/**
* Function validatePasswordLogin
*
* compare user password-hash with given user-password
* and check if they are the same
* additionally it updates the hash if the system settings changed
* or if the very old md5() sum is used
*
* @param array $userinfo user-data from table
* @param string $password the password to validate
* @param string $table either panel_customers or panel_admins
* @param string $uid user-id-field in $table
*
* @return boolean
*/
function validatePasswordLogin($userinfo = null, $password = null, $table = 'panel_customers', $uid = 'customerid')
{
$systype = 3;
// SHA256
if (Settings::Get('system.passwordcryptfunc') !== null) {
$systype = (int) Settings::Get('system.passwordcryptfunc');
}
$pwd_hash = $userinfo['password'];
$update_hash = false;
// check for good'ole md5
if (strlen($pwd_hash) == 32 && ctype_xdigit($pwd_hash)) {
$pwd_check = md5($password);
$update_hash = true;
} else {
// cut out the salt from the hash
$pwd_salt = str_replace(substr(strrchr($pwd_hash, "\$"), 1), "", $pwd_hash);
// create same hash to compare
$pwd_check = crypt($password, $pwd_salt);
// check whether the hash needs to be updated
$hash_type_chk = substr($pwd_hash, 0, 3);
if ($systype == 1 && $hash_type_chk != '$1$' || $systype == 2 && $hash_type_chk != '$2$' || $systype == 3 && $hash_type_chk != '$5$' || $systype == 4 && $hash_type_chk != '$6$') {
$update_hash = true;
}
}
if ($pwd_hash == $pwd_check) {
// check for update of hash
if ($update_hash) {
$upd_stmt = Database::prepare("\n\t\t\t\tUPDATE " . $table . " SET `password` = :newpasswd WHERE `" . $uid . "` = :uid\n\t\t\t");
$params = array('newpasswd' => makeCryptPassword($password), 'uid' => $userinfo[$uid]);
Database::pexecute($upd_stmt, $params);
}
return true;
}
return false;
}
// @FIXME use a good path-validating regex here (refs #1231)
$path = validate($_POST['path'], 'path');
$_setnewpass = false;
if (isset($_POST['ftp_password']) && $_POST['ftp_password'] != '') {
$password = validate($_POST['ftp_password'], 'password');
$password = validatePassword($password);
$_setnewpass = true;
}
if ($_setnewpass) {
if ($password == '') {
standard_error(array('stringisempty', 'mypassword'));
} elseif ($result['username'] == $password) {
standard_error('passwordshouldnotbeusername');
}
$log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account password for '" . $result['username'] . "'");
$cryptPassword = makeCryptPassword($password);
$stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "`\n\t\t\t\t\t\tSET `password` = :password\n\t\t\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\t\t\tAND `id` = :id");
Database::pexecute($stmt, array("customerid" => $userinfo['customerid'], "id" => $id, "password" => $cryptPassword));
}
if ($path != '') {
$path = makeCorrectDir($userinfo['documentroot'] . '/' . $path);
if ($path != $result['homedir']) {
if (!file_exists($path)) {
// it's the task for "new ftp" but that will
// create all directories and correct their permissions
inserttask(5);
}
$log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account homdir for '" . $result['username'] . "'");
$stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "`\n\t\t\t\t\t\t\tSET `homedir` = :homedir\n\t\t\t\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\t\t\t\tAND `id` = :id");
$params = array("homedir" => $path, "customerid" => $userinfo['customerid'], "id" => $id);
Database::pexecute($stmt, $params);
$new_password_confirm = validatePassword($_POST['new_password_confirm'], 'new password confirm');
}
if ($new_password == '') {
$message = $new_password;
} elseif ($new_password_confirm == '') {
$message = $new_password_confirm;
} elseif ($new_password != $new_password_confirm) {
$message = $new_password . " != " . $new_password_confirm;
} else {
// Update user password
if ($result['admin'] == 1) {
$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_ADMINS . "`\n\t\t\t\t\t\t\t\tSET `password` = :newpassword\n\t\t\t\t\t\t\t\tWHERE `adminid` = :userid");
} else {
$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "`\n\t\t\t\t\t\t\t\tSET `password` = :newpassword\n\t\t\t\t\t\t\t\tWHERE `customerid` = :userid");
}
Database::pexecute($stmt, array("newpassword" => makeCryptPassword($new_password), "userid" => $result['userid']));
$rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'password_reset'));
$rstlog->logAction(USR_ACTION, LOG_NOTICE, "changed password using password reset.");
// Remove activation code from DB
$stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`\n\t\t\t\t\t\t\tWHERE `activationcode` = :activationcode\n\t\t\t\t\t\t\tAND `userid` = :userid");
Database::pexecute($stmt, array("activationcode" => $activationcode, "userid" => $result['userid']));
redirectTo('index.php', array("showmessage" => '6'));
}
} else {
redirectTo('index.php', array("showmessage" => '7'));
}
}
eval("echo \"" . getTemplate('rpwd') . "\";");
} else {
redirectTo('index.php', array("showmessage" => '7'));
}
standard_error(array('stringisempty', 'oldpassword'));
} elseif ($new_password == '') {
standard_error(array('stringisempty', 'newpassword'));
} elseif ($new_password_confirm == '') {
standard_error(array('stringisempty', 'newpasswordconfirm'));
} elseif ($new_password != $new_password_confirm) {
standard_error('newpasswordconfirmerror');
} else {
// Update user password
$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "`\n\t\t\t\tSET `password` = :newpassword\n\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\tAND `password` = :oldpassword");
$params = array("newpassword" => md5($new_password), "customerid" => $userinfo['customerid'], "oldpassword" => md5($old_password));
Database::pexecute($stmt, $params);
$log->logAction(USR_ACTION, LOG_NOTICE, 'changed password');
// Update ftp password
if (isset($_POST['change_main_ftp']) && $_POST['change_main_ftp'] == 'true') {
$cryptPassword = makeCryptPassword($new_password);
$stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "`\n\t\t\t\t\tSET `password` = :password\n\t\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\t\tAND `username` = :username");
$params = array("password" => $cryptPassword, "customerid" => $userinfo['customerid'], "username" => $userinfo['loginname']);
Database::pexecute($stmt, $params);
$log->logAction(USR_ACTION, LOG_NOTICE, 'changed main ftp password');
}
// Update webalizer password
if (isset($_POST['change_webalizer']) && $_POST['change_webalizer'] == 'true') {
if (CRYPT_STD_DES == 1) {
$saltfordescrypt = substr(md5(uniqid(microtime(), 1)), 4, 2);
$new_webalizer_password = crypt($new_password, $saltfordescrypt);
} else {
$new_webalizer_password = crypt($new_password);
}
$stmt = Database::prepare("UPDATE `" . TABLE_PANEL_HTPASSWDS . "`\n\t\t\t\t\tSET `password` = :password\n\t\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\t\tAND `username` = :username");
$params = array("password" => $new_webalizer_password, "customerid" => $userinfo['customerid'], "username" => $userinfo['loginname']);
if (!validatePasswordLogin($userinfo, $old_password, TABLE_PANEL_ADMINS, 'adminid')) {
standard_error('oldpasswordnotcorrect');
}
$new_password = validate($_POST['new_password'], 'new password');
$new_password_confirm = validate($_POST['new_password_confirm'], 'new password confirm');
if ($old_password == '') {
standard_error(array('stringisempty', 'oldpassword'));
} elseif ($new_password == '') {
standard_error(array('stringisempty', 'newpassword'));
} elseif ($new_password_confirm == '') {
standard_error(array('stringisempty', 'newpasswordconfirm'));
} elseif ($new_password != $new_password_confirm) {
standard_error('newpasswordconfirmerror');
} else {
$chgpwd_stmt = Database::prepare("\n\t\t\t\tUPDATE `" . TABLE_PANEL_ADMINS . "`\n\t\t\t\tSET `password`= :newpasswd\n\t\t\t\tWHERE `adminid`= :adminid");
Database::pexecute($chgpwd_stmt, array('newpasswd' => makeCryptPassword($new_password), 'adminid' => (int) $userinfo['adminid']));
$log->logAction(ADM_ACTION, LOG_NOTICE, 'changed password');
redirectTo($filename, array('s' => $s));
}
} else {
eval("echo \"" . getTemplate("index/change_password") . "\";");
}
} elseif ($page == 'change_language') {
if (isset($_POST['send']) && $_POST['send'] == 'send') {
$def_language = validate($_POST['def_language'], 'default language');
if (isset($languages[$def_language])) {
$lng_stmt = Database::prepare("\n\t\t\t\tUPDATE `" . TABLE_PANEL_ADMINS . "`\n\t\t\t\tSET `def_language`= :deflng\n\t\t\t\tWHERE `adminid`= :adminid");
Database::pexecute($lng_stmt, array('deflng' => $def_language, 'adminid' => (int) $userinfo['adminid']));
$lng_stmt = Database::prepare("\n\t\t\t\tUPDATE `" . TABLE_PANEL_SESSIONS . "`\n\t\t\t\tSET `language`= :lng\n\t\t\t\tWHERE `hash`= :hash");
Database::pexecute($lng_stmt, array('lng' => $def_language, 'hash' => $s));
}
