From 1a7612cc66f0e0c47512c8065c200a1463384249 Mon Sep 17 00:00:00 2001
From: Serghey Rodin <serghey.rodin@gmail.com>
Date: Tue, 31 Mar 2015 00:01:44 +0300
Subject: [PATCH] password transmission via tmp files

---
 web/add/db/index.php     |  7 ++-
 web/add/mail/index.php   |  7 ++-
 web/add/user/index.php   |  7 ++-
 web/add/web/index.php    | 14 ++++--
 web/api/index.php        | 53 +++++++++++----------
 web/edit/db/index.php    | 10 ++--
 web/edit/mail/index.php  |  8 +++-
 web/edit/user/index.php  |  8 +++-
 web/edit/web/index.php   | 25 ++++++++--
 web/list/dns/index.php   |  2 +-
 web/list/mail/index.php  |  2 +-
 web/login/index.php      | 99 ++++++++++++++++++++++++----------------
 web/reset/index.php      |  6 ++-
 web/reset/mail/index.php | 11 +++--
 14 files changed, 172 insertions(+), 87 deletions(-)

diff --git a/web/add/db/index.php b/web/add/db/index.php
index 4164f290b..0bb12bd27 100644
--- a/web/add/db/index.php
+++ b/web/add/db/index.php
@@ -43,7 +43,6 @@ if (!empty($_POST['ok'])) {
     // Protect input
     $v_database = escapeshellarg($_POST['v_database']);
     $v_dbuser = escapeshellarg($_POST['v_dbuser']);
-    $v_password = escapeshellarg($_POST['v_password']);
     $v_type = $_POST['v_type'];
     $v_charset = $_POST['v_charset'];
     $v_host = $_POST['v_host'];
@@ -54,9 +53,15 @@ if (!empty($_POST['ok'])) {
         $v_type = escapeshellarg($_POST['v_type']);
         $v_charset = escapeshellarg($_POST['v_charset']);
         $v_host = escapeshellarg($_POST['v_host']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-add-database ".$user." ".$v_database." ".$v_dbuser." ".$v_password." ".$v_type." ".$v_host." ".$v_charset, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
+        unlink($v_password);
+        $v_password = escapeshellarg($_POST['v_password']);
         $v_type = $_POST['v_type'];
         $v_host = $_POST['v_host'];
         $v_charset = $_POST['v_charset'];
diff --git a/web/add/mail/index.php b/web/add/mail/index.php
index 518b2e7cf..7399f95b7 100644
--- a/web/add/mail/index.php
+++ b/web/add/mail/index.php
@@ -87,7 +87,6 @@ if (!empty($_POST['ok_acc'])) {
     $v_domain = escapeshellarg($_POST['v_domain']);
     $v_domain = strtolower($v_domain);
     $v_account = escapeshellarg($_POST['v_account']);
-    $v_password = escapeshellarg($_POST['v_password']);
     $v_quota = escapeshellarg($_POST['v_quota']);
     $v_aliases = $_POST['v_aliases'];
     $v_fwd = $_POST['v_fwd'];
@@ -96,9 +95,15 @@ if (!empty($_POST['ok_acc'])) {
 
     // Add Mail Account
     if (empty($_SESSION['error_msg'])) {
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-add-mail-account ".$user." ".$v_domain." ".$v_account." ".$v_password." ".$v_quota, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
+        unlink($v_password);
+        $v_password = escapeshellarg($_POST['v_password']);
     }
 
     // Add Aliases
diff --git a/web/add/user/index.php b/web/add/user/index.php
index 3324c0464..0047a48b4 100644
--- a/web/add/user/index.php
+++ b/web/add/user/index.php
@@ -47,7 +47,6 @@ if (!empty($_POST['ok'])) {
 
     // Protect input
     $v_username = escapeshellarg($_POST['v_username']);
-    $v_password = escapeshellarg($_POST['v_password']);
     $v_email = escapeshellarg($_POST['v_email']);
     $v_package = escapeshellarg($_POST['v_package']);
     $v_language = escapeshellarg($_POST['v_language']);
@@ -58,9 +57,15 @@ if (!empty($_POST['ok'])) {
 
     // Add user
     if (empty($_SESSION['error_msg'])) {
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-add-user ".$v_username." ".$v_password." ".$v_email." ".$v_package." ".$v_fname." ".$v_lname, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
+        unlink($v_password);
+        $v_password = escapeshellarg($_POST['v_password']);
     }
 
     // Set language
diff --git a/web/add/web/index.php b/web/add/web/index.php
index 5050cc5d9..d22bb85e4 100644
--- a/web/add/web/index.php
+++ b/web/add/web/index.php
@@ -196,10 +196,15 @@ if (!empty($_POST['ok'])) {
     // Add web stats password
     if ((!empty($_POST['v_stats_user'])) && (empty($_SESSION['error_msg']))) {
         $v_stats_user = escapeshellarg($_POST['v_stats_user']);
-        $v_stats_password = escapeshellarg($_POST['v_stats_password']);
+        $v_stats_password = tempnam("/tmp","vst");
+        $fp = fopen($v_stats_password, "w");
+        fwrite($fp, $_POST['v_stats_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-add-web-domain-stats-user ".$user." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
         check_return_code($return_var,$output);
         unset($output);
+        unlink($v_stats_password);
+        $v_stats_password = escapeshellarg($_POST['v_stats_password']);
     }
 
     // Restart DNS server
@@ -259,13 +264,16 @@ if (!empty($_POST['ok'])) {
                 $v_ftp_username      = $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_user = escapeshellarg($v_ftp_user_data['v_ftp_user']);
-                $v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
-
                 if ($domain_added) {
                     $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
+                    $v_ftp_password = tempnam("/tmp","vst");
+                    $fp = fopen($v_ftp_password, "w");
+                    fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
+                    fclose($fp);
                     exec (VESTA_CMD."v-add-web-domain-ftp ".$user." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
                     check_return_code($return_var,$output);
                     unset($output);
+                    unlink($v_ftp_password);
                     if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
                         $to = $v_ftp_user_data['v_ftp_email'];
                         $subject = __("FTP login credentials");
diff --git a/web/api/index.php b/web/api/index.php
index c938512a5..cfa74ff76 100644
--- a/web/api/index.php
+++ b/web/api/index.php
@@ -11,11 +11,15 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
             echo 'Error: only admin is allowed to use API';
             exit;
         }
-        
+
         $v_user = escapeshellarg($_POST['user']);
-        $v_password = escapeshellarg($_POST['password']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['password']."\n");
+        fclose($fp);
         $v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
         exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'",  $output, $auth_code);
+        unlink($v_password);
     } else {
         $key = '/usr/local/vesta/data/keys/' . basename($_POST['hash']);
         if (file_exists($key) && is_file($key)) {
@@ -27,7 +31,7 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
         echo 'Error: authentication failed';
         exit;
     }
-    
+
     // Prepare arguments
     if (isset($_POST['cmd'])) $cmd = escapeshellarg($_POST['cmd']);
     if (isset($_POST['arg1'])) $arg1 = escapeshellarg($_POST['arg1']);
@@ -40,31 +44,30 @@ if (isset($_POST['user']) || isset($_POST['hash'])) {
     if (isset($_POST['arg8'])) $arg8 = escapeshellarg($_POST['arg8']);
     if (isset($_POST['arg9'])) $arg9 = escapeshellarg($_POST['arg9']);
 
- // Build query
+    // Build query
     $cmdquery = VESTA_CMD.$cmd." ";
-     
-     if(!empty($arg1)){
-                     $cmdquery = $cmdquery.$arg1." "; }
-     if(!empty($arg2)){
-                     $cmdquery = $cmdquery.$arg2." "; }
-     if(!empty($arg3)){
-                     $cmdquery = $cmdquery.$arg3." "; }
-     if(!empty($arg4)){
-                     $cmdquery = $cmdquery.$arg4." "; }
-     if(!empty($arg5)){
-                     $cmdquery = $cmdquery.$arg5." "; }
-     if(!empty($arg6)){
-                     $cmdquery = $cmdquery.$arg6." "; }
-     if(!empty($arg7)){
-                     $cmdquery = $cmdquery.$arg7." "; }
-     if(!empty($arg8)){
-                     $cmdquery = $cmdquery.$arg8." "; }
-     if(!empty($arg9)){
-                     $cmdquery = $cmdquery.$arg9; }
+    if(!empty($arg1)){
+         $cmdquery = $cmdquery.$arg1." "; }
+    if(!empty($arg2)){
+         $cmdquery = $cmdquery.$arg2." "; }
+    if(!empty($arg3)){
+         $cmdquery = $cmdquery.$arg3." "; }
+    if(!empty($arg4)){
+         $cmdquery = $cmdquery.$arg4." "; }
+    if(!empty($arg5)){
+         $cmdquery = $cmdquery.$arg5." "; }
+    if(!empty($arg6)){
+         $cmdquery = $cmdquery.$arg6." "; }
+    if(!empty($arg7)){
+         $cmdquery = $cmdquery.$arg7." "; }
+    if(!empty($arg8)){
+         $cmdquery = $cmdquery.$arg8." "; }
+    if(!empty($arg9)){
+         $cmdquery = $cmdquery.$arg9; }
 
-   // Run query
+    // Run query
     exec ($cmdquery, $output, $return_var);
-    
+
     if ((!empty($_POST['returncode'])) && ($_POST['returncode'] == 'yes')) {
         echo $return_var;
     } else {
diff --git a/web/edit/db/index.php b/web/edit/db/index.php
index c64e53046..f5f0e536c 100644
--- a/web/edit/db/index.php
+++ b/web/edit/db/index.php
@@ -64,11 +64,15 @@ if (!empty($_POST['save'])) {
 
     // Change database password
     if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
-        $v_password = escapeshellarg($_POST['v_password']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-change-database-password ".$v_username." ".$v_database." ".$v_password, $output, $return_var);
-        check_return_code($return_var,$output);
-        $v_password = "••••••••";
+        check_return_code($return_var,$output);    
         unset($output);
+        unlink($v_password);
+        $v_password = "••••••••";
     }
 
     // Set success message
diff --git a/web/edit/mail/index.php b/web/edit/mail/index.php
index 6ff029351..457a897f4 100644
--- a/web/edit/mail/index.php
+++ b/web/edit/mail/index.php
@@ -178,11 +178,15 @@ if ((!empty($_POST['save'])) && (!empty($_GET['domain'])) && (!empty($_GET['acco
 
     // Change password
     if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
-        $v_password = escapeshellarg($_POST['v_password']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-change-mail-account-password ".$v_username." ".$v_domain." ".$v_account." ".$v_password, $output, $return_var);
         check_return_code($return_var,$output);
-        $v_password = "••••••••";
         unset($output);
+        unlink($v_password);
+        $v_password = "••••••••";
     }
 
     // Change quota
diff --git a/web/edit/user/index.php b/web/edit/user/index.php
index 5b886af52..e052301ec 100644
--- a/web/edit/user/index.php
+++ b/web/edit/user/index.php
@@ -76,11 +76,15 @@ if (!empty($_POST['save'])) {
 
     // Change password
     if (($v_password != $_POST['v_password']) && (empty($_SESSION['error_msg']))) {
-        $v_password = escapeshellarg($_POST['v_password']);
+        $v_password = tempnam("/tmp","vst");
+        $fp = fopen($v_password, "w");
+        fwrite($fp, $_POST['v_password']."\n");
+        fclose($fp);
         exec (VESTA_CMD."v-change-user-password ".$v_username." ".$v_password, $output, $return_var);
         check_return_code($return_var,$output);
-        $v_password = "••••••••";
         unset($output);
+        unlink($v_password);
+        $v_password = "••••••••";
     }
 
     // Change package (admin only)
diff --git a/web/edit/web/index.php b/web/edit/web/index.php
index 1c1b88502..98bdd029a 100644
--- a/web/edit/web/index.php
+++ b/web/edit/web/index.php
@@ -426,10 +426,14 @@ if (!empty($_POST['save'])) {
             $_SESSION['error_msg'] = __('Field "%s" can not be blank.',$error_msg);
         } else {
             $v_stats_user = escapeshellarg($_POST['v_stats_user']);
-            $v_stats_password = escapeshellarg($_POST['v_stats_password']);
+            $v_stats_password = tempnam("/tmp","vst");
+            $fp = fopen($v_stats_password, "w");
+            fwrite($fp, $_POST['v_stats_password']."\n");
+            fclose($fp);
             exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
             check_return_code($return_var,$output);
             unset($output);
+            unlink($v_stats_password);
             $v_stats_password = "••••••••";
         }
     }
@@ -450,10 +454,14 @@ if (!empty($_POST['save'])) {
         }
         if (($v_stats_user != $_POST['v_stats_user']) || ($_POST['v_stats_password'] != "••••••••" ) && (empty($_SESSION['error_msg']))) {
             $v_stats_user = escapeshellarg($_POST['v_stats_user']);
-            $v_stats_password = escapeshellarg($_POST['v_stats_password']);
+            $v_stats_password = tempnam("/tmp","vst");
+            $fp = fopen($v_stats_password, "w");
+            fwrite($fp, $_POST['v_stats_password']."\n");
+            fclose($fp);
             exec (VESTA_CMD."v-add-web-domain-stats-user ".$v_username." ".$v_domain." ".$v_stats_user." ".$v_stats_password, $output, $return_var);
             check_return_code($return_var,$output);
             unset($output);
+            unlink($v_stats_password);
             $v_stats_password = "••••••••";
         }
     }
@@ -484,9 +492,12 @@ if (!empty($_POST['save'])) {
                 $v_ftp_username      = $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_username_full = $user . '_' . $v_ftp_user_data['v_ftp_user'];
                 $v_ftp_user = escapeshellarg($v_ftp_username);
-                $v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
                 $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
                 if (empty($_SESSION['error_msg'])) {
+                    $v_ftp_password = tempnam("/tmp","vst");
+                    $fp = fopen($v_ftp_password, "w");
+                    fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
+                    fclose($fp);
                     exec (VESTA_CMD."v-add-web-domain-ftp ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_password . " " . $v_ftp_path, $output, $return_var);
                     check_return_code($return_var,$output);
                     if ((!empty($v_ftp_user_data['v_ftp_email'])) && (empty($_SESSION['error_msg']))) {
@@ -499,6 +510,8 @@ if (!empty($_POST['save'])) {
                         unset($v_ftp_email);
                     }
                     unset($output);
+                    unlink($v_ftp_password);
+                    $v_ftp_password = escapeshellarg($v_ftp_user_data['v_ftp_password']);
                 }
 
                 if ($return_var == 0) {
@@ -552,7 +565,13 @@ if (!empty($_POST['save'])) {
                 $v_ftp_path = escapeshellarg(trim($v_ftp_user_data['v_ftp_path']));
                 exec (VESTA_CMD."v-change-web-domain-ftp-path ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_path, $output, $return_var);
                 if ($v_ftp_user_data['v_ftp_password'] != "'••••••••'" && $v_ftp_user_data['v_ftp_password'] != "••••••••" && !empty($v_ftp_user_data['v_ftp_password'])) {
+                    $v_ftp_password = tempnam("/tmp","vst");
+                    $fp = fopen($v_ftp_password, "w");
+                    fwrite($fp, $v_ftp_user_data['v_ftp_password']."\n");
+                    fclose($fp);
                     exec (VESTA_CMD."v-change-web-domain-ftp-password ".$v_username." ".$v_domain." ".$v_ftp_username." ".$v_ftp_user_data['v_ftp_password'], $output, $return_var);
+                    unlink($v_ftp_password);
+                    $v_ftp_user_data['v_ftp_password'] = escapeshellarg(trim($v_ftp_user_data['v_ftp_password']));
                     $to = $v_ftp_user_data['v_ftp_email'];
                     $subject = __("FTP login credentials");
                     $hostname = exec('hostname');
diff --git a/web/list/dns/index.php b/web/list/dns/index.php
index eb7f65282..d33f9a8da 100644
--- a/web/list/dns/index.php
+++ b/web/list/dns/index.php
@@ -23,7 +23,7 @@ if (empty($_GET['domain'])){
         include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_dns.html');
     }
 } else {
-    exec (VESTA_CMD."v-list-dns-records '".$user."' '".$_GET['domain']."' 'json'", $output, $return_var);
+    exec (VESTA_CMD."v-list-dns-records '".$user."' '".escapeshellarg($_GET['domain'])."' 'json'", $output, $return_var);
     $data = json_decode(implode('', $output), true);
     $data = array_reverse($data, true);
     unset($output);
diff --git a/web/list/mail/index.php b/web/list/mail/index.php
index d0d9cf2cd..541f872c3 100644
--- a/web/list/mail/index.php
+++ b/web/list/mail/index.php
@@ -23,7 +23,7 @@ if (empty($_GET['domain'])){
         include($_SERVER['DOCUMENT_ROOT'].'/templates/user/list_mail.html');
     }
 } else {
-    exec (VESTA_CMD."v-list-mail-accounts '".$user."' '".$_GET['domain']."' json", $output, $return_var);
+    exec (VESTA_CMD."v-list-mail-accounts '".$user."' '".escapeshellarg($_GET['domain'])."' json", $output, $return_var);
     $data = json_decode(implode('', $output), true);
     $data = array_reverse($data, true);
     unset($output);
diff --git a/web/login/index.php b/web/login/index.php
index a76e3de18..52d49251a 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -9,23 +9,73 @@ if (isset($_GET['logout'])) {
     session_destroy();
 }
 
+// Main include
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
 
-
 // Login as someone else
 if (isset($_SESSION['user'])) {
     if ($_SESSION['user'] ==  'admin' && !empty($_GET['loginas'])) {
-        if ($_GET['loginas'] == 'admin') {
-            unset($_SESSION['look']);
-        } else {
-            $_SESSION['look'] = $_GET['loginas'];
-            $_SESSION['look_alert'] = $_GET['loginas'];
+        exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var);
+        if ( $return_var == 0 ) {
+            $data = json_decode(implode('', $output), true);
+            reset($data);
+            $_SESSION['look'] = key($data);
+            $_SESSION['look_alert'] = 'yes';
         }
     }
     header("Location: /");
     exit;
 }
 
+// Basic auth
+if (isset($_POST['user']) && isset($_POST['password'])) {
+    $v_user = escapeshellarg($_POST['user']);
+
+    // Send password via tmp file
+    $v_password = tempnam("/tmp","vst");
+    $fp = fopen($v_password, "w");
+    fwrite($fp, $_POST['password']."\n");
+    fclose($fp);
+
+    // Check user & password
+    exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'",  $output, $return_var);
+    unset($output);
+
+    // Remove tmp file
+    unlink($v_password);
+
+    // Check API answer
+    if ( $return_var > 0 ) {
+        $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
+
+    } else {
+
+        // Make root admin user
+        if ($_POST['user'] == 'root') $v_user = 'admin';
+
+        // Get user speciefic parameters
+        exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
+        $data = json_decode(implode('', $output), true);
+
+        // Define language
+        if (!empty($data[$v_user]['LANGUAGE'])) $_SESSION['language'] = $data[$v_user]['LANGUAGE'];
+
+        // Define session user
+        reset($data);
+        $_SESSION['user'] = key($data);
+
+        // Redirect request to control panel interface
+        if (!empty($_SESSION['request_uri'])) {
+            header("Location: ".$_SESSION['request_uri']);
+            unset($_SESSION['request_uri']);
+            exit;
+        } else {
+            header("Location: /");
+            exit;
+        }
+    }
+}
+
 // Check system configuration
 exec (VESTA_CMD . "v-list-sys-config json", $output, $return_var);
 $data = json_decode(implode('', $output), true);
@@ -35,39 +85,10 @@ foreach ($sys_arr as $key => $value) {
 }
 
 // Set default language
-if (empty($_SESSION['language'])) $_SESSION['language']=$_SESSION['LANGUAGE'];
 if (empty($_SESSION['language'])) $_SESSION['language']='en';
 
-// Auth
-if (isset($_POST['user']) && isset($_POST['password'])) {
-    $v_user = escapeshellarg($_POST['user']);
-    $v_password = escapeshellarg($_POST['password']);
-    exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$_SERVER["REMOTE_ADDR"]."'",  $output, $return_var);
-    if ( $return_var > 0 ) {
-        $ERROR = "<a class=\"error\">".__('Invalid username or password')."</a>";
-        require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
-        require_once('../templates/header.html');
-        require_once('../templates/login.html');
-    } else {
-        unset($output);
-        exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
-        $data = json_decode(implode('', $output), true);
-        $_SESSION['language'] = $data[$_POST['user']]['LANGUAGE'];
-        if (empty($_SESSION['language'])) $_SESSION['language'] = 'en';
-        $_SESSION['user'] = $_POST['user'];
-        if ($_POST['user'] == 'root') $_SESSION['user'] = 'admin';
-        if (!empty($_SESSION['request_uri'])) {
-            header("Location: ".$_SESSION['request_uri']);
-            unset($_SESSION['request_uri']);
-            exit;
-        } else {
-            header("Location: /");
-            exit;
-        }
-    }
-} else {
-    require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
-    require_once('../templates/header.html');
-    require_once('../templates/login.html');
-}
+require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php');
+require_once('../templates/header.html');
+require_once('../templates/login.html');
+
 ?>
diff --git a/web/reset/index.php b/web/reset/index.php
index bd8ccdc5e..f84fb38da 100644
--- a/web/reset/index.php
+++ b/web/reset/index.php
@@ -43,15 +43,19 @@ if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['pass
     if ( $_POST['password'] == $_POST['password_confirm'] ) {
         $v_user = escapeshellarg($_POST['user']);
         $user = $_POST['user'];
-        $v_password = escapeshellarg($_POST['password']);
         $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-list-user";
         exec ($cmd." ".$v_user." json", $output, $return_var);
         if ( $return_var == 0 ) {
             $data = json_decode(implode('', $output), true);
             $rkey = $data[$user]['RKEY'];
             if ($rkey == $_POST['code']) {
+                $v_password = tempnam("/tmp","vst");
+                $fp = fopen($v_password, "w");
+                fwrite($fp, $_POST['password']."\n");
+                fclose($fp);
                 $cmd="/usr/bin/sudo /usr/local/vesta/bin/v-change-user-password";
                 exec ($cmd." ".$v_user." ".$v_password, $output, $return_var);
+                unlink($v_password);
                 if ( $return_var > 0 ) {
                     $ERROR = "<a class=\"error\">".__('An internal error occurred')."</a>";
                 } else {
diff --git a/web/reset/mail/index.php b/web/reset/mail/index.php
index db29acdf7..9315d0418 100644
--- a/web/reset/mail/index.php
+++ b/web/reset/mail/index.php
@@ -104,8 +104,7 @@ if ((!empty($_POST['email'])) && (!empty($_POST['password'])) && (!empty($_POST[
     list($v_account, $v_domain) = explode('@', $_POST['email']);
     $v_domain = escapeshellarg($v_domain);
     $v_account = escapeshellarg($v_account);
-    $password = $_POST['password'];
-    $new = escapeshellarg($_POST['new']);
+    $v_password = $_POST['password'];
 
     // Get domain owner
     exec (VESTA_CMD."v-search-domain-owner ".$v_domain." 'mail'", $output, $return_var);
@@ -126,12 +125,16 @@ if ((!empty($_POST['email'])) && (!empty($_POST['password'])) && (!empty($_POST[
     // Compare hashes
     if (!empty($v_hash)) {
         $salt = explode('$', $v_hash);
-        $n_hash = md5crypt($password, $salt[2]);
+        $n_hash = md5crypt($v_password, $salt[2]);
         $n_hash = '{MD5}'.$n_hash;
 
         // Change password
         if ( $v_hash == $n_hash ) {
-            exec (VESTA_CMD."v-change-mail-account-password '".$v_user."' ".$v_domain." ".$v_account." ".$new, $output, $return_var);
+            $v_new_password = tempnam("/tmp","vst");
+            $fp = fopen($v_new_password, "w");
+            fwrite($fp, $_POST['new']."\n");
+            fclose($fp);
+            exec (VESTA_CMD."v-change-mail-account-password '".$v_user."' ".$v_domain." ".$v_account." ".$v_new_password, $output, $return_var);
             if ($return_var == 0) {
                 echo "ok";
                 exit;