Merge pull request #2120 from jaapmarcus/fix/csrf-juggling
Rewrite session token check to prevent type juggling
jaapmarcus committed Sep 10, 2021
2 parents 0e0f312 + 2d4295c commit fc68baf
Showing 118 changed files with 2,882 additions and 2,479 deletions.
5 changes: 5 additions & 0 deletions install/upgrade/versions/1.4.13.sh
Expand Up @@ -48,3 +48,8 @@ fi
if [ -d "$HESTIA/web/edit/file/" ]; then
rm -fr $HESTIA/web/edit/file/
fi

# Not used any more
if [ -d "$HESTIA/web/edit/server/theme/" ]; then
rm -fr $HESTIA/web/edit/server/theme/
fi
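Review bot: The new `rm -fr $HESTIA/web/edit/server/theme/` leaves `$HESTIA` unquoted while the `-d` test directly above it quotes the same path, so a value containing whitespace or glob characters passes the guard and is then word-split or expanded before `rm -fr` runs. Quote it to match the guard: `rm -fr "$HESTIA/web/edit/server/theme/"`. The pre-existing `web/edit/file/` removal kept as context in this hunk has the same shape and could be fixed in the same edit.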
10 changes: 4 additions & 6 deletions web/add/cron/autoupdate/index.php
@@ -1,18 +1,16 @@
<?php

// Init
error_reporting(NULL);
error_reporting(null);
ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
verify_csrf($_GET);

if ($_SESSION['user'] == 'admin') {
exec (HESTIA_CMD."v-add-cron-hestia-autoupdate", $output, $return_var);
exec(HESTIA_CMD."v-add-cron-hestia-autoupdate", $output, $return_var);
unset($output);
}

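Review bot: `verify_csrf($_GET)` keeps the anti-CSRF token on the query string of a state-changing request (the `exec` of `v-add-cron-hestia-autoupdate` just below it), so the token is written to web-server access logs and can leak through the Referer header of any outbound link on the page the user lands on; the juggling fix does not change that channel. Moving this action to a POST form and calling `verify_csrf($_POST)` as web/add/cron/index.php does in this same commit would close it, and the same applies to web/add/cron/reports/index.php. The definition of `verify_csrf()` is not in this diff, so I am assuming it terminates the request on a missing or mismatched token the way the removed `header('location: /login/'); exit();` did — if it only returns a result, the `exec` still runs. While here, `$_SESSION['user'] == 'admin'` could become `===` for consistency with the commit's intent, although the session value is server-set so the practical risk is low.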
40 changes: 25 additions & 15 deletions web/add/cron/index.php
@@ -1,5 +1,6 @@
<?php
error_reporting(NULL);

error_reporting(null);
ob_start();
$TAB = 'CRON';

Expand All @@ -10,27 +11,36 @@
if (!empty($_POST['ok'])) {

// Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
header('location: /login/');
exit();
}
verify_csrf($_POST);

// Check empty fields
if ((!isset($_POST['v_min'])) || ($_POST['v_min'] == '')) $errors[] = _('minute');
if ((!isset($_POST['v_hour'])) || ($_POST['v_hour'] == '')) $errors[] = _('hour');
if ((!isset($_POST['v_day'])) || ($_POST['v_day'] == '')) $errors[] = _('day');
if ((!isset($_POST['v_month'])) || ($_POST['v_month'] == '')) $errors[] = _('month');
if ((!isset($_POST['v_wday'])) || ($_POST['v_wday'] == '')) $errors[] = _('day of week');
if ((!isset($_POST['v_cmd'])) || ($_POST['v_cmd'] == '')) $errors[] = _('cmd');
if ((!isset($_POST['v_min'])) || ($_POST['v_min'] == '')) {
$errors[] = _('minute');
}
if ((!isset($_POST['v_hour'])) || ($_POST['v_hour'] == '')) {
$errors[] = _('hour');
}
if ((!isset($_POST['v_day'])) || ($_POST['v_day'] == '')) {
$errors[] = _('day');
}
if ((!isset($_POST['v_month'])) || ($_POST['v_month'] == '')) {
$errors[] = _('month');
}
if ((!isset($_POST['v_wday'])) || ($_POST['v_wday'] == '')) {
$errors[] = _('day of week');
}
if ((!isset($_POST['v_cmd'])) || ($_POST['v_cmd'] == '')) {
$errors[] = _('cmd');
}
if (!empty($errors[0])) {
foreach ($errors as $i => $error) {
if ( $i == 0 ) {
if ($i == 0) {
$error_msg = $error;
} else {
$error_msg = $error_msg.", ".$error;
}
}
$_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'),$error_msg);
$_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'), $error_msg);
}

// Protect input
Expand All @@ -43,8 +53,8 @@

// Add cron job
if (empty($_SESSION['error_msg'])) {
exec (HESTIA_CMD."v-add-cron-job ".$user." ".$v_min." ".$v_hour." ".$v_day." ".$v_month." ".$v_wday." ".$v_cmd, $output, $return_var);
check_return_code($return_var,$output);
exec(HESTIA_CMD."v-add-cron-job ".$user." ".$v_min." ".$v_hour." ".$v_day." ".$v_month." ".$v_wday." ".$v_cmd, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
}

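Review bot: The `error_reporting(NULL)` → `error_reporting(null)` edit in the first hunk is only a case change on PHP 7, but on PHP 8.0+ the signature is `error_reporting(?int $error_level = null)` and passing `null` returns the current level without changing it, so the file would stop silencing notices and warnings there and a host with `display_errors` on would start printing them (paths, variable names) into this page. If suppression is the intent, say so explicitly with `error_reporting(0);` — the same pattern is introduced in the other three PHP files of this commit. Please confirm which PHP versions the panel is expected to run on before treating this as cosmetic.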
10 changes: 4 additions & 6 deletions web/add/cron/reports/index.php
@@ -1,17 +1,15 @@
<?php

// Init
error_reporting(NULL);
error_reporting(null);
ob_start();
session_start();
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

// Check token
if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
header('location: /login/');
exit();
}
verify_csrf($_GET);

exec (HESTIA_CMD."v-add-cron-reports ".$user, $output, $return_var);
exec(HESTIA_CMD."v-add-cron-reports ".$user, $output, $return_var);
unset($output);

header("Location: /list/cron/");
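Review bot: The result of `exec(HESTIA_CMD."v-add-cron-reports ".$user, $output, $return_var)` is never inspected — `$return_var` is discarded and the page redirects to /list/cron/ regardless, so a backend refusal looks like success to the user. web/add/cron/index.php in this same commit calls `check_return_code($return_var, $output);` right after its exec; adding that line here before `unset($output);` gives the reports action the same error surfacing. `$user` is also passed to the shell unquoted; it is presumably set server-side by inc/main.php (not visible in this diff), but `escapeshellarg($user)` costs nothing if that assumption ever stops holding.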
86 changes: 57 additions & 29 deletions web/add/db/index.php
@@ -1,5 +1,6 @@
<?php
error_reporting(NULL);

error_reporting(null);
ob_start();
$TAB = 'DB';

Expand All @@ -10,27 +11,36 @@
if (!empty($_POST['ok'])) {

// Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
header('location: /login/');
exit();
}
verify_csrf($_POST);

// Check empty fields
if (empty($_POST['v_database'])) $errors[] = _('database');
if (empty($_POST['v_dbuser'])) $errors[] = _('username');
if (empty($_POST['v_password'])) $errors[] = _('password');
if (empty($_POST['v_type'])) $errors[] = _('type');
if (empty($_POST['v_host'])) $errors[] = _('host');
if (empty($_POST['v_charset'])) $errors[] = _('charset');
if (empty($_POST['v_database'])) {
$errors[] = _('database');
}
if (empty($_POST['v_dbuser'])) {
$errors[] = _('username');
}
if (empty($_POST['v_password'])) {
$errors[] = _('password');
}
if (empty($_POST['v_type'])) {
$errors[] = _('type');
}
if (empty($_POST['v_host'])) {
$errors[] = _('host');
}
if (empty($_POST['v_charset'])) {
$errors[] = _('charset');
}
if (!empty($errors[0])) {
foreach ($errors as $i => $error) {
if ( $i == 0 ) {
if ($i == 0) {
$error_msg = $error;
} else {
$error_msg = $error_msg.", ".$error;
}
}
$_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'),$error_msg);
$_SESSION['error_msg'] = sprintf(_('Field "%s" can not be blank.'), $error_msg);
}

// Validate email
Expand All @@ -42,7 +52,9 @@

// Check password length
if (empty($_SESSION['error_msg'])) {
if (!validate_password($_POST['v_password'])) { $_SESSION['error_msg'] = _('Password does not match the minimum requirements');}
if (!validate_password($_POST['v_password'])) {
$_SESSION['error_msg'] = _('Password does not match the minimum requirements');
}
}

// Protect input
Expand All @@ -58,12 +70,12 @@
$v_type = escapeshellarg($_POST['v_type']);
$v_charset = escapeshellarg($_POST['v_charset']);
$v_host = escapeshellarg($_POST['v_host']);
$v_password = tempnam("/tmp","vst");
$v_password = tempnam("/tmp", "vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (HESTIA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
check_return_code($return_var,$output);
exec(HESTIA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
unlink($v_password);
$v_password = escapeshellarg($_POST['v_password']);
Expand All @@ -75,13 +87,27 @@
// Get database manager url
if (empty($_SESSION['error_msg'])) {
list($http_host, $port) = explode(':', $_SERVER["HTTP_HOST"] . ":");
if ($_POST['v_host'] != 'localhost' ) $http_host = $_POST['v_host'];
if ($_POST['v_type'] == 'mysql') $db_admin = "phpMyAdmin";
if ($_POST['v_type'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";
if (($_POST['v_type'] == 'mysql') && (!empty($_SESSION['DB_PMA_ALIAS']))) $db_admin_link = "http://".$http_host."/".$_SESSION['DB_PMA_ALIAS'];
if ($_POST['v_type'] == 'pgsql') $db_admin = "phpPgAdmin";
if ($_POST['v_type'] == 'pgsql') $db_admin_link = "http://".$http_host."/phppgadmin/";
if (($_POST['v_type'] == 'pgsql') && (!empty($_SESSION['DB_PGA_ALIAS']))) $db_admin_link = "http://".$http_host."/".$_SESSION['DB_PGA_ALIAS'];
if ($_POST['v_host'] != 'localhost') {
$http_host = $_POST['v_host'];
}
if ($_POST['v_type'] == 'mysql') {
$db_admin = "phpMyAdmin";
}
if ($_POST['v_type'] == 'mysql') {
$db_admin_link = "http://".$http_host."/phpmyadmin/";
}
if (($_POST['v_type'] == 'mysql') && (!empty($_SESSION['DB_PMA_ALIAS']))) {
$db_admin_link = "http://".$http_host."/".$_SESSION['DB_PMA_ALIAS'];
}
if ($_POST['v_type'] == 'pgsql') {
$db_admin = "phpPgAdmin";
}
if ($_POST['v_type'] == 'pgsql') {
$db_admin_link = "http://".$http_host."/phppgadmin/";
}
if (($_POST['v_type'] == 'pgsql') && (!empty($_SESSION['DB_PGA_ALIAS']))) {
$db_admin_link = "http://".$http_host."/".$_SESSION['DB_PGA_ALIAS'];
}
}

// Email login credentials
Expand All @@ -91,14 +117,14 @@
$hostname = exec('hostname');
$from = "noreply@".$hostname;
$from_name = _('Hestia Control Panel');
$mailtext = sprintf(_('DATABASE_READY'),$user."_".$_POST['v_database'],$user."_".$_POST['v_dbuser'],$_POST['v_password'],$db_admin_link);
$mailtext = sprintf(_('DATABASE_READY'), $user."_".$_POST['v_database'], $user."_".$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link);
send_email($to, $subject, $mailtext, $from, $from_name);
}

// Flush field values on success
if (empty($_SESSION['error_msg'])) {
$_SESSION['ok_msg'] = sprintf(_('DATABASE_CREATED_OK'),htmlentities($user)."_".htmlentities($_POST['v_database']),htmlentities($user)."_".htmlentities($_POST['v_database']));
$_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>" . sprintf(_('open %s'),$db_admin) . "</a>";
$_SESSION['ok_msg'] = sprintf(_('DATABASE_CREATED_OK'), htmlentities($user)."_".htmlentities($_POST['v_database']), htmlentities($user)."_".htmlentities($_POST['v_database']));
$_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>" . sprintf(_('open %s'), $db_admin) . "</a>";
unset($v_database);
unset($v_dbuser);
unset($v_password);
Expand All @@ -114,9 +140,11 @@
$db_types = explode(',', $_SESSION['DB_SYSTEM']);

// List available database servers
exec (HESTIA_CMD."v-list-database-hosts json", $output, $return_var);
exec(HESTIA_CMD."v-list-database-hosts json", $output, $return_var);
$db_hosts_tmp1 = json_decode(implode('', $output), true);
$db_hosts_tmp2 = array_map(function($host){return $host['HOST'];}, $db_hosts_tmp1);
$db_hosts_tmp2 = array_map(function ($host) {
return $host['HOST'];
}, $db_hosts_tmp1);
$db_hosts = array_values(array_unique($db_hosts_tmp2));
unset($output);
unset($db_hosts_tmp1);
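Review bot: In the database-manager-URL hunk, `$http_host` is taken from `$_POST['v_host']` (or, for localhost, from the client-controlled `Host` header via `$_SERVER["HTTP_HOST"]`) and is then concatenated into an unquoted `href` in `$_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>..."` with no escaping, whereas the other values in that same message go through `htmlentities()`. Whether `v-add-database` (not in this diff) rejects a `v_host` outside the listed hosts before `ok_msg` is written is not visible here, so the safe change is to escape and quote at the sink: `$_SESSION['ok_msg'] .= " / <a href=\"".htmlspecialchars($db_admin_link, ENT_QUOTES, 'UTF-8')."\" target='_blank'>" . sprintf(_('open %s'), $db_admin) . "</a>";`. The message is rendered back to the submitting user, so the exposure is self-inflicted or via Host-header injection rather than cross-user, but it is a one-line fix. Separately, the success e-mail built by `sprintf(_('DATABASE_READY'), ...)` still includes `$_POST['v_password']` in clear text; that predates this commit but is worth a follow-up issue.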
