From 60619559823aaa3bfe50bee1c6e9c0e529c5e672 Mon Sep 17 00:00:00 2001 From: Daniele <1950630+vtenext-dan@users.noreply.github.com> Date: Tue, 10 Aug 2021 09:39:20 +0200 Subject: [PATCH 1/3] TT228766 Security fix --- vteversion.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/vteversion.php b/vteversion.php index 3f76cfd..d202582 100644 --- a/vteversion.php +++ b/vteversion.php @@ -7,9 +7,9 @@ $patch_version = ''; $modified_database = ''; $vte_legacy_version = '5.2.1'; $enterprise_current_version = '20.04.1'; -$enterprise_current_build = '2208'; +$enterprise_current_build = '2210'; $enterprise_base_build = '2103'; // just to know where we started -$enterprise_mode = 'VTENEXT'; +$enterprise_mode = 'VTENEXTCE'; $enterprise_project = ''; -$enterprise_subversion = ''; +$enterprise_subversion = 'VTENEXTCE200401'; $enterprise_website = array('http://www.vtenext.com','vtenext.com','info@vtenext.com'); From 0b7471e3df52c6c285c74beeb8cd1c3a8c9b1e02 Mon Sep 17 00:00:00 2001 From: Daniele <1950630+vtenext-dan@users.noreply.github.com> Date: Tue, 10 Aug 2021 09:40:32 +0200 Subject: [PATCH 2/3] TTTT228766 - Security Fix --- Smarty/templates/ComposeEmail.tpl | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/Smarty/templates/ComposeEmail.tpl b/Smarty/templates/ComposeEmail.tpl index 656302c..d3ca19d 100644 --- a/Smarty/templates/ComposeEmail.tpl +++ b/Smarty/templates/ComposeEmail.tpl @@ -64,15 +64,15 @@ {if !empty($smarty.request.message)} - - + {* crmv@211287 *} + {* crmv@211287 *} {/if} {* crmv@2043m *} {if $smarty.request.reply_mail_converter neq ''} - - - + {* crmv@211287 *} + {* crmv@211287 *} + {* crmv@211287 *} {/if} {* crmv@2043me *} {* crmv@62394 - activity tracking inputs *} @@ -280,7 +280,6 @@ {* crmv@204525 *} - {* crmv@121575e *} {/foreach} @@ -482,6 +481,14 @@ jQuery(document).ready(function() {ldelim} }); }, FileUploaded: function(up, file, info) { + // crmv@228766 + var response = JSON.parse(info.response); + if(response.hasOwnProperty('error')){ + vtealert(response.error.message); + up.removeFile(file); + } + // crmv@228766e + // Called when a file has finished uploading jQuery('.plupload_buttons').show(); jQuery('.plupload_upload_status').hide(); @@ -519,7 +526,7 @@ jQuery(document).ready(function() {ldelim} jQuery.ajax({ url: 'index.php', method: 'POST', - data: "module=Documents&action=DocumentsAjax&file=EmailFile&record={/literal}{$smarty.request.rec}{literal}", + data: "module=Documents&action=DocumentsAjax&file=EmailFile&record={/literal}{$smarty.request.rec|@vtlib_purify|escape:'quotes'}{literal}",//crmv@211287 success: function(result) { } }); @@ -689,4 +696,4 @@ function remove_attach(self) { {/literal} - \ No newline at end of file + From 3faaec424da314ae9b1727e9b51799f67c8dbc13 Mon Sep 17 00:00:00 2001 From: Daniele <1950630+vtenext-dan@users.noreply.github.com> Date: Tue, 10 Aug 2021 09:41:07 +0200 Subject: [PATCH 3/3] TTTT228766 - Security Fix --- modules/Emails/plupload/upload.php | 49 ++++++++++++++++++++++++------ 1 file changed, 39 insertions(+), 10 deletions(-) diff --git a/modules/Emails/plupload/upload.php b/modules/Emails/plupload/upload.php index 7aed727..6bcebd6 100644 --- a/modules/Emails/plupload/upload.php +++ b/modules/Emails/plupload/upload.php @@ -10,15 +10,38 @@ * Contributing: http://www.plupload.com/contributing */ -// Settings -$targetDir = 'storage/uploads_emails_'.$_REQUEST['dir']; //crmv@2963m +//crmv@228766 +if(!isset($root_directory)){ + require('../../../config.inc.php'); +} +chdir($root_directory); +require_once('include/utils/utils.php'); +VteSession::start(); +if(!VteSession::hasKey('authenticated_user_id')) die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Not Authorized."}, "id" : "id"}'); +// crmv@228766e +// Settings +$targetDir = 'storage/uploads_emails_'.str_replace('../', '', $_REQUEST['dir']);//crmv@2963m crmv@228766 + +// crmv@228766 +$tempRootDir = rtrim($root_directory, "/"); // Create target dir if (!file_exists($targetDir)){ @mkdir($targetDir); + checkIfPathIsInStorage($targetDir, $tempRootDir); + @file_put_contents($targetDir."/index.html", "\n"); // crmv@195947 +} else { + checkIfPathIsInStorage($targetDir, $tempRootDir); } +function checkIfPathIsInStorage($path, $rootPath){ + if (strpos(dirname(realpath($path)), $rootPath.'/storage') !== 0){ + die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Bad dir."}, "id" : "id"}'); + } +} +// crmv@228766e + //crmv@81704 if ($_REQUEST['ckeditor'] == 'true'){ $response_arr = Array( @@ -60,7 +83,7 @@ if ($_REQUEST['ckeditor'] == 'true'){ } echo Zend_Json::encode($response_arr); exit; - + } //crmv@81704 e @@ -85,6 +108,13 @@ $chunk = isset($_REQUEST["chunk"]) ? $_REQUEST["chunk"] : 0; $chunks = isset($_REQUEST["chunks"]) ? $_REQUEST["chunks"] : 0; $fileName = isset($_REQUEST["name"]) ? $_REQUEST["name"] : ''; +// crmv@228766 +$ext = pathinfo($fileName, PATHINFO_EXTENSION); +if (is_array($upload_badext) && in_array($ext, $upload_badext)){ + die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "File type not supported."}, "id" : "id"}'); +} +// crmv@228766e + // Clean the fileName for security reasons $fileName = preg_replace('/[^\w\._]+/', '', $fileName); @@ -124,7 +154,7 @@ if (isset($_SERVER["HTTP_CONTENT_TYPE"])) if (isset($_SERVER["CONTENT_TYPE"])) $contentType = $_SERVER["CONTENT_TYPE"]; - + // Handle non multipart uploads older WebKit versions didn't support multipart in HTML5 if (strpos($contentType, "multipart") !== false) { if (isset($_FILES['file']['tmp_name']) && is_uploaded_file($_FILES['file']['tmp_name'])) { @@ -137,7 +167,7 @@ if (strpos($contentType, "multipart") !== false) { if ($in) { while ($buff = fread($in, 4096)) fwrite($out, $buff); - // crmv@205309 + // crmv@205309 } else { header("HTTP/1.0 500 Internal Server Error"); die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}'); @@ -159,8 +189,8 @@ if (strpos($contentType, "multipart") !== false) { } // crmv@205309e } - - // crmv@205309 + + // crmv@205309 } else { header("HTTP/1.0 500 Internal Server Error"); die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}'); @@ -176,7 +206,7 @@ if (strpos($contentType, "multipart") !== false) { if ($in) { while ($buff = fread($in, 4096)) fwrite($out, $buff); - // crmv@205309 + // crmv@205309 } else { header("HTTP/1.0 500 Internal Server Error"); die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}'); @@ -185,7 +215,7 @@ if (strpos($contentType, "multipart") !== false) { fclose($in); fclose($out); - + } else { // crmv@205309 // try to save in database @@ -204,4 +234,3 @@ if (strpos($contentType, "multipart") !== false) { // Return JSON-RPC response die('{"jsonrpc" : "2.0", "result" : null, "id" : "id"}'); //crmv@22123e -?>