github/myvesta
1
0
Fork 0
mirror of https://github.com/myvesta/vesta synced 2025-08-19 13:01:52 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

password transmission via tmp files

Browse source
This commit is contained in:
Serghey Rodin 2015-03-31 00:01:44 +03:00
commit 1a7612cc66
14 changed files with 172 additions and 87 deletions
Download patch file Download diff file Expand all files Collapse all files

7
web/add/db/index.php
View file

@ -43,7 +43,6 @@ if (!empty($_POST['ok'])) {
// Protect input // Protect input
$v_database = escapeshellarg($_POST['v_database']); $v_database = escapeshellarg($_POST['v_database']);
$v_dbuser = escapeshellarg($_POST['v_dbuser']); $v_dbuser = escapeshellarg($_POST['v_dbuser']);
$v_password = escapeshellarg($_POST['v_password']);
$v_type = $_POST['v_type']; $v_type = $_POST['v_type'];
$v_charset = $_POST['v_charset']; $v_charset = $_POST['v_charset'];
$v_host = $_POST['v_host']; $v_host = $_POST['v_host'];
@ -54,9 +53,15 @@ if (!empty($_POST['ok'])) {
$v_type = escapeshellarg($_POST['v_type']); $v_type = escapeshellarg($_POST['v_type']);
$v_charset = escapeshellarg($_POST['v_charset']); $v_charset = escapeshellarg($_POST['v_charset']);
$v_host = escapeshellarg($_POST['v_host']); $v_host = escapeshellarg($_POST['v_host']);
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var); exec (VESTA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
unset($output); unset($output);
unlink($v_password);
$v_password = escapeshellarg($_POST['v_password']);
$v_type = $_POST['v_type']; $v_type = $_POST['v_type'];
$v_host = $_POST['v_host']; $v_host = $_POST['v_host'];
$v_charset = $_POST['v_charset']; $v_charset = $_POST['v_charset'];

7
web/add/mail/index.php
View file

@ -87,7 +87,6 @@ if (!empty($_POST['ok_acc'])) {
$v_domain = escapeshellarg($_POST['v_domain']); $v_domain = escapeshellarg($_POST['v_domain']);
$v_domain = strtolower($v_domain); $v_domain = strtolower($v_domain);
$v_account = escapeshellarg($_POST['v_account']); $v_account = escapeshellarg($_POST['v_account']);
$v_password = escapeshellarg($_POST['v_password']);
$v_quota = escapeshellarg($_POST['v_quota']); $v_quota = escapeshellarg($_POST['v_quota']);
$v_aliases = $_POST['v_aliases']; $v_aliases = $_POST['v_aliases'];
$v_fwd = $_POST['v_fwd']; $v_fwd = $_POST['v_fwd'];
@ -96,9 +95,15 @@ if (!empty($_POST['ok_acc'])) {
// Add Mail Account // Add Mail Account
if (empty($_SESSION['error_msg'])) { if (empty($_SESSION['error_msg'])) {
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-mail-account ".$user." ".$v_domain." ".$v_account." ".$v_password." ".$v_quota, $output, $return_var); exec (VESTA_CMD."v-add-mail-account ".$user." ".$v_domain." ".$v_account." ".$v_password." ".$v_quota, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
unset($output); unset($output);
unlink($v_password);
$v_password = escapeshellarg($_POST['v_password']);
} }
// Add Aliases // Add Aliases

7
web/add/user/index.php
View file

@ -47,7 +47,6 @@ if (!empty($_POST['ok'])) {
// Protect input // Protect input
$v_username = escapeshellarg($_POST['v_username']); $v_username = escapeshellarg($_POST['v_username']);
$v_password = escapeshellarg($_POST['v_password']);
$v_email = escapeshellarg($_POST['v_email']); $v_email = escapeshellarg($_POST['v_email']);
$v_package = escapeshellarg($_POST['v_package']); $v_package = escapeshellarg($_POST['v_package']);
$v_language = escapeshellarg($_POST['v_language']); $v_language = escapeshellarg($_POST['v_language']);
@ -58,9 +57,15 @@ if (!empty($_POST['ok'])) {
// Add user // Add user
if (empty($_SESSION['error_msg'])) { if (empty($_SESSION['error_msg'])) {
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-user ".$v_username." ".$v_password." ".$v_email." ".$v_package." ".$v_fname." ".$v_lname, $output, $return_var); exec (VESTA_CMD."v-add-user ".$v_username." ".$v_password." ".$v_email." ".$v_package." ".$v_fname." ".$v_lname, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
unset($output); unset($output);
unlink($v_password);
$v_password = escapeshellarg($_POST['v_password']);
} }
// Set language // Set language

14
web/add/web/index.php
View file

@ -196,10 +196,15 @@ if (!empty($_POST['ok'])) {
// Add web stats password // Add web stats password
if ((!empty($_POST['v_stats_user'])) && (empty($_SESSION['error_msg']))) { if ((!empty($_POST['v_stats_user'])) && (empty($_SESSION['error_msg']))) {
$v_stats_user = escapeshellarg($_POST['v_stats_user']); $v_stats_user = escapeshellarg($_POST['v_stats_user']);
$v_stats_password = escapeshellarg($_POST['v_stats_password']); $v_stats_password = tempnam("/tmp","vst");
$fp = fopen($v_stats_password, "w");
fwrite($fp, $_POST['v_stats_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-web-domain-stats-user ".$user." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var); exec (VESTA_CMD."v-add-web-domain-stats-user ".$user." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
unset($output); unset($output);
unlink($v_stats_password);
$v_stats_password = escapeshellarg($_POST['v_stats_password']);
} }
// Restart DNS server // Restart DNS server
@ -259,13 +264,16 @@ if (!empty($_POST['ok'])) {
$v_ftp_username = $v_ftp_user_data['v_ftp_user']; $v_ftp_username = $v_ftp_user_data['v_ftp_user'];
$v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user']; $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user'];
$v_ftp_user = escapeshellarg($v_ftp_user_data['v_ftp_user']); $v_ftp_user = escapeshellarg($v_ftp_user_data['v_ftp_user']);
$v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
if ($domain_added) { if ($domain_added) {
$v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path'])); $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
$v_ftp_password = tempnam("/tmp","vst");
$fp = fopen($v_ftp_password, "w");
fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var); exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
unset($output); unset($output);
unlink($v_ftp_password);
if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) { if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
$to = $v_ftp_user_data['v_ftp_email']; $to = $v_ftp_user_data['v_ftp_email'];
$subject = __("FTP login credentials"); $subject = __("FTP login credentials");

53
web/api/index.php
View file

@ -11,11 +11,15 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
echo 'Error: only admin is allowed to use API'; echo 'Error: only admin is allowed to use API';
exit; exit;
} }
$v_user = escapeshellarg($_POST['user']); $v_user = escapeshellarg($_POST['user']);
$v_password = escapeshellarg($_POST['password']); $v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]); $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code); exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
} else { } else {
$key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']); $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
if (file_exists($key) && is_file($key)) { if (file_exists($key) && is_file($key)) {
@ -27,7 +31,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
echo 'Error: authentication failed'; echo 'Error: authentication failed';
exit; exit;
} }
// Prepare arguments // Prepare arguments
if (isset($_POST['cmd'])) $cmd = escapeshellarg($_POST['cmd']); if (isset($_POST['cmd'])) $cmd = escapeshellarg($_POST['cmd']);
if (isset($_POST['arg1'])) $arg1 = escapeshellarg($_POST['arg1']); if (isset($_POST['arg1'])) $arg1 = escapeshellarg($_POST['arg1']);
@ -40,31 +44,30 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
if (isset($_POST['arg8'])) $arg8 = escapeshellarg($_POST['arg8']); if (isset($_POST['arg8'])) $arg8 = escapeshellarg($_POST['arg8']);
if (isset($_POST['arg9'])) $arg9 = escapeshellarg($_POST['arg9']); if (isset($_POST['arg9'])) $arg9 = escapeshellarg($_POST['arg9']);
// Build query // Build query
$cmdquery = VESTA_CMD.$cmd." "; $cmdquery = VESTA_CMD.$cmd." ";
if(!empty($arg1)){
if(!empty($arg1)){ $cmdquery = $cmdquery.$arg1." "; }
$cmdquery = $cmdquery.$arg1." "; } if(!empty($arg2)){
if(!empty($arg2)){ $cmdquery = $cmdquery.$arg2." "; }
$cmdquery = $cmdquery.$arg2." "; } if(!empty($arg3)){
if(!empty($arg3)){ $cmdquery = $cmdquery.$arg3." "; }
$cmdquery = $cmdquery.$arg3." "; } if(!empty($arg4)){
if(!empty($arg4)){ $cmdquery = $cmdquery.$arg4." "; }
$cmdquery = $cmdquery.$arg4." "; } if(!empty($arg5)){
if(!empty($arg5)){ $cmdquery = $cmdquery.$arg5." "; }
$cmdquery = $cmdquery.$arg5." "; } if(!empty($arg6)){
if(!empty($arg6)){ $cmdquery = $cmdquery.$arg6." "; }
$cmdquery = $cmdquery.$arg6." "; } if(!empty($arg7)){
if(!empty($arg7)){ $cmdquery = $cmdquery.$arg7." "; }
$cmdquery = $cmdquery.$arg7." "; } if(!empty($arg8)){
if(!empty($arg8)){ $cmdquery = $cmdquery.$arg8." "; }
$cmdquery = $cmdquery.$arg8." "; } if(!empty($arg9)){
if(!empty($arg9)){ $cmdquery = $cmdquery.$arg9; }
$cmdquery = $cmdquery.$arg9; }
// Run query // Run query
exec ($cmdquery, $output, $return_var); exec ($cmdquery, $output, $return_var);
if ((!empty($_POST['returncode'])) && ($_POST['returncode'] == 'yes')) { if ((!empty($_POST['returncode'])) && ($_POST['returncode'] == 'yes')) {
echo $return_var; echo $return_var;
} else { } else {

10
web/edit/db/index.php
View file

@ -64,11 +64,15 @@ if (!empty($_POST['save'])) {
// Change database password // Change database password
if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) { if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
$v_password = escapeshellarg($_POST['v_password']); $v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-change-database-password ".$v_username." ".$v_database." ".$v_password, $output, $return_var); exec (VESTA_CMD."v-change-database-password ".$v_username." ".$v_database." ".$v_password, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
$v_password = "••••••••";
unset($output); unset($output);
unlink($v_password);
$v_password = "••••••••";
} }
// Set success message // Set success message

8
web/edit/mail/index.php
View file

@ -178,11 +178,15 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
// Change password // Change password
if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) { if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
$v_password = escapeshellarg($_POST['v_password']); $v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-change-mail-account-password ".$v_username." ".$v_domain." ".$v_account." ".$v_password, $output, $return_var); exec (VESTA_CMD."v-change-mail-account-password ".$v_username." ".$v_domain." ".$v_account." ".$v_password, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
$v_password = "••••••••";
unset($output); unset($output);
unlink($v_password);
$v_password = "••••••••";
} }
// Change quota // Change quota

8
web/edit/user/index.php
View file

@ -76,11 +76,15 @@ if (!empty($_POST['save'])) {
// Change password // Change password
if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) { if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
$v_password = escapeshellarg($_POST['v_password']); $v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['v_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-change-user-password ".$v_username." ".$v_password, $output, $return_var); exec (VESTA_CMD."v-change-user-password ".$v_username." ".$v_password, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
$v_password = "••••••••";
unset($output); unset($output);
unlink($v_password);
$v_password = "••••••••";
} }
// Change package (admin only) // Change package (admin only)

25
web/edit/web/index.php
View file

@ -426,10 +426,14 @@ if (!empty($_POST['save'])) {
$_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg); $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
} else { } else {
$v_stats_user = escapeshellarg($_POST['v_stats_user']); $v_stats_user = escapeshellarg($_POST['v_stats_user']);
$v_stats_password = escapeshellarg($_POST['v_stats_password']); $v_stats_password = tempnam("/tmp","vst");
$fp = fopen($v_stats_password, "w");
fwrite($fp, $_POST['v_stats_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var); exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
unset($output); unset($output);
unlink($v_stats_password);
$v_stats_password = "••••••••"; $v_stats_password = "••••••••";
} }
} }
@ -450,10 +454,14 @@ if (!empty($_POST['save'])) {
} }
if (($v_stats_user != $_POST['v_stats_user']) || ($_POST['v_stats_password'] != "••••••••" ) && (empty($_SESSION['error_msg']))) { if (($v_stats_user != $_POST['v_stats_user']) || ($_POST['v_stats_password'] != "••••••••" ) && (empty($_SESSION['error_msg']))) {
$v_stats_user = escapeshellarg($_POST['v_stats_user']); $v_stats_user = escapeshellarg($_POST['v_stats_user']);
$v_stats_password = escapeshellarg($_POST['v_stats_password']); $v_stats_password = tempnam("/tmp","vst");
$fp = fopen($v_stats_password, "w");
fwrite($fp, $_POST['v_stats_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var); exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
unset($output); unset($output);
unlink($v_stats_password);
$v_stats_password = "••••••••"; $v_stats_password = "••••••••";
} }
} }
@ -484,9 +492,12 @@ if (!empty($_POST['save'])) {
$v_ftp_username = $v_ftp_user_data['v_ftp_user']; $v_ftp_username = $v_ftp_user_data['v_ftp_user'];
$v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user']; $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user'];
$v_ftp_user = escapeshellarg($v_ftp_username); $v_ftp_user = escapeshellarg($v_ftp_username);
$v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
$v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path'])); $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
if (empty($_SESSION['error_msg'])) { if (empty($_SESSION['error_msg'])) {
$v_ftp_password = tempnam("/tmp","vst");
$fp = fopen($v_ftp_password, "w");
fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var); exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
check_return_code($return_var,$output); check_return_code($return_var,$output);
if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) { if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
@ -499,6 +510,8 @@ if (!empty($_POST['save'])) {
unset($v_ftp_email); unset($v_ftp_email);
} }
unset($output); unset($output);
unlink($v_ftp_password);
$v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
} }
if ($return_var == 0) { if ($return_var == 0) {
@ -552,7 +565,13 @@ if (!empty($_POST['save'])) {
$v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path'])); $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
exec (VESTA_CMD."v-change-web-domain-ftp-path ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_path, $output, $return_var); exec (VESTA_CMD."v-change-web-domain-ftp-path ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_path, $output, $return_var);
if ($v_ftp_user_data['v_ftp_password'] != "'••••••••'" && $v_ftp_user_data['v_ftp_password'] != "••••••••" && !empty($v_ftp_user_data['v_ftp_password'])) { if ($v_ftp_user_data['v_ftp_password'] != "'••••••••'" && $v_ftp_user_data['v_ftp_password'] != "••••••••" && !empty($v_ftp_user_data['v_ftp_password'])) {
$v_ftp_password = tempnam("/tmp","vst");
$fp = fopen($v_ftp_password, "w");
fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
fclose($fp);
exec (VESTA_CMD."v-change-web-domain-ftp-password ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_user_data['v_ftp_password'], $output, $return_var); exec (VESTA_CMD."v-change-web-domain-ftp-password ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_user_data['v_ftp_password'], $output, $return_var);
unlink($v_ftp_password);
$v_ftp_user_data['v_ftp_password'] = escapeshellarg(trim($v_ftp_user_data['v_ftp_password']));
$to = $v_ftp_user_data['v_ftp_email']; $to = $v_ftp_user_data['v_ftp_email'];
$subject = __("FTP login credentials"); $subject = __("FTP login credentials");
$hostname = exec('hostname'); $hostname = exec('hostname');

2
web/list/dns/index.php
View file

@ -23,7 +23,7 @@ if (empty($_GET['domain'])){
include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_dns.html'); include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_dns.html');
} }
} else { } else {
exec (VESTA_CMD."v-list-dns-records '".$user."' '".$_GET['domain']."' 'json'", $output, $return_var); exec (VESTA_CMD."v-list-dns-records '".$user."' '".escapeshellarg($_GET['domain'])."' 'json'", $output, $return_var);
$data = json_decode(implode('', $output), true); $data = json_decode(implode('', $output), true);
$data = array_reverse($data, true); $data = array_reverse($data, true);
unset($output); unset($output);

2
web/list/mail/index.php
View file

@ -23,7 +23,7 @@ if (empty($_GET['domain'])){
include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_mail.html'); include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_mail.html');
} }
} else { } else {
exec (VESTA_CMD."v-list-mail-accounts '".$user."' '".$_GET['domain']."' json", $output, $return_var); exec (VESTA_CMD."v-list-mail-accounts '".$user."' '".escapeshellarg($_GET['domain'])."' json", $output, $return_var);
$data = json_decode(implode('', $output), true); $data = json_decode(implode('', $output), true);
$data = array_reverse($data, true); $data = array_reverse($data, true);
unset($output); unset($output);

99
web/login/index.php
View file

@ -9,23 +9,73 @@ if (isset($_GET['logout'])) {
session_destroy(); session_destroy();
} }
// Main include
include($_SERVER['DOCUMENT_ROOT']."/inc/main.php"); include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
// Login as someone else // Login as someone else
if (isset($_SESSION['user'])) { if (isset($_SESSION['user'])) {
if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) { if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) {
if ($_GET['loginas'] == 'admin') { exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var);
unset($_SESSION['look']); if ( $return_var == 0 ) {
} else { $data = json_decode(implode('', $output), true);
$_SESSION['look'] = $_GET['loginas']; reset($data);
$_SESSION['look_alert'] = $_GET['loginas']; $_SESSION['look'] = key($data);
$_SESSION['look_alert'] = 'yes';
} }
} }
header("Location: /"); header("Location: /");
exit; exit;
} }
// Basic auth
if (isset($_POST['user']) && isset($_POST['password'])) {
$v_user = escapeshellarg($_POST['user']);
// Send password via tmp file
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
// Check user & password
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $return_var);
unset($output);
// Remove tmp file
unlink($v_password);
// Check API answer
if ( $return_var > 0 ) {
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
} else {
// Make root admin user
if ($_POST['user'] == 'root') $v_user = 'admin';
// Get user speciefic parameters
exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
$data = json_decode(implode('', $output), true);
// Define language
if (!empty($data[$v_user]['LANGUAGE'])) $_SESSION['language'] = $data[$v_user]['LANGUAGE'];
// Define session user
reset($data);
$_SESSION['user'] = key($data);
// Redirect request to control panel interface
if (!empty($_SESSION['request_uri'])) {
header("Location: ".$_SESSION['request_uri']);
unset($_SESSION['request_uri']);
exit;
} else {
header("Location: /");
exit;
}
}
}
// Check system configuration // Check system configuration
exec (VESTA_CMD . "v-list-sys-config json", $output, $return_var); exec (VESTA_CMD . "v-list-sys-config json", $output, $return_var);
$data = json_decode(implode('', $output), true); $data = json_decode(implode('', $output), true);
@ -35,39 +85,10 @@ foreach ($sys_arr as $key => $value) {
} }
// Set default language // Set default language
if (empty($_SESSION['language'])) $_SESSION['language']=$_SESSION['LANGUAGE'];
if (empty($_SESSION['language'])) $_SESSION['language']='en'; if (empty($_SESSION['language'])) $_SESSION['language']='en';
// Auth require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
if (isset($_POST['user']) && isset($_POST['password'])) { require_once('../templates/header.html');
$v_user = escapeshellarg($_POST['user']); require_once('../templates/login.html');
$v_password = escapeshellarg($_POST['password']);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'", $output, $return_var);
if ( $return_var > 0 ) {
$ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
require_once('../templates/header.html');
require_once('../templates/login.html');
} else {
unset($output);
exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
$data = json_decode(implode('', $output), true);
$_SESSION['language'] = $data[$_POST['user']]['LANGUAGE'];
if (empty($_SESSION['language'])) $_SESSION['language'] = 'en';
$_SESSION['user'] = $_POST['user'];
if ($_POST['user'] == 'root') $_SESSION['user'] = 'admin';
if (!empty($_SESSION['request_uri'])) {
header("Location: ".$_SESSION['request_uri']);
unset($_SESSION['request_uri']);
exit;
} else {
header("Location: /");
exit;
}
}
} else {
require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
require_once('../templates/header.html');
require_once('../templates/login.html');
}
?> ?>

6
web/reset/index.php
View file

@ -43,15 +43,19 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass
if ( $_POST['password'] == $_POST['password_confirm'] ) { if ( $_POST['password'] == $_POST['password_confirm'] ) {
$v_user = escapeshellarg($_POST['user']); $v_user = escapeshellarg($_POST['user']);
$user = $_POST['user']; $user = $_POST['user'];
$v_password = escapeshellarg($_POST['password']);
$cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user"; $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
exec ($cmd." ".$v_user." json", $output, $return_var); exec ($cmd." ".$v_user." json", $output, $return_var);
if ( $return_var == 0 ) { if ( $return_var == 0 ) {
$data = json_decode(implode('', $output), true); $data = json_decode(implode('', $output), true);
$rkey = $data[$user]['RKEY']; $rkey = $data[$user]['RKEY'];
if ($rkey == $_POST['code']) { if ($rkey == $_POST['code']) {
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$cmd="/usr/bin/sudo /usr/local/vesta/bin/v-change-user-password"; $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-change-user-password";
exec ($cmd." ".$v_user." ".$v_password, $output, $return_var); exec ($cmd." ".$v_user." ".$v_password, $output, $return_var);
unlink($v_password);
if ( $return_var > 0 ) { if ( $return_var > 0 ) {
$ERROR = "<a class=\"error\">".__('An internal error occurred')."</a>"; $ERROR = "<a class=\"error\">".__('An internal error occurred')."</a>";
} else { } else {

11
web/reset/mail/index.php
View file

@ -104,8 +104,7 @@ if ((!empty($_POST['email'])) && (!empty($_POST['password'])) && (!empty($_POST[
list($v_account, $v_domain) = explode('@', $_POST['email']); list($v_account, $v_domain) = explode('@', $_POST['email']);
$v_domain = escapeshellarg($v_domain); $v_domain = escapeshellarg($v_domain);
$v_account = escapeshellarg($v_account); $v_account = escapeshellarg($v_account);
$password = $_POST['password']; $v_password = $_POST['password'];
$new = escapeshellarg($_POST['new']);
// Get domain owner // Get domain owner
exec (VESTA_CMD."v-search-domain-owner ".$v_domain." 'mail'", $output, $return_var); exec (VESTA_CMD."v-search-domain-owner ".$v_domain." 'mail'", $output, $return_var);
@ -126,12 +125,16 @@ if ((!empty($_POST['email'])) && (!empty($_POST['password'])) && (!empty($_POST[
// Compare hashes // Compare hashes
if (!empty($v_hash)) { if (!empty($v_hash)) {
$salt = explode('$', $v_hash); $salt = explode('$', $v_hash);
$n_hash = md5crypt($password, $salt[2]); $n_hash = md5crypt($v_password, $salt[2]);
$n_hash = '{MD5}'.$n_hash; $n_hash = '{MD5}'.$n_hash;
// Change password // Change password
if ( $v_hash == $n_hash ) { if ( $v_hash == $n_hash ) {
exec (VESTA_CMD."v-change-mail-account-password '".$v_user."' ".$v_domain." ".$v_account." ".$new, $output, $return_var); $v_new_password = tempnam("/tmp","vst");
$fp = fopen($v_new_password, "w");
fwrite($fp, $_POST['new']."\n");
fclose($fp);
exec (VESTA_CMD."v-change-mail-account-password '".$v_user."' ".$v_domain." ".$v_account." ".$v_new_password, $output, $return_var);
if ($return_var == 0) { if ($return_var == 0) {
echo "ok"; echo "ok";
exit; exit;