
Merge branch 'staging/release/v1.3.4' into release

Kristan Kenney 5 سال پیش
والد
کامیت
ba8af2341d

+ 12 - 0
CHANGELOG.md

@@ -1,7 +1,19 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+## [1.3.4] - Service Release
+### Features
+- No new features have been introduced in this release.
+
+### Bugfixes
+- Fixed xss vulnerability in v-add-sys-ip and user history log (thanks **@numanturle**)
+- Fixed remote execution possibility when deleting ssh key (thanks **@numanturle**)
+- Updated phpMyAdmin to v5.1.0
+
 ## [1.3.3] - Service Release
+### Features
+- No new features have been introduced in this release.
+
 ### Bugfixes
 - Improved permission handling.
 

+ 1 - 1
README.md

@@ -2,7 +2,7 @@
 
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Latest stable release:** Version 1.3.3 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md)<br>
+**Latest stable release:** Version 1.3.4 | [View Changelog](https://github.com/hestiacp/hestiacp/blob/release/CHANGELOG.md)<br>
 
 **Web:** [www.hestiacp.com](https://www.hestiacp.com/)<br>
 **Documentation:** [docs.hestiacp.com](https://docs.hestiacp.com/)<br>

+ 1 - 1
bin/v-add-sys-ip

@@ -41,7 +41,7 @@ source $HESTIA/conf/hestia.conf
 #----------------------------------------------------------#
 
 check_args '2' "$#" 'IP NETMASK [INTERFACE] [USER] [STATUS] [NAME] [NATED_IP]'
-is_format_valid 'ip' 'netmask' 'interface' 'user' 'ip_status'
+is_format_valid 'ip' 'netmask' 'iface' 'user' 'ip_status'
 is_ip_free
 is_object_valid 'user' 'USER' "$user"
 is_object_unsuspended 'user' 'USER' "$user"
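Review bot: The validator list on the `is_format_valid` line still omits the last two positional arguments shown in the usage string directly above it, NAME and NATED_IP, so whatever variables they are bound to reach the rest of the script unchecked in the same way the interface name did before this fix. If they are written into the IP configuration record (not visible in this hunk), they belong in the same call; `is_format_valid` already knows an `ip_name` validator elsewhere in this commit and the `ip` validator would fit a NAT address, so something like `is_format_valid 'ip' 'netmask' 'iface' 'user' 'ip_status' 'ip_name' 'nat_ip'` with the script's actual variable names is the natural extension. Note that a validator name with no matching branch was exactly the failure mode here, so verify each name against `func/main.sh` before adding it.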

+ 2 - 1
bin/v-generate-ssl-cert

@@ -70,7 +70,8 @@ fi
 
 args_usage='DOMAIN EMAIL COUNTRY STATE CITY ORG UNIT [ALIASES] [FORMAT]'
 check_args '7' "$#" "$args_usage"
-is_format_valid 'domain_alias' 'format'
+is_format_valid 'domain' 'aliases' 'format'
+
 
 if [ ! -f /root/.rnd ]; then
     touch /root/.rnd
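Review bot: Only `domain`, `aliases` and `format` are validated on the new `is_format_valid` line, while the `args_usage` string two lines above also accepts EMAIL, COUNTRY, STATE, CITY, ORG and UNIT; if those values are interpolated into the certificate subject or an openssl config later in the script (not visible in this hunk), they are user-controlled strings reaching a shell command and should be passed through `is_format_valid` as well, using whichever validator names `func/main.sh` provides for them. The added empty line also leaves two consecutive blank lines before the `/root/.rnd` check; one is enough.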

+ 1 - 0
func/main.sh

@@ -962,6 +962,7 @@ is_format_valid() {
                 host)           is_object_format_valid "$arg" "$arg_name" ;;
                 hour)           is_cron_format_valid "$arg" $arg_name ;;
                 id)             is_int_format_valid "$arg" 'id' ;;
+                iface)          is_interface_format_valid "$arg" ;;
                 ip)             is_ip_format_valid "$arg" ;;
                 ip_name)        is_domain_format_valid "$arg" 'IP name';;
                 ip_status)      is_ip_status_format_valid "$arg" ;;
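Review bot: The new `iface)` branch fixes one missing validator, but the root cause it works around is that `is_format_valid` silently accepts an argument whose name matches no `case` branch ('interface' in v-add-sys-ip fell through and was never checked); if the `case` has no `*)` default (its end is outside this hunk), the next mistyped validator name reproduces the same class of bug. Consider closing the `case` with a branch that fails loudly rather than skipping, e.g. `*) check_result "$E_INVALID" "no format validator for $arg_name" ;;` if that is the error helper the rest of main.sh uses, or at minimum a warning to stderr. `is_format_valid` begins before and ends after this hunk.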

+ 2 - 2
install/hst-install-debian.sh

@@ -23,8 +23,8 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.3.3'
-pma_v='5.0.4'
+HESTIA_INSTALL_VER='1.3.4'
+pma_v='5.1.0'
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0")
 fpm_v="7.4"
 mariadb_v="10.5"

+ 2 - 2
install/hst-install-ubuntu.sh

@@ -23,8 +23,8 @@ HESTIA_INSTALL_DIR="$HESTIA/install/deb"
 VERBOSE='no'
 
 # Define software versions
-HESTIA_INSTALL_VER='1.3.3'
-pma_v='5.0.4'
+HESTIA_INSTALL_VER='1.3.4'
+pma_v='5.1.0'
 multiphp_v=("5.6" "7.0" "7.1" "7.2" "7.3" "7.4" "8.0")
 fpm_v="7.4"
 mariadb_v="10.5"

+ 1 - 1
install/upgrade/upgrade.conf

@@ -43,4 +43,4 @@ UPGRADE_RESTART_SERVICES='true'
 #######################################################################################
 
 # Set version of phpMyAdmin to install during upgrade if not already installed
-pma_v='5.0.4'
+pma_v='5.1.0'

+ 17 - 0
install/upgrade/versions/1.3.4.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Hestia Control Panel upgrade script for target version 1.3.4
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+
+echo '[ * ] Updating System Administrator account permissions...'
+$HESTIA/bin/v-change-user-role admin admin
+
+# Send end-of-life notification to admin user on servers running Ubuntu 16.04
+if [ "$OS_TYPE" = "Ubuntu" ]; then
+    if [ "$OS_VERSION" = '16.04' ]; then
+        $HESTIA/bin/v-add-user-notification admin 'IMPORTANT: End of support for Ubuntu 16.04 LTS' '<b>Hestia Control Panel no longer supports Ubuntu 16.04 LTS</b>, as a result your server will no longer receive upgrades or security patches after <b>v1.3.4</b>.<br><br>Please upgrade to a supported operating system.'
+    fi
+fi
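Review bot: The exit status of `$HESTIA/bin/v-change-user-role admin admin` is never checked, so the progress line printed just before it reports the permission update regardless of whether the role change actually succeeded; the upgrade output should distinguish the two, e.g. `"$HESTIA/bin/v-change-user-role" admin admin || echo '[ ! ] Failed to update System Administrator account permissions'`. `$HESTIA` is also unquoted in both invocations; quoting it costs nothing. `$OS_TYPE` and `$OS_VERSION` are read here but set by the caller, which is worth a one-line comment at the top of the file since this script has no header documenting its inputs.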

+ 1 - 1
src/deb/hestia/control

@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.3.3
+Version: 1.3.4
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com

+ 1 - 1
web/api/index.php

@@ -104,7 +104,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
     // Check command
     if ($cmd == "'v-make-tmp-file'") {
         // Used in DNS Cluster
-        $fp = fopen($_POST['arg2'], 'w');
+        $fp = fopen('/tmp/'.basename($_POST['arg2']), 'w');
         fwrite($fp, $_POST['arg1']."\n");
         fclose($fp);
         $return_var = 0;
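Review bot: `fopen()` on the new line can still return `false` — `basename()` yields `.` for an empty or `/`-terminated `arg2`, and `/tmp/.` cannot be opened for writing — after which `fwrite`/`fclose` run on `false` and `$return_var` is still set to 0, reporting success for a file that was never written. The file name is also still attacker-chosen inside the world-writable `/tmp`, so a local user on the box can pre-create a symlink at that path and mode `'w'` will follow it; mode `'x'` (O_EXCL) refuses any pre-existing entry. If cluster peers legitimately reuse a name they must remove the old file themselves, since an unlink-then-open sequence would reintroduce the race. The enclosing `if (isset($_POST['user']) || isset($_POST['hash']))` block begins before this hunk.
```php
// Used in DNS Cluster
// 'x' (O_EXCL) refuses to follow a pre-existing file or symlink in the shared /tmp
$fp = @fopen('/tmp/'.basename($_POST['arg2']), 'x');
if ($fp === false) {
    $return_var = 1;
} else {
    fwrite($fp, $_POST['arg1']."\n");
    fclose($fp);
    $return_var = 0;
}
```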

+ 3 - 2
web/delete/key/index.php

@@ -6,7 +6,7 @@ session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];;
+    $user=$_GET['user'];
 }
 
 // Check token
@@ -17,8 +17,9 @@ if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
 
 if (!empty($_GET['key'])) {
     $v_key = escapeshellarg(trim($_GET['key']));
+    $v_user = escapeshellarg(trim($v_user));
     $v_key = str_replace('/','\\/', $v_key);
-    exec (HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);
+    exec (HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key);
     check_return_code($return_var,$output);
 }
 
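Review bot: The `exec` line now passes `$v_user`, but the admin override in the first hunk still assigns `$_GET['user']` to `$user`; unless `$v_user` is rebuilt from `$user` somewhere between the two hunks (not visible here), that override is now dead and an admin deleting another user's key silently acts on their own account instead — or `$v_user` is undefined and `trim()` receives null. Either derive the escaped value from the overridden variable, e.g. `$v_user = escapeshellarg(trim($user));` with `$user` defaulting to `$_SESSION['user']` when no override applies, or remove the override block. The `str_replace('/', '\\/', $v_key)` after `escapeshellarg` also inserts literal backslashes inside the single-quoted argument; that predates this commit but deserves a comment explaining what consumer needs it.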

+ 0 - 23
web/inc/2fa/active.php

@@ -1,23 +0,0 @@
-<?php
-
-define('NO_AUTH_REQUIRED',true);
-
-// Main include
-include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
-
-if (isset($_GET['user'])) {
-    $v_user = escapeshellarg($_GET['user']);
-
-    // Get user speciefic parameters
-    exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
-    $data = json_decode(implode('', $output), true);
-
-    // Check if 2FA is active
-    if ($data[$_GET['user']]['TWOFA'] != '') {
-        header("HTTP/1.0 200 OK");
-        exit;
-    } else {
-        header("HTTP/1.0 404 Not Found");
-        exit;
-    }
-}

+ 13 - 12
web/login/index.php

@@ -96,20 +96,22 @@ function authenticate_user($user, $password, $twofa = ''){
                 unset($output);
                 // Check if 2FA is active
                 if ($data[$user]['TWOFA'] != '') {
-                   if (empty($twofa)){
+                        if(empty($twofa)){
                             $_SESSION['login']['username'] = $user;
                             $_SESSION['login']['password'] = $password;
                             return false;
-                   } else {
-                        $v_twofa = escapeshellarg($twofa);
-                        exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
-                        unset($output);
-                        if ( $return_var > 0 ) {
-                            //sleep(2);
-                            $error = "<a class=\"error\">"._('Invalid or missing 2FA token')."</a>";
-                            $_SESSION['login']['username'] = $user;
-                            $_SESSION['login']['password'] = $password;
-                            return $error;
+                        }else{
+                            $v_twofa = escapeshellarg($twofa);
+                            exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
+                            unset($output);
+                            if ( $return_var > 0 ) {
+                                sleep(2);
+                                $error = "<a class=\"error\">"._('Invalid or missing 2FA token')."</a>";
+                                $_SESSION['login']['username'] = $user;
+                                $_SESSION['login']['password'] = $password;
+                                return $error;
+                                unset($_POST['twofa']);
+                            }
                         }
                    }
                 }
@@ -150,7 +152,6 @@ function authenticate_user($user, $password, $twofa = ''){
                     exit;
                 }
             }
-        }
     } else {
         unset($_POST);
         unset($_GET);
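Review bot: `unset($_POST['twofa']);` in the new 2FA failure branch is placed after `return $error;` and is unreachable, so the rejected token is never cleared; move it above the `return` if re-entry is the intent, otherwise drop it. The mixed indentation of the new `if(empty($twofa)){ … }else{` block (4- and 8-space steps inside one construct) makes the brace pairing hard to follow and is plausibly how the stray `}` removed in the second hunk crept in. Separately, the new branch keeps the cleartext password in `$_SESSION['login']['password']` across the 2FA round-trip, which persists the credential in the server-side session store; if the flow cannot complete without it, document that next to the assignment and make sure it is cleared once the second factor is accepted. `authenticate_user` begins before the first hunk and ends after the second.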

+ 1 - 1
web/templates/admin/list_log.html

@@ -44,7 +44,7 @@
           </div>
           <div class="clearfix l-unit__stat-col--left small"><b><?=translate_date($data[$key]['DATE'])?></b></div>
           <div class="clearfix l-unit__stat-col--left compact"><b><?=$data[$key]['TIME']?></b></div>
-          <div class="clearfix l-unit__stat-col--left wide-7"><?=$data[$key]['CMD']?></div>
+          <div class="clearfix l-unit__stat-col--left wide-7"><?=htmlspecialchars($data[$key]['CMD'], ENT_QUOTES)?></div>
         </div>
       </div>
   <?}?>
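Review bot: `htmlspecialchars()` without `ENT_SUBSTITUTE` returns an empty string when its input contains an invalid UTF-8 sequence, so a log entry whose command bytes are malformed — precisely the kind of input an attacker probing this field would send — now renders as a blank cell rather than an escaped one; use `<?=htmlspecialchars($data[$key]['CMD'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')?>` so the entry stays visible. The adjacent `TIME` cell on the line above is still echoed raw; if it comes from the same log record it should be escaped the same way, and `translate_date()`'s output escaping is not visible here.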