TALOS-2023-1900

CVE-2023-49599

objects/configuration.php

@@ -356,68 +356,58 @@ class AVideoConf extends ObjectYPT{
         $this->autoplay = ($autoplay == 'true' || $autoplay == '1') ? 1 : 0;
     }
 
-    // end version 2.7
-
-    public static function rewriteConfigFile()
-    {
-        global $global, $mysqlHost, $mysqlUser, $mysqlPass, $mysqlDatabase;
-        if (empty($global['salt'])) {
-            $global['salt'] = uniqid();
+    static function updateConfigFile($additions, $replacements, $newVersion) {
+        global $global;
+        $filePath = "{$global['systemRootPath']}videos/configuration.php"; // Hardcoded file path
+        
+        // Check if the file exists
+        if (!file_exists($filePath)) {
+            return false;
         }
-        if (empty($global['disableTimeFix'])) {
-            $global['disableTimeFix'] = 0;
+    
+        // Read the file into an array
+        $lines = file($filePath);
+    
+        // Check if the configuration version is already the new version
+        foreach ($lines as $line) {
+            if (preg_match('/\$global\[\'configurationVersion\'\] = ([0-9]+(?:\.[0-9]+)?);/', $line, $matches)) {
+                if (isset($matches[1]) && (float)$matches[1] === (float)$newVersion) {
+                    // Version is already the new version, no need to modify the file
+                    return false;
+                }
+                break; // Break out of the loop once the version line is found
+            }
         }
-        if (empty($global['logfile'])) {
-            $global['logfile'] = $global['systemRootPath'] . 'videos/avideo.log';
+        
+        // Create a backup of the file
+        copy($filePath, "{$global['systemRootPath']}videos/configuration_bkp_".date('YmdHis').".php");
+    
+        // Process each line for replacements
+        foreach ($lines as &$line) {
+            foreach ($replacements as $pattern => $replacement) {
+                if (preg_match($pattern, $line)) {
+                    $line = preg_replace($pattern, $replacement, $line);
+                }
+            }
+            if(preg_match('/\$global\[\'configurationVersion\'\] = [0-9]+(\.[0-9]+)?;/', $line)){
+                $line = "\$global['configurationVersion'] = {$newVersion};".PHP_EOL;                
+            }
         }
-        $content = "<?php
-\$global['configurationVersion'] = 3.1;
-\$global['disableAdvancedConfigurations'] = {$global['disableAdvancedConfigurations']};
-\$global['videoStorageLimitMinutes'] = {$global['videoStorageLimitMinutes']};
-\$global['disableTimeFix'] = {$global['disableTimeFix']};
-\$global['logfile'] = '{$global['logfile']}';
-if(!empty(\$_SERVER['SERVER_NAME']) && \$_SERVER['SERVER_NAME']!=='localhost' && !filter_var(\$_SERVER['SERVER_NAME'], FILTER_VALIDATE_IP)) {
-    // get the subdirectory, if exists
-    \$file = str_replace(\"\\\\\", \"/\", __FILE__);
-    \$subDir = str_replace(array(\$_SERVER[\"DOCUMENT_ROOT\"], 'videos/configuration.php'), array('',''), \$file);
-    \$global['webSiteRootURL'] = \"http\".(!empty(\$_SERVER['HTTPS'])?\"s\":\"\").\"://\".\$_SERVER['SERVER_NAME'].\$subDir;
-}else{
-    \$global['webSiteRootURL'] = '{$global['webSiteRootURL']}';
-}
-\$global['systemRootPath'] = '{$global['systemRootPath']}';
-\$global['salt'] = '{$global['salt']}';
-\$global['enableDDOSprotection'] = {$global['enableDDOSprotection']};
-\$global['ddosMaxConnections'] = {$global['ddosMaxConnections']};
-\$global['ddosSecondTimeout'] = {$global['ddosSecondTimeout']};
-\$global['strictDDOSprotection'] = {$global['strictDDOSprotection']};
-\$global['noDebug'] = 0;
-\$global['webSiteRootPath'] = '';
-if(empty(\$global['webSiteRootPath'])){
-    preg_match('/https?:\/\/[^\/]+(.*)/i', \$global['webSiteRootURL'], \$matches);
-    if(!empty(\$matches[1])){
-        \$global['webSiteRootPath'] = \$matches[1];
-    }
-}
-if(empty(\$global['webSiteRootPath'])){
-    die('Please configure your webSiteRootPath');
-}
-
-\$mysqlHost = '{$mysqlHost}';
-\$mysqlUser = '{$mysqlUser}';
-\$mysqlPass = '{$mysqlPass}';
-\$mysqlDatabase = '{$mysqlDatabase}';
-
-/**
- * Do NOT change from here
- */
-
-require_once \$global['systemRootPath'].'objects/include_config.php';
-";
-
-        $fp = fopen($global['systemRootPath'] . "videos/configuration.php", "wb");
-        fwrite($fp, $content);
-        fclose($fp);
+    
+        // Process each line for additions
+        foreach ($additions as $pattern => $addition) {
+            foreach ($lines as $index => &$line) {
+                if (preg_match($pattern, $line)) {
+                    array_splice($lines, $index + 1, 0, $addition . "\n");
+                    break; // Assuming only one addition per pattern
+                }
+            }
+        }
+    
+        // Write the array back to the file    
+        return file_put_contents($filePath, implode('', $lines));;
     }
+    
 
     public function getTheme()
     {

objects/functions.php

@@ -5701,7 +5701,6 @@ function encrypt_decrypt($string, $action)
         return false;
     }
     $encrypt_method = "AES-256-CBC";
-    $secret_key = 'This is my secret key';
     $secret_iv = $global['systemRootPath'];
     while (strlen($secret_iv) < 16) {
         $secret_iv .= $global['systemRootPath'];
@@ -5709,8 +5708,9 @@ function encrypt_decrypt($string, $action)
     if (empty($secret_iv)) {
         $secret_iv = '1234567890abcdef';
     }
+    $salt = empty($global['saltV2'])?$global['salt']:$global['saltV2'];
     // hash
-    $key = hash('sha256', $global['salt']);
+    $key = hash('sha256', $salt);
 
     // iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
     $iv = substr(hash('sha256', $secret_iv), 0, 16);
@@ -11976,3 +11976,22 @@ function getValueOrBlank($array, $default=''){
     }
     return $text;
 }
+
+/*
+secure salt in PHP using standard characters and numbers.
+This code will generate a 10 to 32-character string
+*/
+function _uniqid() {
+    // Generate 16 bytes of random data
+    $randomBytes = random_bytes(16);
+
+    // Convert the binary data to a hexadecimal string
+    $hex = bin2hex($randomBytes);
+
+    // If you want a variable length output, you can truncate the MD5 hash
+    // For example, to get a random length between 10 and 32 characters:
+    $randomLength = rand(10, 32);
+    $randomString = substr($hex, 0, $randomLength);
+
+    return $randomString;
+}

objects/include_config.php

@@ -12,7 +12,7 @@ if (!empty($doNotIncludeConfig)) {
     return false;
 }
 
-if(!isset($global['skippPlugins'])){
+if (!isset($global['skippPlugins'])) {
     $global['skippPlugins'] = array();
 }
 /*
@@ -47,12 +47,13 @@ if (!empty($global['stopBotsList']) && is_array($global['stopBotsList'])) {
 
 $global['avideoStartMicrotime'] = microtime(true);
 
-function includeConfigLog($line, $desc=''){
-    if(empty($_REQUEST['debug'])){
+function includeConfigLog($line, $desc = '')
+{
+    if (empty($_REQUEST['debug'])) {
         return false;
     }
     global $global, $_includeConfigLogID, $_includeConfigLogLastCheck;
-    if(!isset($_includeConfigLogID)){
+    if (!isset($_includeConfigLogID)) {
         $_includeConfigLogID = date('H:i:s');
     }
     $_includeConfigLogLastCheck = microtime(true);
@@ -123,8 +124,14 @@ includeConfigLog(__LINE__);
 require_once $global['systemRootPath'] . 'objects/images.php';
 includeConfigLog(__LINE__);
 // for update config from old versions 2020-05-11
-if (empty($global['webSiteRootPath']) || $global['configurationVersion'] < 3.1) {
-    Configuration::rewriteConfigFile();
+if ($global['configurationVersion'] < 4.0 && empty($global['saltV2'])) {
+    $additions = [
+        '/\$global\[\'salt\'\].*/' => "\$global['saltV2'] = '"._uniqid()."';", // Add this line below the line that matches the pattern
+    ];
+
+    $replacements = [];
+
+    Configuration::updateConfigFile($additions, $replacements, 4.0);
 }
 
 includeConfigLog(__LINE__);
@@ -261,4 +268,4 @@ if (!empty($_GET['type'])) {
     $metaDescription = " {$_GET['showOnly']}";
 }
 
-includeConfigLog(__LINE__);
+includeConfigLog(__LINE__);