* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 78d49152a8838474eba0ab103ad7897aa2de7b53
@ 2016-04-08 15:38 git
From: git @ 2016-04-08 15:38 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  78d49152a8838474eba0ab103ad7897aa2de7b53 (commit)
       via  0aff7b81965c06756ff42482ef0aa3ccfa68bf8f (commit)
       via  f367d5b38845e73b6e4963374c021e565283208d (commit)
      from  c954b6acdccddaa7cda03f9cebb7db21e36123d5 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 78d49152a8838474eba0ab103ad7897aa2de7b53
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Apr 8 15:55:46 2016 +0100

    core101: Ship latest changes in CGI files
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0aff7b81965c06756ff42482ef0aa3ccfa68bf8f
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Apr 4 16:41:30 2016 +0100

    {proxy,chpasswd}.cgi: Fix a remote code execution vulnerability
    
    Handcrafted requests containing shell commands could be sent to these
    CGI files, giving the sender shell access as an unprivileged user.
    
    References: #11087
    
    Reported-by: Yann Cam <yann.cam(a)gmail.com>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit f367d5b38845e73b6e4963374c021e565283208d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Apr 4 14:22:56 2016 +0100

    ipinfo.cgi: Remove XSS vulnerability
    
    References: #11087
    
    Reported-by: Yann Cam <yann.cam(a)gmail.com>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/101/filelists/files |  3 ++
 html/cgi-bin/chpasswd.cgi                 | 46 ++++++++-----------------------
 html/cgi-bin/ipinfo.cgi                   | 21 ++++++++------
 html/cgi-bin/proxy.cgi                    |  5 +++-
 4 files changed, 32 insertions(+), 43 deletions(-)

Difference in files:
diff --git a/config/rootfiles/core/101/filelists/files b/config/rootfiles/core/101/filelists/files
index 409e5fe..0f75ac8 100644
--- a/config/rootfiles/core/101/filelists/files
+++ b/config/rootfiles/core/101/filelists/files
@@ -1,2 +1,5 @@
 etc/system-release
 etc/issue
+srv/web/ipfire/cgi-bin/chpasswd.cgi
+srv/web/ipfire/cgi-bin/ipinfo.cgi
+srv/web/ipfire/cgi-bin/proxy.cgi
diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi
index ae9e6ec..0a66062 100644
--- a/html/cgi-bin/chpasswd.cgi
+++ b/html/cgi-bin/chpasswd.cgi
@@ -20,6 +20,7 @@
 ###############################################################################
 
 use CGI qw(param);
+use Apache::Htpasswd;
 use Crypt::PasswdMD5;
 
 $swroot = "/var/ipfire";
@@ -74,48 +75,25 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd change password'})
 		$errormessage = $tr{'advproxy errmsg password length 1'}.$proxysettings{'NCSA_MIN_PASS_LEN'}.$tr{'advproxy errmsg password length 2'};
 		goto ERROR;
 	}
-	if (! -z $userdb)
-	{
-		open FILE, $userdb;
-		@users = <FILE>;
-		close FILE;
 
-		$username = '';
-		$cryptpwd = '';
+	my $htpasswd = new Apache::Htpasswd("$userdb");
 
-		foreach (@users)
-		{
- 			chomp;
-			@temp = split(/:/,$_);
-			if ($temp[0] =~ /^$cgiparams{'USERNAME'}$/i)
-			{
-				$username = $temp[0];
-				$cryptpwd = $temp[1];
-			}
-		}
-	}
-	if ($username eq '')
-	{
+	# Check if a user with this name exists
+	my $old_password = $htpasswd->fetchPass($cgiparams{'USERNAME'});
+	if (!$old_password) {
 		$errormessage = $tr{'advproxy errmsg invalid user'};
 		goto ERROR;
 	}
-	if (
-	    !(crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd) &&
-	    !(apache_md5_crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd)
-	   )
-	{
+
+	# Reset password
+	if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1'},
+			$cgiparams{'OLD_PASSWORD'})) {
 		$errormessage = $tr{'advproxy errmsg password incorrect'};
 		goto ERROR;
 	}
-	$returncode = system("/usr/sbin/htpasswd -b $userdb $username $cgiparams{'NEW_PASSWORD_1'}");
-	if ($returncode == 0)
-	{
-		$success = 1;
-		undef %cgiparams;
-	} else {
-		$errormessage = $tr{'advproxy errmsg change fail'};
-		goto ERROR;
-	}
+
+	$success = 1;
+	undef %cgiparams;
 }
 
 ERROR:
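Review bot: The object built by `my $htpasswd = new Apache::Htpasswd("$userdb");` uses the module's defaults, and as far as I know that means new hashes are written with traditional crypt() unless `UseMD5` is requested; crypt() only considers the first eight characters of a password. Consider `my $htpasswd = Apache::Htpasswd->new({ passwdFile => $userdb, UseMD5 => 1 });` after confirming the installed module version supports it and can still verify the entries already in the file; the same applies to the `adduser` hunk in proxy.cgi. Separately, any failure of `$htpasswd->htpasswd(...)`, including a write or lock failure, is now reported as 'advproxy errmsg password incorrect' because the old 'advproxy errmsg change fail' branch was dropped; checking `$htpasswd->error` would let the two cases be told apart. The enclosing `if ($cgiparams{'SUBMIT'} ...)` block starts before this hunk.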
diff --git a/html/cgi-bin/ipinfo.cgi b/html/cgi-bin/ipinfo.cgi
index 71098a2..8cefe6e 100644
--- a/html/cgi-bin/ipinfo.cgi
+++ b/html/cgi-bin/ipinfo.cgi
@@ -19,6 +19,7 @@
 #                                                                             #
 ###############################################################################
 
+use CGI;
 use IO::Socket;
 use strict;
 
@@ -34,18 +35,14 @@ my %cgiparams=();
 
 &Header::showhttpheaders();
 
-&Header::getcgihash(\%cgiparams);
-
-$ENV{'QUERY_STRING'} =~s/&//g;
-my @addrs = split(/ip=/,$ENV{'QUERY_STRING'});
-
 &Header::openpage($Lang::tr{'ip info'}, 1, '');
-
 &Header::openbigbox('100%', 'left');
 my @lines=();
 my $extraquery='';
-foreach my $addr (@addrs) {
-next if $addr eq "";
+
+my $addr = CGI::param("ip") || "";
+
+if (&General::validip($addr)) {
 	$extraquery='';
 	@lines=();
 	my $whoisname = "whois.arin.net";
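Review bot: The XSS fix now rests entirely on `&General::validip($addr)`, which is not visible in this hunk; `$addr` comes straight from `CGI::param("ip")` and is presumably still written into the page further down in the block. Confirm that validip matches the whole string (anchored with `\A` and `\z`, so a trailing newline or extra characters cannot pass), and consider escaping at the output point as well, e.g. `my $addr_html = CGI::escapeHTML($addr);`, so the page stays safe if the validator is ever loosened. `%cgiparams`, declared just above according to the hunk header, looks unused now that the `getcgihash` call is gone. The `if` block opened here closes in the next hunk.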
@@ -91,6 +88,14 @@ next if $addr eq "";
 	}
 	print "</pre>\n";
 	&Header::closebox();
+} else {
+	&Header::openbox('100%', 'left', $Lang::tr{'invalid ip'});
+	print <<EOF;
+		<p style="text-align: center;">
+			$Lang::tr{'invalid ip'}
+		</p>
+EOF
+	&Header::closebox();
 }
 
 print <<END
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 6c4e2b0..1c9bb87 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -27,6 +27,7 @@
 #
 
 use strict;
+use Apache::Htpasswd;
 
 # enable only the following on debugging purpose
 #use warnings;
@@ -4134,7 +4135,9 @@ sub adduser
 		close(FILE);
 	} else {
 		&deluser($str_user);
-		system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");
+
+		my $htpasswd = new Apache::Htpasswd("$userdb");
+		$htpasswd->htpasswd($str_user, $str_pass);
 	}
 
 	if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");
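Review bot: The result of `$htpasswd->htpasswd($str_user, $str_pass);` is discarded, and the call runs right after `&deluser($str_user);`, so a failed write would leave the account removed with no error surfaced. Check the return value and record the reason, e.g. `$htpasswd->htpasswd($str_user, $str_pass) or warn "htpasswd update failed: " . $htpasswd->error;`. It is also worth confirming, outside this hunk, that `$str_user` is restricted to a safe character set before it reaches the password file, since a `:` or line break in the name would alter the file's record structure. `adduser` starts and ends outside the hunk.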


hooks/post-receive
--
IPFire 2.x development tree
