fix RCE caused by OpenVPN custom flags field and added in initial module improvements

Author: 3ndG4me

api/module.php

@@ -114,15 +114,15 @@ private function handleDependencies($sd){
                 $this->execBackground('opkg install openvpn-openssl --dest sd');
                 $messsage = "Depedencies should now be installed! (Installed to SD card) Please wait for the page to refresh...";
             }else{
+                $this->execBackground('opkg update');
                 $this->installDependency('openvpn-openssl');
                 $messsage = "Depedencies should now be installed! (Installed to local storage) Please wait for the page to refresh...";
             }
 
         }
 
         $this->response = array("success" => true,
-                                "content" => $messsage,
-                                "test" => $sd);
+                                "content" => $messsage);
     }
 
     // Helper function to handle dependency installation and removal for sd card. Passes the SD flag to the real handleDependencies() function
@@ -190,7 +190,8 @@ private function startVPN(){
 
         if($inputData[3] != ''){
             $openvpn_flags = $inputData[3];
-            $open_vpn_cmd .= $openvpn_flags;
+            $open_vpn_cmd .= escapeshellcmd($openvpn_flags);
+            $this->execBackground("echo '" . $open_vpn_cmd . "' > /pineapple/modules/OpenVPNConnect/log/bug.txt");
         }
 
 

injection-status.json

@@ -1,11 +1,11 @@
 {   
     "name": "OpenVPNConnect",
-    "version": "1.0.2",
+    "version": "1.3",
     "platform": "plugin",
     "progress": "100%",
     "state": "done",   
     "released": true,
-    "release_version": "1.0.2",
+    "release_version": "1.2",
     "download_url": "https://github.com/hak5/wifipineapple-modules/tree/master/OpenVPNConnect",
     "featured": false,
     "featured_image": ""

module.html

@@ -141,15 +141,24 @@ <h5>
 								</div>
 								<div id="collapseChangelog" class="panel-collapse collapse">
 									<div class="panel-body">
-										<ul>
+											<ul>
+											<li>
+												<b>1.3 </b>
+											</li>
+											<ul>
+												<li class="text-muted">Fixed a major RCE caused by not sanitizing user input when passing in custom OpenVPN parameters.</li>
+                                                <li class="text-muted">Added stability improvements for package management for those with fresh upgrades to 2.6.X WiFi Pineapple firmware.</li>
+                                                <li class="text-muted">Lastly, revised the revision numbers to fall in line with the formal releases.</li>
+											</ul>
+                                            <ul>
 											<li>
-												<b>1.0.2 </b>
+												<b>1.2 </b>
 											</li>
 											<ul>
 												<li class="text-muted">Added in current status when revisiting page, logging, and ability to install dependencies to SD card or local storage. Also squashed some bugs :)</li>
 											</ul>
 											<li>
-												<b>1.0.1 </b>
+												<b>1.1 </b>
 											</li>
 											<ul>
 												<li class="text-muted">Minor Revisions: Added better iptables management with dynamic gateway and the ability to use auth-user-pass. Unofficial Release (Github Only)</li>
@@ -166,4 +175,4 @@ <h5>
 							</div>
 						</div>
 					</div>
-				</div>
+				</div>

module.info

@@ -6,5 +6,5 @@
         "tetra"
     ],
     "title": "OpenVPNConnect",
-    "version": "1.0.2"
-}
+    "version": "1.3"
+}