CVE-2022-0753: Fix XXS issues (#2432) · hestiacp/hestiacp@ee10e22
Reflected cross-site scripting (XSS) in the hestiacp/hestiacp GitHub repository prior to version 1.5.9.
@@ -5,7 +5,7 @@
// Delete as someone else?
if (($_SESSION[‘userContext’] === ‘admin’) && (!empty($_GET[‘user’]))) {
$user=$_GET[‘user’];
$user=scapeshellarg($user);
****TriggerLab** Feb 22, 2022**
mistake commit :)
****jaapmarcus** Feb 22, 2022**
Author Member
Resolved in staging branch
}
// Check token
@@ -15,10 +15,13 @@
if ((!empty($_GET[‘domain’])) && (empty($_GET[‘account’]))) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET[‘domain’]);
exec(HESTIA_CMD."v-delete-mail-domain “.$v_username.” ".$v_domain, $output, $return_var);
exec(HESTIA_CMD."v-delete-mail-domain “.$user.” ".$v_domain, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
$back = $_SESSION[‘back’];
if($return_var > 0){
header(“Location: /list/mail/”);
}
if (!empty($back)) {
header("Location: ".$back);
exit;
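Review bot: The new error-path redirect `header("Location: /list/mail/");` in the `$return_var > 0` branch is not followed by `exit;`, so execution falls through to the `if (!empty($back))` check below it and, whenever the session holds a `back` URL, the later `header("Location: ".$back)` replaces the first Location header — the error redirect never takes effect (the mail-account branch further down uses an if/else for the same check, which avoids this). Change the branch to `header("Location: /list/mail/"); exit;`. Separately, `$v_username = escapeshellarg($user);` directly above the exec is now dead, since the exec passes `$user` instead; either delete that assignment or pass `$v_username` so the shell escaping is applied at the point of use, consistent with `$v_domain`. How `$user` is initialised on the non-admin path is outside this hunk, so whether it reaches the exec escaped on every path cannot be confirmed from here.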
@@ -29,19 +32,22 @@
// Mail account
if ((!empty($_GET[‘domain’])) && (!empty($_GET[‘account’]))) {
$v_username = escapeshellarg($user);
$v_domain = escapeshellarg($_GET[‘domain’]);
$v_account = escapeshellarg($_GET[‘account’]);
exec(HESTIA_CMD."v-delete-mail-account “.$v_username.” “.$v_domain.” ".$v_account, $output, $return_var);
exec(HESTIA_CMD."v-delete-mail-account “.$user.” “.$v_domain.” ".$v_account, $output, $return_var);
check_return_code($return_var, $output);
unset($output);
if($return_var > 0){
header(“Location: /list/mail/”);
}else{
$back = $_SESSION[‘back’];
if (!empty($back)) {
header("Location: ".$back);
exit;
}
header("Location: /list/mail/?domain=".$_GET[‘domain’]);
exit;
}
}
$back = $_SESSION[‘back’];