Fix security issues in v-add-web-domain-redirect + Sync up main with release (hestiacp#2814)

jaapmarcus · web-flow · commit b178b9719bb2 · 2022-08-04T18:18:04.000+02:00
* Fix v-add-web-domain-redirect

* Remove sudo permission admin group on new setups

We delete the group before install anyway

* Block "sudo" from

* Add missing slash

* Update changelog

* Update versions
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,26 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.6.6] - Service release 
+
+### Bugfixes
+
+- Update DNS templates with CNAME for ftp, www and webmail (#2808)
+- Fix name server A record validation error (#2807)
+- Fixed issue with renaming domains and config files not properly removed (#2803)
+- Add loading indicator after clicking save button (#2740)
+- Improve hostname detection in mail-wrapper (#2805 @clarkchentw)
+
+### Security
+
+- Fixed an vulnerability in v-add-web-domain-redirect (CVE-2022-2636)
+- Fixed an vulnerability in Ubuntu that can lead in privilege escalation for admin to root user (CVE-2022-2626)
+
+### Dependencies
+
+- Update Roundcube to 1.6.0
+- Update Dokuwiki to "2022-07-31" Igor (#2811)
+
 ## [1.6.5] - Service release 
 
 ### Bugfixes
@@ -13,7 +33,7 @@ All notable changes to this project will be documented in this file.
 - Improve random bytes generator (#2774)
 - Don't allow /inc/2fa/secret.php called from the web browser directly (#2784 @mayappear)
 - Improve CSRF Origin Check Bypass (#2785 @mayappear)
-- Fix vulnerability in Docuwiki Quick Install App @redstarp2 (CVE 2022-xxx-xxx)
+- Fix vulnerability in Docuwiki Quick Install App @redstarp2 (CVE-2022-2550)
 
 ### Dependencies
 
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.6.5 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
+**Latest stable release:** Version 1.6.6 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md) | [![Build Status](https://drone.hestiacp.com/api/badges/hestiacp/hestiacp/status.svg?ref=refs/heads/main)](https://drone.hestiacp.com/hestiacp/hestiacp) <br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>
diff --git a/bin/v-add-user b/bin/v-add-user
@@ -31,8 +31,9 @@ source_conf "$HESTIA/conf/hestia.conf"
 
 is_user_free() {
     # these names may cause issues with MariaDB/MySQL database names and should be reserved:
+    # sudo has been added due to Privilege escalation as sudo group has always sudo permission
     check_sysuser=$(php -r '$reserved_names=array("aria", "aria_log", "mysql", "mysql_upgrade", "ib", "ib_buffer",
- "ddl", "ddl_recovery", "performance"); if(in_array(strtolower($argv[1]), $reserved_names, true)){echo implode(", ", $reserved_names);}' "$user" );
+ "ddl", "ddl_recovery", "performance", "sudo"); if(in_array(strtolower($argv[1]), $reserved_names, true)){echo implode(", ", $reserved_names);}' "$user" );
     if [ -n "$check_sysuser" ]; then
         check_result "$E_INVALID" "The user name '$user' is reserved and cannot be used. List of reserved names: $check_sysuser"
         return
diff --git a/bin/v-add-web-domain-redirect b/bin/v-add-web-domain-redirect
@@ -42,21 +42,18 @@ is_object_unsuspended 'user' 'USER' "$user"
 is_object_valid 'web' 'DOMAIN' "$domain"
 is_object_unsuspended 'web' 'DOMAIN' "$domain"
 
-scheme=0
 if [[ "$3" =~ http://|https:// ]]; then
     scheme=1
-    regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
-    if ! [[ "$3" =~ $regex ]]; then
-        echo "Invalid redirect"
-        exit 2;
+    isValidUrl=$(php -r '$url=$argv[1]; $url=filter_var($url,FILTER_VALIDATE_URL); echo $url;' "$3")
+    if  [ -z "$isValidUrl" ]; then
+        check_result $E_INVALID "Invalid redirect"
     fi
 else
-    regex='[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
-    if ! [[ "$3" =~ $regex ]]; then
-        echo "Invalid redirect"
-        exit 2;
+    isValidUrl=$(php -r '$url=$argv[1]; $url=filter_var($url,FILTER_VALIDATE_URL); echo $url;' "http://$3")
+    if  [ -z "$isValidUrl" ]; then
+        check_result $E_INVALID "Invalid redirect"
     fi
-fi
+fi 
 
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
diff --git a/install/hst-install-debian.sh b/install/hst-install-debian.sh
@@ -32,7 +32,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.6.6~alpha'
+HESTIA_INSTALL_VER='1.6.7~alpha'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1")
 fpm_v="8.0"
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -32,7 +32,7 @@ HESTIA_COMMON_DIR="$HESTIA/install/common"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.6.6~alpha'
+HESTIA_INSTALL_VER='1.6.7~alpha'
 # Dependencies
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0" "8.1")
 fpm_v="8.0"
@@ -1335,6 +1335,8 @@ fi
 if [ -n "$(grep ^admin: /etc/group)" ] && [ "$force" = 'yes' ]; then
     groupdel admin > /dev/null 2>&1
 fi
+# Remove sudo "default" sudo permission admin user group should not exists any way 
+sed -i "s/%admin ALL=(ALL) ALL/#%admin ALL=(ALL) ALL/g" /etc/sudoers
 
 # Enable sftp jail
 echo "[ * ] Enable SFTP jail..."
diff --git a/install/upgrade/versions/1.6.7.sh b/install/upgrade/versions/1.6.7.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.6.7
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+####### Pass through information to the end user in case of a issue or problem  #######
+#######                                                                         #######
+####### Use add_upgrade_message "My message here" to include a message          #######
+####### in the upgrade notification email. Example:                             #######
+#######                                                                         #######
+####### add_upgrade_message "My message here"                                   #######
+#######                                                                         #######
+####### You can use \n within the string to create new lines.                   #######
+#######################################################################################
+
+upgrade_config_set_value 'UPGRADE_UPDATE_WEB_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_DNS_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_MAIL_TEMPLATES' 'no'
+upgrade_config_set_value 'UPGRADE_REBUILD_USERS' 'no'
+upgrade_config_set_value 'UPGRADE_UPDATE_FILEMANAGER_CONFIG' 'false'
diff --git a/src/deb/hestia/control b/src/deb/hestia/control
@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.6.6~alpha
+Version: 1.6.7~alpha
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com
