From ee10e2275139684fc9a2d32169d0da702cea5ad2 Mon Sep 17 00:00:00 2001 
From: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com> Date: Tue, 22 Feb 2022 12:29:46 +0100 Subject: [PATCH] Fix XXS issues (#2432) * XSS patches * Resolve XSS vulnerability * Resolve XSS vulnerability * Prevent showing edit form for non-existing records * Improve error handling message Create a function * Make sure $user from $_SESSION is escapeshellarg Prevent double escapeshellarg in Edit/web/index * Enable translatable errors in /inc/main.php Fix "White" screen issue when trying to login as non-existing user * Prevent double escapeshellarg() * Do not remove unset($output) * Resolve linting errors --- install/deb/phpmyadmin/hestia-sso.php | 6 +++- web/delete/backup/exclusion/index.php | 5 ++- web/delete/backup/index.php | 5 ++- web/delete/cron/index.php | 4 +-- web/delete/db/index.php | 5 ++- web/delete/dns/index.php | 15 +++++--- web/delete/key/index.php | 5 ++- web/delete/log/auth/index.php | 7 ++-- web/delete/log/index.php | 23 ++++++------ web/delete/mail/index.php | 14 +++++--- web/delete/notification/index.php | 5 ++- web/delete/web/cache/index.php | 5 ++- web/delete/web/index.php | 5 ++- web/download/backup/index.php | 3 +- web/edit/cron/index.php | 2 +- web/edit/db/index.php | 2 +- web/edit/dns/index.php | 9 +++-- web/edit/firewall/index.php | 2 +- web/edit/ip/index.php | 2 +- web/edit/mail/index.php | 14 ++------ web/edit/package/index.php | 1 + web/edit/user/index.php | 3 +- web/edit/web/index.php | 12 ++----- web/inc/main.php | 36 ++++++++++++++++--- web/login/index.php | 3 ++ web/suspend/cron/index.php | 3 +- web/suspend/db/index.php | 3 +- web/suspend/dns/index.php | 6 ++-- web/suspend/mail/index.php | 5 ++- web/suspend/user/index.php | 3 +- web/suspend/web/index.php | 2 +- web/templates/includes/title.html | 2 +- web/templates/pages/add_cron.html | 15 +------- web/templates/pages/add_db.html | 15 +------- web/templates/pages/add_dns.html | 15 +------- web/templates/pages/add_dns_rec.html | 15 +------- web/templates/pages/add_firewall.html | 
15 +------- web/templates/pages/add_firewall_banlist.html | 15 +------- web/templates/pages/add_firewall_ipset.html | 15 +------- web/templates/pages/add_ip.html | 15 +------- web/templates/pages/add_key.html | 15 +------- web/templates/pages/add_mail.html | 15 +------- web/templates/pages/add_mail_acc.html | 23 +++--------- web/templates/pages/add_package.html | 15 +------- web/templates/pages/add_user.html | 15 +------- web/templates/pages/add_web.html | 21 +++-------- .../pages/edit_backup_exclusions.html | 15 +------- web/templates/pages/edit_cron.html | 15 +------- web/templates/pages/edit_db.html | 15 +------- web/templates/pages/edit_dns.html | 15 +------- web/templates/pages/edit_dns_rec.html | 15 +------- web/templates/pages/edit_firewall.html | 15 +------- web/templates/pages/edit_ip.html | 15 +------- web/templates/pages/edit_mail.html | 34 ++++++------------ web/templates/pages/edit_mail_acc.html | 21 +++-------- web/templates/pages/edit_package.html | 15 +------- web/templates/pages/edit_server.html | 17 +-------- web/templates/pages/edit_server_bind9.html | 15 +------- web/templates/pages/edit_server_dovecot.html | 15 +------- web/templates/pages/edit_server_httpd.html | 15 +------- web/templates/pages/edit_server_mysql.html | 15 +------- web/templates/pages/edit_server_nginx.html | 15 +------- web/templates/pages/edit_server_pgsql.html | 15 +------- web/templates/pages/edit_server_php.html | 15 +------- web/templates/pages/edit_server_service.html | 15 +------- web/templates/pages/edit_user.html | 27 ++++---------- web/templates/pages/edit_web.html | 29 +++++---------- web/templates/pages/generate_ssl.html | 15 +------- web/templates/pages/list_backup_detail.html | 3 +- web/templates/pages/list_cron.html | 4 +-- web/templates/pages/list_db.html | 4 +-- web/templates/pages/list_dns.html | 4 +-- web/templates/pages/list_dns_rec.html | 4 +-- web/templates/pages/list_mail.html | 4 +-- web/templates/pages/list_mail_acc.html | 10 +++--- 
web/templates/pages/list_packages.html | 5 +-- web/templates/pages/list_ssl.html | 21 +++-------- web/templates/pages/list_user.html | 4 +-- web/templates/pages/list_web.html | 4 +-- web/templates/pages/list_webapps.html | 4 +-- web/templates/pages/list_weblog.html | 2 +- web/templates/pages/login/reset_2.html | 4 +-- web/templates/pages/login/reset_3.html | 6 ++-- web/templates/pages/setup_webapp.html | 3 +- web/unsuspend/cron/index.php | 3 +- web/unsuspend/db/index.php | 3 +- web/unsuspend/dns/index.php | 6 ++-- web/unsuspend/mail/index.php | 5 ++- web/unsuspend/web/index.php | 3 +- 89 files changed, 233 insertions(+), 697 deletions(-)
diff --git a/install/deb/phpmyadmin/hestia-sso.php b/install/deb/phpmyadmin/hestia-sso.php
index 0db02ec1bd..be913d9a43 100644
--- a/install/deb/phpmyadmin/hestia-sso.php
+++ b/install/deb/phpmyadmin/hestia-sso.php
@@ -147,7 +147,11 @@ function session_invalid()
 $user = $_GET['user'];
 $host = 'localhost';
 $token = $_GET['hestia_token'];
- $time = $_GET['exp'];
+ if(is_numeric($_GET['exp'])){
+ $time = $_GET['exp'];
+ }else{
+ $time = 0;
+ }
 if ($time + 60 > time()) {
 //note: Possible issues with cloudflare due to ip obfuscation
diff --git a/web/delete/backup/exclusion/index.php b/web/delete/backup/exclusion/index.php
index 343874db37..f16abeb7fa 100644
--- a/web/delete/backup/exclusion/index.php
+++ b/web/delete/backup/exclusion/index.php
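Review bot: `is_numeric($_GET['exp'])` is evaluated before anything checks that the parameter exists, so a request without `exp` raises an undefined-index warning before it lands in the else branch, and `is_numeric` also accepts float and exponent strings, so `$time` is not guaranteed to be an integer when `$time + 60` is compared with `time()` on the next line. One cast covers both cases: `$time = (int)($_GET['exp'] ?? 0);`. The surrounding code runs past the end of the hunk (the `function session_invalid()` in the header is only the nearest preceding definition), so whether `$user` and `$token` are validated further down cannot be seen here.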
@@ -4,16 +4,15 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 }
 // Check token
 verify_csrf($_GET);
 if (!empty($_GET['system'])) {
- $v_username = escapeshellarg($user);
 $v_system = escapeshellarg($_GET['system']);
- exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$v_username." ".$v_system, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$user." ".$v_system, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);
diff --git a/web/delete/backup/index.php b/web/delete/backup/index.php
index dd8bfb9af5..f7ec611a8d 100644
--- a/web/delete/backup/index.php
+++ b/web/delete/backup/index.php
@@ -4,16 +4,15 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 }
 // Check token
 verify_csrf($_GET);
 if (!empty($_GET['backup'])) {
- $v_username = escapeshellarg($user);
 $v_backup = escapeshellarg($_GET['backup']);
- exec(HESTIA_CMD."v-delete-user-backup ".$v_username." ".$v_backup, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-user-backup ".$user." ".$v_backup, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);
diff --git a/web/delete/cron/index.php b/web/delete/cron/index.php
index d41f4a92dc..78f29849f1 100644
--- a/web/delete/cron/index.php
+++ b/web/delete/cron/index.php
@@ -4,7 +4,7 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 }
 // Check token
@@ -13,7 +13,7 @@
 if (!empty($_GET['job'])) {
 $v_username = escapeshellarg($user);
 $v_job = escapeshellarg($_GET['job']);
- exec(HESTIA_CMD."v-delete-cron-job ".$v_username." ".$v_job, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-cron-job ".$user." ".$v_job, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);
diff --git a/web/delete/db/index.php b/web/delete/db/index.php
index d5e8631f4a..8fc6fce576 100644
--- a/web/delete/db/index.php
+++ b/web/delete/db/index.php
@@ -4,16 +4,15 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 }
 // Check token
 verify_csrf($_GET);
 if (!empty($_GET['database'])) {
- $v_username = escapeshellarg($user);
 $v_database = escapeshellarg($_GET['database']);
- exec(HESTIA_CMD."v-delete-database ".$v_username." ".$v_database, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-database ".$user." ".$v_database, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);
diff --git a/web/delete/dns/index.php b/web/delete/dns/index.php
index a994a95ff0..03c68cf901 100644
--- a/web/delete/dns/index.php
+++ b/web/delete/dns/index.php
@@ -5,7 +5,7 @@
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 }
 // Check token
@@ -13,9 +13,8 @@
 // DNS domain
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-delete-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-dns-domain ".$user." ".$v_domain, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
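Review bot: `$v_username = escapeshellarg($user);` in web/delete/cron/index.php is kept as a context line although the rewritten `exec()` below it now uses `$user` directly, so it is an unused assignment that re-quotes a value inc/main.php already quotes in this patch. The same leftover line survives in web/delete/mail/index.php (mail-domain branch), web/delete/notification/index.php (else branch), web/suspend/mail/index.php (mail-account branch) and web/suspend/web/index.php. Removing it in those five places makes every caller match the form used by the other files in this patch, where the line is deleted.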
@@ -41,8 +40,14 @@
 header("Location: ".$back);
 exit;
 }
- header("Location: /list/dns/?domain=".$_GET['domain']);
- exit;
+ if($return_var > 0){
+ header("Location: /list/dns/");
+ exit;
+ }else{
+ header("Location: /list/dns/?domain=".$_GET['domain']);
+ exit;
+ }
+ }
 $back = $_SESSION['back'];
diff --git a/web/delete/key/index.php b/web/delete/key/index.php
index d73e5e1994..9cc6ee81e6 100644
--- a/web/delete/key/index.php
+++ b/web/delete/key/index.php
@@ -7,13 +7,12 @@
 verify_csrf($_GET);
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user = $_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 }
 if (!empty($_GET['key'])) {
 $v_key = escapeshellarg(trim($_GET['key']));
- $v_user = escapeshellarg(trim($user));
- exec(HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key);
+ exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);
 check_return_code($return_var, $output);
 }
diff --git a/web/delete/log/auth/index.php b/web/delete/log/auth/index.php
index b572d38a2b..84c6a6d888 100644
--- a/web/delete/log/auth/index.php
+++ b/web/delete/log/auth/index.php
@@ -7,13 +7,12 @@
 // Check if administrator is viewing system log (currently 'admin' user)
 if (($_SESSION['userContext'] === "admin") && (isset($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 $token=$_SESSION['token'];
 }
 // Clear log
-$v_username = escapeshellarg($user);
-exec(HESTIA_CMD."v-delete-user-auth-log ".$v_username, $output, $return_var);
+exec(HESTIA_CMD."v-delete-user-auth-log ".$user, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
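Review bot: The success branch of the new block still writes the raw query value into the redirect, `header("Location: /list/dns/?domain=".$_GET['domain']);`, while the error branch drops it; encode it as `header("Location: /list/dns/?domain=".urlencode($_GET['domain']));` so characters such as `&` or `#` in the parameter cannot change the query the browser lands on. The `if` that this block belongs to starts above the hunk, so the `+ }` added at the end should be checked against the brace it closes there.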
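Review bot: In web/delete/key/index.php, `exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);` is called without the `$output` and `$return_var` arguments, yet `check_return_code($return_var, $output)` on the next line reads both, so a failed deletion is never reported because both variables are undefined. The removed line had the same omission, but the rewritten call is the place to close it: `exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key, $output, $return_var);`. For non-admin requests `$user` is whatever inc/main.php assigned, which this patch also shell-quotes, so the two paths are at least consistent.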
@@ -32,7 +31,7 @@
 // Add current user session back to log unless impersonating another user
 if (!isset($_SESSION['look'])) {
- exec(HESTIA_CMD."v-log-user-login ".$v_username." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
+ exec(HESTIA_CMD."v-log-user-login ".$user." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
 }
 // Flush session messages
diff --git a/web/delete/log/index.php b/web/delete/log/index.php
index df8f6552cf..67376ad508 100644
--- a/web/delete/log/index.php
+++ b/web/delete/log/index.php
@@ -7,24 +7,27 @@
 // Check if administrator is viewing system log (currently 'admin' user)
 if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 $token=$_SESSION['token'];
 }
-// Set correct page reload target
-if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
- header("Location: /list/log/?user=$user&token=$token");
-} else {
- header("Location: /list/log/");
-}
-
 // Clear log
-$v_username = escapeshellarg($user);
-exec(HESTIA_CMD."v-delete-user-log ".$v_username." ".$output, $return_var);
+exec(HESTIA_CMD."v-delete-user-log ".$user." ".$output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 unset($token);
+if($return_var > 0){
+ header("Location: /list/log/");
+}else{
+ // Set correct page reload target
+ if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
+ header("Location: /list/log/?user=$user&token=$token");
+ } else {
+ header("Location: /list/log/");
+ }
+}
+
 // Render page
 render_page($user, $TAB, 'list_log');
diff --git a/web/delete/mail/index.php b/web/delete/mail/index.php
index c5e3124431..111295fba6 100644
--- a/web/delete/mail/index.php
+++ b/web/delete/mail/index.php
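Review bot: In web/delete/log/index.php the rewritten `exec(HESTIA_CMD."v-delete-user-log ".$user." ".$output, $return_var);` concatenates the not-yet-defined `$output` into the command and passes `$return_var` in the output-array position, so after the call `$return_var` holds an array, `$return_var > 0` is always true on PHP 8 (an array compares greater than an int), and the admin reload branch below it is unreachable; the intended form is `exec(HESTIA_CMD."v-delete-user-log ".$user, $output, $return_var);`. Even with that fixed, the admin branch builds `/list/log/?user=$user&token=$token` after `unset($token);` has already run and with `$user` now holding the shell-quoted value (quotes included) from the assignment at the top of the hunk, so the redirect carries an empty token and a quoted username. Keep the bare name for the URL, for example `"Location: /list/log/?user=".urlencode($_GET['user'])."&token=".$token`, and move the `unset($token);` below the redirect logic.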
@@ -5,7 +5,7 @@
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=scapeshellarg($user);
 }
 // Check token
@@ -15,10 +15,13 @@
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
 $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-delete-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-mail-domain ".$user." ".$v_domain, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 $back = $_SESSION['back'];
+ if($return_var > 0){
+ header("Location: /list/mail/");
+ }
 if (!empty($back)) {
 header("Location: ".$back);
 exit;
@@ -29,12 +32,14 @@
 // Mail account
 if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
 $v_account = escapeshellarg($_GET['account']);
- exec(HESTIA_CMD."v-delete-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
+ if($return_var > 0){
+ header("Location: /list/mail/");
+ }else{
 $back = $_SESSION['back'];
 if (!empty($back)) {
 header("Location: ".$back);
@@ -42,6 +47,7 @@
 }
 header("Location: /list/mail/?domain=".$_GET['domain']);
 exit;
+ }
 }
 $back = $_SESSION['back'];
diff --git a/web/delete/notification/index.php b/web/delete/notification/index.php
index 8009e8f893..ba0347acd0 100644
--- a/web/delete/notification/index.php
+++ b/web/delete/notification/index.php
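Review bot: `$user=scapeshellarg($user);` calls a function that does not exist (the leading `e` is missing) and escapes the session-derived `$user` instead of `$_GET['user']`, so the admin "delete as someone else" path fatals with an undefined-function error, and once the name is corrected it would still ignore the requested user. The line should read `$user=escapeshellarg($_GET['user']);`, as in the sibling web/delete/*/index.php files in this patch.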
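Review bot: In the mail-domain branch the new `if($return_var > 0){ header("Location: /list/mail/"); }` has no `exit`, so execution continues to the `$back` redirect on the following lines and that later `header()` call replaces the error redirect; add `exit;` inside the block. The mail-account branch has the same gap: the `if($return_var > 0){ header("Location: /list/mail/"); }else{ … }` added there never exits in the if-branch and falls through to the `$back = $_SESSION['back'];` code after the closing brace added in the last hunk of this file. The if-branch also skips `$_SESSION['back']`, so on error the user is always sent to `/list/mail/` rather than back where they came from; if that is intended, a one-line comment saying so would help.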
@@ -6,15 +6,14 @@
 verify_csrf($_GET);
 if ($_GET['delete'] == 1) {
- $v_username = escapeshellarg($user);
 $v_id = escapeshellarg((int)$_GET['notification_id']);
- exec(HESTIA_CMD."v-delete-user-notification ".$v_username." ".$v_id, $output, $return_var);
+ exec(HESTIA_CMD."v-delete-user-notification ".$user." ".$v_id, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 } else {
 $v_username = escapeshellarg($user);
 $v_id = escapeshellarg((int)$_GET['notification_id']);
- exec(HESTIA_CMD."v-acknowledge-user-notification ".$v_username." ".$v_id, $output, $return_var);
+ exec(HESTIA_CMD."v-acknowledge-user-notification ".$user." ".$v_id, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 }
diff --git a/web/delete/web/cache/index.php b/web/delete/web/cache/index.php
index 5a386e3e71..f8f06a2c5a 100644
--- a/web/delete/web/cache/index.php
+++ b/web/delete/web/cache/index.php
@@ -8,13 +8,12 @@
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user=$_GET['user'];
+ $user=escapeshellarg($_GET['user']);
 }
 if (!empty($_GET['domain'])) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-purge-nginx-cache ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-purge-nginx-cache ".$user." ".$v_domain, $output, $return_var);
 check_return_code($return_var, $output);
 }
 $_SESSION['ok_msg'] = _('Nginx cache has been successfully purged');
diff --git a/web/delete/web/index.php b/web/delete/web/index.php
index e2dbb7ed57..e991053f5d 100644
--- a/web/delete/web/index.php
+++ b/web/delete/web/index.php
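Review bot: `if ($_GET['delete'] == 1)` reads the flag without `isset`, so the acknowledge path (no `delete` parameter) raises an undefined-index warning on every request, and the loose `==` accepts forms such as `'1.0'` or `' 1'`. `if ((int)($_GET['delete'] ?? 0) === 1) {` keeps the behaviour for `delete=1` and makes the absent case explicit. The `$v_username = escapeshellarg($user);` left in the else branch is now unused; the note on the web/delete/cron hunk lists the other files where the same line survives.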
@@ -8,13 +8,12 @@
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
- $user = $_GET['user'];
+ $user = escapeshellarg($user);
 }
 if (!empty($_GET['domain'])) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD . 'v-delete-web-domain ' . $v_username . ' ' . $v_domain . " 'yes'", $output, $return_var);
+ exec(HESTIA_CMD . 'v-delete-web-domain ' . $user . ' ' . $v_domain . " 'yes'", $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 }
diff --git a/web/download/backup/index.php b/web/download/backup/index.php
index 7c895820d3..a1f43918b6 100644
--- a/web/download/backup/index.php
+++ b/web/download/backup/index.php
@@ -9,9 +9,8 @@
 $backup = $_GET['backup'];
 if (!file_exists('/backup/'.$backup)) {
- $v_username = escapeshellarg($user);
 $backup = escapeshellarg($_GET['backup']);
- exec(HESTIA_CMD."v-schedule-user-backup-download ".$v_username." ".$backup, $output, $return_var);
+ exec(HESTIA_CMD."v-schedule-user-backup-download ".$user." ".$backup, $output, $return_var);
 if ($return_var == 0) {
 $_SESSION['error_msg'] = _('BACKUP_DOWNLOAD_SCHEDULED');
 } else {
diff --git a/web/edit/cron/index.php b/web/edit/cron/index.php
index 160867e2db..06e31b3f06 100644
--- a/web/edit/cron/index.php
+++ b/web/edit/cron/index.php
@@ -19,7 +19,7 @@
 // List cron job
 $v_job = escapeshellarg($_GET['job']);
 exec(HESTIA_CMD."v-list-cron-job ".$user." ".$v_job." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/cron/');
 $data = json_decode(implode('', $output), true);
 unset($output);
diff --git a/web/edit/db/index.php b/web/edit/db/index.php
index dc5f507408..ef5c89a651 100644
--- a/web/edit/db/index.php
+++ b/web/edit/db/index.php
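Review bot: In web/delete/web/index.php, `$user = escapeshellarg($user);` should escape `$_GET['user']`, not `$user`: inside this `admin && !empty($_GET['user'])` branch the requested user is ignored and the domain is deleted for the session user instead, and because inc/main.php in this patch already quotes `$user`, the value now carries two layers of quoting. Change it to `$user = escapeshellarg($_GET['user']);`, matching web/delete/web/cache/index.php in the hunk just above.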
@@ -20,7 +20,7 @@
 // List datbase
 $v_database = $_GET['database'];
 exec(HESTIA_CMD."v-list-database ".$user." ".escapeshellarg($v_database)." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/db/');
 $data = json_decode(implode('', $output), true);
 unset($output);
diff --git a/web/edit/dns/index.php b/web/edit/dns/index.php
index 89a86735ae..87438e6d69 100644
--- a/web/edit/dns/index.php
+++ b/web/edit/dns/index.php
@@ -26,7 +26,7 @@
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
 $v_domain = escapeshellarg($_GET['domain']);
 exec(HESTIA_CMD."v-list-dns-domain ".$user." ".$v_domain." json", $output, $return_var);
- check_return_code($return_var, $output);
+ check_return_code_redirect($return_var, $output,'/list/dns/');
 $data = json_decode(implode('', $output), true);
 unset($output);
@@ -58,10 +58,9 @@
 $v_domain = escapeshellarg($_GET['domain']);
 $v_record_id = escapeshellarg($_GET['record_id']);
 exec(HESTIA_CMD."v-list-dns-records ".$user." ".$v_domain." 'json'", $output, $return_var);
- check_return_code($return_var, $output);
+ check_return_code_redirect($return_var, $output,'/list/dns/');
 $data = json_decode(implode('', $output), true);
 unset($output);
-
 // Parse dns record
 $v_username = $user;
 $v_domain = $_GET['domain'];
@@ -206,6 +205,10 @@
 // Display body for dns domain
 render_page($user, $TAB, 'edit_dns');
 } else {
+ if(empty($data[$_GET['record_id']])){
+ header("Location: /list/dns/");
+ $_SESSION['error_msg'] = _("Unknown record ID");
+ }
 // Display body for dns record
 render_page($user, $TAB, 'edit_dns_rec');
 }
diff --git a/web/edit/firewall/index.php b/web/edit/firewall/index.php
index 666816fa07..f0ba0e3500 100644
--- a/web/edit/firewall/index.php
+++ b/web/edit/firewall/index.php
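Review bot: The new guard in web/edit/dns/index.php, `if(empty($data[$_GET['record_id']])){ header("Location: /list/dns/"); $_SESSION['error_msg'] = _("Unknown record ID"); }`, sends the redirect header but does not stop, so `render_page($user, $TAB, 'edit_dns_rec')` still runs and the edit form for the unknown record is emitted into the response body, which is exactly what the commit message says it prevents; add `exit;` after the session message. The `check_return_code_redirect()` calls added in this file and in web/edit/db, web/edit/firewall, web/edit/ip, web/edit/mail, web/edit/package, web/edit/user and web/edit/web have the same dependency on the helper exiting (see its definition in inc/main.php). Separately, `$v_username = $user;` in the second hunk now receives the shell-quoted name, since inc/main.php in this patch quotes `$user`; whether the record-parsing code below the hunk relies on the bare name cannot be seen here.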
@@ -21,7 +21,7 @@
 // List rule
 $v_rule = escapeshellarg($_GET['rule']);
 exec(HESTIA_CMD."v-list-firewall-rule ".$v_rule." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output,'/list/firewall');
 $data = json_decode(implode('', $output), true);
 unset($output);
diff --git a/web/edit/ip/index.php b/web/edit/ip/index.php
index 81cd8c0fab..ad48556a08 100644
--- a/web/edit/ip/index.php
+++ b/web/edit/ip/index.php
@@ -21,7 +21,7 @@
 // List ip
 $v_ip = escapeshellarg($_GET['ip']);
 exec(HESTIA_CMD."v-list-sys-ip ".$v_ip." 'json'", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output,'/list/ip');
 $data = json_decode(implode('', $output), true);
 unset($output);
diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php
index 032809037f..d5807c8dff 100644
--- a/web/edit/mail/index.php
+++ b/web/edit/mail/index.php
@@ -32,15 +32,10 @@
 // List mail domain
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
 $v_domain = $_GET['domain'];
- if ($_SESSION['userContext'] !== 'admin') {
- if (!in_array($v_domain, $user_domains)) {
- header("Location: /list/mail/");
- exit;
- }
- }
 exec(HESTIA_CMD."v-list-mail-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
+ check_return_code_redirect($return_var, $output, '/list/mail/');
 unset($output);
 // Parse domain
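Review bot: In web/edit/mail/index.php the in-process ownership check (`in_array($v_domain, $user_domains)`) is removed in favour of `check_return_code_redirect()` after `v-list-mail-domain`, so for non-admin users access to another user's domain is now refused only if that command fails for a domain `$user` does not own; that holds as long as `$user` is always the session user here, which inc/main.php in this patch arranges, but it is worth stating in a comment since the old explicit check is gone. The new call is placed after `$data = json_decode(...)`; moving `check_return_code_redirect($return_var, $output, '/list/mail/');` directly under the `exec()` avoids decoding error output, and the helper has to `exit` for the redirect to take effect at all (see its definition in inc/main.php). The second hunk of this file (mail account) has the same ordering and the same dependency.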
@@ -89,16 +84,11 @@
 // List mail account
 if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
 $v_domain = $_GET['domain'];
- if ($_SESSION['userContext'] !== 'admin') {
- if (!in_array($v_domain, $user_domains)) {
- header("Location: /list/mail/");
- exit;
- }
- }
 $v_account = $_GET['account'];
 exec(HESTIA_CMD."v-list-mail-account ".$user." ".escapeshellarg($v_domain)." ".escapeshellarg($v_account)." 'json'", $output, $return_var);
 $data = json_decode(implode('', $output), true);
+ check_return_code_redirect($return_var, $output, '/list/mail/');
 unset($output);
 // Parse mail account
diff --git a/web/edit/package/index.php b/web/edit/package/index.php
index 17ff469b36..c8308ba30d 100644
--- a/web/edit/package/index.php
+++ b/web/edit/package/index.php
@@ -28,6 +28,7 @@
 // List package
 $v_package = escapeshellarg($_GET['package']);
 exec(HESTIA_CMD."v-list-user-package ".$v_package." 'json'", $output, $return_var);
+check_return_code_redirect($return_var, $output, '/list/package/');
 $data = json_decode(implode('', $output), true);
 unset($output);
diff --git a/web/edit/user/index.php b/web/edit/user/index.php
index 59f7ddfd88..2b054aa427 100644
--- a/web/edit/user/index.php
+++ b/web/edit/user/index.php
@@ -33,7 +33,8 @@
 // List user
 exec(HESTIA_CMD."v-list-user ".escapeshellarg($v_username)." json", $output, $return_var);
-check_return_code($return_var, $output);
+check_return_code_redirect($return_var, $output, '/list/user/');
+
 $data = json_decode(implode('', $output), true);
 unset($output);
diff --git a/web/edit/web/index.php b/web/edit/web/index.php
index 5165bdf872..c739152eea 100644
--- a/web/edit/web/index.php
+++ b/web/edit/web/index.php
@@ -19,21 +19,15 @@
 }
 // Get all user domains
-exec(HESTIA_CMD."v-list-web-domains ".escapeshellarg($user)." json", $output, $return_var);
+exec(HESTIA_CMD."v-list-web-domains ".$user." json", $output, $return_var);
 $user_domains = json_decode(implode('', $output), true);
 $user_domains = array_keys($user_domains);
 unset($output);
-// List domain
 $v_domain = $_GET['domain'];
-if ($_SESSION['userContext'] !== 'admin') {
- if (!in_array($v_domain, $user_domains)) {
- header("Location: /list/mail/");
- exit;
- }
-}
-
 exec(HESTIA_CMD."v-list-web-domain ".$user." ".escapeshellarg($v_domain)." json", $output, $return_var);
+# Check if domain exists if not return /list/web/
+check_return_code_redirect($return_var, $output, '/list/web/');
 $data = json_decode(implode('', $output), true);
 unset($output);
diff --git a/web/inc/main.php b/web/inc/main.php
index c081307d6c..982aca7d53 100644
--- a/web/inc/main.php
+++ b/web/inc/main.php
@@ -113,11 +113,11 @@ function destroy_sessions()
 }
 if (isset($_SESSION['user'])) {
- $user = $_SESSION['user'];
+ $user = escapeshellarg($_SESSION['user']);
 }
 if (isset($_SESSION['look']) && ($_SESSION['userContext'] === 'admin')) {
- $user = $_SESSION['look'];
+ $user = escapeshellarg($_SESSION['look']);
 }
 require_once(dirname(__FILE__) . '/i18n.php');
@@ -140,6 +140,17 @@ function check_return_code($return_var, $output)
 $_SESSION['error_msg'] = $error;
 }
 }
+function check_return_code_redirect($return_var, $output, $location){
+ if ($return_var != 0) {
+ $error = implode('
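Review bot: In web/edit/web/index.php the `v-list-web-domains` exec and the two `$user_domains` assignments are kept although their only visible consumer, the removed `in_array` check, is gone; if nothing below the hunk reads `$user_domains`, those four lines are now a wasted command per page load and can be dropped. The added comment uses `#` while the rest of the file uses `//`, and its wording is hard to parse; write it as `// Abort with a redirect to /list/web/ when the domain does not exist for this user`. As in the other edit/* files, the redirect only takes effect if `check_return_code_redirect()` exits (see its definition in inc/main.php).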
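Review bot: `$user = escapeshellarg($_SESSION['user']);` and `$user = escapeshellarg($_SESSION['look']);` in inc/main.php turn the global `$user` into a shell-quoted string (the name wrapped in single quotes) for the rest of every page, but `$user` is not consumed only by `exec()`: within this same patch it is interpolated into a redirect URL in web/delete/log/index.php, copied into `$v_username = $user;` in web/edit/dns/index.php, and handed to `render_page($user, …)`, and the `$panel[$user]['SUSPENDED']` lookup visible in the `top_panel()` hunk below looks up the JSON output by that same value. Whether the quoted form still matches the JSON key there cannot be confirmed from this chunk, but if it does not, the suspended-user logout silently stops firing. Keeping the bare name in `$user` and quoting at each `exec()` boundary, or providing a second variable such as `$v_user = escapeshellarg($user);` for shell use, keeps the quotes out of HTML, URLs and array keys; if the quoted global is kept, a comment at these two lines stating that `$user` is shell-quoted is the minimum.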
', $output); + if (empty($error)) { + $error = sprintf(_('Error code:'), $return_var); + } + $_SESSION['error_msg'] = $error; + header("Location:".$location); + } + +} function render_page($user, $TAB, $page) { @@ -189,14 +200,31 @@ function verify_csrf($method, $return = false) } } +function show_error_panel($data){ + if (!empty($data['error_msg'])) { + $msg_icon = 'fa-exclamation-circle status-icon red'; + $msg_text = $data['error_msg']; + $msg_id = 'vst-error'; + } else { + if (!empty($data['ok_msg'])) { + $msg_icon = 'fa-check-circle status-icon green'; + $msg_text = $data['ok_msg']; + $msg_id = 'vst-ok'; + } + } + ?> + + 0) { - echo 'ERROR: Unable to retrieve account details.
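Review bot: `check_return_code_redirect()` sends a `Location` header but never calls `exit`, so every caller added in this patch (web/edit/cron, db, dns, firewall, ip, mail, package, user and web) keeps executing with an empty `$data` and still renders the page body behind the redirect; the header must be followed by `exit;`. `sprintf(_('Error code:'), $return_var)` has no conversion specifier, so the return code is silently dropped from the message (`_('Error code: %d')` would carry it, with the translation catalogue updated to match), and `"Location:".$location` is missing the space after the colon. The function body is shown below with the `$error` construction left as in the hunk.

```php
function check_return_code_redirect($return_var, $output, $location)
{
    if ($return_var != 0) {
        // … unchanged: build $error from $output …
        if (empty($error)) {
            $error = sprintf(_('Error code: %d'), $return_var);
        }
        $_SESSION['error_msg'] = $error;
        header('Location: ' . $location);
        exit;
    }
}
```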
Please log in again.
';
 destroy_sessions();
+ $_SESSION['error_msg'] = _('You have been logged out. Please log in again.');
 header('Location: /login/');
 exit;
 }
@@ -206,8 +234,8 @@ function top_panel($user, $TAB)
 // Log out active sessions for suspended users
 if (($panel[$user]['SUSPENDED'] === 'yes') && ($_SESSION['POLICY_USER_VIEW_SUSPENDED'] !== 'yes')) {
 if(empty($_SESSION['look'])){
- $_SESSION['error_msg'] = 'You have been logged out. Please log in again.';
 destroy_sessions();
+ $_SESSION['error_msg'] = _('You have been logged out. Please log in again.');
 header('Location: /login/');
 }
 }
diff --git a/web/login/index.php b/web/login/index.php
index ee6ad222c2..20d97f3215 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -36,6 +36,9 @@
 unset($_SESSION['_sf2_attributes']);
 unset($_SESSION['_sf2_meta']);
 header('Location: /login/');
+ }else{
+ # User doesn't exists
+ header('Location: /');
 }
 }
 exit;
diff --git a/web/suspend/cron/index.php b/web/suspend/cron/index.php
index 0beffcb829..823034c2c1 100644
--- a/web/suspend/cron/index.php
+++ b/web/suspend/cron/index.php
@@ -6,9 +6,8 @@
 verify_csrf($_GET);
 if (!empty($_GET['job'])) {
- $v_username = escapeshellarg($user);
 $v_job = escapeshellarg($_GET['job']);
- exec(HESTIA_CMD."v-suspend-cron-job ".$v_username." ".$v_job, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-cron-job ".$user." ".$v_job, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 }
diff --git a/web/suspend/db/index.php b/web/suspend/db/index.php
index 8837ddf69c..47566a7ed5 100644
--- a/web/suspend/db/index.php
+++ b/web/suspend/db/index.php
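Review bot: In `show_error_panel($data)` the three `$msg_*` variables are assigned only when `error_msg` or `ok_msg` is non-empty, so the HTML part of the function, which this chunk does not show, will read undefined variables whenever neither message is set unless it guards on them; initialise them to `''` before the branches or return early when there is nothing to show. Whether `$msg_text` goes through `htmlspecialchars()` when it is echoed cannot be checked here, and because `$_SESSION['error_msg']` is now filled from command output via `check_return_code_redirect()`, that single escaping decides whether this helper closes or reopens the XSS the patch targets; please confirm it is escaped with `ENT_QUOTES`. In both `top_panel()` hunks `$_SESSION['error_msg']` is now written after `destroy_sessions()`; that only reaches the login page if destroy_sessions() leaves a session to write into, which is not visible in this chunk.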
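Review bot: In web/login/index.php the new else branch comment `# User doesn't exists` uses `#` while the file uses `//`, and the grammar is off; since this branch deliberately redirects to `/` rather than `/login/` like the branch above it (presumably the white-screen fix named in the commit message), the comment is the place to say so: `// Unknown user for login-as: back to the front page instead of the login form`.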
@@ -10,9 +10,8 @@
 verify_csrf($_GET);
 if (!empty($_GET['database'])) {
- $v_username = escapeshellarg($user);
 $v_database = escapeshellarg($_GET['database']);
- exec(HESTIA_CMD."v-suspend-database ".$v_username." ".$v_database, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-database ".$user." ".$v_database, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 }
diff --git a/web/suspend/dns/index.php b/web/suspend/dns/index.php
index 07367cd611..080988f11e 100644
--- a/web/suspend/dns/index.php
+++ b/web/suspend/dns/index.php
@@ -11,9 +11,8 @@
 // DNS domain
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-suspend-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-dns-domain ".$user." ".$v_domain, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 $back = $_SESSION['back'];
@@ -27,10 +26,9 @@
 // DNS record
 if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
 $v_record_id = escapeshellarg($_GET['record_id']);
- exec(HESTIA_CMD."v-suspend-dns-record ".$v_username." ".$v_domain." ".$v_record_id, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-dns-record ".$user." ".$v_domain." ".$v_record_id, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 $back = $_SESSION['back'];
diff --git a/web/suspend/mail/index.php b/web/suspend/mail/index.php
index 4f92d2678d..ca304e2fdf 100644
--- a/web/suspend/mail/index.php
+++ b/web/suspend/mail/index.php
@@ -11,9 +11,8 @@
 // Mail domain
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-suspend-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-mail-domain ".$user." ".$v_domain, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 $back=getenv("HTTP_REFERER");
@@ -30,7 +29,7 @@
 $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
 $v_account = escapeshellarg($_GET['account']);
- exec(HESTIA_CMD."v-suspend-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 $back = $_SESSION['back'];
diff --git a/web/suspend/user/index.php b/web/suspend/user/index.php
index 35a38ec384..1ef3762865 100644
--- a/web/suspend/user/index.php
+++ b/web/suspend/user/index.php
@@ -16,8 +16,7 @@
 }
 if (!empty($_GET['user'])) {
- $v_username = escapeshellarg($_GET['user']);
- exec(HESTIA_CMD."v-suspend-user ".$v_username, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-user ".$user, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);
diff --git a/web/suspend/web/index.php b/web/suspend/web/index.php
index 9d1b111960..d5dcfaac21 100644
--- a/web/suspend/web/index.php
+++ b/web/suspend/web/index.php
@@ -12,7 +12,7 @@
 if (!empty($_GET['domain'])) {
 $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-suspend-web-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-suspend-web-domain ".$user." ".$v_domain, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);
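Review bot: In web/suspend/user/index.php, `exec(HESTIA_CMD."v-suspend-user ".$user, $output, $return_var);` replaces the removed `escapeshellarg($_GET['user'])` with `$user`, which is the session or impersonated user set in inc/main.php unless code above this hunk reassigns it from `$_GET['user']`; if it does not, the guard `if (!empty($_GET['user']))` checks one value and the command suspends another, the administrator's own account being the likely one. Please confirm the assignment exists earlier in the file (the closing `}` at the top of the hunk suggests a block there) or restore the explicit target: `exec(HESTIA_CMD."v-suspend-user ".escapeshellarg($_GET['user']), $output, $return_var);`. The `check_return_code($return_var, $output);` after the block also runs when the `if` was skipped, in which case both variables are undefined.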
diff --git a/web/templates/includes/title.html b/web/templates/includes/title.html index f46c0d77de..513c92460b 100644 --- a/web/templates/includes/title.html +++ b/web/templates/includes/title.html @@ -1,2 +1,2 @@ -<?=$_SERVER['HTTP_HOST']; ?> - <?=_($TAB)?> - <?=_('Hestia Control Panel');?> \ No newline at end of file +<?=htmlentities($_SERVER['HTTP_HOST']); ?> - <?=_($TAB)?> - <?=_('Hestia Control Panel');?> \ No newline at end of file diff --git a/web/templates/pages/add_cron.html b/web/templates/pages/add_cron.html index 1ab5eab7a8..65e3713a37 100644 --- a/web/templates/pages/add_cron.html +++ b/web/templates/pages/add_cron.html @@ -341,20 +341,7 @@ - - + diff --git a/web/templates/pages/add_db.html b/web/templates/pages/add_db.html index 9f546927ab..2c9bde74a1 100644 --- a/web/templates/pages/add_db.html +++ b/web/templates/pages/add_db.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/add_dns.html b/web/templates/pages/add_dns.html index a2bbcd6a9c..d37be1e252 100644 --- a/web/templates/pages/add_dns.html +++ b/web/templates/pages/add_dns.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/add_dns_rec.html b/web/templates/pages/add_dns_rec.html index 252d3a2696..74f1c6e2a1 100644 --- a/web/templates/pages/add_dns_rec.html +++ b/web/templates/pages/add_dns_rec.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/add_firewall.html b/web/templates/pages/add_firewall.html index 55fcbd18c7..622febce2e 100644 --- a/web/templates/pages/add_firewall.html +++ b/web/templates/pages/add_firewall.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/add_firewall_banlist.html b/web/templates/pages/add_firewall_banlist.html index 684cf1f480..f96594de21 100644 --- a/web/templates/pages/add_firewall_banlist.html +++ b/web/templates/pages/add_firewall_banlist.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/add_firewall_ipset.html b/web/templates/pages/add_firewall_ipset.html index dece08db14..e41843877c 100644 
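Review bot: `htmlentities($_SERVER['HTTP_HOST'])` in title.html is called with default flags and no charset; on PHP versions before 8.1 the default `ENT_COMPAT` leaves single quotes unencoded and the charset falls back to `default_charset`, and the host header is attacker-controlled, so the flags should be explicit: `<?=htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>`. The remaining template hunks in this patch are not readable in this chunk (their markup was stripped), so they are not reviewed here.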
--- a/web/templates/pages/add_firewall_ipset.html +++ b/web/templates/pages/add_firewall_ipset.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/add_ip.html b/web/templates/pages/add_ip.html index 5ac65cf7b5..738893534b 100644 --- a/web/templates/pages/add_ip.html +++ b/web/templates/pages/add_ip.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/add_key.html b/web/templates/pages/add_key.html index c8794a9101..4b9ba4ec02 100644 --- a/web/templates/pages/add_key.html +++ b/web/templates/pages/add_key.html @@ -41,20 +41,7 @@ - - + diff --git a/web/templates/pages/add_mail.html b/web/templates/pages/add_mail.html index 62126ab81c..d3ed770926 100644 --- a/web/templates/pages/add_mail.html +++ b/web/templates/pages/add_mail.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/add_mail_acc.html b/web/templates/pages/add_mail_acc.html index eea7e1356a..a2fe153baf 100644 --- a/web/templates/pages/add_mail_acc.html +++ b/web/templates/pages/add_mail_acc.html @@ -37,20 +37,7 @@ - - + @@ -169,7 +156,7 @@ + diff --git a/web/templates/pages/edit_backup_exclusions.html b/web/templates/pages/edit_backup_exclusions.html index 970e3f99ee..e70bb2d008 100644 --- a/web/templates/pages/edit_backup_exclusions.html +++ b/web/templates/pages/edit_backup_exclusions.html @@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_cron.html b/web/templates/pages/edit_cron.html index 644259acac..765448a5a5 100644 --- a/web/templates/pages/edit_cron.html +++ b/web/templates/pages/edit_cron.html @@ -342,20 +342,7 @@ - - + diff --git a/web/templates/pages/edit_db.html b/web/templates/pages/edit_db.html index a2027d670d..91cb030fa2 100644 --- a/web/templates/pages/edit_db.html +++ b/web/templates/pages/edit_db.html @@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_dns.html b/web/templates/pages/edit_dns.html index b87e4e1c87..984530a4d0 100644 --- a/web/templates/pages/edit_dns.html +++ b/web/templates/pages/edit_dns.html 
@@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_dns_rec.html b/web/templates/pages/edit_dns_rec.html index 063760d05e..e19d4c59e7 100644 --- a/web/templates/pages/edit_dns_rec.html +++ b/web/templates/pages/edit_dns_rec.html @@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_firewall.html b/web/templates/pages/edit_firewall.html index abfd16343a..57fac3b801 100644 --- a/web/templates/pages/edit_firewall.html +++ b/web/templates/pages/edit_firewall.html @@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_ip.html b/web/templates/pages/edit_ip.html index e8525bf01e..1922b5b2d5 100644 --- a/web/templates/pages/edit_ip.html +++ b/web/templates/pages/edit_ip.html @@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_mail.html b/web/templates/pages/edit_mail.html index 611a5d6ada..b7b16cacf2 100644 --- a/web/templates/pages/edit_mail.html +++ b/web/templates/pages/edit_mail.html @@ -38,20 +38,7 @@ - - + @@ -133,7 +120,8 @@ -
+ +
@@ -143,7 +131,7 @@ - / + / @@ -181,7 +169,7 @@ : - + @@ -190,7 +178,7 @@ : - + @@ -199,7 +187,7 @@ : - + @@ -207,7 +195,7 @@ : - + @@ -215,7 +203,7 @@ : - + @@ -223,7 +211,7 @@ : - + @@ -231,7 +219,7 @@ : - + diff --git a/web/templates/pages/edit_mail_acc.html b/web/templates/pages/edit_mail_acc.html index 860d9781b7..19d6de8b17 100644 --- a/web/templates/pages/edit_mail_acc.html +++ b/web/templates/pages/edit_mail_acc.html @@ -38,20 +38,7 @@ - - + @@ -199,7 +186,7 @@ : -
mail.
+
mail.
@@ -223,7 +210,7 @@ : -
mail.
+
mail.
@@ -248,7 +235,7 @@ : -
http://
+
http://
diff --git a/web/templates/pages/edit_package.html b/web/templates/pages/edit_package.html index 0bda36907e..557118e699 100644 --- a/web/templates/pages/edit_package.html +++ b/web/templates/pages/edit_package.html @@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_server.html b/web/templates/pages/edit_server.html index 1fb32aa49b..f2540cc75a 100644 --- a/web/templates/pages/edit_server.html +++ b/web/templates/pages/edit_server.html @@ -41,24 +41,9 @@ - - -

+ - diff --git a/web/templates/pages/edit_server_bind9.html b/web/templates/pages/edit_server_bind9.html index 787979f04b..7f702ed5dc 100644 --- a/web/templates/pages/edit_server_bind9.html +++ b/web/templates/pages/edit_server_bind9.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/edit_server_dovecot.html b/web/templates/pages/edit_server_dovecot.html index e8ffbcc54c..245731afe0 100644 --- a/web/templates/pages/edit_server_dovecot.html +++ b/web/templates/pages/edit_server_dovecot.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/edit_server_httpd.html b/web/templates/pages/edit_server_httpd.html index 1c742f9ba2..63843e8a6d 100644 --- a/web/templates/pages/edit_server_httpd.html +++ b/web/templates/pages/edit_server_httpd.html @@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_server_mysql.html b/web/templates/pages/edit_server_mysql.html index 421958f3ac..14c0cff7fc 100644 --- a/web/templates/pages/edit_server_mysql.html +++ b/web/templates/pages/edit_server_mysql.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/edit_server_nginx.html b/web/templates/pages/edit_server_nginx.html index fdd58cb98e..af9171828c 100644 --- a/web/templates/pages/edit_server_nginx.html +++ b/web/templates/pages/edit_server_nginx.html @@ -38,20 +38,7 @@ - - + diff --git a/web/templates/pages/edit_server_pgsql.html b/web/templates/pages/edit_server_pgsql.html index 08a116c432..4f7997e87b 100644 --- a/web/templates/pages/edit_server_pgsql.html +++ b/web/templates/pages/edit_server_pgsql.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/edit_server_php.html b/web/templates/pages/edit_server_php.html index 9bf27e20c7..f115ca53db 100644 --- a/web/templates/pages/edit_server_php.html +++ b/web/templates/pages/edit_server_php.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/edit_server_service.html b/web/templates/pages/edit_server_service.html index 0fae36259f..7a1fc3b4f1 100644 
--- a/web/templates/pages/edit_server_service.html +++ b/web/templates/pages/edit_server_service.html @@ -37,20 +37,7 @@ - - + diff --git a/web/templates/pages/edit_user.html b/web/templates/pages/edit_user.html index 185450b7b6..1e3797cf81 100644 --- a/web/templates/pages/edit_user.html +++ b/web/templates/pages/edit_user.html @@ -5,8 +5,8 @@ - +
- +
@@ -68,20 +68,7 @@ - - + @@ -158,7 +145,7 @@


-
+
diff --git a/web/templates/pages/edit_web.html b/web/templates/pages/edit_web.html index 2bb311d349..fc009664f4 100644 --- a/web/templates/pages/edit_web.html +++ b/web/templates/pages/edit_web.html @@ -5,11 +5,11 @@
- " id="v-clear-cache"> + " id="v-clear-cache"> - + @@ -46,20 +46,7 @@ - - + @@ -173,8 +160,8 @@ @@ -257,7 +244,7 @@ @@ -503,9 +490,9 @@ diff --git a/web/templates/pages/generate_ssl.html b/web/templates/pages/generate_ssl.html index 8260786bd6..0d47112a2c 100644 --- a/web/templates/pages/generate_ssl.html +++ b/web/templates/pages/generate_ssl.html @@ -1,20 +1,7 @@
- - +
diff --git a/web/templates/pages/list_backup_detail.html b/web/templates/pages/list_backup_detail.html index f124fbf069..c906c8bbb2 100644 --- a/web/templates/pages/list_backup_detail.html +++ b/web/templates/pages/list_backup_detail.html @@ -53,7 +53,7 @@ diff --git a/web/templates/pages/list_cron.html b/web/templates/pages/list_cron.html index 22cdb12aa2..5d51111c48 100644 --- a/web/templates/pages/list_cron.html +++ b/web/templates/pages/list_cron.html @@ -21,8 +21,8 @@ diff --git a/web/templates/pages/list_db.html b/web/templates/pages/list_db.html index d3fcdab4d6..0328a03170 100644 --- a/web/templates/pages/list_db.html +++ b/web/templates/pages/list_db.html @@ -40,8 +40,8 @@ diff --git a/web/templates/pages/list_dns.html b/web/templates/pages/list_dns.html index 67a200cc58..8d1ff8103f 100644 --- a/web/templates/pages/list_dns.html +++ b/web/templates/pages/list_dns.html @@ -20,8 +20,8 @@ diff --git a/web/templates/pages/list_dns_rec.html b/web/templates/pages/list_dns_rec.html index 2b9f4a6b61..bd698b3e38 100644 --- a/web/templates/pages/list_dns_rec.html +++ b/web/templates/pages/list_dns_rec.html @@ -21,8 +21,8 @@ diff --git a/web/templates/pages/list_mail.html b/web/templates/pages/list_mail.html index 7862f55124..a15860e1ab 100644 --- a/web/templates/pages/list_mail.html +++ b/web/templates/pages/list_mail.html @@ -18,8 +18,8 @@ diff --git a/web/templates/pages/list_mail_acc.html b/web/templates/pages/list_mail_acc.html index e8bdcafb30..448e56366b 100644 --- a/web/templates/pages/list_mail_acc.html +++ b/web/templates/pages/list_mail_acc.html @@ -24,8 +24,8 @@ @@ -127,7 +127,7 @@ } ?>
animated fadeIn" - v_unit_id="" v_section="mail_acc" sort-date="" sort-name="" sort-disk="" + v_unit_id="" v_section="mail_acc" sort-date="" sort-name="" sort-disk="" sort-quota="" sort-star=" ">
@@ -136,9 +136,9 @@
- + - +
diff --git a/web/templates/pages/list_packages.html b/web/templates/pages/list_packages.html index 68d382a479..56698380d8 100644 --- a/web/templates/pages/list_packages.html +++ b/web/templates/pages/list_packages.html @@ -15,10 +15,11 @@
- @@ -60,7 +47,7 @@ @@ -70,7 +57,7 @@ diff --git a/web/templates/pages/list_user.html b/web/templates/pages/list_user.html index ef674db4a0..c3a248773c 100644 --- a/web/templates/pages/list_user.html +++ b/web/templates/pages/list_user.html @@ -17,8 +17,8 @@ diff --git a/web/templates/pages/list_web.html b/web/templates/pages/list_web.html index b47910548c..d418868277 100644 --- a/web/templates/pages/list_web.html +++ b/web/templates/pages/list_web.html @@ -19,8 +19,8 @@ diff --git a/web/templates/pages/list_webapps.html b/web/templates/pages/list_webapps.html index ccacb60852..c347495d7e 100644 --- a/web/templates/pages/list_webapps.html +++ b/web/templates/pages/list_webapps.html @@ -2,7 +2,7 @@
- +
@@ -45,7 +45,7 @@

:

- +
diff --git a/web/templates/pages/list_weblog.html b/web/templates/pages/list_weblog.html index cb8b33e076..5dd0093c00 100644 --- a/web/templates/pages/list_weblog.html +++ b/web/templates/pages/list_weblog.html @@ -31,7 +31,7 @@
- +
diff --git a/web/templates/pages/login/reset_2.html b/web/templates/pages/login/reset_2.html index d05aed2556..2c680d5f5c 100644 --- a/web/templates/pages/login/reset_2.html +++ b/web/templates/pages/login/reset_2.html @@ -26,8 +26,8 @@ diff --git a/web/templates/pages/login/reset_3.html b/web/templates/pages/login/reset_3.html index b5950c0ae9..89533fb85c 100644 --- a/web/templates/pages/login/reset_3.html +++ b/web/templates/pages/login/reset_3.html @@ -18,9 +18,9 @@ diff --git a/web/templates/pages/setup_webapp.html b/web/templates/pages/setup_webapp.html index 493196bc23..a1ff7e1289 100644 --- a/web/templates/pages/setup_webapp.html +++ b/web/templates/pages/setup_webapp.html @@ -2,7 +2,7 @@
- +
- +
diff --git a/web/unsuspend/cron/index.php b/web/unsuspend/cron/index.php
index accbd86034..e984cea81d 100644
--- a/web/unsuspend/cron/index.php
+++ b/web/unsuspend/cron/index.php
@@ -9,9 +9,8 @@
 verify_csrf($_GET);
 if (!empty($_GET['job'])) {
- $v_username = escapeshellarg($user);
 $v_job = escapeshellarg($_GET['job']);
- exec(HESTIA_CMD."v-unsuspend-cron-job ".$v_username." ".$v_job, $output, $return_var);
+ exec(HESTIA_CMD."v-unsuspend-cron-job ".$user." ".$v_job, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 }
diff --git a/web/unsuspend/db/index.php b/web/unsuspend/db/index.php
index a111cc4bfb..32de99aab4 100644
--- a/web/unsuspend/db/index.php
+++ b/web/unsuspend/db/index.php
@@ -9,9 +9,8 @@
 verify_csrf($_GET);
 if (!empty($_GET['database'])) {
- $v_username = escapeshellarg($user);
 $v_database = escapeshellarg($_GET['database']);
- exec(HESTIA_CMD."v-unsuspend-database ".$v_username." ".$v_database, $output, $return_var);
+ exec(HESTIA_CMD."v-unsuspend-database ".$user." ".$v_database, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 }
diff --git a/web/unsuspend/dns/index.php b/web/unsuspend/dns/index.php
index e897035071..9fdebf52b2 100644
--- a/web/unsuspend/dns/index.php
+++ b/web/unsuspend/dns/index.php
@@ -9,9 +9,8 @@
 // DNS domain
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-unsuspend-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-unsuspend-dns-domain ".$user." ".$v_domain, $output, $return_var);
 if ($return_var != 0) {
 $error = implode('
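Review bot: The new exec line in the unsuspend/cron hunk passes `$user` into the shell command with no escaping of its own, so the safety of this call now rests on an invariant established elsewhere (the PR description says `$user` is wrapped in `escapeshellarg()` when it is read from `$_SESSION` in inc/main.php, which is not in this hunk). That dependency is invisible to a reader of this file and is easy to break if `$user` is ever assigned from another source; I would record it above the exec: `// $user is already escapeshellarg()-quoted by inc/main.php; do not re-quote it here`. The same applies to the unsuspend/db hunk on this line, both unsuspend/dns hunks, the first unsuspend/mail hunk and the unsuspend/web hunk.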
', $output);
 if (empty($error)) {
@@ -31,10 +30,9 @@
 // DNS record
 if ((!empty($_GET['domain'])) && (!empty($_GET['record_id']))) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
 $v_record_id = escapeshellarg($_GET['record_id']);
- exec(HESTIA_CMD."v-unsuspend-dns-record ".$v_username." ".$v_domain." ".$v_record_id, $output, $return_var);
+ exec(HESTIA_CMD."v-unsuspend-dns-record ".$user." ".$v_domain." ".$v_record_id, $output, $return_var);
 if ($return_var != 0) {
 $error = implode('
', $output);
 if (empty($error)) {
diff --git a/web/unsuspend/mail/index.php b/web/unsuspend/mail/index.php
index 3bad8b47b9..c1873ef51b 100644
--- a/web/unsuspend/mail/index.php
+++ b/web/unsuspend/mail/index.php
@@ -9,9 +9,8 @@
 // Mail domain
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-unsuspend-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-unsuspend-mail-domain ".$user." ".$v_domain, $output, $return_var);
 if ($return_var != 0) {
 $error = implode('
', $output);
 if (empty($error)) {
@@ -34,7 +33,7 @@
 $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
 $v_account = escapeshellarg($_GET['account']);
- exec(HESTIA_CMD."v-unsuspend-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+ exec(HESTIA_CMD."v-unsuspend-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
 if ($return_var != 0) {
 $error = implode('
', $output);
 if (empty($error)) {
diff --git a/web/unsuspend/web/index.php b/web/unsuspend/web/index.php
index 94d40c78e2..70140cb6cc 100644
--- a/web/unsuspend/web/index.php
+++ b/web/unsuspend/web/index.php
@@ -8,9 +8,8 @@
 verify_csrf($_GET);
 if (!empty($_GET['domain'])) {
- $v_username = escapeshellarg($user);
 $v_domain = escapeshellarg($_GET['domain']);
- exec(HESTIA_CMD."v-unsuspend-domain ".$v_username." ".$v_domain, $output, $return_var);
+ exec(HESTIA_CMD."v-unsuspend-domain ".$user." ".$v_domain, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 }
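Review bot: In the second unsuspend/mail hunk (`@@ -34,7 +33,7 @@`) the context line `$v_username = escapeshellarg($user);` appears to remain while the exec below it now uses `$user`, leaving `$v_username` assigned but unused; every other hunk in this series removes that line. Drop it here as well for consistency, otherwise a later reader may re-wire the exec back to the double-quoted value. The enclosing `if` block of that hunk starts before the hunk.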
-
-
+
+
- / + /
: - - + + : - - + + : - - + + : - - + + : - - + + : - - + + : - - + + +
diff --git a/web/templates/pages/list_ssl.html b/web/templates/pages/list_ssl.html index 0e105c78a2..e4f1a735ba 100644 --- a/web/templates/pages/list_ssl.html +++ b/web/templates/pages/list_ssl.html @@ -32,25 +32,12 @@
- - +
+
- +
- +
: - - + + : - - + +
- - + +
- - - + + +