Merge branch 'patch-cron' into 'stable-3.1'

Till Brehm · Till Brehm · commit 437fa5b47d30 · 2017-12-06T19:29:45.000+01:00
Fixed authenticated user privilegue escalation vulnerability in cron module, fixes #4869

See merge request ispconfig/ispconfig3!680
diff --git a/install/patches/upd_0085.php b/install/patches/upd_0085.php
@@ -0,0 +1,59 @@
+<?php
+
+if(!defined('INSTALLER_RUN')) die('Patch update file access violation.');
+
+/*
+	Example installer patch update class. the classname must match
+	the php and the sql patch update filename. The php patches are
+	only executed when a corresponding sql patch exists.
+*/
+
+class upd_0085 extends installer_patch_update {
+
+	public function onAfterSQL() {
+		global $inst, $conf;
+		
+		$cron_files = $conf['cron']['crontab_dir'] . '/ispc_*';
+		$check_suffix = '';
+		if (file_exists('/etc/gentoo-release')) {
+			$cron_files .= '.cron';
+			$check_suffix = '.cron';
+		}
+		
+		$file_list = glob($cron_files);
+		if(is_array($file_list) && !empty($file_list)) {
+			for($f = 0; $f < count($file_list); $f++) {
+				$cron_file = $file_list[$f];
+				$fp = fopen($cron_file, 'r');
+				while($fp && !feof($fp)) {
+					$line = trim(fgets($fp));
+					if($line == '') continue;
+					elseif(substr($line, 0, 1) === '#') continue; // commented out
+					
+					$fields = preg_split('/\s+/', $line);
+					if(trim($fields[0]) == '') {
+						// invalid line
+						swriteln($inst->lng('[INFO] Invalid cron line in file ' . $cron_file));
+					} elseif(preg_match('/^\w+=/', $line)) {
+						if(preg_match('/\s/', $line)) {
+							// warning line with env var and space!
+							swriteln($inst->lng("\n" . '[WARNING] Cron line in file ' . $cron_file . ' contains environment variable.' . "\n"));
+						}
+					} elseif(!isset($fields[5])) {
+						// invalid line (missing user)
+							swriteln($inst->lng("\n" . '[WARNING] Cron line in file ' . $cron_file . ' misses user field.' . "\n"));
+					} else {
+						$check_filename = trim($fields[5]) . $check_suffix;
+						if(substr($cron_file, -strlen($check_filename)) != $check_filename) {
+							// warning user not equal to file name
+							swriteln($inst->lng("\n" . '[WARNING] SUSPECT USER IN CRON FILE ' . $cron_file . '! CHECK CRON FILE FOR MALICIOUS ENTRIES!' . "\n"));
+						}
+					}
+				}
+				fclose($fp);
+			}
+		}
+	}
+}
+
+?>
diff --git a/install/sql/incremental/upd_0085.sql b/install/sql/incremental/upd_0085.sql
@@ -0,0 +1,21 @@
+ALTER TABLE `web_domain` CHANGE `folder_directive_snippets` `folder_directive_snippets` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NULL;
+ALTER TABLE `web_domain` ADD `log_retention` INT NOT NULL DEFAULT '30' AFTER `https_port`;
+ALTER TABLE `web_domain` CHANGE `stats_type` `stats_type` VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT 'awstats';
+ALTER TABLE `spamfilter_policy` 
+CHANGE `virus_lover` `virus_lover` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `spam_lover` `spam_lover` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `banned_files_lover` `banned_files_lover` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `bad_header_lover` `bad_header_lover` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `bypass_virus_checks` `bypass_virus_checks` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `bypass_spam_checks` `bypass_spam_checks` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `bypass_banned_checks` `bypass_banned_checks` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `bypass_header_checks` `bypass_header_checks` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `spam_modifies_subj` `spam_modifies_subj` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `warnvirusrecip` `warnvirusrecip` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `warnbannedrecip` `warnbannedrecip` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
+CHANGE `warnbadhrecip` `warnbadhrecip` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N';
+ALTER TABLE `dns_rr` CHANGE `data` `data` TEXT NOT NULL;
+ALTER TABLE `web_database` CHANGE `database_quota` `database_quota` INT(11) NULL DEFAULT NULL;
+ALTER TABLE `web_domain` ADD `log_retention` INT NOT NULL DEFAULT '30' ;
+ALTER TABLE spamfilter_policy CHANGE spam_tag_level spam_tag_level DECIMAL(5,2) NULL DEFAULT NULL, CHANGE spam_tag2_level spam_tag2_level DECIMAL(5,2) NULL DEFAULT NULL, CHANGE spam_kill_level spam_kill_level DECIMAL(5,2) NULL DEFAULT NULL, CHANGE spam_dsn_cutoff_level spam_dsn_cutoff_level DECIMAL(5,2) NULL DEFAULT NULL, CHANGE spam_quarantine_cutoff_level spam_quarantine_cutoff_level DECIMAL(5,2) NULL DEFAULT NULL;
+UPDATE `web_database` as d LEFT JOIN `web_domain` as w ON (w.domain_id = d.parent_domain_id) SET d.parent_domain_id = 0 WHERE w.domain_id IS NULL AND d.parent_domain_id != 0;
diff --git a/install/sql/incremental/upd_dev_collection.sql b/install/sql/incremental/upd_dev_collection.sql
@@ -1,21 +1 @@
-ALTER TABLE `web_domain` CHANGE `folder_directive_snippets` `folder_directive_snippets` TEXT CHARACTER SET utf8 COLLATE utf8_general_ci NULL;
-ALTER TABLE `web_domain` ADD `log_retention` INT NOT NULL DEFAULT '30' AFTER `https_port`;
-ALTER TABLE `web_domain` CHANGE `stats_type` `stats_type` VARCHAR(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT 'awstats';
-ALTER TABLE `spamfilter_policy` 
-CHANGE `virus_lover` `virus_lover` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `spam_lover` `spam_lover` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `banned_files_lover` `banned_files_lover` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `bad_header_lover` `bad_header_lover` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `bypass_virus_checks` `bypass_virus_checks` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `bypass_spam_checks` `bypass_spam_checks` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `bypass_banned_checks` `bypass_banned_checks` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `bypass_header_checks` `bypass_header_checks` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `spam_modifies_subj` `spam_modifies_subj` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `warnvirusrecip` `warnvirusrecip` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `warnbannedrecip` `warnbannedrecip` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N',
-CHANGE `warnbadhrecip` `warnbadhrecip` ENUM('N','Y') CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL DEFAULT 'N';
-ALTER TABLE `dns_rr` CHANGE `data` `data` TEXT NOT NULL;
-ALTER TABLE `web_database` CHANGE `database_quota` `database_quota` INT(11) NULL DEFAULT NULL;
-ALTER TABLE `web_domain` ADD `log_retention` INT NOT NULL DEFAULT '30' ;
-ALTER TABLE spamfilter_policy CHANGE spam_tag_level spam_tag_level DECIMAL(5,2) NULL DEFAULT NULL, CHANGE spam_tag2_level spam_tag2_level DECIMAL(5,2) NULL DEFAULT NULL, CHANGE spam_kill_level spam_kill_level DECIMAL(5,2) NULL DEFAULT NULL, CHANGE spam_dsn_cutoff_level spam_dsn_cutoff_level DECIMAL(5,2) NULL DEFAULT NULL, CHANGE spam_quarantine_cutoff_level spam_quarantine_cutoff_level DECIMAL(5,2) NULL DEFAULT NULL;
-UPDATE `web_database` as d LEFT JOIN `web_domain` as w ON (w.domain_id = d.parent_domain_id) SET d.parent_domain_id = 0 WHERE w.domain_id IS NULL AND d.parent_domain_id != 0;
+
diff --git a/interface/lib/classes/validate_cron.inc.php b/interface/lib/classes/validate_cron.inc.php
@@ -54,6 +54,9 @@ function command_format($field_name, $field_value, $validator) {
 
 			if(preg_match("'^([a-z0-9][a-z0-9\-]{0,62}\.)+([A-Za-z0-9\-]{2,30})$'i", $parsed["host"]) == false) return $this->get_error($validator['errmsg']);
 		}
+		if(strpos($field_value, "\n") !== false || strpos($field_value, "\r") !== false || strpos($field_value, chr(0)) !== false) {
+			return $this->get_error($validator['errmsg']);
+		}
 	}
 
 	function run_month_format($field_name, $field_value, $validator) {
diff --git a/server/plugins-available/cron_plugin.inc.php b/server/plugins-available/cron_plugin.inc.php
@@ -239,6 +239,11 @@ function _write_crontab() {
 				if($job['type'] == 'url') {
 					$command .= "\t{$cron_config['wget']} --user-agent='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0' -q -t 1 -T 7200 -O " . $log_wget_target . " " . escapeshellarg($job['command']) . " " . $log_target;
 				} else {
+					if(strpos($job['command'], "\n") !== false || strpos($job['command'], "\r") !== false || strpos($job['command'], chr(0)) !== false) {
+						$app->log("Insecure Cron job SKIPPED: " . $job['command'], LOGLEVEL_WARN);
+						continue;
+					}
+					
 					$web_root = '';
 					if($job['type'] == 'chrooted') {
 						if(substr($job['command'], 0, strlen($this->parent_domain['document_root'])) == $this->parent_domain['document_root']) {

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,9 @@ function command_format($field_name, $field_value, $validator) {`
`54`	`54`
`55`	`55`	`if(preg_match("'^([a-z0-9][a-z0-9\-]{0,62}\.)+([A-Za-z0-9\-]{2,30})$'i", $parsed["host"]) == false) return $this->get_error($validator['errmsg']);`
`56`	`56`	`}`
	`57`	`+ if(strpos($field_value, "\n") !== false \|\| strpos($field_value, "\r") !== false \|\| strpos($field_value, chr(0)) !== false) {`
	`58`	`+ return $this->get_error($validator['errmsg']);`
	`59`	`+ }`
`57`	`60`	`}`
`58`	`61`
`59`	`62`	`function run_month_format($field_name, $field_value, $validator) {`