From d6eb5f0ba72a972b459d89b701948708623c910e Mon Sep 17 00:00:00 2001
From: myvesta <38690722+myvesta@users.noreply.github.com>
Date: Sun, 30 Aug 2020 00:10:04 +0200
Subject: [PATCH] Disabling login with 'root'
tnx @jaapmarcus and HestiaCP
---
web/login/index.php | 140 +++++++++++++++++++++++---------------------
1 file changed, 73 insertions(+), 67 deletions(-)
diff --git a/web/login/index.php b/web/login/index.php
index b2e7c7149..87aa6f1ab 100644
--- a/web/login/index.php
+++ b/web/login/index.php
@@ -35,82 +35,88 @@ if (isset($_POST['user']) && isset($_POST['password'])) {
$v_user = escapeshellarg($_POST['user']);
$v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']);
- // Get user's salt
- $output = '';
- exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
- $pam = json_decode(implode('', $output), true);
- if ( $return_var > 0 ) {
- $ERROR = "".__('Invalid username or password')."";
+ if($_POST['user'] == 'root'){
+ unset($_POST['password']);
+ unset($_POST['user']);
+ $ERROR = "".__('Login with root has been disabled')."";
} else {
- $user = $_POST['user'];
- $password = $_POST['password'];
- $salt = $pam[$user]['SALT'];
- $method = $pam[$user]['METHOD'];
-
- if ($method == 'md5' ) {
- $hash = crypt($password, '$1$'.$salt.'$');
- }
- if ($method == 'sha-512' ) {
- $hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
- $hash = str_replace('$rounds=5000','',$hash);
- }
- if ($method == 'des' ) {
- $hash = crypt($password, $salt);
- }
-
- // Send hash via tmp file
- $v_hash = exec('mktemp -p /tmp');
- $fp = fopen($v_hash, "w");
- fwrite($fp, $hash."\n");
- fclose($fp);
-
- // Check user hash
- exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var);
- unset($output);
-
- // Remove tmp file
- unlink($v_hash);
-
- // Check API answer
+ // Get user's salt
+ $output = '';
+ exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var);
+ $pam = json_decode(implode('', $output), true);
if ( $return_var > 0 ) {
$ERROR = "".__('Invalid username or password')."";
} else {
+ $user = $_POST['user'];
+ $password = $_POST['password'];
+ $salt = $pam[$user]['SALT'];
+ $method = $pam[$user]['METHOD'];
- // Make root admin user
- if ($_POST['user'] == 'root') $v_user = 'admin';
-
- // Get user speciefic parameters
- exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
- $data = json_decode(implode('', $output), true);
-
- // Define session user
- $_SESSION['user'] = key($data);
- $v_user = $_SESSION['user'];
-
- // Get user favorites
- get_favourites();
-
- // Define language
- $output = '';
- exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
- $languages = json_decode(implode('', $output), true);
- if (in_array($data[$v_user]['LANGUAGE'], $languages)){
- $_SESSION['language'] = $data[$v_user]['LANGUAGE'];
- } else {
- $_SESSION['language'] = 'en';
+ if ($method == 'md5' ) {
+ $hash = crypt($password, '$1$'.$salt.'$');
+ }
+ if ($method == 'sha-512' ) {
+ $hash = crypt($password, '$6$rounds=5000$'.$salt.'$');
+ $hash = str_replace('$rounds=5000','',$hash);
+ }
+ if ($method == 'des' ) {
+ $hash = crypt($password, $salt);
}
- // Regenerate session id to prevent session fixation
- session_regenerate_id();
+ // Send hash via tmp file
+ $v_hash = exec('mktemp -p /tmp');
+ $fp = fopen($v_hash, "w");
+ fwrite($fp, $hash."\n");
+ fclose($fp);
- // Redirect request to control panel interface
- if (!empty($_SESSION['request_uri'])) {
- header("Location: ".$_SESSION['request_uri']);
- unset($_SESSION['request_uri']);
- exit;
+ // Check user hash
+ exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var);
+ unset($output);
+
+ // Remove tmp file
+ unlink($v_hash);
+
+ // Check API answer
+ if ( $return_var > 0 ) {
+ $ERROR = "".__('Invalid username or password')."";
} else {
- header("Location: /list/user/");
- exit;
+
+ // Make root admin user
+ // if ($_POST['user'] == 'root') $v_user = 'admin';
+
+ // Get user speciefic parameters
+ exec (VESTA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
+ $data = json_decode(implode('', $output), true);
+
+ // Define session user
+ $_SESSION['user'] = key($data);
+ $v_user = $_SESSION['user'];
+
+ // Get user favorites
+ get_favourites();
+
+ // Define language
+ $output = '';
+ exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var);
+ $languages = json_decode(implode('', $output), true);
+ if (in_array($data[$v_user]['LANGUAGE'], $languages)){
+ $_SESSION['language'] = $data[$v_user]['LANGUAGE'];
+ } else {
+ $_SESSION['language'] = 'en';
+ }
+
+ // Regenerate session id to prevent session fixation
+ session_regenerate_id();
+
+ // Redirect request to control panel interface
+ if (!empty($_SESSION['request_uri'])) {
+ header("Location: ".$_SESSION['request_uri']);
+ unset($_SESSION['request_uri']);
+ exit;
+ } else {
+ header("Location: /list/user/");
+ exit;
+ }
}
}
}