This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 78d49152a8838474eba0ab103ad7897aa2de7b53 (commit)
via 0aff7b81965c06756ff42482ef0aa3ccfa68bf8f (commit)
via f367d5b38845e73b6e4963374c021e565283208d (commit)
from c954b6acdccddaa7cda03f9cebb7db21e36123d5 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 78d49152a8838474eba0ab103ad7897aa2de7b53
Author: Michael Tremer
Date: Fri Apr 8 15:55:46 2016 +0100
core101: Ship latest changes in CGI files
Signed-off-by: Michael Tremer
commit 0aff7b81965c06756ff42482ef0aa3ccfa68bf8f
Author: Michael Tremer
Date: Mon Apr 4 16:41:30 2016 +0100
{proxy,chpasswd}.cgi: Fix a remote code execution vulnerability
Handcrafted requests containing shell commands could be sent to these
CGI files, giving the sender shell access as an unprivileged user.
References: #11087
Reported-by: Yann Cam
Signed-off-by: Michael Tremer
commit f367d5b38845e73b6e4963374c021e565283208d
Author: Michael Tremer
Date: Mon Apr 4 14:22:56 2016 +0100
ipinfo.cgi: Remove XSS vulnerability
References: #11087
Reported-by: Yann Cam
Signed-off-by: Michael Tremer
-----------------------------------------------------------------------
Summary of changes:
config/rootfiles/core/101/filelists/files | 3 ++
html/cgi-bin/chpasswd.cgi | 46 ++++++++-----------------------
html/cgi-bin/ipinfo.cgi | 21 ++++++++------
html/cgi-bin/proxy.cgi | 5 +++-
4 files changed, 32 insertions(+), 43 deletions(-)
Difference in files:
diff --git a/config/rootfiles/core/101/filelists/files b/config/rootfiles/core/101/filelists/files
index 409e5fe..0f75ac8 100644
--- a/config/rootfiles/core/101/filelists/files
+++ b/config/rootfiles/core/101/filelists/files
@@ -1,2 +1,5 @@
etc/system-release
etc/issue
+srv/web/ipfire/cgi-bin/chpasswd.cgi
+srv/web/ipfire/cgi-bin/ipinfo.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
index ae9e6ec..0a66062 100644
--- a/html/cgi-bin/chpasswd.cgi
+++ b/html/cgi-bin/chpasswd.cgi
@@ -20,6 +20,7 @@
###############################################################################
use CGI qw(param);
+use Apache::Htpasswd;
use Crypt::PasswdMD5;
$swroot = "/var/ipfire";
@@ -74,48 +75,25 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'})
$errormessage = $tr{'advproxy errmsg password length 1'}.$proxysettings{'NCSA_MIN_PASS_LEN'}.$tr{'advproxy errmsg password length 2'};
goto ERROR;
}
- if (! -z $userdb)
- {
- open FILE, $userdb;
- @users = ;
- close FILE;
- $username = '';
- $cryptpwd = '';
+ my $htpasswd = new Apache::Htpasswd("$userdb");
- foreach (@users)
- {
- chomp;
- @temp = split(/:/,$_);
- if ($temp[0] =~ /^$cgiparams{'USERNAME'}$/i)
- {
- $username = $temp[0];
- $cryptpwd = $temp[1];
- }
- }
- }
- if ($username eq '')
- {
+ # Check if a user with this name exists
+ my $old_password = $htpasswd->fetchPass($cgiparams{'USERNAME'});
+ if (!$old_password) {
$errormessage = $tr{'advproxy errmsg invalid user'};
goto ERROR;
}
- if (
- !(crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd) &&
- !(apache_md5_crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd)
- )
- {
+
+ # Reset password
+ if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'},
+ $cgiparams{'OLD_PASSWORD'})) {
$errormessage = $tr{'advproxy errmsg password incorrect'};
goto ERROR;
}
- $returncode = system("/usr/sbin/htpasswd -b $userdb $username $cgiparams{'NEW_PASSWORD_1'}");
- if ($returncode == 0)
- {
- $success = 1;
- undef %cgiparams;
- } else {
- $errormessage = $tr{'advproxy errmsg change fail'};
- goto ERROR;
- }
+
+ $success = 1;
+ undef %cgiparams;
}
ERROR:
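Review bot: Every failure of `$htpasswd->htpasswd(...)` is now reported as 'advproxy errmsg password incorrect', so a write or locking failure on `$userdb` cannot be told apart from a wrong old password, and the removed 'advproxy errmsg change fail' path has no replacement. Apache::Htpasswd keeps the reason in `$htpasswd->error`; I would log that server-side and show the 'change fail' message when the cause is not a password mismatch. Separately, the object is built without options, and as far as I know the module hashes new passwords with crypt() unless `UseMD5 => 1` is passed to the constructor, so it is worth confirming which scheme ends up in the file compared with the former `/usr/sbin/htpasswd -b` call. `new Apache::Htpasswd("$userdb")` would also read better as `Apache::Htpasswd->new($userdb)`. The enclosing `if ($cgiparams{'SUBMIT'} ...)` block starts above this hunk.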
diff --git a/html/cgi-bin/ipinfo.cgi b/html/cgi-bin/ipinfo.cgi
index 71098a2..8cefe6e 100644
--- a/html/cgi-bin/ipinfo.cgi
+++ b/html/cgi-bin/ipinfo.cgi
@@ -19,6 +19,7 @@
# #
###############################################################################
+use CGI;
use IO::Socket;
use strict;
@@ -34,18 +35,14 @@ my %cgiparams=();
&Header::showhttpheaders();
-&Header::getcgihash(\%cgiparams);
-
-$ENV{'QUERY_STRING'} =~s/&//g;
-my @addrs = split(/ip=/,$ENV{'QUERY_STRING'});
-
&Header::openpage($Lang::tr{'ip info'}, 1, '');
-
&Header::openbigbox('100%', 'left');
my @lines=();
my $extraquery='';
-foreach my $addr (@addrs) {
-next if $addr eq "";
+
+my $addr = CGI::param("ip") || "";
+
+if (&General::validip($addr)) {
$extraquery='';
@lines=();
my $whoisname = "whois.arin.net";
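Review bot: `&General::validip($addr)` is now the only barrier between the `ip` parameter and the page output, and nothing in this hunk encodes `$addr` before it is printed. The body of the `if` block continues outside the hunk, so the print sites are not visible here, but I would still encode at output, e.g. `my $addr_html = CGI::escapeHTML($addr);`, so that the XSS fix does not depend on how strict validip is. Its definition is not shown; if it matches with a `$` anchor rather than `\z`, a trailing newline would pass. `my %cgiparams=();` in the hunk header context looks unused now that the `getcgihash` call is removed.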
@@ -91,6 +88,14 @@ next if $addr eq "";
}
print "\n";
&Header::closebox();
+} else {
+ &Header::openbox('100%', 'left', $Lang::tr{'invalid ip'});
+ print <
+ $Lang::tr{'invalid ip'}
+
+EOF
+ &Header::closebox();
}
print <htpasswd($str_user, $str_pass);
}
if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");
hooks/post-receive
--
IPFire 2.x development tree