function do_login() { global $hesk_settings, $hesklang; $hesk_error_buffer = array(); $user = hesk_input(hesk_POST('user')); if (empty($user)) { $myerror = $hesk_settings['list_users'] ? $hesklang['select_username'] : $hesklang['enter_username']; $hesk_error_buffer['user'] = $myerror; } define('HESK_USER', $user); $pass = hesk_input(hesk_POST('pass')); if (empty($pass)) { $hesk_error_buffer['pass'] = $hesklang['enter_pass']; } if ($hesk_settings['secimg_use'] == 2 && !isset($_SESSION['img_a_verified'])) { // Using ReCaptcha? if ($hesk_settings['recaptcha_use']) { require_once HESK_PATH . 'inc/recaptcha/recaptchalib.php'; $resp = recaptcha_check_answer($hesk_settings['recaptcha_private_key'], $_SERVER['REMOTE_ADDR'], hesk_POST('recaptcha_challenge_field', ''), hesk_POST('recaptcha_response_field', '')); if ($resp->is_valid) { $_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error']; } } else { $mysecnum = intval(hesk_POST('mysecnum', 0)); if (empty($mysecnum)) { $hesk_error_buffer['mysecnum'] = $hesklang['sec_miss']; } else { require HESK_PATH . 'inc/secimg.inc.php'; $sc = new PJ_SecurityImage($hesk_settings['secimg_sum']); if (isset($_SESSION['checksum']) && $sc->checkCode($mysecnum, $_SESSION['checksum'])) { $_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['sec_wrng']; } } } } /* Any missing fields? */ if (count($hesk_error_buffer) != 0) { $_SESSION['a_iserror'] = array_keys($hesk_error_buffer); $tmp = ''; foreach ($hesk_error_buffer as $error) { $tmp .= "<li>{$error}</li>\n"; } $hesk_error_buffer = $tmp; $hesk_error_buffer = $hesklang['pcer'] . '<br /><br /><ul>' . $hesk_error_buffer . '</ul>'; hesk_process_messages($hesk_error_buffer, 'NOREDIRECT'); print_login(); exit; } elseif (isset($_SESSION['img_a_verified'])) { unset($_SESSION['img_a_verified']); } /* User entered all required info, now lets limit brute force attempts */ hesk_limitBfAttempts(); $result = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `user` = '" . hesk_dbEscape($user) . "' LIMIT 1"); if (hesk_dbNumRows($result) != 1) { hesk_session_stop(); $_SESSION['a_iserror'] = array('user', 'pass'); hesk_process_messages($hesklang['wrong_user'], 'NOREDIRECT'); print_login(); exit; } $res = hesk_dbFetchAssoc($result); foreach ($res as $k => $v) { $_SESSION[$k] = $v; } /* Check password */ if (hesk_Pass2Hash($pass) != $_SESSION['pass']) { hesk_session_stop(); $_SESSION['a_iserror'] = array('pass'); hesk_process_messages($hesklang['wrong_pass'], 'NOREDIRECT'); print_login(); exit; } $pass_enc = hesk_Pass2Hash($_SESSION['pass'] . strtolower($user) . $_SESSION['pass']); /* Check if default password */ if ($_SESSION['pass'] == '499d74967b28a841c98bb4baaabaad699ff3c079') { hesk_process_messages($hesklang['chdp'], 'NOREDIRECT', 'NOTICE'); } unset($_SESSION['pass']); /* Login successful, clean brute force attempts */ hesk_cleanBfAttempts(); /* Regenerate session ID (security) */ hesk_session_regenerate_id(); /* Remember username? */ if ($hesk_settings['autologin'] && hesk_POST('remember_user') == 'AUTOLOGIN') { setcookie('hesk_username', "{$user}", strtotime('+1 year')); setcookie('hesk_p', "{$pass_enc}", strtotime('+1 year')); } elseif (hesk_POST('remember_user') == 'JUSTUSER') { setcookie('hesk_username', "{$user}", strtotime('+1 year')); setcookie('hesk_p', ''); } else { // Expire cookie if set otherwise setcookie('hesk_username', ''); setcookie('hesk_p', ''); } /* Close any old tickets here so Cron jobs aren't necessary */ if ($hesk_settings['autoclose']) { $revision = sprintf($hesklang['thist3'], hesk_date(), $hesklang['auto']); hesk_dbQuery("UPDATE `" . hesk_dbEscape($hesk_settings['db_pfix']) . "tickets` SET `status`='3', `history`=CONCAT(`history`,'" . hesk_dbEscape($revision) . "') WHERE `status` = '2' AND `lastchange` <= '" . hesk_dbEscape(date('Y-m-d H:i:s', time() - $hesk_settings['autoclose'] * 86400)) . "'"); } /* Redirect to the destination page */ if (hesk_isREQUEST('goto')) { $url = hesk_REQUEST('goto'); $url = str_replace('&', '&', $url); /* goto parameter can be set to the local domain only */ $myurl = parse_url($hesk_settings['hesk_url']); $goto = parse_url($url); if (isset($myurl['host']) && isset($goto['host'])) { if (str_replace('www.', '', strtolower($myurl['host'])) != str_replace('www.', '', strtolower($goto['host']))) { $url = 'admin_main.php'; } } header('Location: ' . $url); } else { header('Location: admin_main.php'); } exit; }
if (isset($_POST["g-recaptcha-response"])) { $resp = $reCaptcha->verifyResponse($_SERVER["REMOTE_ADDR"], hesk_POST("g-recaptcha-response")); } if ($resp != null && $resp->success) { //$_SESSION['img_a_verified']=true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error']; } } else { $mysecnum = intval(hesk_POST('mysecnum', 0)); if (empty($mysecnum)) { $hesk_error_buffer['mysecnum'] = $hesklang['sec_miss']; } else { require HESK_PATH . 'inc/secimg.inc.php'; $sc = new PJ_SecurityImage($hesk_settings['secimg_sum']); if (isset($_SESSION['checksum']) && $sc->checkCode($mysecnum, $_SESSION['checksum'])) { //$_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['sec_wrng']; } } } } // Connect to database and check for brute force attempts hesk_load_database_functions(); hesk_dbConnect(); hesk_limitBfAttempts(); // Get email $email = hesk_validateEmail(hesk_POST('email'), 'ERR', 0) or $hesk_error_buffer['email'] = $hesklang['enter_valid_email']; // Any errors? if (count($hesk_error_buffer) != 0) {
function do_login() { global $hesk_settings, $hesklang; $hesk_error_buffer = array(); $user = hesk_input(hesk_POST('user')); if (empty($user)) { $myerror = $hesk_settings['list_users'] ? $hesklang['select_username'] : $hesklang['enter_username']; $hesk_error_buffer['user'] = $myerror; } define('HESK_USER', $user); $pass = hesk_input(hesk_POST('pass')); if (empty($pass)) { $hesk_error_buffer['pass'] = $hesklang['enter_pass']; } if ($hesk_settings['secimg_use'] == 2 && !isset($_SESSION['img_a_verified'])) { // Using ReCaptcha? if ($hesk_settings['recaptcha_use'] == 1) { require_once HESK_PATH . 'inc/recaptcha/recaptchalib.php'; $resp = recaptcha_check_answer($hesk_settings['recaptcha_private_key'], $_SERVER['REMOTE_ADDR'], hesk_POST('recaptcha_challenge_field', ''), hesk_POST('recaptcha_response_field', '')); if ($resp->is_valid) { $_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error']; } } elseif ($hesk_settings['recaptcha_use'] == 2) { require HESK_PATH . 'inc/recaptcha/recaptchalib_v2.php'; $resp = null; $reCaptcha = new ReCaptcha($hesk_settings['recaptcha_private_key']); // Was there a reCAPTCHA response? if (isset($_POST["g-recaptcha-response"])) { $resp = $reCaptcha->verifyResponse($_SERVER["REMOTE_ADDR"], hesk_POST("g-recaptcha-response")); } if ($resp != null && $resp->success) { $_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error']; } } else { $mysecnum = intval(hesk_POST('mysecnum', 0)); if (empty($mysecnum)) { $hesk_error_buffer['mysecnum'] = $hesklang['sec_miss']; } else { require HESK_PATH . 'inc/secimg.inc.php'; $sc = new PJ_SecurityImage($hesk_settings['secimg_sum']); if (isset($_SESSION['checksum']) && $sc->checkCode($mysecnum, $_SESSION['checksum'])) { $_SESSION['img_a_verified'] = true; } else { $hesk_error_buffer['mysecnum'] = $hesklang['sec_wrng']; } } } } /* Any missing fields? */ if (count($hesk_error_buffer) != 0) { $_SESSION['a_iserror'] = array_keys($hesk_error_buffer); $tmp = ''; foreach ($hesk_error_buffer as $error) { $tmp .= "<li>{$error}</li>\n"; } $hesk_error_buffer = $tmp; $hesk_error_buffer = $hesklang['pcer'] . '<br /><br /><ul>' . $hesk_error_buffer . '</ul>'; hesk_process_messages($hesk_error_buffer, 'NOREDIRECT'); print_login(); exit; } elseif (isset($_SESSION['img_a_verified'])) { unset($_SESSION['img_a_verified']); } /* User entered all required info, now lets limit brute force attempts */ hesk_limitBfAttempts(); $result = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `user` = '" . hesk_dbEscape($user) . "' LIMIT 1"); if (hesk_dbNumRows($result) != 1) { hesk_session_stop(); $_SESSION['a_iserror'] = array('user', 'pass'); hesk_process_messages($hesklang['wrong_user'], 'NOREDIRECT'); print_login(); exit; } $res = hesk_dbFetchAssoc($result); foreach ($res as $k => $v) { $_SESSION[$k] = $v; } /* Check password */ if (hesk_Pass2Hash($pass) != $_SESSION['pass']) { hesk_session_stop(); $_SESSION['a_iserror'] = array('pass'); hesk_process_messages($hesklang['wrong_pass'], 'NOREDIRECT'); print_login(); exit; } $pass_enc = hesk_Pass2Hash($_SESSION['pass'] . strtolower($user) . $_SESSION['pass']); /* Check if default password */ if ($_SESSION['pass'] == '499d74967b28a841c98bb4baaabaad699ff3c079') { hesk_process_messages($hesklang['chdp'], 'NOREDIRECT', 'NOTICE'); } // Set a tag that will be used to expire sessions after username or password change $_SESSION['session_verify'] = hesk_activeSessionCreateTag($user, $_SESSION['pass']); // We don't need the password hash anymore unset($_SESSION['pass']); /* Login successful, clean brute force attempts */ hesk_cleanBfAttempts(); /* Make sure our user is active */ if (!$_SESSION['active']) { hesk_session_stop(); $_SESSION['a_iserror'] = array('active'); hesk_process_messages($hesklang['inactive_user'], 'NOREDIRECT'); print_login(); exit; } /* Regenerate session ID (security) */ hesk_session_regenerate_id(); /* Remember username? */ if ($hesk_settings['autologin'] && hesk_POST('remember_user') == 'AUTOLOGIN') { setcookie('hesk_username', "{$user}", strtotime('+1 year')); setcookie('hesk_p', "{$pass_enc}", strtotime('+1 year')); } elseif (hesk_POST('remember_user') == 'JUSTUSER') { setcookie('hesk_username', "{$user}", strtotime('+1 year')); setcookie('hesk_p', ''); } else { // Expire cookie if set otherwise setcookie('hesk_username', ''); setcookie('hesk_p', ''); } /* Close any old tickets here so Cron jobs aren't necessary */ if ($hesk_settings['autoclose']) { $revision = sprintf($hesklang['thist3'], hesk_date(), $hesklang['auto']); $dt = date('Y-m-d H:i:s', time() - $hesk_settings['autoclose'] * 86400); $closedStatusRs = hesk_dbQuery('SELECT `ID`, `Closable` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `IsDefaultStaffReplyStatus` = 1'); $closedStatus = hesk_dbFetchAssoc($closedStatusRs); // Are we allowed to close tickets in this status? if ($closedStatus['Closable'] == 'yes' || $closedStatus['Closable'] == 'sonly') { // Notify customer of closed ticket? if ($hesk_settings['notify_closed']) { // Get list of tickets $result = hesk_dbQuery("SELECT * FROM `" . $hesk_settings['db_pfix'] . "tickets` WHERE `status` = " . $closedStatus['ID'] . " AND `lastchange` <= '" . hesk_dbEscape($dt) . "' "); if (hesk_dbNumRows($result) > 0) { global $ticket; // Load required functions? if (!function_exists('hesk_notifyCustomer')) { require HESK_PATH . 'inc/email_functions.inc.php'; } while ($ticket = hesk_dbFetchAssoc($result)) { $ticket['dt'] = hesk_date($ticket['dt'], true); $ticket['lastchange'] = hesk_date($ticket['lastchange'], true); $ticket = hesk_ticketToPlain($ticket, 1, 0); hesk_notifyCustomer('ticket_closed'); } } } // Update ticket statuses and history in database if we're allowed to do so $defaultCloseRs = hesk_dbQuery('SELECT `ID` FROM `' . hesk_dbEscape($hesk_settings['db_pfix']) . 'statuses` WHERE `IsAutocloseOption` = 1'); $defaultCloseStatus = hesk_dbFetchAssoc($defaultCloseRs); hesk_dbQuery("UPDATE `" . $hesk_settings['db_pfix'] . "tickets` SET `status`=" . intval($defaultCloseStatus['ID']) . ", `closedat`=NOW(), `closedby`='-1', `history`=CONCAT(`history`,'" . hesk_dbEscape($revision) . "') WHERE `status` = '" . $closedStatus['ID'] . "' AND `lastchange` <= '" . hesk_dbEscape($dt) . "' "); } } /* Redirect to the destination page */ header('Location: ' . hesk_verifyGoto()); exit; }