Merge branch 'master' into pu

.gitignore

@@ -18,6 +18,7 @@ debian/alternc-slave
 debian/alternc-squirrelmail
 debian/alternc-upnp
 debian/files
+debian/.debhelper
 lang/de_DE.po
 lang/es_ES.po
 lang/fr_FR.po

README.md

@@ -19,30 +19,30 @@ This project native tongue is French, and the code is commented in English. The
 
 ## Developper information
 
-* This software is built around a Debian package for Jessie whose packaging instructions are located in [debian/](debian/) folder
+* This software is built around a Debian package for Stretch whose packaging instructions are located in [debian/](debian/) folder (this package can be installed on Jessie safely too)
 * To **build the packages**, clone this repository in a Debian machine and use `debuild` or `dpkg-buildpackage` from source code root.
-* If you want to **build it for Squeeze**, clone the source and patch it for Squeeze using [squeeze/patch.sh](squeeze/patch.sh) script. You'll be able to use dpkg-buildpackage to build the Wheezy version.
-* If you want to **build it for Wheezy**, clone the source and patch it for Wheezy using [wheezy/patch.sh](wheezy/patch.sh) script. You'll be able to use dpkg-buildpackage to build the Wheezy version.
-
 * The web control panel pages written in PHP are located in [bureau/admin](bureau/admin) and the associated PHP classes doing the stuff are in [bureau/class](bureau/class).
 
 ## Nightly build
 
-We have 3 nightly build repositories:
+We have 1 nightly build repositories:
+* stretch - [stable 3.5](http://stable-3-5.nightly.alternc.org/)
+
+and 3 nightly from former Debian releases (now unmaintained) 
 * jessie - [stable 3.3](http://stable-3-3.nightly.alternc.org/)
 * wheezy - [stable 3.2](http://stable-3-2.nightly.alternc.org/)
 * squeeze - [stable 3.1](http://stable-3-1.nightly.alternc.org/)
 
-To use one of them, create a file named `/etc/apt/sources.list.d/alternc-nightly-stable-3.3.list` (for debian jessie) as follow :
+To use one of them, create a file named `/etc/apt/sources.list.d/alternc-nightly-stable-3.5.list` (for debian Jessie or Stretch) as follow :
 
 ```
- deb http://stable-3-3.nightly.alternc.org/ latest/
+ deb http://stable-3-5.nightly.alternc.org/ latest/
 ```
 
 The repository and the packages are signed by the pgp key of AlternC nightly build user :
 
 ```
-wget http://stable-3-3.nightly.alternc.org/nightly.key -O - | apt-key add - 
+wget http://stable-3-5.nightly.alternc.org/nightly.key -O - | apt-key add - 
 ```
 
 ## License

bureau/admin/adm_variables.php

@@ -59,7 +59,7 @@ foreach( variables_list() as $vars) {  ?>
 
  <tr class="lst">
     <td><?php ehe($vars['name']); ?></td>
- <td><input type="text" name="<?php ehe($vars['name']); ?>" value="<?php ehe($vars['value']); ?>" /></td>
+ <td><input type="text" class="int" name="<?php ehe($vars['name']); ?>" value="<?php ehe($vars['value']); ?>" style="width: 200px"/></td>
     <td><?php ehe($vars['comment']); ?></td>
  </tr>
 <?php } ?>

bureau/admin/dom_edit.inc.php

@@ -136,7 +136,11 @@ $dom->unlock();
 } else {
  __("Add this subdomain");
 } 
-?>" /></td>
+?>" />
+<?php if ($isedit) { ?>
+              <input type="button" class="inb cancel" name="cancel" value="<?php __("Cancel"); ?>" onclick="document.location = 'dom_edit.php?domain=<?php echo $domain; ?>'"/>
+<?php } ?>
+</td>
         </tr>
     </table>
 </form>

bureau/class/functions.php

@@ -541,7 +541,6 @@ function _md5cr($pass, $salt = "") {
     return crypt($pass, $salt);
 }
 
-
 /** split mysql database name between username and custom database name
  * @param string $dbname database name
  * @return array returns username as first element, custom name as second
@@ -1204,3 +1203,42 @@ function csrf_check($token=null) {
     $db->exec("DELETE FROM csrf WHERE created<DATE_SUB(NOW(), INTERVAL 1 DAY);");
     return 1;
 }
+
+/**
+ * Create a SHA512-CRYPT hash of a string.
+ */
+function _sha512cr($password, $salt = NULL) {
+    if (!$salt) {
+        // Aim to have a 16 character salt for SHA-512 crypt.
+        // @see https://secure.php.net/manual/en/function.crypt.php
+        if (function_exists('random_bytes')) {
+            // PHP >= 7.0
+            $salt = base64_encode(random_bytes(12));
+        }
+        else if (function_exists('mcrypt_create_iv')) {
+            $salt = base64_encode(mcrypt_create_iv(12, MCRYPT_DEV_URANDOM));
+        }
+        else if (function_exists('')) {
+            $salt  = base64_encode(openssl_random_pseudo_bytes(12));
+        }
+        if (!$salt) {
+            throw Error('Unable to generate salt');
+        }
+    }
+    $salt = '$6$rounds=20000$' . $salt;
+    $hash = crypt($password, $salt);
+    return $hash;
+}
+
+/**
+ * Create a password hash for use with dovecot.
+ */
+function _dovecot_hash($password) {
+    // In any case the final password saved for dovecot can store the
+    // scheme to override the default on a per-account basis.
+    // Ideally this is updated to bcrypt or argon2 when those become
+    // available in dovecot.
+    // @see https://wiki.dovecot.org/Authentication/PasswordSchemes
+    $hash = _sha512cr($password);
+    return '{SHA512-CRYPT}' . $hash;
+}

bureau/class/m_admin.php

@@ -634,7 +634,7 @@ class m_admin {
             $msg->raise("ERROR", "admin", _("Login can only contains characters a-z, 0-9 and -"));
             return false;
         }
-        $pass = _md5cr($pass);
+        $pass = password_hash($pass, PASSWORD_BCRYPT);
         $db = new DB_System();
         // Already exist?
         $db->query("SELECT count(*) AS cnt FROM membres WHERE login= ?;", array($login));
@@ -772,7 +772,7 @@ class m_admin {
         $db = new DB_System();
 
         if ($pass) {
-            $pass = _md5cr($pass);
+            $pass = password_hash($pass, PASSWORD_BCRYPT);
             $second_query = "UPDATE membres SET mail= ?, canpass= ?, enabled= ?, `type`= ?, notes= ? , pass = ? WHERE uid= ?;";
             $second_query_args = array($mail, $canpass, $enabled, $type, $notes, $pass, $uid);
         } else {

bureau/class/m_ftp.php

@@ -321,7 +321,7 @@ class m_ftp {
                     return false; // The error has been raised by checkPolicy()
                 }
             }
-            $encrypted_password = _md5cr($pass, strrev(microtime(true)));
+            $encrypted_password = _sha512cr($pass);
             $db->query("UPDATE ftpusers SET name= ? , password='', encrypted_password= ?, homedir= ?, uid= ? WHERE id= ?;", array($full_login, $encrypted_password, $absolute, $cuid, $id));
         } else {
             $db->query("UPDATE ftpusers SET name= ? , homedir= ? , uid= ? WHERE id= ? ;", array($full_login, $absolute, $cuid, $id));
@@ -406,7 +406,7 @@ class m_ftp {
         }
 
         if ($quota->cancreate("ftp")) {
-            $encrypted_password = _md5cr($pass, strrev(microtime(true)));
+            $encrypted_password = _sha512cr($pass);
             $db->query("INSERT INTO ftpusers (name,password, encrypted_password,homedir,uid) VALUES ( ?, '', ?, ?, ?)", array($full_login, $encrypted_password, $absolute, $cuid));
             return true;
         } else {

bureau/class/m_mail.php

@@ -620,8 +620,10 @@ ORDER BY
             return false;
         }
         if ($canbeempty && empty($pass)) {
-            return $db->query("UPDATE address SET password= ? where id = ? ;", array(null, $mail_id ));
-        } else if (!$db->query("UPDATE address SET password= ? where id = ? ;", array(_md5cr($pass), $mail_id ))) {
+            return $db->query("UPDATE address SET password= ? where id = ? ;",
+                              array(null, $mail_id ));
+        } else if (!$db->query("UPDATE address SET password= ? where id = ? ;",
+                               array(_dovecot_hash($pass), $mail_id ))) {
             return false;
         }
         return true;

bureau/class/m_mem.php

@@ -93,7 +93,7 @@ class m_mem {
             return false;
         }
         $db->next_record();
-        if (_md5cr($password, $db->f("pass")) != $db->f("pass")) {
+        if (!password_verify($password, $db->f('pass'))) {
             $db->query("UPDATE membres SET lastfail=lastfail+1 WHERE uid= ? ;", array($db->f("uid")));
             $msg->raise("ERROR", "mem", _("User or password incorrect"));
             return false;
@@ -104,6 +104,12 @@ class m_mem {
         }
         $this->user = $db->Record;
         $cuid = $db->f("uid");
+        // Transitional code to update md5 hashed passwords to those created
+        // with password_hash().
+        if (strncmp($db->f('pass'), '$1$', 3) == 0) {
+            $db->query("update membres set pass = ? where uid = ?",
+                       array(password_hash($password, PASSWORD_BCRYPT), $cuid));
+        }
 
         if (panel_islocked() && $cuid != 2000) {
             $msg->raise("ALERT", "mem", _("This website is currently under maintenance, login is currently disabled."));
@@ -396,7 +402,7 @@ class m_mem {
             $msg->raise("ERROR", "mem", _("You are not allowed to change your password."));
             return false;
         }
-        if ($this->user["pass"] != _md5cr($oldpass, $this->user["pass"])) {
+        if (!password_verify($oldpass, $this->user['pass'])) {
             $msg->raise("ERROR", "mem", _("The old password is incorrect"));
             return false;
         }
@@ -410,7 +416,7 @@ class m_mem {
         if (!$admin->checkPolicy("mem", $login, $newpass)) {
             return false; // The error has been raised by checkPolicy()
         }
-        $newpass = _md5cr($newpass);
+        $newpass = password_hash($newpass, PASSWORD_BCRYPT);
         $db->query("UPDATE membres SET pass= ? WHERE uid= ?;", array($newpass, $cuid));
         $msg->init_msgs();
         return true;

debian/changelog

@@ -1,3 +1,22 @@
+alternc (3.5.0rc1) stable; urgency=low
+
+  * AlternC 3.5 for Jessie & Stretch
+  * added AlternC-ssl natively now, based on cert providers (external package)
+
+ -- Benjamin Sonntag <benjamin@sonntag.fr>  Fri, 21 Jun 2018 15:26:00 +0100
+
+alternc (3.1.11) oldoldstable; urgency=low
+
+  * fix This is a big security upgrade of AlternC 3.x
+  * added CSRF token to all forms (as much as possible) to prevent cross-site attacks
+  * added XSS protection to many form fields and views
+  * migrated the DB abstraction layer from mysql_* functions to PDO
+  * migrated the DB calls from addslases to prepared-queries or quotes
+  * fix many unix rights issues (prevents a root escalation from alterncpanel!)
+  * fix some little interface issues on forms
+
+ -- Benjamin Sonntag <benjamin@sonntag.fr>  Fri, 27 May 2016 10:36:00 +0200
+
 alternc (3.3.10) stable; urgency=low
 
   * Version identical to 3.1 for Squeeze

debian/control

@@ -302,31 +302,3 @@ Description: Rest or get/post API for AlternC
  .
  More information at http://www.alternc.com/
 Homepage: http://www.alternc.com/
-
-Package: alternc-ssl
-Priority: optional
-Section: admin
-Architecture: all
-Depends: openssl
-    , mysql-client | mariadb-client
-    , debconf
-    , alternc (>= 3.0)
-    , php5-cli | php7.0-cli
-    , ${misc:Depends}
-Conflicts: alternc (<< 3.0)
-Description: HTTPS module for AlternC
- AlternC is a mutualized hosting software manager for Linux.
- It allows you to manage your websites, domains, ftp, emails, aliases,
- web statistics, mailing-lists, jabber accounts, etc.
- .
- This package is an optional module that adds HTTPS vhosts and SSL Certificates
- management to the virtual desktop. 
- .
- More information on http://www.alternc.com/
-Description-fr.UTF-8: Module HTTPS pour AlternC
- AlternC est un logiciel d'hébergement mutualisé pour serveur Linux.
- Il permet de gérer les sites web, domaines, ftp, emails, alias,
- statistiques web, listes de discussions, comptes jabber, etc.
- .
- Ce paquet est un module optionnel qui permet aux utilisateurs
- de gérer des hôtes virtuels HTTPS et des certificats SSL dans AlternC.

etc/alternc/templates/alternc/apache2.conf

@@ -11,7 +11,7 @@ AssignUserId www-data www-data
 
 # Deny access to the root filesystem
 <Directory />
-  Options FollowSymLinks
+  Options +FollowSymLinks
   AllowOverride None
   Order allow,deny
   Deny from all
@@ -22,15 +22,13 @@ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 <Directory "/usr/lib/cgi-bin">
   AllowOverride None
   Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
-  Order allow,deny
-  Allow from all
+  Require all granted
 </Directory>
 
 
 <Directory /usr/share/alternc/panel/admin/>
-  Order allow,deny
-  Allow from all
-
+  Require all granted
+  
   php_admin_flag safe_mode_gid off
   php_admin_flag safe_mode off
   AddDefaultCharset UTF-8
@@ -43,8 +41,8 @@ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 <Directory %%ALTERNC_HTML%% >
   AllowOverride AuthConfig FileInfo Limit Options Indexes
   Options -Indexes +Includes -FollowSymLinks +MultiViews +SymLinksIfOwnerMatch
-  Order allow,deny
-  Allow from all
+  Require all granted
+
   php_admin_flag safe_mode_gid off
   php_admin_flag safe_mode off
   php_admin_flag enable_dl off
@@ -62,18 +60,16 @@ ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
 
 <Directory /usr/share/phpmyadmin>
   AllowOverride AuthConfig Options FileInfo Limit Indexes
-  Options Indexes Includes FollowSymLinks MultiViews
-  Order allow,deny
-  Allow from all
+  Options +Indexes +Includes +FollowSymLinks +MultiViews
+  Require all granted
 </Directory>
 <Directory /usr/share/squirrelmail>
   AllowOverride AuthConfig Options FileInfo Limit Indexes
-  Options Indexes Includes FollowSymLinks MultiViews
-  Order allow,deny
-  Allow from all
+  Options +Indexes +Includes +FollowSymLinks +MultiViews
+  Require all granted
 </Directory>
 <Directory /var/lib/alternc/ssl-cert-alias/>
-	      allow from all
+  Require all granted
 </Directory>
 
 <VirtualHost *:80>

etc/alternc/templates/apache2/roundcube-ssl.conf

@@ -19,10 +19,9 @@
 
   # Access to tinymce files
   <Directory "/usr/share/tinymce/www/">
-        Options Indexes MultiViews FollowSymLinks
+        Options +Indexes +MultiViews +FollowSymLinks
         AllowOverride None
-        Order allow,deny
-        allow from all
+  	Require all granted
   </Directory>
 
   <Directory /var/lib/roundcube/>
@@ -30,8 +29,7 @@
     # This is needed to parse /var/lib/roundcube/.htaccess. See its
     # content before setting AllowOverride to None.
     AllowOverride All
-    order allow,deny
-    allow from all
+    Require all granted
   </Directory>
 
   # Protecting basic directories:
@@ -57,9 +55,8 @@
   Alias /javascript /usr/share/javascript/
 
   <Directory "/usr/share/javascript/">
-        Options FollowSymLinks MultiViews
-        Order allow,deny
-        Allow from all
+        Options +FollowSymLinks +MultiViews
+  	Require all granted
   </Directory>
 
   SSLEngine On

etc/alternc/templates/apache2/squirrelmail-ssl.conf

@@ -19,13 +19,13 @@
   <Directory /usr/share/squirrelmail>
     php_value open_basedir /usr/share/squirrelmail:/etc/squirrelmail/:/var/lib/squirrelmail/data/:/var/spool/squirrelmail/:/etc/mailname
     php_admin_flag safe_mode off
-    Options Indexes FollowSymLinks
+    Options +Indexes +FollowSymLinks
   </Directory>
 
   Alias /javascript /usr/share/javascript/
 
   <Directory "/usr/share/javascript/">
-        Options FollowSymLinks MultiViews
+        Options +FollowSymLinks +MultiViews
         Order allow,deny
         Allow from all
   </Directory>

install/mysql.sql

@@ -129,7 +129,7 @@ CREATE TABLE IF NOT EXISTS ftpusers (
   id int(10) unsigned NOT NULL auto_increment,
   name varchar(64) NOT NULL default '',
   password varchar(32) NOT NULL default '',
-  encrypted_password VARCHAR(32) default NULL,
+  encrypted_password VARCHAR(255) default NULL,
   homedir varchar(128) NOT NULL default '',
   uid int(10) unsigned NOT NULL default '0',
   enabled boolean NOT NULL DEFAULT TRUE,
@@ -159,7 +159,7 @@ CREATE TABLE IF NOT EXISTS local (
 CREATE TABLE IF NOT EXISTS membres (
   uid int(10) unsigned NOT NULL auto_increment,		-- Numéro du membre (GID)
   login varchar(128) NOT NULL default '',		-- Nom d`utilisateur
-  pass varchar(64) NOT NULL default '',			-- Mot de passe
+  pass varchar(255) NOT NULL default '',			-- Mot de passe
   enabled tinyint(4) NOT NULL default '1',		-- Le compte est-il actif ?
   su tinyint(4) NOT NULL default '0',			-- Le compte est-il super-admin ?
   mail varchar(128) NOT NULL default '',		-- Adresse email du possesseur

install/upgrades/3.4.11.sql

@@ -0,0 +1,2 @@
+ALTER TABLE `membres` MODIFY `pass` varchar(255);
+ALTER TABLE `ftpusers` MODIFY `encrypted_password` varchar(255);

roundcube/class/m_roundcube.php

@@ -101,7 +101,7 @@ class m_roundcube {
     $req=$stmt->execute(array($fullmail));
 
     if ($req) {
-    foreach ( $req->fetchAll() as $t ) {
+    foreach ( $stmt->fetchAll() as $t ) {
       if (empty($t['user_id'])) continue ;
       $rcuser_id=$t['user_id'];
 

roundcube/roundcube-install

@@ -96,3 +96,10 @@ EOF
     
 fi
 
+if [ "$1" = "end" ]; then
+  #This is necessary because upgrading roundcube from 7.1 to 7.2 changes this setting
+  chown alternc-roundcube:root /etc/roundcube/main.inc.php
+  # In case owner is reset to www-data
+  chown alternc-roundcube:nogroup /var/lib/roundcube/temp
+fi
+

wheezy/patch.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-
-# Apply diffs to build for wheezy
-
-# DON'T COMMIT ANYTHING AFTER launching this
-# reset your repos back to the serverside one!
-
-# The patch files were generated by running
-# REV_NEW=ebb3471f04d49dd839237608bafc396e8b5090e5 REV_OLD=3ae6c0a5c2eecf864319dd42afbfc995baee9f68 \
-# for i in `git diff --name-only $REV_NEW $REV_OLD` ; do BASE_NAME=`echo $i | rev | cut -d '/' -f 1 | rev` ; \
-# git diff -p $REV_NEW $REV_OLD -- "$i" > jessie/$BASE_NAME ; done
-
-DIR_NAME=`dirname $0`
-cd "$DIR_NAME"/../
-
-for i in `ls "$DIR_NAME"`; do
-  patch -p1 < "$DIR_NAME/$i"
-done