|
2 | 2 |
|
3 | 3 | define('NO_AUTH_REQUIRED',true); |
4 | 4 |
|
5 | | - |
6 | 5 | // Main include |
7 | 6 | include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); |
8 | 7 |
|
|
13 | 12 | session_destroy(); |
14 | 13 | } |
15 | 14 |
|
| 15 | + |
| 16 | + |
16 | 17 | // Login as someone else |
17 | 18 | if (isset($_SESSION['user'])) { |
18 | 19 | if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) { |
|
32 | 33 | exit; |
33 | 34 | } |
34 | 35 |
|
35 | | -if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa'])){ |
| 36 | +function authenticate_user(){ |
36 | 37 | if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) { |
37 | 38 | $v_user = escapeshellarg($_POST['user']); |
38 | 39 | $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']); |
39 | 40 | if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){ |
40 | 41 | if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){ |
41 | 42 | $v_ip = escapeshellarg($_SERVER['HTTP_CF_CONNECTING_IP']); |
42 | 43 | } |
43 | | - } |
44 | | - |
45 | | - // Get user's salt |
| 44 | + } |
| 45 | + // Get user's salt |
46 | 46 | $output = ''; |
47 | 47 | exec (HESTIA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var); |
48 | 48 | $pam = json_decode(implode('', $output), true); |
49 | 49 | if ( $return_var > 0 ) { |
50 | | - sleep(5); |
51 | | - unset($_POST['password'], $_POST['user']); |
| 50 | + sleep(2); |
| 51 | + unset($_POST['password']); |
| 52 | + unset($_POST['user']); |
52 | 53 | $error = "<a class=\"error\">".__('Invalid username or password')."</a>"; |
| 54 | + return $error; |
53 | 55 | } else { |
54 | 56 | $user = $_POST['user']; |
55 | 57 | $password = $_POST['password']; |
|
82 | 84 |
|
83 | 85 | // Check API answer |
84 | 86 | if ( $return_var > 0 ) { |
85 | | - sleep(5); |
| 87 | + sleep(2); |
86 | 88 | unset($_POST['password']); |
87 | | - $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>"; |
| 89 | + $error = "<a class=\"error\">".__('Invalid username or password')."</a>"; |
| 90 | + return $error; |
88 | 91 | } else { |
89 | 92 |
|
90 | 93 | // Make root admin user |
|
96 | 99 |
|
97 | 100 | // Check if 2FA is active |
98 | 101 | if ($data[$_POST['user']]['TWOFA'] != '') { |
99 | | - $v_twofa = $_POST['twofa']; |
100 | | - exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var); |
| 102 | + if (empty($_POST['twofa'])){ |
| 103 | + return false; |
| 104 | + }else{ |
| 105 | + $v_twofa = $_POST['twofa']; |
| 106 | + exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var); |
101 | 107 | unset($output); |
102 | 108 | if ( $return_var > 0 ) { |
103 | | - sleep(1); |
104 | | - $ERROR = "<a class=\"error\">".__('Invalid or missing 2FA token')."</a>"; |
| 109 | + sleep(2); |
| 110 | + $error = "<a class=\"error\">".__('Invalid or missing 2FA token')."</a>"; |
| 111 | + return $error; |
105 | 112 | } |
| 113 | + } |
106 | 114 | } |
107 | 115 | // Define session user |
108 | 116 | $_SESSION['user'] = key($data); |
|
136 | 144 | } |
137 | 145 | } |
138 | 146 | } |
139 | | - } |
140 | | -} else if (!empty($_POST['user']) && !empty($_POST['password'])) { |
141 | | - if(isset($_SESSION['token']) && isset($_POST['token']) && $_POST['token'] == $_SESSION['token']) { |
142 | | - $v_user = escapeshellarg($_POST['user']); |
143 | | - $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']); |
144 | | - if(isset($_SERVER['HTTP_CF_CONNECTING_IP'])){ |
145 | | - if(!empty($_SERVER['HTTP_CF_CONNECTING_IP'])){ |
146 | | - $v_ip = escapeshellarg($_SERVER['HTTP_CF_CONNECTING_IP']); |
147 | | - } |
148 | 147 | } |
149 | | - |
150 | | - // Get user's salt |
151 | | - $output = ''; |
152 | | - exec (HESTIA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var); |
153 | | - $pam = json_decode(implode('', $output), true); |
154 | | - if ( $return_var > 0 ) { |
155 | | - sleep(5); |
156 | | - unset($_POST['password'], $_POST['user']); |
157 | | - $error = "<a class=\"error\">".__('Invalid username or password')."</a>"; |
158 | | - } else { |
159 | | - $user = $_POST['user']; |
160 | | - $password = $_POST['password']; |
161 | | - $salt = $pam[$user]['SALT']; |
162 | | - $method = $pam[$user]['METHOD']; |
163 | | - |
164 | | - if ($method == 'md5' ) { |
165 | | - $hash = crypt($password, '$1$'.$salt.'$'); |
166 | | - } |
167 | | - if ($method == 'sha-512' ) { |
168 | | - $hash = crypt($password, '$6$rounds=5000$'.$salt.'$'); |
169 | | - $hash = str_replace('$rounds=5000','',$hash); |
170 | | - } |
171 | | - if ($method == 'des' ) { |
172 | | - $hash = crypt($password, $salt); |
173 | | - } |
174 | | - |
175 | | - // Send hash via tmp file |
176 | | - $v_hash = exec('mktemp -p /tmp'); |
177 | | - $fp = fopen($v_hash, "w"); |
178 | | - fwrite($fp, $hash."\n"); |
179 | | - fclose($fp); |
180 | | - |
181 | | - // Check user hash |
182 | | - exec(HESTIA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var); |
183 | | - unset($output); |
184 | | - |
185 | | - // Remove tmp file |
186 | | - unlink($v_hash); |
187 | | - |
188 | | - // Check API answer |
189 | | - if ( $return_var > 0 ) { |
190 | | - sleep(5); |
191 | | - unset($_POST['password']); |
192 | | - $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>"; |
193 | | - } else { |
194 | | - |
195 | | - // Make root admin user |
196 | | - if ($_POST['user'] == 'root') $v_user = 'admin'; |
197 | | - |
198 | | - // Get user speciefic parameters |
199 | | - exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var); |
200 | | - $data = json_decode(implode('', $output), true); |
201 | | - |
202 | | - // Check if 2FA is active |
203 | | - if ($data[$_POST['user']]['TWOFA'] == '') { |
204 | | - // Define session user |
205 | | - $_SESSION['user'] = key($data); |
206 | | - $v_user = $_SESSION['user']; |
207 | | - |
208 | | - // Define language |
209 | | - $output = ''; |
210 | | - exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var); |
211 | | - $languages = json_decode(implode('', $output), true); |
212 | | - if (in_array($data[$v_user]['LANGUAGE'], $languages)){ |
213 | | - $_SESSION['language'] = $data[$v_user]['LANGUAGE']; |
214 | | - } else { |
215 | | - $_SESSION['language'] = 'en'; |
216 | | - } |
217 | | - |
218 | | - // Regenerate session id to prevent session fixation |
219 | | - session_regenerate_id(); |
220 | | - |
221 | | - // Redirect request to control panel interface |
222 | | - if (!empty($_SESSION['request_uri'])) { |
223 | | - header("Location: ".$_SESSION['request_uri']); |
224 | | - unset($_SESSION['request_uri']); |
225 | | - exit; |
226 | | - } else { |
227 | | - if ($v_user == 'admin') { |
228 | | - header("Location: /list/user/"); |
229 | | - } else { |
230 | | - header("Location: /list/web/"); |
231 | | - } |
232 | | - exit; |
233 | | - } |
234 | | - } |
235 | | - } |
236 | | - } |
237 | | - } |
238 | 148 | } |
239 | 149 |
|
240 | | - |
241 | | - |
| 150 | +if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa'])){ |
| 151 | + $error = authenticate_user(); |
| 152 | +} else if (!empty($_POST['user']) && !empty($_POST['password'])) { |
| 153 | + $error = authenticate_user(); |
| 154 | +} |
242 | 155 | // Check system configuration |
243 | 156 | load_hestia_config(); |
244 | 157 |
|
|
262 | 175 |
|
263 | 176 | // Generate CSRF token |
264 | 177 | $_SESSION['token'] = md5(uniqid(mt_rand(), true)); |
265 | | - |
266 | 178 | require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php'); |
267 | 179 | require_once('../templates/header.html'); |
268 | 180 | if (empty($_POST['user'])) { |
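Review bot: In the 2FA block of the new `authenticate_user()`, the re-added `exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var);` interpolates `$v_twofa` into the shell command without `escapeshellarg()`, while `$v_user` and `$v_ip` a few lines earlier are quoted; `$_POST['twofa']` is request input, so it should be quoted the same way: `$v_twofa = escapeshellarg($_POST['twofa']);`. That check only runs after the password hash has been accepted, so the exposure is limited to an authenticated user, but it still lets shell metacharacters from the request reach `exec()` under the web-server account. The two branches at the end of the hunk (`!empty($_POST['twofa'])` and its `else if`) call `authenticate_user()` identically, so they can collapse to a single `if (!empty($_POST['user']) && !empty($_POST['password'])) { $error = authenticate_user(); }`. The function also returns `false` on the missing-2FA path, a string on failure and nothing on success or a CSRF mismatch; a short docblock on `authenticate_user()` stating that `string|false|null` contract would help whatever template code reads `$error` (that code is outside this section).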
|