Bugfix: command injection vulnerabilities

ajax/networking/get_netcfg.php

@@ -3,11 +3,11 @@
 require '../../includes/csrf.php';
 require_once '../../includes/config.php';
 
-$interface = $_GET['iface'];
+$interface = $_POST['iface'];
 
 if (isset($interface)) {
     // fetch dnsmasq.conf settings for interface
-    exec('cat '. RASPI_DNSMASQ_PREFIX.$interface.'.conf', $return);
+    exec('cat '. escapeshellarg(RASPI_DNSMASQ_PREFIX.$interface.'.conf'), $return);
     $conf = ParseConfig($return);
 
     $dhcpdata['DHCPEnabled'] = empty($conf) ? false : true;

app/img/wifi-qr-code.php

@@ -3,6 +3,7 @@
 require_once '../../includes/config.php';
 require_once '../../includes/defaults.php';
 require_once '../../includes/functions.php';
+require_once '../../includes/locale.php';
 
 // prevent direct file access
 if (!isset($_SERVER['HTTP_REFERER'])) {
@@ -41,7 +42,7 @@ function qr_encode($str)
 $password = qr_encode($password);
 
 $data = "WIFI:S:$ssid;T:$type;P:$password;$hidden;";
-$command = "qrencode -t svg -m 0 -o - " . mb_escapeshellarg($data);
+$command = "qrencode -t svg -m 0 -o - " . escapeshellarg($data);
 $svg = shell_exec($command);
 
 $config_mtime  = filemtime(RASPI_HOSTAPD_CONFIG);

app/js/custom.js

@@ -178,8 +178,8 @@ Populates the DHCP server form fields
 Option toggles are set dynamically depending on the loaded configuration
 */
 function loadInterfaceDHCPSelect() {
-    var iface = $('#cbxdhcpiface').val();
-    $.get('ajax/networking/get_netcfg.php?iface='+iface,function(data){
+    var strInterface = $('#cbxdhcpiface').val();
+    $.post('ajax/networking/get_netcfg.php',{iface:strInterface},function(data){
         jsonData = JSON.parse(data);
         $('#dhcp-iface')[0].checked = jsonData.DHCPEnabled;
         $('#txtipaddress').val(jsonData.StaticIP);

includes/functions.php

@@ -518,19 +518,6 @@ function cache($key, $callback)
     }
 }
 
-// insspired by
-// http://markushedlund.com/dev/php-escapeshellarg-with-unicodeutf-8-support
-function mb_escapeshellarg($arg)
-{
-    $isWindows = strtolower(substr(PHP_OS, 0, 3)) === 'win';
-    if ($isWindows) {
-        $escaped_arg = str_replace(array('"', '%'), '', $arg);
-    } else {
-        $escaped_arg = str_replace("'", "'\\''", $arg);
-    }
-    return "\"$escaped_arg\"";
-}
-
 function dnsServers()
 {
     $data = json_decode(file_get_contents("./config/dns-servers.json"));

includes/hostapd.php

@@ -59,9 +59,8 @@ function DisplayHostAPDConfig()
             }
         }
     }
-
     exec('cat '. RASPI_HOSTAPD_CONFIG, $hostapdconfig);
-    exec('iwgetid '. $_POST['interface']. ' -r', $wifiNetworkID);
+    exec('iwgetid '. escapeshellarg($_POST['interface']). ' -r', $wifiNetworkID);
     if (!empty($wifiNetworkID[0])) {
         $managedModeEnabled = true;
     }

installers/common.sh

@@ -213,7 +213,7 @@ function _create_hostapd_scripts() {
     # Move service control shell scripts
     sudo cp "$webroot_dir/installers/"service*.sh "$raspap_dir/hostapd" || _install_status 1 "Unable to move service control scripts"
     # Make enablelog.sh and disablelog.sh not writable by www-data group.
-    sudo chown -c root:"$raspap_user" "$raspap_dir/hostapd/"*.sh || _install_status 1 "Unable change owner and/or group"
+    sudo chown -c root:root "$raspap_dir/hostapd/"*.sh || _install_status 1 "Unable change owner and/or group"
     sudo chmod 750 "$raspap_dir/hostapd/"*.sh || _install_status 1 "Unable to change file permissions"
     _install_status 0
 }
@@ -228,7 +228,7 @@ function _create_lighttpd_scripts() {
     sudo cp "$webroot_dir/installers/"configport.sh "$raspap_dir/lighttpd" || _install_status 1 "Unable to move service control scripts"
     # Make configport.sh writable by www-data group
     echo "Changing file ownership"
-    sudo chown -c root:"$raspap_user" "$raspap_dir/lighttpd/"*.sh || _install_status 1 "Unable change owner and/or group"
+    sudo chown -c root:root "$raspap_dir/lighttpd/"*.sh || _install_status 1 "Unable change owner and/or group"
     sudo chmod 750 "$raspap_dir/lighttpd/"*.sh || _install_status 1 "Unable to change file permissions"
     _install_status 0
 }
@@ -310,8 +310,9 @@ function _install_adblock() {
     echo "Moving and setting permissions for blocklist update script"
     sudo cp "$webroot_dir/installers/"update_blocklist.sh "$raspap_dir/adblock" || _install_status 1 "Unable to move blocklist update script"
 
-    # Make blocklists and update script writable by www-data group
-    sudo chown -c root:"$raspap_user" "$raspap_dir/adblock/"*.* || _install_status 1 "Unable to change owner/group"
+    # Make blocklists writable by www-data group, restrict update scripts to root
+    sudo chown -c root:"$raspap_user" "$raspap_dir/adblock/"*.txt || _install_status 1 "Unable to change owner/group"
+    sudo chown -c root:root "$raspap_dir/adblock/"*.sh || _install_status 1 "Unable to change owner/group"
     sudo chmod 750 "$raspap_dir/adblock/"*.sh || install_error "Unable to change file permissions"
 
     # Create 090_adblock.conf and write values to /etc/dnsmasq.d
@@ -400,11 +401,11 @@ function _create_openvpn_scripts() {
     _install_log "Creating OpenVPN control scripts"
     sudo mkdir $raspap_dir/openvpn || _install_status 1 "Unable to create directory '$raspap_dir/openvpn'"
 
-   # Move service auth control & logging shell scripts
+    # Move service auth control & logging shell scripts
     sudo cp "$webroot_dir/installers/"configauth.sh "$raspap_dir/openvpn" || _install_status 1 "Unable to move auth control script"
     sudo cp "$webroot_dir/installers/"openvpnlog.sh "$raspap_dir/openvpn" || _install_status 1 "Unable to move logging script"
-    # Make scripts executable by www-data group
-    sudo chown -c root:"$raspap_user" "$raspap_dir/openvpn/"*.sh || _install_status 1 "Unable change owner and/or group"
+    # Restrict script execution to root user
+    sudo chown -c root:root "$raspap_dir/openvpn/"*.sh || _install_status 1 "Unable change owner and/or group"
     sudo chmod 750 "$raspap_dir/openvpn/"*.sh || _install_status 1 "Unable to change file permissions"
     _install_status 0
 }
@@ -490,9 +491,10 @@ function _move_config_file() {
         _install_status 1 "'$raspap_dir' directory doesn't exist"
     fi
 
+    # Copy config file and make writable by www-data group
     _install_log "Moving configuration file to $raspap_dir"
     sudo cp "$webroot_dir"/raspap.php "$raspap_dir" || _install_status 1 "Unable to move files to '$raspap_dir'"
-    sudo chown -R $raspap_user:$raspap_user "$raspap_dir" || _install_status 1 "Unable to change file ownership for '$raspap_dir'"
+    sudo chown -c $raspap_user:"$raspap_user" "$raspap_dir"/raspap.php || _install_status 1 "Unable change owner and/or group"
 }
 
 # Set up default configuration
@@ -506,8 +508,8 @@ function _default_configuration() {
         sudo cp $webroot_dir/config/dhcpcd.conf /etc/dhcpcd.conf || _install_status 1 "Unable to move dhcpcd configuration file"
         sudo cp $webroot_dir/config/defaults.json $raspap_network || _install_status 1 "Unable to move defaults.json settings"
 
-        echo "Changing file ownership of $raspap_dir"
-        sudo chown -R $raspap_user:$raspap_user "$raspap_dir" || _install_status 1 "Unable to change file ownership for '$raspap_dir'"
+        echo "Changing file ownership of ${raspap_network}/defaults.json"
+        sudo chown $raspap_user:$raspap_user "$raspap_network"/defaults.json || _install_status 1 "Unable to change file ownership for defaults.json"
 
         echo "Checking for existence of /etc/dnsmasq.d"
         [ -d /etc/dnsmasq.d ] || sudo mkdir /etc/dnsmasq.d