vesta/web/bulk/db/index.php

<?php
// Init
error_reporting(NULL);
ob_start();
session_start();

include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

// Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
    header('location: /login/');
    exit();
}

$database = $_POST['database'];
$action = $_POST['action'];

if ($_SESSION['user'] == 'admin') {
    switch ($action) {
        case 'delete': $cmd='v-delete-database';
            break;
        case 'suspend': $cmd='v-suspend-database';
            break;
        case 'unsuspend': $cmd='v-unsuspend-database';
            break;
        default: header("Location: /list/db/"); exit;
    }
} else {
    switch ($action) {
        case 'delete': $cmd='v-delete-database';
            break;
        default: header("Location: /list/db/"); exit;
    }
}

foreach ($database as $value) {
    $value = escapeshellarg($value);
    exec (VESTA_CMD.$cmd." ".$user." ".$value, $output, $return_var);
}

header("Location: /list/db/");
added backup/cron/db/ip/package bulk operations 2012-09-27 23:20:37 +03:00			`<?php`
			`// Init`
			`error_reporting(NULL);`
			`ob_start();`
			`session_start();`

			`include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");`

UI update 2015-06-03 02:31:03 +03:00			`// Check token`
			`if ((!isset($_POST['token'])) \|\| ($_SESSION['token'] != $_POST['token'])) {`
			`header('location: /login/');`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exit();`
UI update 2015-06-03 02:31:03 +03:00			`}`

added backup/cron/db/ip/package bulk operations 2012-09-27 23:20:37 +03:00			`$database = $_POST['database'];`
			`$action = $_POST['action'];`

			`if ($_SESSION['user'] == 'admin') {`
			`switch ($action) {`
replaced underscore with dash in api syscalls 2012-11-09 18:26:32 +02:00			`case 'delete': $cmd='v-delete-database';`
added backup/cron/db/ip/package bulk operations 2012-09-27 23:20:37 +03:00			`break;`
replaced underscore with dash in api syscalls 2012-11-09 18:26:32 +02:00			`case 'suspend': $cmd='v-suspend-database';`
added backup/cron/db/ip/package bulk operations 2012-09-27 23:20:37 +03:00			`break;`
replaced underscore with dash in api syscalls 2012-11-09 18:26:32 +02:00			`case 'unsuspend': $cmd='v-unsuspend-database';`
added backup/cron/db/ip/package bulk operations 2012-09-27 23:20:37 +03:00			`break;`
			`default: header("Location: /list/db/"); exit;`
			`}`
			`} else {`
			`switch ($action) {`
replaced underscore with dash in api syscalls 2012-11-09 18:26:32 +02:00			`case 'delete': $cmd='v-delete-database';`
added backup/cron/db/ip/package bulk operations 2012-09-27 23:20:37 +03:00			`break;`
			`default: header("Location: /list/db/"); exit;`
			`}`
			`}`

			`foreach ($database as $value) {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$value = escapeshellarg($value);`
			`exec (VESTA_CMD.$cmd." ".$user." ".$value, $output, $return_var);`
added backup/cron/db/ip/package bulk operations 2012-09-27 23:20:37 +03:00			`}`

			`header("Location: /list/db/");`