password transmission via tmp files

Author: serghey-rodin

web/add/db/index.php

@@ -43,7 +43,6 @@
     // Protect input
     $v_database = escapeshellarg($_POST['v_database']);
     $v_dbuser = escapeshellarg($_POST['v_dbuser']);
-    $v_password = escapeshellarg($_POST['v_password']);
     $v_type = $_POST['v_type'];
     $v_charset = $_POST['v_charset'];
     $v_host = $_POST['v_host'];
@@ -54,9 +53,15 @@
         $v_type = escapeshellarg($_POST['v_type']);
         $v_charset = escapeshellarg($_POST['v_charset']);
         $v_host = escapeshellarg($_POST['v_host']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
+        unlink($v_password);
+        $v_password = escapeshellarg($_POST['v_password']);
         $v_type = $_POST['v_type'];
         $v_host = $_POST['v_host'];
         $v_charset = $_POST['v_charset'];

web/add/mail/index.php

@@ -87,7 +87,6 @@
     $v_domain = escapeshellarg($_POST['v_domain']);
     $v_domain = strtolower($v_domain);
     $v_account = escapeshellarg($_POST['v_account']);
-    $v_password = escapeshellarg($_POST['v_password']);
     $v_quota = escapeshellarg($_POST['v_quota']);
     $v_aliases = $_POST['v_aliases'];
     $v_fwd = $_POST['v_fwd'];
@@ -96,9 +95,15 @@
 
     // Add Mail Account
     if (empty($_SESSION['error_msg'])) {
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-add-mail-account ".$user." ".$v_domain." ".$v_account." ".$v_password." ".$v_quota, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
+        unlink($v_password);
+        $v_password = escapeshellarg($_POST['v_password']);
     }
 
     // Add Aliases

web/add/user/index.php

@@ -47,7 +47,6 @@
 
     // Protect input
     $v_username = escapeshellarg($_POST['v_username']);
-    $v_password = escapeshellarg($_POST['v_password']);
     $v_email = escapeshellarg($_POST['v_email']);
     $v_package = escapeshellarg($_POST['v_package']);
     $v_language = escapeshellarg($_POST['v_language']);
@@ -58,9 +57,15 @@
 
     // Add user
     if (empty($_SESSION['error_msg'])) {
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-add-user ".$v_username." ".$v_password." ".$v_email." ".$v_package." ".$v_fname." ".$v_lname, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
+        unlink($v_password);
+        $v_password = escapeshellarg($_POST['v_password']);
     }
 
     // Set language

web/add/web/index.php

@@ -196,10 +196,15 @@
     // Add web stats password
     if ((!empty($_POST['v_stats_user'])) && (empty($_SESSION['error_msg']))) {
         $v_stats_user = escapeshellarg($_POST['v_stats_user']);
-        $v_stats_password = escapeshellarg($_POST['v_stats_password']);
+        $v_stats_password = tempnam("/tmp","vst");
+        $fp = fopen($v_stats_password, "w");
+        fwrite($fp, $_POST['v_stats_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-add-web-domain-stats-user ".$user." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
+        unlink($v_stats_password);
+        $v_stats_password = escapeshellarg($_POST['v_stats_password']);
     }
 
     // Restart DNS server
@@ -259,13 +264,16 @@
                 $v_ftp_username      = $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_user = escapeshellarg($v_ftp_user_data['v_ftp_user']);
-                $v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
-
                 if ($domain_added) {
                     $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
+                    $v_ftp_password = tempnam("/tmp","vst");
+                    $fp = fopen($v_ftp_password, "w");
+                    fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
+                    fclose($fp);
                     exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
                     check_return_code($return_var,$output);
                     unset($output);
+                    unlink($v_ftp_password);
                     if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
                         $to = $v_ftp_user_data['v_ftp_email'];
                         $subject = __("FTP login credentials");

web/api/index.php

@@ -11,11 +11,15 @@
             echo 'Error: only admin is allowed to use API';
             exit;
         }
-        
+
         $v_user = escapeshellarg($_POST['user']);
-        $v_password = escapeshellarg($_POST['password']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['password']."\n");
+        fclose($fp);
         $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
         exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'",  $output, $auth_code);
+        unlink($v_password);
     } else {
         $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
         if (file_exists($key) && is_file($key)) {
@@ -27,7 +31,7 @@
         echo 'Error: authentication failed';
         exit;
     }
-    
+
     // Prepare arguments
     if (isset($_POST['cmd'])) $cmd = escapeshellarg($_POST['cmd']);
     if (isset($_POST['arg1'])) $arg1 = escapeshellarg($_POST['arg1']);
@@ -40,31 +44,30 @@
     if (isset($_POST['arg8'])) $arg8 = escapeshellarg($_POST['arg8']);
     if (isset($_POST['arg9'])) $arg9 = escapeshellarg($_POST['arg9']);
 
- // Build query
+    // Build query
     $cmdquery = VESTA_CMD.$cmd." ";
-     
-     if(!empty($arg1)){
-                     $cmdquery = $cmdquery.$arg1." "; }
-     if(!empty($arg2)){
-                     $cmdquery = $cmdquery.$arg2." "; }
-     if(!empty($arg3)){
-                     $cmdquery = $cmdquery.$arg3." "; }
-     if(!empty($arg4)){
-                     $cmdquery = $cmdquery.$arg4." "; }
-     if(!empty($arg5)){
-                     $cmdquery = $cmdquery.$arg5." "; }
-     if(!empty($arg6)){
-                     $cmdquery = $cmdquery.$arg6." "; }
-     if(!empty($arg7)){
-                     $cmdquery = $cmdquery.$arg7." "; }
-     if(!empty($arg8)){
-                     $cmdquery = $cmdquery.$arg8." "; }
-     if(!empty($arg9)){
-                     $cmdquery = $cmdquery.$arg9; }
+    if(!empty($arg1)){
+         $cmdquery = $cmdquery.$arg1." "; }
+    if(!empty($arg2)){
+         $cmdquery = $cmdquery.$arg2." "; }
+    if(!empty($arg3)){
+         $cmdquery = $cmdquery.$arg3." "; }
+    if(!empty($arg4)){
+         $cmdquery = $cmdquery.$arg4." "; }
+    if(!empty($arg5)){
+         $cmdquery = $cmdquery.$arg5." "; }
+    if(!empty($arg6)){
+         $cmdquery = $cmdquery.$arg6." "; }
+    if(!empty($arg7)){
+         $cmdquery = $cmdquery.$arg7." "; }
+    if(!empty($arg8)){
+         $cmdquery = $cmdquery.$arg8." "; }
+    if(!empty($arg9)){
+         $cmdquery = $cmdquery.$arg9; }
 
-   // Run query
+    // Run query
     exec ($cmdquery, $output, $return_var);
-    
+
     if ((!empty($_POST['returncode'])) && ($_POST['returncode'] == 'yes')) {
         echo $return_var;
     } else {

web/edit/db/index.php

@@ -64,11 +64,15 @@
 
     // Change database password
     if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
-        $v_password = escapeshellarg($_POST['v_password']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-change-database-password ".$v_username." ".$v_database." ".$v_password, $output, $return_var);
-        check_return_code($return_var,$output);
-        $v_password = "••••••••";
+        check_return_code($return_var,$output);    
         unset($output);
+        unlink($v_password);
+        $v_password = "••••••••";
     }
 
     // Set success message

web/edit/mail/index.php

@@ -178,11 +178,15 @@
 
     // Change password
     if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
-        $v_password = escapeshellarg($_POST['v_password']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-change-mail-account-password ".$v_username." ".$v_domain." ".$v_account." ".$v_password, $output, $return_var);
         check_return_code($return_var,$output);
-        $v_password = "••••••••";
         unset($output);
+        unlink($v_password);
+        $v_password = "••••••••";
     }
 
     // Change quota

web/edit/user/index.php

@@ -76,11 +76,15 @@
 
     // Change password
     if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
-        $v_password = escapeshellarg($_POST['v_password']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-change-user-password ".$v_username." ".$v_password, $output, $return_var);
         check_return_code($return_var,$output);
-        $v_password = "••••••••";
         unset($output);
+        unlink($v_password);
+        $v_password = "••••••••";
     }
 
     // Change package (admin only)

web/edit/web/index.php

@@ -426,10 +426,14 @@
             $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
         } else {
             $v_stats_user = escapeshellarg($_POST['v_stats_user']);
-            $v_stats_password = escapeshellarg($_POST['v_stats_password']);
+            $v_stats_password = tempnam("/tmp","vst");
+            $fp = fopen($v_stats_password, "w");
+            fwrite($fp, $_POST['v_stats_password']."\n");
+            fclose($fp);
             exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
             check_return_code($return_var,$output);
             unset($output);
+            unlink($v_stats_password);
             $v_stats_password = "••••••••";
         }
     }
@@ -450,10 +454,14 @@
         }
         if (($v_stats_user != $_POST['v_stats_user']) || ($_POST['v_stats_password'] != "••••••••" ) && (empty($_SESSION['error_msg']))) {
             $v_stats_user = escapeshellarg($_POST['v_stats_user']);
-            $v_stats_password = escapeshellarg($_POST['v_stats_password']);
+            $v_stats_password = tempnam("/tmp","vst");
+            $fp = fopen($v_stats_password, "w");
+            fwrite($fp, $_POST['v_stats_password']."\n");
+            fclose($fp);
             exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
             check_return_code($return_var,$output);
             unset($output);
+            unlink($v_stats_password);
             $v_stats_password = "••••••••";
         }
     }
@@ -484,9 +492,12 @@
                 $v_ftp_username      = $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_user = escapeshellarg($v_ftp_username);
-                $v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
                 $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
                 if (empty($_SESSION['error_msg'])) {
+                    $v_ftp_password = tempnam("/tmp","vst");
+                    $fp = fopen($v_ftp_password, "w");
+                    fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
+                    fclose($fp);
                     exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
                     check_return_code($return_var,$output);
                     if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
@@ -499,6 +510,8 @@
                         unset($v_ftp_email);
                     }
                     unset($output);
+                    unlink($v_ftp_password);
+                    $v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
                 }
 
                 if ($return_var == 0) {
@@ -552,7 +565,13 @@
                 $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
                 exec (VESTA_CMD."v-change-web-domain-ftp-path ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_path, $output, $return_var);
                 if ($v_ftp_user_data['v_ftp_password'] != "'••••••••'" && $v_ftp_user_data['v_ftp_password'] != "••••••••" && !empty($v_ftp_user_data['v_ftp_password'])) {
+                    $v_ftp_password = tempnam("/tmp","vst");
+                    $fp = fopen($v_ftp_password, "w");
+                    fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
+                    fclose($fp);
                     exec (VESTA_CMD."v-change-web-domain-ftp-password ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_user_data['v_ftp_password'], $output, $return_var);
+                    unlink($v_ftp_password);
+                    $v_ftp_user_data['v_ftp_password'] = escapeshellarg(trim($v_ftp_user_data['v_ftp_password']));
                     $to = $v_ftp_user_data['v_ftp_email'];
                     $subject = __("FTP login credentials");
                     $hostname = exec('hostname');

web/list/dns/index.php

@@ -23,7 +23,7 @@
         include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_dns.html');
     }
 } else {
-    exec (VESTA_CMD."v-list-dns-records '".$user."' '".$_GET['domain']."' 'json'", $output, $return_var);
+    exec (VESTA_CMD."v-list-dns-records '".$user."' '".escapeshellarg($_GET['domain'])."' 'json'", $output, $return_var);
     $data = json_decode(implode('', $output), true);
     $data = array_reverse($data, true);
     unset($output);