
Escape user variable in /keys/ (#1667)

Remove potential leak of 2FA status
Kristan Kenney 5 лет назад
Родитель
Сommit
e7123fe455
4 измененных файлов с 18 добавлено и 38 удалено
  1. 2 0
      CHANGELOG.md
  2. 3 2
      web/delete/key/index.php
  3. 0 23
      web/inc/2fa/active.php
  4. 13 13
      web/login/index.php

+ 2 - 0
CHANGELOG.md

@@ -1,6 +1,8 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
+- Fixed xss vulnerability in v-add-sys-ip (thanks **@numanturle**)
+- Fixed remote execution possibility when deleting ssh key (thanks **@numanturle**)
 ## [1.3.3] - Service Release
 ### Bugfixes
 - Improved permission handling.

+ 3 - 2
web/delete/key/index.php

@@ -6,7 +6,7 @@ session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
 if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
-    $user=$_GET['user'];;
+    $user=$_GET['user'];
 }
 
 // Check token
@@ -17,8 +17,9 @@ if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
 
 if (!empty($_GET['key'])) {
     $v_key = escapeshellarg(trim($_GET['key']));
+    $v_user = escapeshellarg(trim($v_user));
     $v_key = str_replace('/','\\/', $v_key);
-    exec (HESTIA_CMD."v-delete-user-ssh-key ".$user." ".$v_key);
+    exec (HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key);
     check_return_code($return_var,$output);
 }
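Review bot: The added line `$v_user = escapeshellarg(trim($v_user));` reads `$v_user`, which nothing in the visible part of this script assigns, whereas the removed call passed `$user`. Unless `inc/main.php` happens to define `$v_user`, the command now receives an empty quoted argument instead of the intended account, so the line should read `$v_user = escapeshellarg(trim($user));`. The `exec` call also passes no output or status arguments, so `check_return_code($return_var,$output)` on the following line has nothing from this command to inspect; `exec(HESTIA_CMD."v-delete-user-ssh-key ".$v_user." ".$v_key, $output, $return_var);` would close that gap. The script continues outside the hunk.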
 

+ 0 - 23
web/inc/2fa/active.php

@@ -1,23 +0,0 @@
-<?php
-
-define('NO_AUTH_REQUIRED',true);
-
-// Main include
-include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
-
-if (isset($_GET['user'])) {
-    $v_user = escapeshellarg($_GET['user']);
-
-    // Get user speciefic parameters
-    exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
-    $data = json_decode(implode('', $output), true);
-
-    // Check if 2FA is active
-    if ($data[$_GET['user']]['TWOFA'] != '') {
-        header("HTTP/1.0 200 OK");
-        exit;
-    } else {
-        header("HTTP/1.0 404 Not Found");
-        exit;
-    }
-}

+ 13 - 13
web/login/index.php

@@ -96,20 +96,20 @@ function authenticate_user($user, $password, $twofa = ''){
                 unset($output);
                 // Check if 2FA is active
                 if ($data[$user]['TWOFA'] != '') {
-                   if (empty($twofa)){
-                            $_SESSION['login']['username'] = $user;
-                            $_SESSION['login']['password'] = $password;
+                        if(empty($twofa)){
                             return false;
-                   } else {
-                        $v_twofa = escapeshellarg($twofa);
-                        exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
-                        unset($output);
-                        if ( $return_var > 0 ) {
-                            //sleep(2);
-                            $error = "<a class=\"error\">"._('Invalid or missing 2FA token')."</a>";
-                            $_SESSION['login']['username'] = $user;
-                            $_SESSION['login']['password'] = $password;
-                            return $error;
+                        }else{
+                            $v_twofa = escapeshellarg($twofa);
+                            exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);
+                            unset($output);
+                            if ( $return_var > 0 ) {
+                                sleep(2);
+                                $error = "<a class=\"error\">"._('Invalid or missing 2FA token')."</a>";
+                                $_SESSION['login']['username'] = $user;
+                                $_SESSION['login']['password'] = $password;
+                                return $error;
+                                unset($_POST['twofa']);
+                            }
                         }
                    }
                 }
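Review bot: The added `unset($_POST['twofa']);` sits directly after `return $error;` and can never run; if clearing the submitted code is intended, it has to move above the return. The failure branch also still writes the plaintext password to `$_SESSION['login']['password']`, so it stays in the session store after a failed 2FA attempt, which this commit already stopped doing in the `empty($twofa)` branch; if the form only needs to know that the password step passed, a short-lived flag would avoid holding the secret. `sleep(2)` slows one request but does not bound repeated guesses, so a per-account attempt counter would be a sturdier control. authenticate_user begins and ends outside this hunk.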