/log/");
}
}

// Render page
render_page($user, $TAB, 'list_log');
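Review bot: `unset($token);` now runs before the redirect block that interpolates `$token`, so the admin reload URL is built with an undefined token; in the same URL `$user` is the shell-quoted value, which puts literal single quotes into the `user=` parameter. Separately, the changed `exec()` line concatenates the undefined `$output` into the command string and passes `$return_var` in the position of the output array, so `check_return_code()` receives the output lines as the return code. The rewrite below captures the command result properly, builds the URL from the raw query value with `urlencode()`, and releases `$token` only after it has been used; if `render_page()` is not meant to run after a redirect, an `exit;` after the headers would also be needed.

```php
// Clear log
exec(HESTIA_CMD."v-delete-user-log ".$user, $output, $return_var);
check_return_code($return_var, $output);
unset($output);

// Set correct page reload target ($user is shell-quoted, so use the raw query value here)
if ($return_var > 0 || $_SESSION['userContext'] !== "admin" || empty($_GET['user'])) {
    header("Location: /list/log/");
} else {
    header("Location: /list/log/?user=".urlencode($_GET['user'])."&token=".urlencode($token));
}
unset($token);
// … unchanged: render_page call …
```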

14 changes: 10 additions & 4 deletions web/delete/mail/index.php
Expand Up @@ -5,7 +5,7 @@

// Delete as someone else?
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user=$_GET['user'];
$user=scapeshellarg($user);



TriggerLab Feb 22, 2022

Contributor

mistake commit :)



jaapmarcus Feb 22, 2022

Author Member

Resolved in staging branch

}

// Check token
Expand All @@ -15,10 +15,13 @@
if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
exec(HESTIA_CMD."v-delete-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
exec(HESTIA_CMD."v-delete-mail-domain ".$user." ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
$back = $_SESSION['back'];
if($return_var > 0){
header("Location: /list/mail/");
}
if (!empty($back)) {
header("Location: ".$back);
exit;
Expand All @@ -29,19 +32,22 @@

// Mail account
if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
$v_account = escapeshellarg($_GET['account']);
exec(HESTIA_CMD."v-delete-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
exec(HESTIA_CMD."v-delete-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
if($return_var > 0){
header("Location: /list/mail/");
}else{
$back = $_SESSION['back'];
if (!empty($back)) {
header("Location: ".$back);
exit;
}
header("Location: /list/mail/?domain=".$_GET['domain']);
exit;
}
}

$back = $_SESSION['back'];
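Review bot: In the mail-domain branch the new error redirect `header("Location: /list/mail/");` is not followed by `exit`, so execution continues into the `$back` check below it, which sends a second `Location` header and exits; whenever `$back` is set the error redirect is silently replaced. Make it terminal, `if ($return_var > 0) { header("Location: /list/mail/"); exit; }`, which also matches the `if/else` shape used in the mail-account branch. Both branches still interpolate the raw `$_GET['domain']` into a `Location` header; wrap it in `urlencode()`.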
5 changes: 2 additions & 3 deletions web/delete/notification/index.php
Expand Up @@ -6,15 +6,14 @@
verify_csrf($_GET);

if ($_GET['delete'] == 1) {
$v_username = escapeshellarg($user);



TriggerLab Feb 22, 2022

Contributor

missing variable ($user)



jaapmarcus Feb 22, 2022

Author Member

$user is allready set in /inc/main.php so is escapeshellarg. So can be removed...

👍🏼

$v_id = escapeshellarg((int)$_GET['notification_id']);
exec(HESTIA_CMD."v-delete-user-notification ".$v_username." ".$v_id, $output, $return_var);
exec(HESTIA_CMD."v-delete-user-notification ".$user." ".$v_id, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
} else {
$v_username = escapeshellarg($user);
$v_id = escapeshellarg((int)$_GET['notification_id']);
exec(HESTIA_CMD."v-acknowledge-user-notification ".$v_username." ".$v_id, $output, $return_var);
exec(HESTIA_CMD."v-acknowledge-user-notification ".$user." ".$v_id, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
}
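Review bot: `(int)$_GET['notification_id']` in both branches turns a missing or non-numeric id into `0`, so a malformed request is passed to `v-delete-user-notification` / `v-acknowledge-user-notification` as id `0` rather than being rejected, and `$_GET['delete'] == 1` is a loose comparison whose result for strings differs between PHP 7 and 8. Validate once before the branch, `if (!ctype_digit((string)($_GET['notification_id'] ?? ''))) { header("Location: /list/notifications/"); exit; }` (the list URL is not visible here, adjust as needed), and compare `$_GET['delete'] === '1'`. The `escapeshellarg()` around the cast is redundant after the cast but harmless.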
5 changes: 2 additions & 3 deletions web/delete/web/cache/index.php
Expand Up @@ -8,13 +8,12 @@

// Delete as someone else?
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user=$_GET['user'];
$user=escapeshellarg($_GET['user']);
}

if (!empty($_GET['domain'])) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
exec(HESTIA_CMD."v-purge-nginx-cache ".$v_username." ".$v_domain, $output, $return_var);
exec(HESTIA_CMD."v-purge-nginx-cache ".$user." ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
}
$_SESSION['ok_msg'] = _('Nginx cache has been successfully purged');
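Review bot: `$_SESSION['ok_msg'] = _('Nginx cache has been successfully purged');` is set unconditionally, so a request without `domain` or one where `v-purge-nginx-cache` fails still reports success, unless `check_return_code()` exits on failure, which cannot be seen from this hunk. Guard the message on the actual outcome: `if (!empty($_GET['domain']) && $return_var === 0) { $_SESSION['ok_msg'] = _('Nginx cache has been successfully purged'); }`. An empty `domain` currently produces no feedback at all; an `error_msg` in that case would be consistent with the other handlers.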
5 changes: 2 additions & 3 deletions web/delete/web/index.php
Expand Up @@ -8,13 +8,12 @@

// Delete as someone else?
if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
$user = $_GET['user'];
$user = escapeshellarg($user);
}

if (!empty($_GET['domain'])) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET['domain']);
exec(HESTIA_CMD . 'v-delete-web-domain ' . $v_username . ' ' . $v_domain . " 'yes'", $output, $return_var);
exec(HESTIA_CMD . 'v-delete-web-domain ' . $user . ' ' . $v_domain . " 'yes'", $output, $return_var);
check_return_code($return_var, $output);
unset($output);
}
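Review bot: The admin branch keeps the old plain assignment and quotes on a second line, `$user = $_GET['user']; $user = escapeshellarg($user);`, where every other delete handler in this commit does it in one step; fold it to `$user = escapeshellarg($_GET['user']);` so the intermediate unquoted value never exists. The hard-coded `'yes'` argument passed to `v-delete-web-domain` has no comment explaining what it forces; a short `// third arg: <meaning>` at the call site would help, but its meaning is not visible from this hunk.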
3 changes: 1 addition & 2 deletions web/download/backup/index.php
Expand Up @@ -9,9 +9,8 @@
$backup = $_GET['backup'];

if (!file_exists('/backup/'.$backup)) {
$v_username = escapeshellarg($user);
$backup = escapeshellarg($_GET['backup']);
exec(HESTIA_CMD."v-schedule-user-backup-download ".$v_username." ".$backup, $output, $return_var);
exec(HESTIA_CMD."v-schedule-user-backup-download ".$user." ".$backup, $output, $return_var);
if ($return_var == 0) {
$_SESSION['error_msg'] = _('BACKUP_DOWNLOAD_SCHEDULED');
} else {
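Review bot: `$backup = $_GET['backup'];` is used unsanitised in `file_exists('/backup/'.$backup)`, so a value containing `../` probes paths outside `/backup/`; if the branch that serves an existing file (outside this hunk) reuses the same `$backup`, that is a path traversal. Normalise it once at the top, `$backup = basename($_GET['backup']);`, and derive both the filesystem path and the escaped CLI argument from that value. Also note that the scheduled-download notice is stored in `$_SESSION['error_msg']` on the success path (`$return_var == 0`); if that is deliberate a comment saying so would stop the next reader from "fixing" it.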
2 changes: 1 addition & 1 deletion web/edit/cron/index.php
Expand Up @@ -19,7 +19,7 @@
// List cron job
$v_job = escapeshellarg($_GET['job']);
exec(HESTIA_CMD."v-list-cron-job ".$user." ".$v_job." 'json'", $output, $return_var);
check_return_code($return_var, $output);
check_return_code_redirect($return_var, $output, '/list/cron/');

$data = json_decode(implode('', $output), true);
unset($output);
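Review bot: The lines after `check_return_code_redirect()` assume it terminates the request on failure, because `json_decode(implode('', $output), true)` on an empty `$output` yields `null` and the rest of the page would proceed with no data; the helper is new in this commit and its body is not in this hunk, so that contract should be stated where it is relied on. A one-line comment here would do: `// check_return_code_redirect() exits after redirecting on a non-zero code; $data below is only reached on success`. If the helper only sends the header, add `exit;` after it or guard with `if (!is_array($data)) { header("Location: /list/cron/"); exit; }`.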
2 changes: 1 addition & 1 deletion web/edit/db/index.php
Expand Up @@ -20,7 +20,7 @@
// List datbase
$v_database = $_GET['database'];
exec(HESTIA_CMD."v-list-database ".$user." ".escapeshellarg($v_database)." 'json'", $output, $return_var);
check_return_code($return_var, $output);
check_return_code_redirect($return_var, $output, '/list/db/');
$data = json_decode(implode('', $output), true);
unset($output);

9 changes: 6 additions & 3 deletions web/edit/dns/index.php
Expand Up @@ -26,7 +26,7 @@
if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
$v_domain = escapeshellarg($_GET['domain']);
exec(HESTIA_CMD."v-list-dns-domain ".$user." ".$v_domain." json", $output, $return_var);
check_return_code($return_var, $output);
check_return_code_redirect($return_var, $output,'/list/dns/');
$data = json_decode(implode('', $output), true);
unset($output);

Expand Down Expand Up @@ -58,10 +58,9 @@
$v_domain = escapeshellarg($_GET['domain']);
$v_record_id = escapeshellarg($_GET['record_id']);
exec(HESTIA_CMD."v-list-dns-records ".$user." ".$v_domain." 'json'", $output, $return_var);
check_return_code($return_var, $output);
check_return_code_redirect($return_var, $output,'/list/dns/');
$data = json_decode(implode('', $output), true);
unset($output);

// Parse dns record
$v_username = $user;
$v_domain = $_GET['domain'];
Expand Down Expand Up @@ -206,6 +205,10 @@
// Display body for dns domain
render_page($user, $TAB, 'edit_dns');
} else {
if(empty($data[$_GET['record_id']])){
header("Location: /list/dns/");
$_SESSION['error_msg'] = _("Unknown record ID");
}
// Display body for dns record
render_page($user, $TAB, 'edit_dns_rec');
}
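Review bot: The new unknown-record guard sends a `Location` header but does not stop, so `render_page($user, $TAB, 'edit_dns_rec');` still executes and the edit form is rendered for a record that does not exist, which is exactly what the commit message says it prevents. Make the guard terminal: `header("Location: /list/dns/"); $_SESSION['error_msg'] = _("Unknown record ID"); exit;`. The check also sits after the `// Parse dns record` block (outside this hunk) that indexes `$data[$_GET['record_id']]`, so the notices it would emit for a bad id have already happened; moving the guard directly after the `json_decode` would address both.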
2 changes: 1 addition & 1 deletion web/edit/firewall/index.php
Expand Up @@ -21,7 +21,7 @@
// List rule
$v_rule = escapeshellarg($_GET['rule']);
exec(HESTIA_CMD."v-list-firewall-rule ".$v_rule." 'json'", $output, $return_var);
check_return_code($return_var, $output);
check_return_code_redirect($return_var, $output,'/list/firewall');
$data = json_decode(implode('', $output), true);
unset($output);

2 changes: 1 addition & 1 deletion web/edit/ip/index.php
Expand Up @@ -21,7 +21,7 @@
// List ip
$v_ip = escapeshellarg($_GET['ip']);
exec(HESTIA_CMD."v-list-sys-ip ".$v_ip." 'json'", $output, $return_var);
check_return_code($return_var, $output);
check_return_code_redirect($return_var, $output,'/list/ip');
$data = json_decode(implode('', $output), true);
unset($output);

