Security fixes - CSRF / Command Injection / XSS, thanks @sergio-nadal!

Author: ScIT-Raphael

web/add/cron/autoupdate/index.php

@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     exec (HESTIA_CMD."v-add-cron-hestia-autoupdate", $output, $return_var);
     $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');

web/add/cron/reports/index.php

@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 exec (HESTIA_CMD."v-add-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled');
 unset($output);

web/add/firewall/banlist/index.php

@@ -6,6 +6,12 @@
 // Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 // Check user
 if ($_SESSION['user'] != 'admin') {
     header("Location: /list/user");

web/delete/cron/autoupdate/index.php

@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     exec (HESTIA_CMD."v-delete-cron-hestia-autoupdate", $output, $return_var);
     $_SESSION['error_msg'] = __('Autoupdate has been successfully disabled');

web/delete/cron/reports/index.php

@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 exec (HESTIA_CMD."v-delete-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled');
 unset($output);

web/edit/db/index.php

@@ -27,7 +27,7 @@
 
 // Parse database
 $v_username = $user;
-$v_database = $_GET['database'];
+$v_database = escapeshellarg($_GET['database']);
 $v_dbuser = $data[$v_database]['DBUSER'];
 $v_password = "";
 $v_host = $data[$v_database]['HOST'];

web/edit/mail/index.php

@@ -26,7 +26,7 @@
     unset($output);
 
     // Parse domain
-    $v_domain = $_GET['domain'];
+    $v_domain = escapeshellarg($_GET['domain']);
     $v_antispam = $data[$v_domain]['ANTISPAM'];
     $v_antivirus = $data[$v_domain]['ANTIVIRUS'];
     $v_dkim = $data[$v_domain]['DKIM'];
@@ -51,8 +51,8 @@
 
     // Parse mail account
     $v_username = $user;
-    $v_domain = $_GET['domain'];
-    $v_account = $_GET['account'];
+    $v_domain = escapeshellarg($_GET['domain']);
+    $v_account = escapeshellarg($_GET['account']);
     $v_password = "";
     $v_aliases = str_replace(',', "\n", $data[$v_account]['ALIAS']);
     $valiases = explode(",", $data[$v_account]['ALIAS']);
@@ -219,7 +219,7 @@
 
     // Change account aliases
     if (empty($_SESSION['error_msg'])) {
-        $waliases = preg_replace("/\n/", " ", $_POST['v_aliases']);
+        $waliases = preg_replace("/\n/", " ", escapeshellarg($_POST['v_aliases']));
         $waliases = preg_replace("/,/", " ", $waliases);
         $waliases = preg_replace('/\s+/', ' ',$waliases);
         $waliases = trim($waliases);
@@ -245,7 +245,7 @@
 
     // Change forwarders
     if (empty($_SESSION['error_msg'])) {
-        $wfwd = preg_replace("/\n/", " ", $_POST['v_fwd']);
+        $wfwd = preg_replace("/\n/", " ", escapeshellarg($_POST['v_fwd']));
         $wfwd = preg_replace("/,/", " ", $wfwd);
         $wfwd = preg_replace('/\s+/', ' ',$wfwd);
         $wfwd = trim($wfwd);

web/edit/web/index.php

@@ -26,7 +26,7 @@
 
 // Parse domain
 $v_username = $user;
-$v_domain = $_GET['domain'];
+$v_domain = escapeshellarg($_GET['domain']);
 $v_ip = $data[$v_domain]['IP'];
 $v_template = $data[$v_domain]['TPL'];
 $v_aliases = str_replace(',', "\n", $data[$v_domain]['ALIAS']);
@@ -116,6 +116,7 @@
     }
 
     // Change web domain IP
+    
     if (($v_ip != $_POST['v_ip']) && (empty($_SESSION['error_msg']))) {
         $v_ip = escapeshellarg($_POST['v_ip']);
         exec (HESTIA_CMD."v-change-web-domain-ip ".$v_username." ".$v_domain." ".$v_ip." 'no'", $output, $return_var);
@@ -162,7 +163,7 @@
 
     // Change aliases
     if (empty($_SESSION['error_msg'])) {
-        $waliases = preg_replace("/\n/", " ", $_POST['v_aliases']);
+        $waliases = preg_replace("/\n/", " ", escapeshellarg($_POST['v_aliases']));
         $waliases = preg_replace("/,/", " ", $waliases);
         $waliases = preg_replace('/\s+/', ' ',$waliases);
         $waliases = trim($waliases);
@@ -588,7 +589,7 @@
                         $subject = __("FTP login credentials");
                         $hostname = exec('hostname');
                         $from = __('MAIL_FROM',$hostname);
-                        $mailtext = __('FTP_ACCOUNT_READY',$_GET['domain'],$user,$v_ftp_username,$v_ftp_user_data['v_ftp_password']);
+                        $mailtext = __('FTP_ACCOUNT_READY',escapeshellarg($_GET['domain']),$user,$v_ftp_username,$v_ftp_user_data['v_ftp_password']);
                         send_email($to, $subject, $mailtext, $from);
                         unset($v_ftp_email);
                     }
@@ -662,7 +663,7 @@
                     $subject = __("FTP login credentials");
                     $hostname = exec('hostname');
                     $from = __('MAIL_FROM',$hostname);
-                    $mailtext = __('FTP_ACCOUNT_READY',$_GET['domain'],$user,$v_ftp_username_for_emailing,$v_ftp_user_data['v_ftp_password']);
+                    $mailtext = __('FTP_ACCOUNT_READY',escapeshellarg($_GET['domain']),$user,$v_ftp_username_for_emailing,$v_ftp_user_data['v_ftp_password']);
                     send_email($to, $subject, $mailtext, $from);
                     unset($v_ftp_email);
                 }

web/list/directory/index.php

@@ -18,8 +18,8 @@
     $panel = json_decode(implode('', $output), true);
 }
 
-$path_a = !empty($_REQUEST['dir_a']) ? $_REQUEST['dir_a'] : '';
-$path_b = !empty($_REQUEST['dir_b']) ? $_REQUEST['dir_b'] : '';
+$path_a = !empty($_REQUEST['dir_a']) ? htmlentities($_REQUEST['dir_a']) : '';
+$path_b = !empty($_REQUEST['dir_b']) ? htmlentities($_REQUEST['dir_b']) : '';
 $GLOBAL_JS  = '<script type="text/javascript">GLOBAL.START_DIR_A = "' . $path_a . '";</script>';
 $GLOBAL_JS .= '<script type="text/javascript">GLOBAL.START_DIR_B = "' . $path_b . '";</script>';
 $GLOBAL_JS .= '<script type="text/javascript">GLOBAL.ROOT_DIR = "' . $panel[$user]['HOME'] . '";</script>';

web/restart/system/index.php

@@ -5,6 +5,12 @@
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
     if (!empty($_GET['hostname'])) {
         exec (HESTIA_CMD."v-restart-system yes", $output, $return_var);