From mboxrd@z Thu Jan 1 00:00:00 1970 From: git@ipfire.org To: ipfire-scm@lists.ipfire.org Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 78d49152a8838474eba0ab103ad7897aa2de7b53 Date: Fri, 08 Apr 2016 16:38:47 +0100 Message-ID: <20160408153847.C6CA81081BA6@git01.ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3676418590035994354==" List-Id: --===============3676418590035994354== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree". The branch, next has been updated via 78d49152a8838474eba0ab103ad7897aa2de7b53 (commit) via 0aff7b81965c06756ff42482ef0aa3ccfa68bf8f (commit) via f367d5b38845e73b6e4963374c021e565283208d (commit) from c954b6acdccddaa7cda03f9cebb7db21e36123d5 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 78d49152a8838474eba0ab103ad7897aa2de7b53 Author: Michael Tremer Date: Fri Apr 8 15:55:46 2016 +0100 core101: Ship latest changes in CGI files =20 Signed-off-by: Michael Tremer commit 0aff7b81965c06756ff42482ef0aa3ccfa68bf8f Author: Michael Tremer Date: Mon Apr 4 16:41:30 2016 +0100 {proxy,chpasswd}.cgi: Fix a remote code execution vulnerability =20 Handcrafted requests with shell commands could be sent to these CGI files and gain shell access as unprivileged user. =20 References: #11087 =20 Reported-by: Yann Cam Signed-off-by: Michael Tremer commit f367d5b38845e73b6e4963374c021e565283208d Author: Michael Tremer Date: Mon Apr 4 14:22:56 2016 +0100 ipinfo.cgi: Remove XSS vulnerability =20 References: #11087 =20 Reported-by: Yann Cam 
Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/rootfiles/core/101/filelists/files | 3 ++ html/cgi-bin/chpasswd.cgi | 46 ++++++++---------------------= -- html/cgi-bin/ipinfo.cgi | 21 ++++++++------ html/cgi-bin/proxy.cgi | 5 +++- 4 files changed, 32 insertions(+), 43 deletions(-) Difference in files: diff --git a/config/rootfiles/core/101/filelists/files b/config/rootfiles/cor= e/101/filelists/files index 409e5fe..0f75ac8 100644 --- a/config/rootfiles/core/101/filelists/files +++ b/config/rootfiles/core/101/filelists/files @@ -1,2 +1,5 @@ etc/system-release etc/issue +srv/web/ipfire/cgi-bin/chpasswd.cgi +srv/web/ipfire/cgi-bin/ipinfo.cgi +srv/web/ipfire/cgi-bin/proxy.cgi diff --git a/html/cgi-bin/chpasswd.cgi b/html/cgi-bin/chpasswd.cgi index ae9e6ec..0a66062 100644 --- a/html/cgi-bin/chpasswd.cgi +++ b/html/cgi-bin/chpasswd.cgi @@ -20,6 +20,7 @@ ############################################################################= ### =20 use CGI qw(param); +use Apache::Htpasswd; use Crypt::PasswdMD5; =20 $swroot =3D "/var/ipfire"; 
@@ -74,48 +75,25 @@ if ($cgiparams{'SUBMIT'} eq $tr{'advproxy chgwebpwd chang= e password'}) $errormessage =3D $tr{'advproxy errmsg password length 1'}.$proxysettings{= 'NCSA_MIN_PASS_LEN'}.$tr{'advproxy errmsg password length 2'}; goto ERROR; } - if (! -z $userdb) - { - open FILE, $userdb; - @users =3D ; - close FILE; =20 - $username =3D ''; - $cryptpwd =3D ''; + my $htpasswd =3D new Apache::Htpasswd("$userdb"); =20 - foreach (@users) - { - chomp; - @temp =3D split(/:/,$_); - if ($temp[0] =3D~ /^$cgiparams{'USERNAME'}$/i) - { - $username =3D $temp[0]; - $cryptpwd =3D $temp[1]; - } - } - } - if ($username eq '') - { + # Check if a user with this name exists + my $old_password =3D $htpasswd->fetchPass($cgiparams{'USERNAME'}); + if (!$old_password) { $errormessage =3D $tr{'advproxy errmsg invalid user'}; goto ERROR; } - if ( - !(crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd) && - !(apache_md5_crypt($cgiparams{'OLD_PASSWORD'}, $cryptpwd) eq $cryptpwd) - ) - { + + # Reset password + if (!$htpasswd->htpasswd($cgiparams{'USERNAME'}, $cgiparams{'NEW_PASSWORD_1= '}, + $cgiparams{'OLD_PASSWORD'})) { $errormessage =3D $tr{'advproxy errmsg password incorrect'}; goto ERROR; } - $returncode =3D system("/usr/sbin/htpasswd -b $userdb $username $cgiparams{= 'NEW_PASSWORD_1'}"); - if ($returncode =3D=3D 0) - { - $success =3D 1; - undef %cgiparams; - } else { - $errormessage =3D $tr{'advproxy errmsg change fail'}; - goto ERROR; - } + + $success =3D 1; + undef %cgiparams; } =20 ERROR: diff --git a/html/cgi-bin/ipinfo.cgi b/html/cgi-bin/ipinfo.cgi index 71098a2..8cefe6e 100644 --- a/html/cgi-bin/ipinfo.cgi +++ b/html/cgi-bin/ipinfo.cgi @@ -19,6 +19,7 @@ # = # ############################################################################= ### =20 +use CGI; use IO::Socket; use strict; =20 
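Review bot: Every failure of `$htpasswd->htpasswd(...)` in the new "Reset password" branch is reported as 'advproxy errmsg password incorrect', so a write or locking problem on `$userdb` would look to the user like a wrong old password; the removed code had a separate 'advproxy errmsg change fail' path for that case. Apache::Htpasswd keeps the last failure text in `$htpasswd->error`, which could be logged or used to pick between the two messages. The user name is now passed to the library exactly as submitted, whereas the removed loop matched it case-insensitively and then used the name stored in the file, so a short comment such as `# USERNAME must match the stored entry exactly (case-sensitive)` would record that change. As a style point, `new Apache::Htpasswd("$userdb")` is indirect object syntax with a needless string copy; `Apache::Htpasswd->new($userdb)` is the usual form. The enclosing `if ($cgiparams{'SUBMIT'} ...)` block starts above the hunk.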
@@ -34,18 +35,14 @@ my %cgiparams=3D(); =20 &Header::showhttpheaders(); =20 -&Header::getcgihash(\%cgiparams); - -$ENV{'QUERY_STRING'} =3D~s/&//g; -my @addrs =3D split(/ip=3D/,$ENV{'QUERY_STRING'}); - &Header::openpage($Lang::tr{'ip info'}, 1, ''); - &Header::openbigbox('100%', 'left'); my @lines=3D(); my $extraquery=3D''; -foreach my $addr (@addrs) { -next if $addr eq ""; + +my $addr =3D CGI::param("ip") || ""; + +if (&General::validip($addr)) { $extraquery=3D''; @lines=3D(); my $whoisname =3D "whois.arin.net"; @@ -91,6 +88,14 @@ next if $addr eq ""; } print "\n"; &Header::closebox(); +} else { + &Header::openbox('100%', 'left', $Lang::tr{'invalid ip'}); + print < + $Lang::tr{'invalid ip'} +
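Review bot: The new `my $addr = CGI::param("ip") || "";` line has no comment saying that only the first `ip` parameter is now honoured, where the removed loop processed every `ip=` value in the query string; I would add `# Only the first "ip" parameter is used; everything below runs only if it passes validip().` above it. The `$extraquery=''; @lines=();` statements directly inside the `if` repeat the initialisation two lines earlier and look like leftovers from the loop body. The lines that print the whois response lie between this hunk and the next, so whether that remote data is HTML-escaped before output cannot be checked from here and is worth confirming. The `if` block opened here closes in the following hunk.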

+EOF + &Header::closebox(); } =20 print <htpasswd($str_user, $str_pass); } =20 if ($str_group eq 'standard') { open(FILE, ">>$stdgrp"); hooks/post-receive -- IPFire 2.x development tree --===============3676418590035994354==--