From d97adaeb6aa762925f3c26e5c5df0c5692f124b7 Mon Sep 17 00:00:00 2001 From: Anton Reutov Date: Wed, 28 Jul 2021 14:19:12 +0300 Subject: [PATCH] Disabling login with 'root' --- web/login/index.php | 143 +++++++++++++++++++++++--------------------- 1 file changed, 74 insertions(+), 69 deletions(-) diff --git a/web/login/index.php b/web/login/index.php index acb68e561..849eead26 100644 --- a/web/login/index.php +++ b/web/login/index.php @@ -22,7 +22,6 @@ if (isset($_SESSION['user'])) { header('Location: /login/'); exit(); } - if ($_SESSION['user'] == 'admin' && !empty($_GET['loginas'])) { exec (VESTA_CMD . "v-list-user ".escapeshellarg($_GET['loginas'])." json", $output, $return_var); if ( $return_var == 0 ) { @@ -32,7 +31,7 @@ if (isset($_SESSION['user'])) { $_SESSION['look_alert'] = 'yes'; } } - header("Location: /"); + header("Location: /list/user/"); exit; } 
@@ -42,82 +41,88 @@ if (isset($_POST['user']) && isset($_POST['password'])) { $v_user = escapeshellarg($_POST['user']); $v_ip = escapeshellarg($_SERVER['REMOTE_ADDR']); - // Get user's salt - $output = ''; - exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var); - $pam = json_decode(implode('', $output), true); - if ( $return_var > 0 ) { - $ERROR = "".__('Invalid username or password').""; + if($_POST['user'] == 'root'){ + unset($_POST['password']); + unset($_POST['user']); + $ERROR = "".__('Login with root has been disabled').""; } else { - $user = $_POST['user']; - $password = $_POST['password']; - $salt = $pam[$user]['SALT']; - $method = $pam[$user]['METHOD']; - - if ($method == 'md5' ) { - $hash = crypt($password, '$1$'.$salt.'$'); - } - if ($method == 'sha-512' ) { - $hash = crypt($password, '$6$rounds=5000$'.$salt.'$'); - $hash = str_replace('$rounds=5000','',$hash); - } - if ($method == 'des' ) { - $hash = crypt($password, $salt); - } - - // Send hash via tmp file - $v_hash = exec('mktemp -p /tmp'); - $fp = fopen($v_hash, "w"); - fwrite($fp, $hash."\n"); - fclose($fp); - - // Check user hash - exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var); - unset($output); - - // Remove tmp file - unlink($v_hash); - - // Check API answer + // Get user's salt + $output = ''; + exec (VESTA_CMD."v-get-user-salt ".$v_user." ".$v_ip." json" , $output, $return_var); + $pam = json_decode(implode('', $output), true); if ( $return_var > 0 ) { $ERROR = "".__('Invalid username or password').""; } else { + $user = $_POST['user']; + $password = $_POST['password']; + $salt = $pam[$user]['SALT']; + $method = $pam[$user]['METHOD']; - // Make root admin user - if ($_POST['user'] == 'root') $v_user = 'admin'; - - // Get user speciefic parameters - exec (VESTA_CMD . "v-list-user ".$v_user." 
json", $output, $return_var); - $data = json_decode(implode('', $output), true); - - // Define session user - $_SESSION['user'] = key($data); - $v_user = $_SESSION['user']; - - // Get user favorites - get_favourites(); - - // Define language - $output = ''; - exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var); - $languages = json_decode(implode('', $output), true); - if (in_array($data[$v_user]['LANGUAGE'], $languages)){ - $_SESSION['language'] = $data[$v_user]['LANGUAGE']; - } else { - $_SESSION['language'] = 'en'; + if ($method == 'md5' ) { + $hash = crypt($password, '$1$'.$salt.'$'); + } + if ($method == 'sha-512' ) { + $hash = crypt($password, '$6$rounds=5000$'.$salt.'$'); + $hash = str_replace('$rounds=5000','',$hash); + } + if ($method == 'des' ) { + $hash = crypt($password, $salt); } - // Regenerate session id to prevent session fixation - session_regenerate_id(); + // Send hash via tmp file + $v_hash = exec('mktemp -p /tmp'); + $fp = fopen($v_hash, "w"); + fwrite($fp, $hash."\n"); + fclose($fp); - // Redirect request to control panel interface - if (!empty($_SESSION['request_uri'])) { - header("Location: ".$_SESSION['request_uri']); - unset($_SESSION['request_uri']); - exit; + // Check user hash + exec(VESTA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var); + unset($output); + + // Remove tmp file + unlink($v_hash); + + // Check API answer + if ( $return_var > 0 ) { + $ERROR = "".__('Invalid username or password').""; } else { - header("Location: /"); - exit; + + // Make root admin user + // if ($_POST['user'] == 'root') $v_user = 'admin'; + + // Get user speciefic parameters + exec (VESTA_CMD . "v-list-user ".$v_user." 
json", $output, $return_var); + $data = json_decode(implode('', $output), true); + + // Define session user + $_SESSION['user'] = key($data); + $v_user = $_SESSION['user']; + + // Get user favorites + get_favourites(); + + // Define language + $output = ''; + exec (VESTA_CMD."v-list-sys-languages json", $output, $return_var); + $languages = json_decode(implode('', $output), true); + if (in_array($data[$v_user]['LANGUAGE'], $languages)){ + $_SESSION['language'] = $data[$v_user]['LANGUAGE']; + } else { + $_SESSION['language'] = 'en'; + } + + // Regenerate session id to prevent session fixation + session_regenerate_id(); + + // Redirect request to control panel interface + if (!empty($_SESSION['request_uri'])) { + header("Location: ".$_SESSION['request_uri']); + unset($_SESSION['request_uri']); + exit; + } else { + header("Location: /list/user/"); + exit; + } } } }
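Review bot: The old root-to-admin mapping survives on the new side as commented-out code, `// if ($_POST['user'] == 'root') $v_user = 'admin';`; since the point of the commit is that this path no longer exists, delete the line and let the new guard at the top of the hunk carry the decision. That guard uses a loose comparison; `if ($_POST['user'] === 'root') {` is the stricter and idiomatic form. The guard matches only the literal `root`, so it appears to rely on `v-get-user-salt` and `v-check-user-hash` treating no other spelling of the name as the superuser; if those scripts normalize the username (trimming, case), the same normalization should be applied before this comparison, otherwise a variant spelling would bypass the block. The two `unset($_POST[...])` calls in the root branch have no effect on the login flow visible here (the else branch is skipped), so either add a comment stating what downstream code they are meant to protect, presumably the re-rendered form, or drop them if nothing reads `$_POST` afterwards. The enclosing `if (isset($_POST['user']) && isset($_POST['password']))` block starts in the hunk header and closes at the end of the hunk.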