Fix XXS issues (hestiacp#2432)

* XSS patches

* Reslove XSS vulnrebilty

* Resolve XSS vulnrebility

* Prevent showing edit form from non exsiting records

* Improve error handling message

Create a function

* Make sure $user from $_SESSION is escapeshellarg

Prevent double escapeshellarg in Edit/web/index

* Enable translateable errors in /inc/main.php

Fix  "White" screen issue when trying to loginas non existing user

* Prevent double escapeshellarg()

* Do not remove unset($output)

* Resolve linting errors

Author: jaapmarcus

install/deb/phpmyadmin/hestia-sso.php

@@ -147,7 +147,11 @@ function session_invalid()
                 $user = $_GET['user'];
                 $host = 'localhost';
                 $token = $_GET['hestia_token'];
-                $time = $_GET['exp'];
+                if(is_numeric($_GET['exp'])){
+                    $time = $_GET['exp'];
+                }else{
+                    $time = 0; 
+                }
 
                 if ($time + 60 > time()) {
                     //note: Possible issues with cloudflare due to ip obfuscation

web/delete/backup/exclusion/index.php

@@ -4,16 +4,15 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
 verify_csrf($_GET);
 
 if (!empty($_GET['system'])) {
-    $v_username = escapeshellarg($user);
     $v_system = escapeshellarg($_GET['system']);
-    exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$v_username." ".$v_system, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-user-backup-exclusions ".$user." ".$v_system, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);

web/delete/backup/index.php

@@ -4,16 +4,15 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
 verify_csrf($_GET);
 
 if (!empty($_GET['backup'])) {
-    $v_username = escapeshellarg($user);
     $v_backup = escapeshellarg($_GET['backup']);
-    exec(HESTIA_CMD."v-delete-user-backup ".$v_username." ".$v_backup, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-user-backup ".$user." ".$v_backup, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);

web/delete/cron/index.php

@@ -4,7 +4,7 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
@@ -13,7 +13,7 @@
 if (!empty($_GET['job'])) {
     $v_username = escapeshellarg($user);
     $v_job = escapeshellarg($_GET['job']);
-    exec(HESTIA_CMD."v-delete-cron-job ".$v_username." ".$v_job, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-cron-job ".$user." ".$v_job, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);

web/delete/db/index.php

@@ -4,16 +4,15 @@
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
 verify_csrf($_GET);
 
 if (!empty($_GET['database'])) {
-    $v_username = escapeshellarg($user);
     $v_database = escapeshellarg($_GET['database']);
-    exec(HESTIA_CMD."v-delete-database ".$v_username." ".$v_database, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-database ".$user." ".$v_database, $output, $return_var);
 }
 check_return_code($return_var, $output);
 unset($output);

web/delete/dns/index.php

@@ -5,17 +5,16 @@
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 // Check token
 verify_csrf($_GET);
 
 // DNS domain
 if ((!empty($_GET['domain'])) && (empty($_GET['record_id']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-delete-dns-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-dns-domain ".$user." ".$v_domain, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
 
@@ -41,8 +40,14 @@
         header("Location: ".$back);
         exit;
     }
-    header("Location: /list/dns/?domain=".$_GET['domain']);
-    exit;
+    if($return_var > 0){
+        header("Location: /list/dns/");
+        exit;
+    }else{
+        header("Location: /list/dns/?domain=".$_GET['domain']);
+        exit;
+    }
+    
 }
 
 $back = $_SESSION['back'];

web/delete/key/index.php

@@ -7,13 +7,12 @@
 verify_csrf($_GET);
 
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user = $_GET['user'];
+    $user=escapeshellarg($_GET['user']);
 }
 
 if (!empty($_GET['key'])) {
     $v_key = escapeshellarg(trim($_GET['key']));
-    $v_user = escapeshellarg(trim($user));
-    exec(HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key);
+    exec(HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);
     check_return_code($return_var, $output);
 }
 

web/delete/log/auth/index.php

@@ -7,13 +7,12 @@
 
 // Check if administrator is viewing system log (currently 'admin' user)
 if (($_SESSION['userContext'] === "admin") && (isset($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
     $token=$_SESSION['token'];
 }
 
 // Clear log
-$v_username = escapeshellarg($user);
-exec(HESTIA_CMD."v-delete-user-auth-log ".$v_username, $output, $return_var);
+exec(HESTIA_CMD."v-delete-user-auth-log ".$user, $output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 
@@ -32,7 +31,7 @@
 
 // Add current user session back to log unless impersonating another user
 if (!isset($_SESSION['look'])) {
-    exec(HESTIA_CMD."v-log-user-login ".$v_username." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
+    exec(HESTIA_CMD."v-log-user-login ".$user." ".$v_ip." success ".$v_session_id." ".$v_user_agent, $output, $return_var);
 }
 
 // Flush session messages

web/delete/log/index.php

@@ -7,24 +7,27 @@
 
 // Check if administrator is viewing system log (currently 'admin' user)
 if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=escapeshellarg($_GET['user']);
     $token=$_SESSION['token'];
 }
 
-// Set correct page reload target
-if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
-    header("Location: /list/log/?user=$user&token=$token");
-} else {
-    header("Location: /list/log/");
-}
-
 // Clear log
-$v_username = escapeshellarg($user);
-exec(HESTIA_CMD."v-delete-user-log ".$v_username." ".$output, $return_var);
+exec(HESTIA_CMD."v-delete-user-log ".$user." ".$output, $return_var);
 check_return_code($return_var, $output);
 unset($output);
 unset($token);
 
+if($return_var > 0){
+    header("Location: /list/log/");
+}else{
+    // Set correct page reload target
+    if (($_SESSION['userContext'] === "admin") && (!empty($_GET['user']))) {
+        header("Location: /list/log/?user=$user&token=$token");
+    } else {
+        header("Location: /list/log/");
+    }
+}
+
 // Render page
 render_page($user, $TAB, 'list_log');
 

web/delete/mail/index.php

@@ -5,7 +5,7 @@
 
 // Delete as someone else?
 if (($_SESSION['userContext'] === 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];
+    $user=scapeshellarg($user);
 }
 
 // Check token
@@ -15,10 +15,13 @@
 if ((!empty($_GET['domain'])) && (empty($_GET['account']))) {
     $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
-    exec(HESTIA_CMD."v-delete-mail-domain ".$v_username." ".$v_domain, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-mail-domain ".$user." ".$v_domain, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
     $back = $_SESSION['back'];
+    if($return_var > 0){
+       header("Location: /list/mail/"); 
+    }
     if (!empty($back)) {
         header("Location: ".$back);
         exit;
@@ -29,19 +32,22 @@
 
 // Mail account
 if ((!empty($_GET['domain'])) && (!empty($_GET['account']))) {
-    $v_username = escapeshellarg($user);
     $v_domain = escapeshellarg($_GET['domain']);
     $v_account = escapeshellarg($_GET['account']);
-    exec(HESTIA_CMD."v-delete-mail-account ".$v_username." ".$v_domain." ".$v_account, $output, $return_var);
+    exec(HESTIA_CMD."v-delete-mail-account ".$user." ".$v_domain." ".$v_account, $output, $return_var);
     check_return_code($return_var, $output);
     unset($output);
+    if($return_var > 0){
+       header("Location: /list/mail/"); 
+    }else{
     $back = $_SESSION['back'];
     if (!empty($back)) {
         header("Location: ".$back);
         exit;
     }
     header("Location: /list/mail/?domain=".$_GET['domain']);
     exit;
+    }
 }
 
 $back = $_SESSION['back'];