diff --git a/web/inc/main.php b/web/inc/main.php
index 7f17ebeb..ae9538ac 100644
--- a/web/inc/main.php
+++ b/web/inc/main.php
@@ -97,4 +97,21 @@ function get_percentage($used,$total) {
 return $percent;
 }
 
+function send_email($to,$subject,$mailtext,$from) {
+ $charset = "utf-8";
+ $to = '<'.$to.'>';
+ $boundary='--' . md5( uniqid("myboundary") );
+ $priorities = array( '1 (Highest)', '2 (High)', '3 (Normal)', '4 (Low)', '5 (Lowest)' );
+ $priority = $priorities[2];
+ $ctencoding = "8bit";
+ $sep = chr(13) . chr(10);
+ $disposition = "inline";
+ $subject = "=?$charset?B?".base64_encode($subject)."?=";
+ $header.="From: $from \nX-Priority: $priority\nCC: $cc\n";
+ $header.="Mime-Version: 1.0\nContent-Type: text/plain; charset=$charset \n";
+ $header.="Content-Transfer-Encoding: $ctencoding\nX-Mailer: Php/libMailv1.3\n";
+ $message .= $mailtext;
+ mail($to, $subject, $message, $header);
+}
+
 ?>
diff --git a/web/login/index.php b/web/login/index.php
index e9873ac6..ddd22597 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -19,7 +19,9 @@ if (isset($_SESSION['user'])) {
 } else {
 if (isset($_POST['user']) && isset($_POST['password'])) {
 $cmd="/usr/bin/sudo /usr/local/vesta/bin/";
- $command="$cmd"."v_check_user_password '".$_POST['user']."' '".$_POST['password']."' '".$_SERVER["REMOTE_ADDR"]."'";
+ $v_user = escapeshellarg($_POST['user']);
+ $v_password = escapeshellarg($_POST['password']);
+ $command="$cmd"."v_check_user_password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'";
 exec ($command, $output, $return_var);
 if ( $return_var > 0 ) {
 $ERROR = "ERROR: Invalid username or password";
diff --git a/web/reset/index.php b/web/reset/index.php
new file mode 100644
index 00000000..0b8017c6
--- /dev/null
+++ b/web/reset/index.php
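Review bot: `$header` and `$message` are appended to with `.=` but never initialised, and `$cc` is never assigned, so send_email raises undefined-variable notices and emits an empty `CC:` header; initialise both (`$header = ''; $message = '';`) and either drop the `CC:` line or make the CC address a parameter. `$boundary`, `$sep` and `$disposition` are computed and never used, and the header lines are joined with `\n` although `$sep` looks like it was meant to supply CRLF. The recipient is wrapped in angle brackets without any validation, so a contact value containing a line break would land inside the header block handed to mail(); reject it first with `if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) { return false; }` before the `$to = '<'.$to.'>';` line. The same function body is added again in web/reset/index.php in this commit; if that file includes inc/main.php the second definition is a fatal redeclaration, and otherwise it should reuse this one.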
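Review bot: The third argument of v_check_user_password is still spliced in with hand-written single quotes (`'".$_SERVER["REMOTE_ADDR"]."'`) while the two user-supplied values now go through escapeshellarg; quote it the same way for consistency, `$v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);` and `$command = $cmd."v_check_user_password ".$v_user." ".$v_password." ".$v_ip;`, so every argument is built by one mechanism. The plaintext password is still passed as a process argument, which makes it visible in the process list to other local users for the lifetime of the check; feeding it on stdin would avoid that, but that needs a matching change in the checked script outside this diff. The enclosing else branch begins outside the hunk.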
@@ -0,0 +1,99 @@ +'; + $boundary='--' . md5( uniqid("myboundary") ); + $priorities = array( '1 (Highest)', '2 (High)', '3 (Normal)', '4 (Low)', '5 (Lowest)' ); + $priority = $priorities[2]; + $ctencoding = "8bit"; + $sep = chr(13) . chr(10); + $disposition = "inline"; + $subject = "=?$charset?B?".base64_encode($subject)."?="; + $header.="From: $from \nX-Priority: $priority\nCC: $cc\n"; + $header.="Mime-Version: 1.0\nContent-Type: text/plain; charset=$charset \n"; + $header.="Content-Transfer-Encoding: $ctencoding\nX-Mailer: Php/libMailv1.3\n"; + $message .= $mailtext; + mail($to, $subject, $message, $header); +} + +if ((!empty($_POST['user'])) && (empty($_POST['code']))) { + $v_user = escapeshellarg($_POST['user']); + $user = $_POST['user']; + $cmd="/usr/bin/sudo /usr/local/vesta/bin/v_list_user"; + exec ($cmd." ".$v_user." json", $output, $return_var); + if ( $return_var == 0 ) { + $data = json_decode(implode('', $output), true); + $rkey = $data[$user]['RKEY']; + $fname = $data[$user]['FNAME']; + $lname = $data[$user]['LNAME']; + $contact = $data[$user]['CONTACT']; + $to = $data[$user]['CONTACT']; + $subject = 'Password Reset '.date("Y-m-d H:i:s"); + $hostname = exec('hostname'); + $from = "Vesta Control Panel "; + if (!empty($fname)) { + $mailtext = "Hello ".$fname." ".$lname.",\n"; + } else { + $mailtext = "Hello,\n"; + } + $mailtext .= "You recently asked to reset your control panel password. "; + $mailtext .= "To complete your request, please follow this link:\n"; + $mailtext .= "https://".$_SERVER['HTTP_HOST']."/reset/?action=confirm&user=".$user."&code=".$rkey."\n\n"; + $mailtext .= "Alternately, you may go to https://".$_SERVER['HTTP_HOST']."/reset/?action=code&user=".$user." 
and enter the following password reset code:\n"; + $mailtext .= $rkey."\n\n"; + $mailtext .= "If you did not request a new password please ignore this letter and accept our apologies — we didn't intend to disturb you.\n"; + $mailtext .= "Thanks,\nThe VestaCP Team\n"; + if (!empty($rkey)) send_email($to, $subject, $mailtext, $from); + unset($output); + } + + header("Location: /reset/?action=code&user=".$_POST['user']); + exit; +} + +if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['password'])) ) { + if ( $_POST['password'] == $_POST['password_confirm'] ) { + $v_user = escapeshellarg($_POST['user']); + $user = $_POST['user']; + $v_password = escapeshellarg($_POST['password']); + $cmd="/usr/bin/sudo /usr/local/vesta/bin/v_list_user"; + exec ($cmd." ".$v_user." json", $output, $return_var); + if ( $return_var == 0 ) { + $data = json_decode(implode('', $output), true); + $rkey = $data[$user]['RKEY']; + if ($rkey == $_POST['code']) { + $cmd="/usr/bin/sudo /usr/local/vesta/bin/v_change_user_password"; + exec ($cmd." ".$v_user." ".$v_password, $output, $return_var); + if ( $return_var > 0 ) { + $ERROR = "ERROR: Internal error"; + } else { + $_SESSION['user'] = $_POST['user']; + header("Location: /"); + exit; + } + } else { + $ERROR = "ERROR: Invalid username or code"; + } + } else { + $ERROR = "ERROR: Invalid username or code"; + } + } else { + $ERROR = "ERROR: Passwords not match"; + } +} + +if (empty($_GET['action'])) { + require_once '../templates/reset_1.html'; +} else { + if ($_GET['action'] == 'code' ) { + require_once '../templates/reset_2.html'; + } + if (($_GET['action'] == 'confirm' ) && (!empty($_GET['code']))) { + require_once '../templates/reset_3.html'; + } +} + +?> diff --git a/web/templates/login.html b/web/templates/login.html index 96859da6..ef4db9eb 100644 --- a/web/templates/login.html +++ b/web/templates/login.html @@ -114,7 +114,7 @@
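Review bot: The reset links in the two `$mailtext` URL lines are built from `$_SERVER['HTTP_HOST']`, which comes from the client's Host header, so a reset request carrying a forged Host header would mail the account's contact a link pointing at a host of the requester's choosing; the code already computes `$hostname = exec('hostname');` and never uses it, so build the links from that (or a configured panel hostname) rather than from HTTP_HOST. The code check `if ($rkey == $_POST['code'])` is a loose comparison; use `if (hash_equals((string)$rkey, (string)$_POST['code']))` so numeric-looking codes are not compared as numbers and the comparison is constant-time. `$user` and `$_POST['user']` are inserted into the mail URLs and the `Location:` redirect without `rawurlencode()`, so a username with reserved characters produces a broken link. The send_email function at the top of this file duplicates the one added to web/inc/main.php in the same commit; the first lines of this hunk are garbled on the page, so whether this file includes main.php (which would make the duplicate a fatal redeclaration) cannot be confirmed from here.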
- Vesta Control Panel + Vesta Control Panel
@@ -123,7 +123,7 @@ - + diff --git a/web/templates/reset_1.html b/web/templates/reset_1.html new file mode 100644 index 00000000..b9227af4 --- /dev/null +++ b/web/templates/reset_1.html @@ -0,0 +1,145 @@ + + VestaCP - Reset Password + + + +
+
+ + + + + diff --git a/web/templates/reset_2.html b/web/templates/reset_2.html new file mode 100644 index 00000000..48848ee7 --- /dev/null +++ b/web/templates/reset_2.html @@ -0,0 +1,150 @@ + + VestaCP - Reset Password + + + +
+ + + +
+ + diff --git a/web/templates/reset_3.html b/web/templates/reset_3.html new file mode 100644 index 00000000..6d3fbd0e --- /dev/null +++ b/web/templates/reset_3.html @@ -0,0 +1,151 @@ + + VestaCP - Reset Password + + + +
+ + + +
+ +