Vesta CP 0.9.8–20 rXSS to RCE / solves hestiacp#1558

Author: Serghey Rodin

web/upload/UploadHandler.php

@@ -1117,37 +1117,12 @@ protected function handle_file_upload($uploaded_file, $name, $size, $type, $erro
             $append_file = $content_range && is_file($file_path) &&
                 $file->size > $this->get_file_size($file_path);
             if ($uploaded_file && is_uploaded_file($uploaded_file)) {
-                // multipart/formdata uploads (POST method uploads)
-                if ($append_file) {
-                    file_put_contents(
-                        $file_path,
-                        fopen($uploaded_file, 'r'),
-                        FILE_APPEND
-                    );
-                } else {
-                    chmod($uploaded_file, 0644);
-//                    move_uploaded_file($uploaded_file, $file_path);
-                    exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} '{$file_path}'", $output, $return_var);
-
-                    $error = check_return_code($return_var, $output);
-                    if ($return_var != 0) {
-                        //var_dump(VESTA_CMD . "v-copy-fs-file {$user} {$fn} {$path}");
-                        //var_dump($path);
-                        //var_dump($output);
-                        $file->error = 'Error while saving file ';
-//                        var_dump(VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} {$file_path}");
-//                        var_dump($return_var);
-//                        var_dump($output);
-//                        exit();
-                    }
+                chmod($uploaded_file, 0644);
+                exec (VESTA_CMD . "v-copy-fs-file ". USERNAME ." {$uploaded_file} '{$file_path}'", $output, $return_var);
+                $error = check_return_code($return_var, $output);
+                if ($return_var != 0) {
+                    $file->error = 'Error while saving file ';
                 }
-            } else {
-                // Non-multipart uploads (PUT method support)
-                file_put_contents(
-                    $file_path,
-                    fopen('php://input', 'r'),
-                    $append_file ? FILE_APPEND : 0
-                );
             }
             $file_size = $this->get_file_size($file_path, $append_file);
 

web/view/file/index.php

@@ -16,7 +16,7 @@
     $path = $_REQUEST['path'];
     if (!empty($_REQUEST['raw'])) {
         header('content-type: image/jpeg');
-        passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg($_REQUEST['path']));
+        passthru (VESTA_CMD . "v-open-fs-file " . $user . " " . escapeshellarg(htmlspecialchars($_REQUEST['path'], ENT_QUOTES, 'UTF-8')));
         exit;
     }
 }