
<?php

//////////////////////////////////////////////////////////////
//===========================================================
// index.php
//===========================================================
// SOFTACULOUS 
// Version : 1.1
// Inspired by the DESIRE to be the BEST OF ALL
// ----------------------------------------------------------
// Started by: Alons
// Date:       10th Jan 2009
// Time:       21:00 hrs
// Site:       http://www.softaculous.com/ (SOFTACULOUS)
// ----------------------------------------------------------
// Please Read the Terms of use at http://www.softaculous.com
// ----------------------------------------------------------
//===========================================================
// (c)Softaculous Inc.
//===========================================================
//////////////////////////////////////////////////////////////

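/**
 * Delete a file, but only when soft_is_safe_file() accepts the path.
 *
 * The safety check and the unlink() are two separate operations on a path
 * name, so the path can still change in between. The check narrows that
 * window; it does not close it.
 *
 * @param string $file Path of the file to remove.
 * @return bool True when the file was removed, false when the path was
 *              refused or unlink() failed.
 */
function soft_unlink_user_file($file){
	
	// Is the file safe to delete ?
	if(!soft_is_safe_file($file)) return false; // Security Fix
	
	// Hand the outcome back to the caller instead of returning nothing on this path
	return @unlink($file);
}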

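/**
 * Decide whether a path may be operated on.
 *
 * A path is refused when it is a symbolic link, or when it is not a
 * directory and has more than one hard link.
 *
 * The answer describes the path at the moment of the call only. Callers
 * that act on the path afterwards are still exposed to it changing.
 *
 * @param string $path Path to examine.
 * @return bool False for symbolic links and multiply-linked files, true otherwise
 *              (including when the path cannot be examined at all).
 */
function soft_is_safe_file($path){

	// Is it a symlink ?
	if(is_link($path)) return false;
	
	$stat = @stat($path);
	
	// stat() failed (for example the path does not exist): there is no link count to
	// inspect. The answer stays "true" as before, but without indexing into false.
	// NOTE(review): callers that need the path to exist have to check that themselves.
	if($stat === false) return true;
	
	// Is it a file with more than one hard link ?
	if(!is_dir($path) && $stat['nlink'] > 1) return false;
	
	return true;
}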

// Refuse to run at all when the real and the effective user ID are not the same
if(posix_geteuid() !== posix_getuid()){
	exit("EUID differs from UID. Haching Attempt !");
}

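// User-level half of the script. Everything in this branch runs with the IDs of the
// account user (not root) and the branch always ends in exit.
if(posix_getuid() != 0){
	
	$TMP_USER = posix_getpwuid(posix_geteuid());
	$TMP_HOME = $TMP_USER['dir'];

	// Backup / template downloads are handed to inc.php directly at user level.
	// NOTE(review): the './' test rejects only that one sequence. The code that opens the
	// requested file is not part of this file and has to validate the name itself - confirm.
	if((@$_GET['act'] == 'backups' || @$_GET['act'] == 'templates') && !empty($_GET['download']) && substr_count($_GET['download'], './') == 0){
		header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
		header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
		header("Content-Type: text/html; charset=UTF-8");
		// The name comes straight from the query string: strip control characters, double
		// quotes and backslashes so it cannot end the quoted filename parameter early.
		header('Content-Disposition: attachment; filename="'.preg_replace('/[\x00-\x1F\x7F"\\\\]/', '', $_GET['download']).'"');
		include_once('inc.php');
		exit(0);
	}

	if(@$_GET['act'] == 'wordpress' && !empty($_GET['render_image'])){
		header('Content-Type: image/png');
	}

	// If we have already passed the call to binary and still we are not root we need to die here to avoid infinite loop
	if(!empty($argv[1]) && strlen($argv[1]) == 32){
		echo 'Incorrect binary permission ';
		exit(1);
	}

	header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
	header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past
	
	//cPanel recently enabled tweak setting(Use X-Frame-Options and X-Content-Type-Options headers) by default which blocks script tags which was causing issue to load the "top act" via index.auto.tmpl, hence to load "act top" we pass Content-Type: text/javascript
	if(@$_GET['act'] == 'top'){
		header("Content-Type: text/javascript; charset=UTF-8");
	}else{
		header("Content-Type: text/html; charset=UTF-8");
	}
	
	if(@$_GET['act'] == 'backups' && !empty($_GET['download']) && substr_count($_GET['download'], './') == 0){
		// Same filtering as in the direct download branch above
		header('Content-Disposition: attachment; filename="'.preg_replace('/[\x00-\x1F\x7F"\\\\]/', '', $_GET['download']).'"');
	}
	
	// Per-user session directory inside the account's home folder
	if(!is_dir($TMP_HOME.'/.softaculous/sess/')){
		@mkdir($TMP_HOME.'/.softaculous/sess/', 0711, true);
	}

	// Snapshot of the whole request. It is written to a file so that the root-side
	// half of this script can restore it.
	$array = array();
	$array['SERVER'] = $_SERVER;
	$array['POST'] = $_POST;
	$array['GET'] = $_GET;
	$array['REQUEST'] = $_REQUEST;
	$array['COOKIE'] = $_COOKIE;
	$array['FILES'] = $_FILES;

	// Session id = file name. md5() yields 32 lower-case hex characters and str_shuffle()
	// only reorders them, so the value never contains shell metacharacters.
	if(function_exists('random_bytes')){
		$sess = md5(bin2hex(random_bytes(32)));
	}else{
		// NOTE(review): time-based fallback for PHP builds without random_bytes();
		// it is not a cryptographically strong source.
		$sess = str_shuffle(md5(uniqid(microtime())));
	}
	
	$file = $TMP_HOME.'/.softaculous/sess/'.$sess;
	
	// Touch the file
	// The file is created empty and restricted to the owner before any request data
	// (POST fields, cookies) is written into it.
	touch($file);
	chmod($file, 0600);
	
	$fp = fopen($file, "a");

	if(empty($fp)){
		die('Could not write SESSION DATA.');
	}

	fwrite($fp, json_encode($array));
	fclose($fp);
	chmod($file, 0600);
	
	// Hand the session id to the soft binary and relay whatever it prints.
	// Presumably the binary re-runs this script as root with the id in $argv[1]
	// (that is what the root-side code further down expects) - confirm.
	echo shell_exec('/usr/local/cpanel/whostmgr/docroot/cgi/softaculous/bin/soft sess '.$sess);
	@soft_unlink_user_file($file); // load.php will also try to delete it!

	// Just to ensure that there should not be any files as a security measures.
	// The sweep only runs when the current minute is even.
	$d = date('i');
	if($d % 2 == 0){
		
		if ($dh = opendir($TMP_HOME.'/.softaculous/sess/')) {
			
			while (($dfile = readdir($dh)) !== false) {
				if($dfile == '.' || $dfile == '..') continue;
				
				clearstatcache();
				$stime = filemtime($TMP_HOME.'/.softaculous/sess/'.$dfile);

				// Delete the file if its there for more than 10 seconds
				if($stime < (time() - 10)){
					@soft_unlink_user_file($TMP_HOME.'/.softaculous/sess/'.$dfile);
				}
			}
			
			closedir($dh);
		}
	}
	
	exit(0);
}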

// Only root gets this far (the branch above exits for every other user).
// The session id has to arrive as the first command line argument.
if(empty($argv[1])){
	exit('Hacking Attempt');
}

// It must be exactly 32 ASCII letters or digits, nothing else
if(!preg_match('/^[A-Za-z0-9]{32}$/D', $argv[1])){
	exit('Wrong input file given');
}

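// Security check
// The IDs of the user this request belongs to are taken from the environment.
// NOTE(review): presumably the soft binary sets these two variables - confirm.
$orig_gid = (int) getenv('soft_egid');
$orig_uid = (int) getenv('soft_euid');

// getenv() returns false for a missing variable and the cast turns that, like any
// non-numeric value, into 0. UID 0 is never an acceptable target (the "Still Root ?"
// check after the privilege switch refuses it as well), so stop before any file is
// read on its behalf.
if($orig_uid === 0){
	die('Unauthorised web access');
}

// Get the home folder
$TMP_USER = posix_getpwuid($orig_uid);

// No passwd entry, or no home directory: there is no session directory to look in
if(empty($TMP_USER['dir'])){
	die('Unauthorised web access');
}

$TMP_HOME = $TMP_USER['dir'];

// The session file must exist and belong to exactly that user and group.
// NOTE(review): stat() follows symbolic links and examines the path, not an open handle.
// The file is opened again by name further down, so the same ownership test should also
// hold for the handle that is actually read.
$tmpstat = stat($TMP_HOME.'/.softaculous/sess/'.$argv[1]);

if(empty($tmpstat) || $tmpstat['uid'] !== $orig_uid || $tmpstat['gid'] !== $orig_gid){
	die('Unauthorised web access');
}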

// Look up the passwd entry of the user named in REMOTE_USER. The result is compared
// with the IDs from soft_euid / soft_egid at the end of this section.
// NOTE(review): $_ENV is only filled when variables_order contains "E"; with REMOTE_USER
// missing the lookup gets no usable name - confirm how this script is launched.
$env_userdata = posix_getpwnam($_ENV['REMOTE_USER']);

// Is it a Team sub-user ? 
// REMOTE_USER has no passwd entry of its own: treat the part before '@' as a possible
// team member of the account named in USER.
// NOTE(review): USER is used unvalidated as a file name below /var/cpanel/team/ while the
// process is still root. Consider refusing values that contain '/' - confirm what sets it.
if(empty($env_userdata) && !empty($_ENV['USER'])){
	$team_user = strtok($_ENV['REMOTE_USER'], '@');
	if(file_exists('/var/cpanel/team/'.$_ENV['USER'])){
		$team_list = file('/var/cpanel/team/'.$_ENV['USER']);
		foreach($team_list as $tv){
			// Only the line that starts with "<team user>:" is of interest
			if(preg_match('/^'.preg_quote($team_user.':', '/').'/', $tv, $matches)){
				$tdata = explode(':', $tv);
				// Third colon-separated field: comma-separated list of roles
				// NOTE(review): file() keeps line endings, so if this field is the last one on
				// the line its final role still carries the newline - confirm the file format.
				if(!empty($tdata[2])){
					$roles = explode(',', $tdata[2]);
					// A team member with the admin role is mapped to the account owner
					if(in_array('admin', $roles)){
						$env_userdata = posix_getpwnam($_ENV['USER']);
					}
				}
				
				// The member was found but did not yield a usable owner entry
				if(empty($env_userdata)){
					die('Unauthorised access : Insufficient privileges');
				}
				
				break;
			}
		}
	}	
}

// Whatever passwd entry was resolved must carry exactly the expected UID and GID
if(empty($env_userdata) || $env_userdata['uid'] !== $orig_uid || $env_userdata['gid'] !== $orig_gid){
	die('Unauthorised web access : Incorrect username');
}

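// Read the session file through one handle and verify ownership on that handle, so the
// check applies to the very file whose content is used (a check by path name can be
// answered for a different file than the one that is opened afterwards).
$sess_path = $TMP_HOME.'/.softaculous/sess/'.$argv[1];
$sessdata = '';
$sess_fp = @fopen($sess_path, 'rb');

if(!empty($sess_fp)){
	
	$sess_stat = fstat($sess_fp);
	
	// 0170000 masks the file type bits, 0100000 marks a regular file
	if(empty($sess_stat) || ($sess_stat['mode'] & 0170000) !== 0100000 || $sess_stat['uid'] !== $orig_uid || $sess_stat['gid'] !== $orig_gid){
		fclose($sess_fp);
		die('Unauthorised web access');
	}
	
	$sessdata = stream_get_contents($sess_fp);
	fclose($sess_fp);
}

$array = json_decode($sessdata, true);

// Check if its a Valid SESSION File
if(empty($array) || !is_array($array)){
	die('ERROR LOADING DATA');
}

// Restore the request that the user-level half of this script captured.
// The file lives in the user's home directory, so every value restored here is
// user-supplied input and must not be used for authorisation decisions.
// Anything that is missing or not an array becomes an empty array.
$_SERVER = (isset($array['SERVER']) && is_array($array['SERVER'])) ? $array['SERVER'] : array();
$_POST = (isset($array['POST']) && is_array($array['POST'])) ? $array['POST'] : array();
$_GET = (isset($array['GET']) && is_array($array['GET'])) ? $array['GET'] : array();
$_REQUEST = (isset($array['REQUEST']) && is_array($array['REQUEST'])) ? $array['REQUEST'] : array();
$_COOKIE = (isset($array['COOKIE']) && is_array($array['COOKIE'])) ? $array['COOKIE'] : array();
$_FILES = (isset($array['FILES']) && is_array($array['FILES'])) ? $array['FILES'] : array();

// The session file has served its purpose
@soft_unlink_user_file($sess_path);
unset($sessdata, $array, $sess_path, $sess_fp, $sess_stat);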

//echo posix_getuid().'<br />';

// universal.php is loaded before the privilege switch further down, i.e. while this
// process is still root.
define('SOFTACULOUS', 1);
include_once dirname(__FILE__).'/universal.php';

// Optional overrides: conf/universal.json, when present, readable and not empty,
// is merged over the values universal.php put into $globals
if(file_exists($globals['path'].'/conf/universal.json')){
	if(is_readable($globals['path'].'/conf/universal.json') && filesize($globals['path'].'/conf/universal.json') > 0){
		
		$secure_file = @file_get_contents($globals['path'].'/conf/universal.json');
		
		if(!$secure_file){
			exit('Failed to load universal.json');
		}
		
		// Anything that does not decode to an array is ignored
		$secure_val = json_decode($secure_file, true);
		if(is_array($secure_val)){
			$globals = array_merge($globals, $secure_val);
		}
	}
}

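// Drop from root to the account user. The group goes first: once the UID is no longer 0
// the process is not allowed to change its GID any more. A failed call stops the request
// instead of being ignored.
// NOTE(review): posix_setgid() / posix_setuid() do not touch the supplementary group list.
// Confirm that the calling binary clears it, or set it explicitly (posix_initgroups())
// before this point.
if(!posix_setgid($orig_gid) || !posix_setuid($orig_uid)){
	echo 'ERROR IN SHIFTING TO USER LEVEL';exit(1);
}

// Remove the two ID variables from the environment again
putenv('soft_egid');
putenv('soft_euid');

// Still Root ?
// Besides "not root", the real and effective IDs must now be exactly the requested ones.
// The group is checked too: a process that kept its old GID would pass a UID-only test.
if(posix_getuid() == 0 || posix_geteuid() == 0
	|| posix_getuid() !== $orig_uid || posix_geteuid() !== $orig_uid
	|| posix_getgid() !== $orig_gid || posix_getegid() !== $orig_gid){
	echo 'ERROR IN SHIFTING TO USER LEVEL';exit(1);
}

//echo posix_getuid().'<br />';
//echo posix_getgid().'<br />';

// From here on the request is handled with the user's own privileges.
// NOTE(review): this is a relative include, unlike universal.php which is loaded via
// dirname(__FILE__). Confirm which directory it is meant to resolve against.
include_once('inc.php');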