Escape user variable in /keys/ (hestiacp#1667)

jaapmarcus · web-flow · commit 75dd04a90283 · 2021-03-09T00:50:17.000+01:00
Remove potenial leak 2fa status
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -40,7 +40,8 @@ All notable changes to this project will be documented in this file.
 - Improved IDN domain handling to resolve issues with Let's Encrypt SSL and mail domain services.
 - Added private folder to openbasedir permission for all main templates.
 - Disabled changing backup folder via Web UI because it used symbolic link instead of mount causing issues with restore mail / user files.
-- Fix xss vulnerability in v-add-sys-ip (thanks @numanturle)
+- Fixed xss vulnerability in v-add-sys-ip (thanks **@numanturle**)
+- Fixed remote execution possibility when deleting ssh key (thanks **@numanturle**)
 
 ## [1.3.3] - Service Release
 ### Bugfixes
diff --git a/web/delete/key/index.php b/web/delete/key/index.php
@@ -6,7 +6,7 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];;
+    $user=$_GET['user'];
 }
 
 // Check token
@@ -17,8 +17,9 @@
 
 if (!empty($_GET['key'])) {
     $v_key = escapeshellarg(trim($_GET['key']));
+    $v_user = escapeshellarg(trim($v_user));
     $v_key = str_replace('/','\\/', $v_key);
-    exec (HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);
+    exec (HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key);
     check_return_code($return_var,$output);
 }
 
diff --git a/web/inc/2fa/active.php b/web/inc/2fa/active.php
diff --git a/web/login/index.php b/web/login/index.php
@@ -97,10 +97,10 @@ function authenticate_user($user, $password, $twofa = ''){
                 $data = json_decode(implode('', $output), true);
                 unset($output); 
                 if ($data[$user]['TWOFA'] != '') {
-                        if(empty($_POST['twofa'])){
+                        if(empty($twofa)){
                             return false;
                         }else{
-                            $v_twofa = $_POST['twofa'];
+                            $v_twofa = escapeshellarg($twofa);
                             exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
                             unset($output);
                             if ( $return_var > 0 ) {
