From 9aab6f1cf48f2d4a3aec7ceacc0febdb91b6a1c9 Mon Sep 17 00:00:00 2001 From: antisnatchor Date: Mon, 22 Oct 2012 17:19:46 +1100 Subject: [PATCH] Patched jquery-encoder to prevent exception on encoderForJavascript. Patched wterm.jquery.js to prevent XSS. Added IP/port validation to IPEC shell. --- .../javascript/esapi/jquery-encoder-0.1.0.js | 2 +- .../javascript/ui/panel/tabs/ZombieTabIpec.js | 43 ++++++------------- .../media/javascript/wterm/wterm.jquery.js | 7 ++- 3 files changed, 18 insertions(+), 34 deletions(-) diff --git a/extensions/admin_ui/media/javascript/esapi/jquery-encoder-0.1.0.js b/extensions/admin_ui/media/javascript/esapi/jquery-encoder-0.1.0.js index d120d8c74..d05281662 100644 --- a/extensions/admin_ui/media/javascript/esapi/jquery-encoder-0.1.0.js +++ b/extensions/admin_ui/media/javascript/esapi/jquery-encoder-0.1.0.js @@ -21,7 +21,7 @@ encoded+=': ';} for(var i=0;i=0||hex[cc]==null){encoded+=ch;continue;} +encoded+=encodeURIComponent(input);encoded+=attr?'"':'';return encoded;},encodeForJavascript:function(input){hasBeenInitialized=true;immune=default_immune['js'];var encoded='';for(var i=0;i=0||hex[cc]==null){encoded+=ch;continue;} var temp=cc.toString(16),pad;if(cc<256){pad='00'.substr(temp.length);encoded+='\\x'+pad+temp.toUpperCase();}else{pad='0000'.substr(temp.length);encoded+='\\u'+pad+temp.toUpperCase();}} return encoded;},canonicalize:function(input,strict){hasBeenInitialized=true;if(input===null)return null;var out=input,cycle_out=input;var decodeCount=0,cycles=0;var codecs=[new HTMLEntityCodec(),new PercentCodec(),new CSSCodec()];while(true){cycle_out=out;for(var i=0;i= min && value <= max); + } + function initTerminal(zombie){ String.prototype.reverse = function() { 
@@ -99,42 +104,18 @@ ZombieTab_IpecTab = function(zombie) {
 var target_port = "";
 var command_directory = {
- 'eval': function( tokens ) {
- tokens.shift();
- var expression = tokens.join( ' ' );
- var result = '';
- try {
- result = eval( expression );
- } catch( e ) {
- result = 'Error: ' + e.message;
- }
- return result;
- },
-
- 'date': function( tokens ) {
- var now = new Date();
- return now.getDate() + '-' +
- now.getMonth() + '-' +
- ( 1900 + now.getYear() )
- },
-
- 'cap': function( tokens ) {
- tokens.shift();
- return tokens.join( ' ' ).toUpperCase();
- },
-
- 'go': function( tokens ) {
- var url = tokens[1];
- document.location.href = url;
- },
 'target': function(tokens){
+ var ip_regex = new RegExp('^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$');
 target_ip = tokens[1];
- target_port = tokens[2];
- return "Target is now " + tokens[1] + ":" + tokens[2];
+ target_port = tokens[2];
+ if(ip_regex.test(target_ip) && validateNumber(target_port, 1, 65535)){
+ return "Target is now " + tokens[1] + ":" + tokens[2];
+ }else{
+ return "Target error: invalid IP or port.";
+ }
 },
-
 'exec': function(tokens){
 if(target_ip.length == 0 || target_port.length == 0) return "Error: target ip or port not set."
diff --git a/extensions/admin_ui/media/javascript/wterm/wterm.jquery.js b/extensions/admin_ui/media/javascript/wterm/wterm.jquery.js
index 11262b0d1..cce76761f 100644
--- a/extensions/admin_ui/media/javascript/wterm/wterm.jquery.js
+++ b/extensions/admin_ui/media/javascript/wterm/wterm.jquery.js
@@ -9,7 +9,7 @@
 * Command History.
 * Commandline Editing.
 *
- * Modified by antisnatchor
+ * Modified by antisnatchor (also to prevent XSS, see line 270)
 *
 */
 ( function( $ ) {
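Review bot: The IP check on the new `ip_regex` line does not actually require dots: inside a single-quoted string `'\.'` is just `.`, so the pattern the RegExp compiles is `^(?:[0-9]{1,3}.){3}[0-9]{1,3}$` and any character can separate the octets (and even with the escape fixed, `[0-9]{1,3}` still accepts octets above 255). Use a regex literal, `var ip_regex = /^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/;`, or double the backslash inside the string. Separately, `target_ip` and `target_port` are assigned before the validation runs, so a rejected `target` command still overwrites the previous target and `exec`, which only tests `.length == 0`, proceeds with the invalid values; assign only inside the success branch, as below. `validateNumber` comes from an earlier hunk of this file that is only partly visible here, so I am assuming it accepts the string form of tokens[2]; the enclosing `command_directory` object and ZombieTab_IpecTab start and end outside the hunk.
```javascript
'target': function(tokens){
    var ip_regex = /^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$/;
    if(ip_regex.test(tokens[1]) && validateNumber(tokens[2], 1, 65535)){
        target_ip = tokens[1];
        target_port = tokens[2];
        return "Target is now " + tokens[1] + ":" + tokens[2];
    }else{
        return "Target error: invalid IP or port.";
    }
},
// … unchanged: 'exec' command …
```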
@@ -266,7 +266,10 @@
 if( typeof key === 'function' ) {
 data = key( tokens );
- if( data ) { update_content( get_current_prompt(), value, data ) }
+ /*
+ * antisnatchor: preventing XSS
+ */
+ if( data ) { update_content( get_current_prompt(), $jEncoder.encoder.encodeForJavascript(value), data)}
 } else if( typeof key === 'string' ) {
 var to_send = { };
 to_send[ settings.AJAX_PARAM ] = tokens.join( ' ' );
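Review bot: Only `value` is encoded on the new `update_content` line; the `data` argument goes in raw, and in the IPEC tab it is built from the same user tokens (the `target` reply concatenates tokens[1] and tokens[2]), so whatever sink update_content writes to still receives unencoded input through its third argument. The encoder also looks mismatched to the sink: encodeForJavascript emits `\xHH`/`\uHHHH` escapes, which are meaningful inside a JavaScript string literal but are not decoded by the HTML parser, so if update_content inserts its arguments as HTML the echoed command will render as escape sequences while encodeForHTML would be the matching encoder (update_content's body is outside this hunk, so confirm which sink it uses). If the sink is HTML, `if( data ) { update_content( get_current_prompt(), $jEncoder.encoder.encodeForHTML(value), $jEncoder.encoder.encodeForHTML(data) ) }` covers both arguments, unless `data` is meant to carry markup. The author-signed comment `antisnatchor: preventing XSS` would be more useful as a why-note naming the sink, e.g. `/* value is user-typed; encode it for the context update_content writes into */`. The enclosing function begins and ends outside the hunk.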