MOON
Server: Apache
System: Linux kvm.asjudinet.com 5.14.0-611.54.6.el9_7.x86_64 #1 SMP PREEMPT_DYNAMIC Fri May 15 04:23:18 EDT 2026 x86_64
User: asjudine (1001)
PHP: 8.0.30
Disabled: exec,passthru,shell_exec,system
Upload Files
File: //usr/share/cloudlinux-awp-plugin/user-plugins/cpanel/wpos.live.pl
#!/usr/local/cpanel/3rdparty/bin/perl

# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2023 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT

BEGIN {
    unshift @INC, '/usr/local/cpanel', '/usr/local/cpanel/whostmgr/docroot/3rdparty/cloudlinux',
        '/usr/share/l.v.e-manager/cpanel/cgi';
    #use CGI::Carp qw(fatalsToBrowser); # for detail comments
}

use strict;
use warnings;
use locale ':not_characters';   # utf-8

use Cpanel::LiveAPI();
use Cpanel::JSON;
use Cpanel::Form;
use CloudLinux;
use CGI;

#use CGI::Carp qw(fatalsToBrowser); # uncomment to debug 500 error

use constant ASSETS_PATH => "/3rdparty/cloudlinux/assets/awp-user";

my $panel = Cpanel::LiveAPI->new();

my $cgi = CGI->new;

my %GET_REQUESTS    = CloudLinux::parseForm(Cpanel::Form::parseform());
my %REQUEST    = CloudLinux::parseForm($cgi->Vars);
my $cgiaction = $GET_REQUESTS{'cgiaction'} || 'default';

CloudLinux::setOwner(CloudLinux::OWNER_USER);
CloudLinux::detectLocale($cgi);

my %dispatchTable = (
    default => \&main,
    sendRequest => \&CloudLinux::lvemanagerHandler,
    knockKnock => \&CloudLinux::knockKnock,
);es

$cgiaction = 'default' unless exists $dispatchTable{$cgiaction};
$dispatchTable{$cgiaction}->(\%REQUEST, 'wpos');

$panel->end();


sub main {
    CloudLinux::checkMethod('GET', 'POST');
    print "Content-type: text/html; charset=utf-8\n\n";

    # Print header: arg1 - page_title; arg2 - app_key
    print $panel->header('', 'lvewpos');

    CloudLinux::getDataContent('templates', 'index.html', 1);

     printf(
        '<script type="text/javascript">' .
            'mainAction = "wpos.live.pl?cgiaction=sendRequest";'.
            'pingAction = "wpos.live.pl?cgiaction=knockKnock";'.
            'imagePath = "/images/spa/";'.
            'panelName = "Cpanel";'.
            'logoutUrl = "/logout";'.
        '</script>'
    );

    if (
        'POST' eq $cgi->request_method
        && $cgi->param('advice_id')
        && $cgi->param('event')
        && $cgi->param('journey_id')
        && $cgi->param('source')
        && $cgi->param('user_hash')
        ) {
            printf(
                '<script type="text/javascript">' .
                    'analytics_advice_id = "%s";'.
                    'analytics_event = "%s";'.
                    'analytics_journey_id = "%s";'.
                    'analytics_source = "%s";'.
                    'analytics_user_hash = "%s";'.
                '</script>',
                escape_js_string($cgi->param('advice_id')),
                escape_js_string($cgi->param('event')),
                escape_js_string($cgi->param('journey_id')),
                escape_js_string($cgi->param('source')),
                escape_js_string($cgi->param('user_hash'))
            );
    }

    CloudLinux::loadGlobalVariables('../../..'.ASSETS_PATH);

    Whostmgr::HTMLInterface::load_css(ASSETS_PATH.'/common-styles.css');

    Whostmgr::HTMLInterface::load_css(ASSETS_PATH.'/bootstrap.min.css');

    Whostmgr::HTMLInterface::load_js(sprintf('%s/polyfills.bundle.min.js', ASSETS_PATH));
    Whostmgr::HTMLInterface::load_js(sprintf('%s/vendor.bundle.min.js', ASSETS_PATH));
    Whostmgr::HTMLInterface::load_js(sprintf('%s/wpos.bundle.min.js', ASSETS_PATH));

    print $panel->footer();
}

sub escape_js_string {
    my ($str) = @_;
    $str =~ s/\\/\\\\/g;
    $str =~ s/"/\\"/g;
    $str =~ s/'/\\'/g;
    # Escape '<' to < so an attacker cannot inject '<!--<script>' or
    # '</script>' inside the embedded JS string literal and put the HTML5
    # parser into script-data-double-escaped state (or close the enclosing
    # <script> tag outright).
    $str =~ s/</\\u003C/g;
    $str =~ s/\n/\\n/g;
    $str =~ s/\r/\\r/g;
    $str =~ s{/}{\\/}g;
    # U+2028 / U+2029 are treated as line terminators by older ECMAScript
    # parsers. $cgi->param() returns byte strings without UTF-8 decoding,
    # so match the UTF-8 byte sequences (E2 80 A8 / E2 80 A9) directly —
    # the prior \x{2028}/\x{2029} regex was a no-op on Latin-1-flagged
    # byte strings per Perl semantics.
    $str =~ s/\xE2\x80\xA8/\\u2028/g;
    $str =~ s/\xE2\x80\xA9/\\u2029/g;
    return $str;
}