This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 78d49152a8838474eba0ab103ad7897aa2de7b53 (commit) via 0aff7b81965c06756ff42482ef0aa3ccfa68bf8f (commit) via f367d5b38845e73b6e4963374c021e565283208d (commit) from c954b6acdccddaa7cda03f9cebb7db21e36123d5 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 78d49152a8838474eba0ab103ad7897aa2de7b53 Author: Michael Tremer michael.tremer@ipfire.org Date: Fri Apr 8 15:55:46 2016 +0100
core101: Ship latest changes in CGI files
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0aff7b81965c06756ff42482ef0aa3ccfa68bf8f Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 4 16:41:30 2016 +0100
{proxy,chpasswd}.cgi: Fix a remote code execution vulnerability
Handcrafted requests containing shell commands could be sent to these CGI files, giving the sender shell access as an unprivileged user.
References: #11087
Reported-by: Yann Cam yann.cam@gmail.com Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit f367d5b38845e73b6e4963374c021e565283208d Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Apr 4 14:22:56 2016 +0100
ipinfo.cgi: Remove XSS vulnerability
References: #11087
Reported-by: Yann Cam yann.cam@gmail.com Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/101/filelists/files | 3 ++ html/cgi-bin/chpasswd.cgi | 46 ++++++++----------------------- html/cgi-bin/ipinfo.cgi | 21 ++++++++------ html/cgi-bin/proxy.cgi | 5 +++- 4 files changed, 32 insertions(+), 43 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/101/filelists/files b/config/rootfiles/core/101/filelists/files
index 409e5fe..0f75ac8 100644
--- a/config/rootfiles/core/101/filelists/files
+++ b/config/rootfiles/core/101/filelists/files
@@ -1,2 +1,5 @@
 etc/system-release
 etc/issue
+srv/web/ipfire/cgi-bin/chpasswd.cgi
+srv/web/ipfire/cgi-bin/ipinfo.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
index ae9e6ec..0a66062 100644
--- a/html/cgi-bin/chpasswd.cgi
+++ b/html/cgi-bin/chpasswd.cgi
@@ -20,6 +20,7 @@
 ###############################################################################
use CGI qw(param);
+use Apache::Htpasswd;
 use Crypt::PasswdMD5;
$swroot = "/var/ipfire";
@@ -74,48 +75,25 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'})
 $errormessage = $tr{'advproxy errmsg password length 1'}.$proxysettings{'NCSA_MIN_PASS_LEN'}.$tr{'advproxy errmsg password length 2'};
 goto ERROR;
 }
- if (! -z $userdb)
- {
- open FILE, $userdb;
- @users = <FILE>;
- close FILE;
- $username = '';
- $cryptpwd = '';
+ my $htpasswd = new Apache::Htpasswd("$userdb");
- foreach (@users)
- {
- chomp;
- @temp = split(/:/,$_);
- if ($temp[0] =~ /^$cgiparams{'USERNAME'}$/i)
- {
- $username = $temp[0];
- $cryptpwd = $temp[1];
- }
- }
- }
- if ($username eq '')
- {
+ # Check if a user with this name exists
+ my $old_password = $htpasswd->fetchPass($cgiparams{'USERNAME'});
+ if (!$old_password) {
 $errormessage = $tr{'advproxy errmsg invalid user'};
 goto ERROR;
 }
- if (
- !(crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd) &&
- !(apache_md5_crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd)
- )
- {
+
+ # Reset password
+ if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'},
+ $cgiparams{'OLD_PASSWORD'})) {
 $errormessage = $tr{'advproxy errmsg password incorrect'};
 goto ERROR;
 }
- $returncode = system("/usr/sbin/htpasswd -b $userdb $username $cgiparams{'NEW_PASSWORD_1'}");
- if ($returncode == 0)
- {
- $success = 1;
- undef %cgiparams;
- } else {
- $errormessage = $tr{'advproxy errmsg change fail'};
- goto ERROR;
- }
+
+ $success = 1;
+ undef %cgiparams;
 }
ERROR:
diff --git a/html/cgi-bin/ipinfo.cgi b/html/cgi-bin/ipinfo.cgi
index 71098a2..8cefe6e 100644
--- a/html/cgi-bin/ipinfo.cgi
+++ b/html/cgi-bin/ipinfo.cgi
@@ -19,6 +19,7 @@
 # #
 ###############################################################################
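Review bot: In chpasswd.cgi, every failure of `$htpasswd->htpasswd(...)` is now reported as 'advproxy errmsg password incorrect', so a write or locking error on `$userdb` cannot be told apart from a wrong old password, and the 'advproxy errmsg change fail' path of the removed code is gone. Verifying the old password first and writing the new one in a second step keeps the two outcomes separate; the sketch below also uses the direct `Apache::Htpasswd->new(...)` call instead of the indirect-object form. The hunk additionally relies on Apache::Htpasswd accepting both hash formats the removed code checked (`crypt` and `apache_md5_crypt`); the module's configuration is not visible here, so that is worth confirming against an existing user database. The enclosing `if ($cgiparams{'SUBMIT'} ...)` block starts outside the hunk.

```perl
my $htpasswd = Apache::Htpasswd->new($userdb);

# … unchanged: fetchPass() check for an unknown user …

# Verify the old password separately so that a wrong password and a
# failed write produce different messages.
if (!$htpasswd->htCheckPassword($cgiparams{'USERNAME'}, $cgiparams{'OLD_PASSWORD'})) {
	$errormessage = $tr{'advproxy errmsg password incorrect'};
	goto ERROR;
}

if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'}, {'overwrite' => 1})) {
	$errormessage = $tr{'advproxy errmsg change fail'};
	goto ERROR;
}
```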
+use CGI;
 use IO::Socket;
 use strict;
@@ -34,18 +35,14 @@ my %cgiparams=();
&Header::showhttpheaders();
-&Header::getcgihash(%cgiparams);
-
-$ENV{'QUERY_STRING'} =~s/&//g;
-my @addrs = split(/ip=/,$ENV{'QUERY_STRING'});
-
 &Header::openpage($Lang::tr{'ip info'}, 1, '');
-
 &Header::openbigbox('100%', 'left');
 my @lines=();
 my $extraquery='';
-foreach my $addr (@addrs) {
-next if $addr eq "";
+
+my $addr = CGI::param("ip") || "";
+
+if (&General::validip($addr)) {
 $extraquery='';
 @lines=();
 my $whoisname = "whois.arin.net";
@@ -91,6 +88,14 @@ next if $addr eq "";
 }
 print "</pre>\n";
 &Header::closebox();
+} else {
+ &Header::openbox('100%', 'left', $Lang::tr{'invalid ip'});
+ print <<EOF;
+ <p style="text-align: center;">
+ $Lang::tr{'invalid ip'}
+ </p>
+EOF
+ &Header::closebox();
 }
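Review bot: The new `if (&General::validip($addr))` guard in ipinfo.cgi is the only check between the `ip` request parameter and the rest of the page, and the reason for it is not recorded next to the code. A short comment above the check would help the next editor keep it in place, for example `# $addr comes from the request; only a syntactically valid IP may reach the whois lookup and the page output below`. The lookup code that uses `$addr` lies outside this hunk, so whether the address and the whois response are HTML-escaped where they are printed cannot be confirmed from here. Escaping at the point of output would keep the page safe independently of how strict `validip` is.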
print <<END
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 6c4e2b0..1c9bb87 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -27,6 +27,7 @@
 #
use strict;
+use Apache::Htpasswd;
# enable only the following on debugging purpose
 #use warnings;
@@ -4134,7 +4135,9 @@ sub adduser
 close(FILE);
 } else {
 &deluser($str_user);
- system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");
+
+ my $htpasswd = new Apache::Htpasswd("$userdb");
+ $htpasswd->htpasswd($str_user, $str_pass);
 }
if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");
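Review bot: The return value of `$htpasswd->htpasswd($str_user, $str_pass)` in `adduser` is ignored, and the call runs after `&deluser($str_user)`, so a failed write leaves the account removed without any error being reported. Checking the result, e.g. `$htpasswd->htpasswd($str_user, $str_pass) or warn "adduser: " . $htpasswd->error;`, would at least record the failure in the server log. Because `$str_user` ends up in a colon-delimited, line-oriented file, it is also worth confirming that the caller restricts the name to a safe character set. That validation is not visible in this hunk, and `adduser` begins and ends outside it.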
hooks/post-receive -- IPFire 2.x development tree