From 5e5085d97153d9646751b3987e07294fcbc28d53 Mon Sep 17 00:00:00 2001
From: danbgds
Date: Sun, 2 Jun 2019 11:53:17 -0400
Subject: [PATCH] Updated fixes for CVE-2019-11409 (#4170)
---
 app/basic_operator_panel/exec.php | 54 ++++++++++++++++++++----------
 app/basic_operator_panel/index.php | 39 +++++++++++----------
 2 files changed, 56 insertions(+), 37 deletions(-)
diff --git a/app/basic_operator_panel/exec.php b/app/basic_operator_panel/exec.php
index 259e52d893..1b71c20776 100644
--- a/app/basic_operator_panel/exec.php
+++ b/app/basic_operator_panel/exec.php
@@ -80,7 +80,7 @@ if (count($_GET)>0) {
 //setup the event socket connection
 $fp = event_socket_create($_SESSION['event_socket_ip_address'], $_SESSION['event_socket_port'], $_SESSION['event_socket_password']);
-
+/*
 //get the status
 if (stristr($action, 'user_status') == true) {
 $user_status = $data;
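Review bot: The old user-status handling is disabled with an opening `/*` here rather than deleted, and the same is done for the mod_callcenter status mapping and the record-stop handling in the two following exec.php hunks (`@@ -176,8` and `@@ -197,6`). Commented-out blocks that still reference `$switch_cmd` and `$action` drift from the live code and invite someone to re-enable them later; the commit history already preserves the old implementation, so removing the dead code outright is cleaner. The `if (count($_GET)>0)` block that encloses this hunk starts outside it.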
@@ -119,32 +119,50 @@ if (count($_GET)>0) { $user_status = ""; } } +*/ //allow specific commands if (strlen($switch_cmd) > 0) { - if (stristr($switch_cmd, 'originate') == true) {} - elseif (stristr($switch_cmd, 'uuid_record') == true) {} - elseif (stristr($switch_cmd, 'uuid_transfer') == true) {} - elseif (stristr($switch_cmd, 'eavesdrop') == true) {} - elseif (stristr($switch_cmd, 'uuid_kill') == true) {} - else { - $switch_cmd = ''; - } - if (stristr($switch_cmd, 'system') == true) { - $switch_cmd = ''; - } - } + $api_cmd = ''; + $uuid_pattern = '/[^-A-Fa-f0-9]/'; + $num_pattern = '/[^-A-Za-z0-9()*#]/'; - //switch cmd - if (strlen($switch_cmd) > 0) { + if ($switch_cmd == 'originate') { + $source = preg_replace($num_pattern,'',$_GET['source']); + $destination = preg_replace($num_pattern,'',$_GET['destination']); + $api_cmd = 'bgapi originate {sip_auto_answer=true,origination_caller_id_number=' . $source . ',sip_h_Call-Info=_undef_}user/' . $source . '@' . $_SESSION['domain_name'] . ' ' . $destination . ' XML ' . trim($_SESSION['user_context']); + } elseif ($switch_cmd == 'uuid_record') { + $uuid = preg_replace($uuid_pattern,'',$_GET['uuid']); + $api_cmd = 'uuid_record ' . $uuid . ' start ' . $_SESSION['switch']['recordings']['dir'] . '/' . $_SESSION['domain_name'] . '/archive/' . date('Y/M/d') . '/' . $uuid . '.wav'; + } elseif ($switch_cmd == 'uuid_transfer') { + $uuid = preg_replace($uuid_pattern,'',$_GET['uuid']); + $destination = preg_replace($num_pattern,'',$_GET['destination']); + $api_cmd = 'uuid_transfer ' . $uuid . ' ' . $destination . ' XML ' . trim($_SESSION['user_context']); + } elseif ($switch_cmd == 'uuid_eavesdrop') { + $chan_uuid = preg_replace($uuid_pattern,'',$_GET['chan_uuid']); + $ext = preg_replace($num_pattern,'',$_GET['ext']); + $destination = preg_replace($num_pattern,'',$_GET['destination']); + $language = new text; + $text = $language->get(); + + $api_cmd = 'bgapi originate {origination_caller_id_name=' . $text['label-eavesdrop'] . 
',origination_caller_id_number=' . $ext . '}user/' . $destination . '@' . $_SESSION['domain_name'] . ' &eavesdrop(' . $chan_uuid . ')'; + } elseif ($switch_cmd == 'uuid_kill') { + $call_id = preg_replace($uuid_pattern,'',$_GET['call_id']); + $api_cmd = 'uuid_kill ' . $call_id; + } else { + echo 'access denied'; + return; + } + + + /* //set the status so they are compatible with mod_callcenter $switch_cmd = str_replace("Available_On_Demand", "'Available (On Demand)'", $switch_cmd); $switch_cmd = str_replace("Logged_Out", "'Logged Out'", $switch_cmd); $switch_cmd = str_replace("On_Break", "'On Break'", $switch_cmd); $switch_cmd = str_replace("Do_Not_Disturb", "'Logged Out'", $switch_cmd); - /* //if ($action == "energy") { //conference 3001-example.org energy 103 $switch_result = event_socket_request($fp, 'api '.$switch_cmd); @@ -176,8 +194,9 @@ if (count($_GET)>0) { */ //run the command - $switch_result = event_socket_request($fp, 'api '.$switch_cmd); + $switch_result = event_socket_request($fp, 'api '.$api_cmd); + /* //record stop if ($action == "record") { if (trim($_GET["action2"]) == "stop") { @@ -197,6 +216,7 @@ if (count($_GET)>0) { } } } + */ } } diff --git a/app/basic_operator_panel/index.php b/app/basic_operator_panel/index.php index 160196fff5..2fb817d893 100644 --- a/app/basic_operator_panel/index.php +++ b/app/basic_operator_panel/index.php @@ -239,11 +239,11 @@ } else { if (from_ext != to_ext) { // prevent user from dragging extention onto self - cmd = get_originate_cmd(from_ext+'@', to_ext); //make a call + cmd = get_originate_cmd(from_ext, to_ext); //make a call } } - if (cmd != '') { send_cmd('exec.php?cmd='+escape(cmd)); } + if (cmd != '') { send_cmd(cmd) } refresh_start(); } 
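Review bot: The sanitised values are never checked for emptiness before being spliced into the command, so a request whose `uuid`, `call_id`, `source` or `destination` is missing or is entirely stripped by `preg_replace` still reaches `event_socket_request` with a malformed command such as `uuid_kill ` instead of taking the `access denied` path (an absent `$_GET['uuid']` also raises an undefined-index notice). Read each parameter with `$_GET['uuid'] ?? ''`, and after sanitising reject the request when the result is empty, e.g. `if ($uuid === '') { echo 'access denied'; return; }`. The command comparisons use loose `==` (`$switch_cmd == 'originate'`); `===` avoids PHP's string/number juggling here. The sanitised `source` is still client-supplied and nothing in this hunk ties it to the operator's own extension, so it is worth confirming that such an authorisation check exists elsewhere. The enclosing `if (count($_GET)>0)` block and the assignment of `$switch_cmd` are outside the hunk.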
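Review bot: The new `send_cmd(cmd)` call has no terminating semicolon, unlike `send_cmd(cmd);` at the other replaced call sites in index.php; the same omission appears in `kill_call` and `eavesdrop_call` in the `@@ -297,17` hunk and in the `url = ...` lines of `get_transfer_cmd` and `get_originate_cmd` in the `@@ -396,23` hunk. Automatic semicolon insertion rescues these today, but it leaves the file inconsistent and a later edit that starts the next line with `(` or `[` would change the meaning; write `send_cmd(cmd);`. The drag handler enclosing this hunk starts outside it.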
@@ -280,13 +280,13 @@ if (destination != '') { if (!isNaN(parseFloat(destination)) && isFinite(destination)) { if (call_id == '') { - cmd = get_originate_cmd(from_ext+'@', destination); //make a call + cmd = get_originate_cmd(from_ext, destination); //make a call } else { cmd = get_transfer_cmd(call_id, destination); } if (cmd != '') { - send_cmd('exec.php?cmd='+escape(cmd)); + send_cmd(cmd); $('#destination_'+from_ext+'_'+which).removeAttr('onblur'); toggle_destination(from_ext, which); } @@ -297,17 +297,16 @@ //kill call function kill_call(call_id) { if (call_id != '') { - cmd = 'uuid_kill ' + call_id; - send_cmd('exec.php?cmd='+escape(cmd)); + send_cmd('exec.php?cmd=uuid_kill&call_id=' + call_id) } } //eavesdrop call function eavesdrop_call(ext, chan_uuid) { if (ext != '' && chan_uuid != '') { - cmd = get_eavesdrop_cmd(ext, chan_uuid); + cmd = get_eavesdrop_cmd(ext, chan_uuid, document.getElementById('eavesdrop_dest').value); if (cmd != '') { - send_cmd('exec.php?cmd='+escape(cmd)); + send_cmd(cmd) } } } @@ -317,7 +316,7 @@ if (chan_uuid != '') { cmd = get_record_cmd(chan_uuid); if (cmd != '') { - send_cmd('exec.php?cmd='+escape(cmd)); + send_cmd(cmd); } } } 
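Review bot: `kill_call` interpolates `call_id` straight into the query string (`'exec.php?cmd=uuid_kill&call_id=' + call_id`) without `encodeURIComponent`, and the four URL builders in the `@@ -396,23` hunk (`get_transfer_cmd`, `get_originate_cmd`, `get_eavesdrop_cmd`, `get_record_cmd`) do the same with `uuid`, `source`, `destination`, `ext` and `chan_uuid`. The replaced code at least passed the whole command through `escape()`; now a destination containing `#`, which the server-side `$num_pattern` deliberately accepts, is truncated as a URL fragment before it ever reaches exec.php, and a stray `&` splits the value into a separate parameter. Wrap each value, e.g. `send_cmd('exec.php?cmd=uuid_kill&call_id=' + encodeURIComponent(call_id));`, and likewise `"&destination=" + encodeURIComponent(destination)` in the builders.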
@@ -396,23 +395,23 @@ } function get_transfer_cmd(uuid, destination) { - cmd = "uuid_transfer " + uuid + " " + destination + " XML "; - return cmd; + url = "exec.php?cmd=uuid_transfer&uuid=" + uuid + "&destination=" + destination + return url; } function get_originate_cmd(source, destination) { - cmd = "bgapi originate {sip_auto_answer=true,origination_caller_id_number=" + destination + ",sip_h_Call-Info=_undef_}user/" + source + " " + destination + " XML "; - return cmd; + url = "exec.php?cmd=originate&source=" + source + "&destination=" + destination + return url; } - function get_eavesdrop_cmd(ext, chan_uuid) { - cmd = "bgapi originate {origination_caller_id_name=,origination_caller_id_number=" + ext + "}user/"+(document.getElementById('eavesdrop_dest').value)+"@ &eavesdrop(" + chan_uuid + ")"; - return cmd; + function get_eavesdrop_cmd(ext, chan_uuid, destination) { + url = "exec.php?cmd=uuid_eavesdrop&ext=" + ext + "&chan_uuid=" + chan_uuid + "&destination=" + destination; + return url; } function get_record_cmd(uuid) { - cmd = "uuid_record " + uuid + " start /archive////" + uuid + ".wav"; - return cmd; + url = "exec.php?cmd=uuid_record&uuid=" + uuid; + return url; } //virtual functions @@ -441,11 +440,11 @@ cmd = get_transfer_cmd(document.getElementById('vd_call_id').value, document.getElementById('vd_ext_to').value); //transfer a call } else { - cmd = get_originate_cmd(document.getElementById('vd_ext_from').value + '@', document.getElementById('vd_ext_to').value); //originate a call + cmd = get_originate_cmd(document.getElementById('vd_ext_from').value, document.getElementById('vd_ext_to').value); //originate a call } if (cmd != '') { //alert(cmd); - send_cmd('exec.php?cmd='+escape(cmd)); + send_cmd(cmd); } } virtual_drag_reset();
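Review bot: Each rewritten builder assigns `url` without `var`/`let`, creating an implicit global; the replaced `cmd` did the same, so this may be the file's habit, but `var url = ...` keeps the value local to the function. The functions are still named `get_*_cmd` and every caller still stores the result in `cmd`, although they now return an `exec.php?...` URL rather than a FreeSWITCH command, which will mislead a future reader; a one-line comment on each builder such as `// returns the exec.php URL for this action; the switch command itself is assembled server-side` would make the new contract explicit.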