Security - Fix (hestiacp#2784)

Fix for Information disclosure vulnerability

Author: mayappear

web/inc/2fa/secret.php

@@ -1,5 +1,8 @@
 <?php
 
+session_start();
+if ((isset($_SESSION['userContext']) === False) && (php_sapi_name() !== 'cli'))  exit;
+
 require_once '/usr/local/hestia/web/inc/2fa/loader.php';
 Loader::register('./','RobThree\\Auth');
 
@@ -10,4 +13,4 @@
 $secret = $tfa->createSecret(160);  // Though the default is an 80 bits secret (for backwards compatibility reasons) we recommend creating 160+ bits secrets (see RFC 4226 - Algorithm Requirements)
 $qrcode = $tfa->getQRCodeImageAsDataUri(gethostname(), $secret);
 
-echo $secret . "-" . $qrcode;
+echo $secret . "-" . $qrcode;