Merge pull request hestiacp#534 from serghey-rodin/revert-516-fix-sec-osci

Revert "[SECURITY] Fix OS command injection."

Author: serghey-rodin

web/add/cron/autoupdate/index.php

@@ -3,12 +3,13 @@
 error_reporting(NULL);
 ob_start();
 session_start();
-include($_SERVER['DOCUMENT_ROOT'].'/inc/main.php');
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if ($_SESSION['user'] == 'admin') {
-    v_exec('v-add-cron-vesta-autoupdate', [], false);
+    exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var);
     $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');
+    unset($output);
 }
 
-header('Location: /list/updates/');
+header("Location: /list/updates/");
 exit;

web/add/cron/index.php

@@ -13,7 +13,7 @@
     // Check token
     if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
         header('location: /login/');
-        exit;
+        exit();
     }
 
     // Check empty fields
@@ -35,16 +35,18 @@
     }
 
     // Protect input
-    $v_min = $_POST['v_min'];
-    $v_hour = $_POST['v_hour'];
-    $v_day = $_POST['v_day'];
-    $v_month = $_POST['v_month'];
-    $v_wday = $_POST['v_wday'];
-    $v_cmd = $_POST['v_cmd'];
+    $v_min = escapeshellarg($_POST['v_min']);
+    $v_hour = escapeshellarg($_POST['v_hour']);
+    $v_day = escapeshellarg($_POST['v_day']);
+    $v_month = escapeshellarg($_POST['v_month']);
+    $v_wday = escapeshellarg($_POST['v_wday']);
+    $v_cmd = escapeshellarg($_POST['v_cmd']);
 
     // Add cron job
     if (empty($_SESSION['error_msg'])) {
-        v_exec('v-add-cron-job', [$user, $v_min, $v_hour, $v_day, $v_month, $v_wday, $v_cmd]);
+        exec (VESTA_CMD."v-add-cron-job ".$user." ".$v_min." ".$v_hour." ".$v_day." ".$v_month." ".$v_wday." ".$v_cmd, $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
     }
 
     // Flush field values on success
@@ -56,6 +58,7 @@
         unset($v_month);
         unset($v_wday);
         unset($v_cmd);
+        unset($output);
     }
 }
 

web/add/cron/reports/index.php

@@ -3,10 +3,11 @@
 error_reporting(NULL);
 ob_start();
 session_start();
-include($_SERVER['DOCUMENT_ROOT'].'/inc/main.php');
+include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
-v_exec('v-add-cron-reports', [$user], false);
+exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled');
+unset($output);
 
-header('Location: /list/cron/');
+header("Location: /list/cron/");
 exit;

web/add/db/index.php

@@ -12,7 +12,7 @@
     // Check token
     if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
         header('location: /login/');
-        exit;
+        exit();
     }
 
     // Check empty fields
@@ -30,7 +30,7 @@
                 $error_msg = $error_msg.", ".$error;
             }
         }
-        $_SESSION['error_msg'] = __('Field "%s" can not be blank.', $error_msg);
+        $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
     }
 
     // Validate email
@@ -43,36 +43,45 @@
     // Check password length
     if (empty($_SESSION['error_msg'])) {
         $pw_len = strlen($_POST['v_password']);
-        if ($pw_len < 6) $_SESSION['error_msg'] = __('Password is too short.', $error_msg);
+        if ($pw_len < 6 ) $_SESSION['error_msg'] = __('Password is too short.',$error_msg);
     }
 
-    $v_database = $_POST['v_database'];
-    $v_dbuser = $_POST['v_dbuser'];
+    // Protect input
+    $v_database = escapeshellarg($_POST['v_database']);
+    $v_dbuser = escapeshellarg($_POST['v_dbuser']);
     $v_type = $_POST['v_type'];
     $v_charset = $_POST['v_charset'];
     $v_host = $_POST['v_host'];
     $v_db_email = $_POST['v_db_email'];
 
     // Add database
     if (empty($_SESSION['error_msg'])) {
-        $v_password = tempnam('/tmp', 'vst');
-        $fp = fopen($v_password, 'w');
+        $v_type = escapeshellarg($_POST['v_type']);
+        $v_charset = escapeshellarg($_POST['v_charset']);
+        $v_host = escapeshellarg($_POST['v_host']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
         fwrite($fp, $_POST['v_password']."\n");
         fclose($fp);
-        v_exec('v-add-database', [$user, $v_database, $v_dbuser, $v_password, $v_type, $v_host, $v_charset]);
+        exec (VESTA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
         unlink($v_password);
-        $v_password = $_POST['v_password'];
+        $v_password = escapeshellarg($_POST['v_password']);
+        $v_type = $_POST['v_type'];
+        $v_host = $_POST['v_host'];
+        $v_charset = $_POST['v_charset'];
     }
 
     // Get database manager url
     if (empty($_SESSION['error_msg'])) {
-        list($http_host, $port) = explode(':', $_SERVER['HTTP_HOST'] . ':');
+        list($http_host, $port) = explode(':', $_SERVER["HTTP_HOST"] . ":");
         if ($_POST['v_host'] != 'localhost' ) $http_host = $_POST['v_host'];
-        if ($_POST['v_type'] == 'mysql') $db_admin = 'phpMyAdmin';
-        if ($_POST['v_type'] == 'mysql') $db_admin_link = "http://$http_host/phpmyadmin/";
+        if ($_POST['v_type'] == 'mysql') $db_admin = "phpMyAdmin";
+        if ($_POST['v_type'] == 'mysql') $db_admin_link = "http://".$http_host."/phpmyadmin/";
         if (($_POST['v_type'] == 'mysql') && (!empty($_SESSION['DB_PMA_URL']))) $db_admin_link = $_SESSION['DB_PMA_URL'];
-        if ($_POST['v_type'] == 'pgsql') $db_admin = 'phpPgAdmin';
-        if ($_POST['v_type'] == 'pgsql') $db_admin_link = "http://$http_host/phppgadmin/";
+        if ($_POST['v_type'] == 'pgsql') $db_admin = "phpPgAdmin";
+        if ($_POST['v_type'] == 'pgsql') $db_admin_link = "http://".$http_host."/phppgadmin/";
         if (($_POST['v_type'] == 'pgsql') && (!empty($_SESSION['DB_PGA_URL']))) $db_admin_link = $_SESSION['DB_PGA_URL'];
     }
 
@@ -81,15 +90,15 @@
         $to = $v_db_email;
         $subject = __("Database Credentials");
         $hostname = exec('hostname');
-        $from = __('MAIL_FROM', $hostname);
-        $mailtext = __('DATABASE_READY', $user.'_'.$_POST['v_database'], $user.'_'.$_POST['v_dbuser'], $_POST['v_password'], $db_admin_link);
+        $from = __('MAIL_FROM',$hostname);
+        $mailtext = __('DATABASE_READY',$user."_".$_POST['v_database'],$user."_".$_POST['v_dbuser'],$_POST['v_password'],$db_admin_link);
         send_email($to, $subject, $mailtext, $from);
     }
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('DATABASE_CREATED_OK', htmlentities($user.'_'.$_POST['v_database']), htmlentities($user.'_'.$_POST['v_database']));
-        $_SESSION['ok_msg'] .= " / <a href=$db_admin_link target='_blank'>" . __('open %s', $db_admin) . '</a>';
+        $_SESSION['ok_msg'] = __('DATABASE_CREATED_OK',htmlentities($user)."_".htmlentities($_POST['v_database']),htmlentities($user)."_".htmlentities($_POST['v_database']));
+        $_SESSION['ok_msg'] .= " / <a href=".$db_admin_link." target='_blank'>" . __('open %s',$db_admin) . "</a>";
         unset($v_database);
         unset($v_dbuser);
         unset($v_password);
@@ -108,15 +117,16 @@
 $v_db_email = $panel[$user]['CONTACT'];
 
 // List avaiable database types
-$db_types = explode(',', $_SESSION['DB_SYSTEM']);
+$db_types = split(",",$_SESSION['DB_SYSTEM']);
 
 // List available database servers
 $db_hosts = array();
 foreach ($db_types as $db_type ) {
-    v_exec('v-list-database-hosts', [$db_type, 'json'], false, $output);
-    $db_hosts_tmp = json_decode($output, true);
+    exec (VESTA_CMD."v-list-database-hosts ".$db_type." 'json'", $output, $return_var);
+    $db_hosts_tmp = json_decode(implode('', $output), true);
     $db_hosts = array_merge($db_hosts, $db_hosts_tmp);
     unset($db_hosts_tmp);
+    unset($output);
 }
 
 // Display body

web/add/dns/index.php

@@ -13,7 +13,7 @@
     // Check token
     if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
         header('location: /login/');
-        exit;
+        exit();
     }
 
     // Check empty fields
@@ -32,47 +32,56 @@
 
     // Protect input
     $v_domain = preg_replace("/^www./i", "", $_POST['v_domain']);
+    $v_domain = escapeshellarg($v_domain);
     $v_domain = strtolower($v_domain);
-    $v_ip = $_POST['v_ip'];
-    if (!empty($_POST['v_ns1'])) $v_ns1 = $_POST['v_ns1'];
-    if (!empty($_POST['v_ns2'])) $v_ns2 = $_POST['v_ns2'];
-    if (!empty($_POST['v_ns3'])) $v_ns3 = $_POST['v_ns3'];
-    if (!empty($_POST['v_ns4'])) $v_ns4 = $_POST['v_ns4'];
-    if (!empty($_POST['v_ns5'])) $v_ns5 = $_POST['v_ns5'];
-    if (!empty($_POST['v_ns6'])) $v_ns6 = $_POST['v_ns6'];
-    if (!empty($_POST['v_ns7'])) $v_ns7 = $_POST['v_ns7'];
-    if (!empty($_POST['v_ns8'])) $v_ns8 = $_POST['v_ns8'];
+    $v_ip = escapeshellarg($_POST['v_ip']);
+    if (!empty($_POST['v_ns1'])) $v_ns1 = escapeshellarg($_POST['v_ns1']);
+    if (!empty($_POST['v_ns2'])) $v_ns2 = escapeshellarg($_POST['v_ns2']);
+    if (!empty($_POST['v_ns3'])) $v_ns3 = escapeshellarg($_POST['v_ns3']);
+    if (!empty($_POST['v_ns4'])) $v_ns4 = escapeshellarg($_POST['v_ns4']);
+    if (!empty($_POST['v_ns5'])) $v_ns5 = escapeshellarg($_POST['v_ns5']);
+    if (!empty($_POST['v_ns6'])) $v_ns6 = escapeshellarg($_POST['v_ns6']);
+    if (!empty($_POST['v_ns7'])) $v_ns7 = escapeshellarg($_POST['v_ns7']);
+    if (!empty($_POST['v_ns8'])) $v_ns8 = escapeshellarg($_POST['v_ns8']);
 
     // Add dns domain
     if (empty($_SESSION['error_msg'])) {
-        v_exec('v-add-dns-domain', [$user, $v_domain, $v_ip, $v_ns1, $v_ns2, $v_ns3, $v_ns4, $v_ns5, $v_ns6, $v_ns7, $v_ns8, 'no']);
+        exec (VESTA_CMD."v-add-dns-domain ".$user." ".$v_domain." ".$v_ip." ".$v_ns1." ".$v_ns2." ".$v_ns3." ".$v_ns4." ".$v_ns5."  ".$v_ns6."  ".$v_ns7." ".$v_ns8." no", $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
     }
 
 
     // Set expiriation date
     if (empty($_SESSION['error_msg'])) {
         if ((!empty($_POST['v_exp'])) && ($_POST['v_exp'] != date('Y-m-d', strtotime('+1 year')))) {
-            $v_exp = $_POST['v_exp'];
-            v_exec('v-change-dns-domain-exp', [$user, $v_domain, $v_exp, 'no']);
+            $v_exp = escapeshellarg($_POST['v_exp']);
+            exec (VESTA_CMD."v-change-dns-domain-exp ".$user." ".$v_domain." ".$v_exp." no", $output, $return_var);
+            check_return_code($return_var,$output);
+            unset($output);
         }
     }
 
     // Set ttl
     if (empty($_SESSION['error_msg'])) {
         if ((!empty($_POST['v_ttl'])) && ($_POST['v_ttl'] != '14400') && (empty($_SESSION['error_msg']))) {
-            $v_ttl = $_POST['v_ttl'];
-            v_exec('v-change-dns-domain-ttl', [$user, $v_domain, $v_ttl, 'no']);
+            $v_ttl = escapeshellarg($_POST['v_ttl']);
+            exec (VESTA_CMD."v-change-dns-domain-ttl ".$user." ".$v_domain." ".$v_ttl." no", $output, $return_var);
+            check_return_code($return_var,$output);
+            unset($output);
         }
     }
 
     // Restart dns server
     if (empty($_SESSION['error_msg'])) {
-        v_exec('v-restart-dns');
+        exec (VESTA_CMD."v-restart-dns", $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
     }
 
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
-        $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK', htmlentities($_POST[v_domain]), htmlentities($_POST[v_domain]));
+        $_SESSION['ok_msg'] = __('DNS_DOMAIN_CREATED_OK',htmlentities($_POST[v_domain]),htmlentities($_POST[v_domain]));
         unset($v_domain);
     }
 }
@@ -84,7 +93,7 @@
     // Check token
     if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
         header('location: /login/');
-        exit;
+        exit();
     }
 
     // Check empty fields
@@ -104,15 +113,18 @@
     }
 
     // Protect input
-    $v_domain = $_POST['v_domain'];
-    $v_rec = $_POST['v_rec'];
-    $v_type = $_POST['v_type'];
-    $v_val = $_POST['v_val'];
-    $v_priority = $_POST['v_priority'];
+    $v_domain = escapeshellarg($_POST['v_domain']);
+    $v_rec = escapeshellarg($_POST['v_rec']);
+    $v_type = escapeshellarg($_POST['v_type']);
+    $v_val = escapeshellarg($_POST['v_val']);
+    $v_priority = escapeshellarg($_POST['v_priority']);
 
     // Add dns record
     if (empty($_SESSION['error_msg'])) {
-        v_exec('v-add-dns-record', [$user, $v_domain, $v_rec, $v_type, $v_val, $v_priority]);
+        exec (VESTA_CMD."v-add-dns-record ".$user." ".$v_domain." ".$v_rec." ".$v_type." ".$v_val." ".$v_priority, $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
+        $v_type = $_POST['v_type'];
     }
 
     // Flush field values on success
@@ -147,8 +159,8 @@
     if (empty($v_ttl)) $v_ttl = 14400;
     if (empty($v_exp)) $v_exp = date('Y-m-d', strtotime('+1 year'));
     if (empty($v_ns1)) {
-        v_exec('v-list-user-ns', [$user, 'json'], false, $output);
-        $nameservers = json_decode($output, true);
+        exec (VESTA_CMD."v-list-user-ns ".$user." json", $output, $return_var);
+        $nameservers = json_decode(implode('', $output), true);
         $v_ns1 = str_replace("'", "", $nameservers[0]);
         $v_ns2 = str_replace("'", "", $nameservers[1]);
         $v_ns3 = str_replace("'", "", $nameservers[2]);
@@ -157,6 +169,7 @@
         $v_ns6 = str_replace("'", "", $nameservers[5]);
         $v_ns7 = str_replace("'", "", $nameservers[6]);
         $v_ns8 = str_replace("'", "", $nameservers[7]);
+        unset($output);
     }
     include($_SERVER['DOCUMENT_ROOT'].'/templates/admin/add_dns.html');
 }

web/add/favorite/index.php

@@ -9,13 +9,15 @@
 // Check token
 //    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
 //        header('location: /login/');
-//        exit;
+//        exit();
 //    }
 
-    $v_section = $_REQUEST['v_section'];
-    $v_unit_id = $_REQUEST['v_unit_id'];
+    // Protect input
+    $v_section = escapeshellarg($_REQUEST['v_section']);
+    $v_unit_id = escapeshellarg($_REQUEST['v_unit_id']);
 
-    $_SESSION['favourites'][strtoupper((string)$v_section)][(string)$v_unit_id] = 1;
+    $_SESSION['favourites'][strtoupper($_REQUEST['v_section'])][$_REQUEST['v_unit_id']] = 1;
 
-    v_exec('v-add-user-favourites', [$_SESSION['user'], $v_section, $v_unit_id], false/*true*/);
+    exec (VESTA_CMD."v-add-user-favourites ".$_SESSION['user']." ".$v_section." ".$v_unit_id, $output, $return_var);
+//    check_return_code($return_var,$output);
 ?>

web/add/firewall/banlist/index.php

@@ -31,12 +31,15 @@
         $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
     }
 
-    $v_chain = $_POST['v_chain'];
-    $v_ip = $_POST['v_ip'];
+    // Protect input
+    $v_chain = escapeshellarg($_POST['v_chain']);
+    $v_ip = escapeshellarg($_POST['v_ip']);
 
     // Add firewall ban
     if (empty($_SESSION['error_msg'])) {
-        v_exec('v-add-firewall-ban', [$v_ip, $v_chain]);
+        exec (VESTA_CMD."v-add-firewall-ban ".$v_ip." ".$v_chain, $output, $return_var);
+        check_return_code($return_var,$output);
+        unset($output);
     }
 
     // Flush field values on success