Update /login/ to enforce security token for loginas (hestiacp#1456)

jaapmarcus · ScIT-Raphael · commit c913245d6b8c · 2020-12-13T09:02:23.000+01:00
* Update /login/ to enforce security token for loginas

* Added missing  Security token

* Fix issue with Exit FM
diff --git a/web/add/user/index.php b/web/add/user/index.php
@@ -105,7 +105,7 @@
     // Flush field values on success
     if (empty($_SESSION['error_msg'])) {
         $_SESSION['ok_msg'] = sprintf(_('USER_CREATED_OK'),htmlentities($_POST['v_username']),htmlentities($_POST['v_username']));
-        $_SESSION['ok_msg'] .= " / <a href=/login/?loginas=".htmlentities($_POST['v_username']).">" . _('login as') ." ".htmlentities($_POST['v_username']). "</a>";
+        $_SESSION['ok_msg'] .= " / <a href=/login/?loginas=".htmlentities($_POST['v_username'])."&token=".htmlentities($_SESSION['token']).">" . _('login as') ." ".htmlentities($_POST['v_username']). "</a>";
         unset($v_username);
         unset($v_password);
         unset($v_email);
diff --git a/web/login/index.php b/web/login/index.php
@@ -16,6 +16,10 @@
 
 // Login as someone else
 if (isset($_SESSION['user'])) {
+    if (empty($_GET['loginas']) ){
+        header("Location: /list/web/");
+        exit;
+    }
     if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
         exec (HESTIA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var);
         if ( $return_var == 0 ) {
@@ -34,6 +38,7 @@
 }
 
 function authenticate_user($user, $password, $twofa = ''){
+    unset($_SESSION['login']);
     if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) {
     $v_user = escapeshellarg($user);
     $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
diff --git a/web/logout/index.php b/web/logout/index.php
@@ -1,13 +1,13 @@
 <?php
-
 session_start();
 
 if (!empty($_SESSION['look'])) {
+
     unset($_SESSION['look']);
+    header("Location: /");
 } else {
     session_destroy();
+    header("Location: /login/");
 }
-
-header("Location: /login/");
 exit;
 ?>
