
Commit 2d4295c

committed
Fix bug on logout page
Use HESTIA_CMD everywhere instead; remove rand()
1 parent 3fec435 commit 2d4295c


2 files changed

+6
-10
lines changed


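--- a/web/logout/index.php
+++ b/web/logout/index.php
@@ -5,7 +5,7 @@
 // Main include
 include($_SERVER['DOCUMENT_ROOT'] . '/inc/main.php');
 // Check token
-verify_csrf($_POST);
+verify_csrf($_GET);
 
 if (!empty($_SESSION['look'])) {
 $v_user = escapeshellarg($_SESSION['look']);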
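Review bot: Reading the CSRF token from `$_GET` at `verify_csrf($_GET);` puts it in the logout URL, where it is recorded in access logs, browser history and any outgoing Referer header. That matters most for the `$_SESSION['look']` branch just below: if that branch only ends the impersonation and keeps the admin session (its body continues outside the hunk, so this is inferred), the logged token stays valid for later requests. Either keep logout as a POST form, or rotate the session token once it has been accepted here. Document the choice with a comment such as `// Token comes from the query string because logout is a link; rotate it after use so a logged URL cannot be replayed`.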

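--- a/web/reset/index.php
+++ b/web/reset/index.php
@@ -22,14 +22,13 @@
 if ($return_var == 0) {
 $data = json_decode(implode('', $output), true);
 if ($email == $data[$user]['CONTACT']) {
-//genrate new rkey
-$rkey = substr(password_hash(rand(0, 10), PASSWORD_DEFAULT), 5, 12);
+$rkey = substr(password_hash("", PASSWORD_DEFAULT), 8, 12);
 $hash = password_hash($rkey, PASSWORD_DEFAULT);
 $v_rkey = tempnam("/tmp", "vst");
 $fp = fopen($v_rkey, "w");
 fwrite($fp, $hash."\n");
 fclose($fp);
-exec("/usr/bin/sudo /usr/local/hestia/bin/v-change-user-rkey ".$v_user." ".$v_rkey."", $output, $return_var);
+exec(HESTIA_CMD . "v-change-user-rkey ".$v_user." ".$v_rkey."", $output, $return_var);
 unset($output);
 unlink($v_rkey);
 $name = $data[$user]['NAME'];
@@ -65,21 +64,19 @@
 if ($_POST['password'] == $_POST['password_confirm']) {
 $v_user = escapeshellarg($_POST['user']);
 $user = $_POST['user'];
-$cmd="/usr/bin/sudo /usr/local/hestia/bin/v-list-user";
-exec($cmd." ".$v_user." json", $output, $return_var);
+exec(HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
 if ($return_var == 0) {
 $data = json_decode(implode('', $output), true);
 $rkey = $data[$user]['RKEY'];
 if (password_verify($_POST['code'], $rkey)) {
 unset($output);
-exec("/usr/bin/sudo /usr/local/hestia/bin/v-get-user-value ".$v_user." RKEYEXP", $output, $return_var);
+exec(HESTIA_CMD . "v-get-user-value ".$v_user." RKEYEXP", $output, $return_var);
 if ($output[0] > time() - 900) {
 $v_password = tempnam("/tmp", "vst");
 $fp = fopen($v_password, "w");
 fwrite($fp, $_POST['password']."\n");
 fclose($fp);
-$cmd="/usr/bin/sudo /usr/local/hestia/bin/v-change-user-password";
-exec($cmd." ".$v_user." ".$v_password, $output, $return_var);
+exec(HESTIA_CMD . "v-change-user-password ".$v_user." ".$v_password, $output, $return_var);
 unlink($v_password);
 if ($return_var > 0) {
 sleep(5);
@@ -102,7 +99,6 @@
 } else {
 sleep(5);
 $ERROR = "<a class=\"error\">"._('Invalid username or code')."</a>";
-exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent .' yes "Invalid Username or Code"', $output, $return_var);
 }
 } else {
 $ERROR = "<a class=\"error\">"._('Passwords not match')."</a>";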
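Review bot: The reset code in `$rkey = substr(password_hash("", PASSWORD_DEFAULT), 8, 12);` is unpredictable only because offset 8 happens to fall inside the bcrypt salt. `PASSWORD_DEFAULT` is allowed to change algorithm, and for a format with a longer fixed prefix the same slice would be constant, giving every user the same code. Take the code straight from the CSPRNG instead, for example `$rkey = bin2hex(random_bytes(8));`, assuming nothing downstream depends on the 12-character length. Separately, the last hunk removes the `v-log-user-login ... failed` call, so wrong reset codes no longer leave an audit entry. If it was dropped because `$v_ip` and `$v_session_id` are not defined in this file (not visible here), restoring it with defined values would keep reset guessing detectable.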
