<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <?php error_reporting(E_ERROR); include '../includes/include.php'; include '../includes/settings.php'; //Class loader require_once '../sources/SplClassLoader.php'; if (empty($_SESSION['key'])) { $pwgen = new SplClassLoader('Encryption\\PwGen', '../includes/libraries'); $pwgen->register(); $pwgen = new Encryption\PwGen\pwgen(); $pwgen->setLength(20); $pwgen->setSecure(true); $pwgen->setSymbols(true); $pwgen->setCapitalize(true); $pwgen->setNumerals(true); $_SESSION['key'] = $pwgen->generate(); } $_SESSION['prefix_length'] = "15"; // connect to the server require_once '../includes/libraries/Database/Meekrodb/db.class.php'; DB::$host = $server; DB::$user = $user; DB::$password = $pass; DB::$dbName = $database; DB::$port = $port; DB::$encoding = $encoding; DB::$error_handler = 'db_error_handler'; $link = mysqli_connect($server, $user, $pass, $database, $port); $link->set_charset($encoding); // get some numbers
function IdentifyUser($sentData) { global $k; include $_SESSION['settings']['cpassman_dir'] . '/includes/settings.php'; header("Content-type: text/html; charset=utf-8"); error_reporting(E_ERROR); require_once $_SESSION['settings']['cpassman_dir'] . '/sources/main.functions.php'; require_once $_SESSION['settings']['cpassman_dir'] . '/sources/SplClassLoader.php'; // connect to the server require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Database/Meekrodb/db.class.php'; DB::$host = $server; DB::$user = $user; DB::$password = $pass; DB::$dbName = $database; DB::$port = $port; DB::$error_handler = 'db_error_handler'; $link = mysqli_connect($server, $user, $pass, $database, $port); //Load AES $aes = new SplClassLoader('Encryption\\Crypt', '../includes/libraries'); $aes->register(); // User's language loading $k['langage'] = @$_SESSION['user_language']; require_once $_SESSION['settings']['cpassman_dir'] . '/includes/language/' . $_SESSION['user_language'] . '.php'; // decrypt and retreive data in JSON format $dataReceived = prepareExchangedData($sentData, "decode"); // Prepare variables $passwordClear = htmlspecialchars_decode($dataReceived['pw']); $passwordOldEncryption = encryptOld(htmlspecialchars_decode($dataReceived['pw'])); $username = htmlspecialchars_decode($dataReceived['login']); $logError = ""; // GET SALT KEY LENGTH if (strlen(SALT) > 32) { $_SESSION['error']['salt'] = true; } $_SESSION['user_language'] = $k['langage']; $ldapConnection = false; /* LDAP connection */ if ($debugLdap == 1) { // create temp file $dbgLdap = fopen($_SESSION['settings']['path_to_files_folder'] . "/ldap.debug.txt", "w"); } if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1 && $username != "admin") { //Multiple Domain Names if (strpos(html_entity_decode($username), '\\') == true) { $ldap_suffix = "@" . substr(html_entity_decode($username), 0, strpos(html_entity_decode($username), '\\')); $username = substr(html_entity_decode($username), strpos(html_entity_decode($username), '\\') + 1); } if ($_SESSION['settings']['ldap_type'] == 'posix-search') { $ldapconn = ldap_connect($_SESSION['settings']['ldap_domain_controler']); ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3); if ($ldapconn) { $ldapbind = ldap_bind($ldapconn, $_SESSION['settings']['ldap_bind_dn'], $_SESSION['settings']['ldap_bind_passwd']); if ($ldapbind) { $filter = "(&(" . $_SESSION[settings][ldap_user_attribute] . "={$username})(objectClass=posixAccount))"; $result = ldap_search($ldapconn, $_SESSION['settings']['ldap_search_base'], $filter, array('dn')); if (ldap_count_entries($ldapconn, $result)) { // try auth $result = ldap_get_entries($ldapconn, $result); $user_dn = $result[0]['dn']; $ldapbind = ldap_bind($ldapconn, $user_dn, $passwordClear); if ($ldapbind) { $ldapConnection = true; } else { $ldapConnection = false; } } } else { $ldapConnection = false; } } else { $ldapConnection = false; } } else { if ($debugLdap == 1) { fputs($dbgLdap, "Get all ldap params : \n" . 'base_dn : ' . $_SESSION['settings']['ldap_domain_dn'] . "\n" . 'account_suffix : ' . $_SESSION['settings']['ldap_suffix'] . "\n" . 'domain_controllers : ' . $_SESSION['settings']['ldap_domain_controler'] . "\n" . 'use_ssl : ' . $_SESSION['settings']['ldap_ssl'] . "\n" . 'use_tls : ' . $_SESSION['settings']['ldap_tls'] . "\n*********\n\n"); } $adldap = new SplClassLoader('LDAP\\adLDAP', '../includes/libraries'); $adldap->register(); // Posix style LDAP handles user searches a bit differently if ($_SESSION['settings']['ldap_type'] == 'posix') { $ldap_suffix = ',' . $_SESSION['settings']['ldap_suffix'] . ',' . $_SESSION['settings']['ldap_domain_dn']; } elseif ($_SESSION['settings']['ldap_type'] == 'windows' and $ldap_suffix == '') { //Multiple Domain Names $ldap_suffix = $_SESSION['settings']['ldap_suffix']; } $adldap = new LDAP\adLDAP\adLDAP(array('base_dn' => $_SESSION['settings']['ldap_domain_dn'], 'account_suffix' => $ldap_suffix, 'domain_controllers' => explode(",", $_SESSION['settings']['ldap_domain_controler']), 'use_ssl' => $_SESSION['settings']['ldap_ssl'], 'use_tls' => $_SESSION['settings']['ldap_tls'])); /*try { $adldap = new SplClassLoader('LDAP\adLDAP', '../includes/libraries'); $adldap->register(); $adldap = new LDAP\adLDAP\adLDAP( array( 'base_dn' => $_SESSION['settings']['ldap_domain_dn'], 'account_suffix' => $_SESSION['settings']['ldap_suffix'], 'domain_controllers' => array( $_SESSION['settings']['ldap_domain_controler'] ), 'use_ssl' => $_SESSION['settings']['ldap_ssl'], 'use_tls' => $_SESSION['settings']['ldap_tls'] ) ); } catch(Exception $e) { echo $e->getMessage(); }*/ /*$adldap = new adLDAP( array( 'base_dn' => $_SESSION['settings']['ldap_domain_dn'], 'account_suffix' => $_SESSION['settings']['ldap_suffix'], 'domain_controllers' => array( $_SESSION['settings']['ldap_domain_controler'] ), 'use_ssl' => $_SESSION['settings']['ldap_ssl'], 'use_tls' => $_SESSION['settings']['ldap_tls'] ) );*/ if ($debugLdap == 1) { fputs($dbgLdap, "Create new adldap object : " . $adldap->get_last_error() . "\n\n\n"); //Debug } // openLDAP expects an attribute=value pair if ($_SESSION['settings']['ldap_type'] == 'posix') { $auth_username = $_SESSION['settings']['ldap_user_attribute'] . '=' . $username; } else { $auth_username = $username; } // authenticate the user if ($adldap->authenticate($auth_username, $passwordClear)) { $ldapConnection = true; } else { $ldapConnection = false; } if ($debugLdap == 1) { fputs($dbgLdap, "After authenticate : " . $adldap->get_last_error() . "\n\n\n" . "ldap status : " . $ldapConnection . "\n\n\n"); //Debug } } } else { if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 2) { // nothing } } // Check if user exists $data = DB::queryFirstRow("SELECT * FROM " . $pre . "users WHERE login=%s_login", array('login' => $username)); $counter = DB::count(); if ($counter == 0) { echo '[{"value" : "error", "text":"user_not_exists"}]'; exit; } // Check PSK if (isset($_SESSION['settings']['psk_authentication']) && $_SESSION['settings']['psk_authentication'] == 1 && $data['admin'] != 1) { $psk = htmlspecialchars_decode($dataReceived['psk']); $pskConfirm = htmlspecialchars_decode($dataReceived['psk_confirm']); if (empty($psk)) { echo '[{"value" : "psk_required"}]'; exit; } elseif (empty($data['psk'])) { if (empty($pskConfirm)) { echo '[{"value" : "bad_psk_confirmation"}]'; exit; } else { $_SESSION['my_sk'] = $psk; } } elseif (crypt($psk, $data['psk']) != $data['psk']) { echo '[{"value" : "bad_psk"}]'; //echo $psk." - ".crypt($psk, $data['psk']) ." - ". $data['psk']." - ".bCrypt(htmlspecialchars_decode($psk), COST); exit; } } $proceedIdentification = false; if ($counter > 0) { $proceedIdentification = true; } elseif ($counter == 0 && $ldapConnection == true && isset($_SESSION['settings']['ldap_elusers']) && $_SESSION['settings']['ldap_elusers'] == 0) { // If LDAP enabled, create user in CPM if doesn't exist DB::insert($pre . 'users', array('login' => $username, 'pw' => $password, 'email' => "", 'admin' => '0', 'gestionnaire' => '0', 'personal_folder' => $_SESSION['settings']['enable_pf_feature'] == "1" ? '1' : '0', 'fonction_id' => '0', 'groupes_interdits' => '0', 'groupes_visibles' => '0', 'last_pw_change' => time())); $newUserId = DB::insertId(); // Create personnal folder if ($_SESSION['settings']['enable_pf_feature'] == "1") { DB::insert($pre . "nested_tree", array('parent_id' => '0', 'title' => $newUserId, 'bloquer_creation' => '0', 'bloquer_modification' => '0', 'personal_folder' => '1')); } // Get info for user //$sql = "SELECT * FROM ".$pre."users WHERE login = '******'"; //$row = $db->query($sql); $proceedIdentification = true; } // check GA code if (isset($_SESSION['settings']['2factors_authentication']) && $_SESSION['settings']['2factors_authentication'] == 1 && $username != "admin") { if (isset($dataReceived['GACode']) && !empty($dataReceived['GACode'])) { include_once $_SESSION['settings']['cpassman_dir'] . "/includes/libraries/Authentication/GoogleAuthenticator/FixedBitNotation.php"; include_once $_SESSION['settings']['cpassman_dir'] . "/includes/libraries/Authentication/GoogleAuthenticator/GoogleAuthenticator.php"; $g = new Authentication\GoogleAuthenticator\GoogleAuthenticator(); if ($g->checkCode($data['ga'], $dataReceived['GACode'])) { $proceedIdentification = true; } else { $proceedIdentification = false; $logError = "ga_code_wrong"; } } else { $proceedIdentification = false; $logError = "ga_code_wrong"; } } if ($proceedIdentification === true) { // User exists in the DB //$data = $db->fetchArray($row); //v2.1.17 -> change encryption for users password if ($passwordOldEncryption == $data['pw'] && !empty($data['pw'])) { //update user's password $data['pw'] = bCrypt($passwordClear, COST); DB::update($pre . 'users', array('pw' => $data['pw']), "id=%i", $data['id']); } // Can connect if // 1- no LDAP mode + user enabled + pw ok // 2- LDAP mode + user enabled + ldap connection ok + user is not admin // 3- LDAP mode + user enabled + pw ok + usre is admin // This in order to allow admin by default to connect even if LDAP is activated if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 0 && crypt($passwordClear, $data['pw']) == $data['pw'] && $data['disabled'] == 0 || isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1 && $ldapConnection == true && $data['disabled'] == 0 && $username != "admin" || isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 2 && $ldapConnection == true && $data['disabled'] == 0 && $username != "admin" || isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1 && $username == "admin" && crypt($passwordClear, $data['pw']) == $data['pw'] && $data['disabled'] == 0) { $_SESSION['autoriser'] = true; //Load PWGEN $pwgen = new SplClassLoader('Encryption\\PwGen', '../includes/libraries'); $pwgen->register(); $pwgen = new Encryption\PwGen\pwgen(); // Generate a ramdom ID $key = ""; $pwgen->setLength(50); $pwgen->setSecure(true); $pwgen->setSymbols(false); $pwgen->setCapitalize(true); $pwgen->setNumerals(true); $key = $pwgen->generate(); // Log into DB the user's connection if (isset($_SESSION['settings']['log_connections']) && $_SESSION['settings']['log_connections'] == 1) { logEvents('user_connection', 'connection', $data['id']); } // Save account in SESSION $_SESSION['login'] = stripslashes($username); $_SESSION['name'] = stripslashes($data['name']); $_SESSION['lastname'] = stripslashes($data['lastname']); $_SESSION['user_id'] = $data['id']; $_SESSION['user_admin'] = $data['admin']; $_SESSION['user_manager'] = $data['gestionnaire']; $_SESSION['user_read_only'] = $data['read_only']; $_SESSION['last_pw_change'] = $data['last_pw_change']; $_SESSION['last_pw'] = $data['last_pw']; $_SESSION['can_create_root_folder'] = $data['can_create_root_folder']; $_SESSION['key'] = $key; $_SESSION['personal_folder'] = $data['personal_folder']; $_SESSION['fin_session'] = time() + $dataReceived['duree_session'] * 60; $_SESSION['user_language'] = $data['user_language']; $_SESSION['user_email'] = $data['email']; $_SESSION['user']['ga'] = $data['ga']; /* If this option is set user password MD5 is used as personal SALTKey */ if (isset($_SESSION['settings']['use_md5_password_as_salt']) && $_SESSION['settings']['use_md5_password_as_salt'] == 1) { $_SESSION['my_sk'] = md5($passwordClear); setcookie("TeamPass_PFSK_" . md5($_SESSION['user_id']), encrypt($_SESSION['my_sk'], ""), time() + 60 * 60 * 24 * $_SESSION['settings']['personal_saltkey_cookie_duration'], '/'); } @syslog(LOG_WARNING, "User logged in - " . $_SESSION['user_id'] . " - " . date("Y/m/d H:i:s") . " {$_SERVER['REMOTE_ADDR']} ({$_SERVER['HTTP_USER_AGENT']})"); // user type if ($_SESSION['user_admin'] == 1) { $_SESSION['user_privilege'] = $LANG['god']; } elseif ($_SESSION['user_manager'] == 1) { $_SESSION['user_privilege'] = $LANG['gestionnaire']; } elseif ($_SESSION['user_read_only'] == 1) { $_SESSION['user_privilege'] = $LANG['read_only_account']; } else { $_SESSION['user_privilege'] = $LANG['user']; } if (empty($data['last_connexion'])) { $_SESSION['derniere_connexion'] = time(); } else { $_SESSION['derniere_connexion'] = $data['last_connexion']; } if (!empty($data['latest_items'])) { $_SESSION['latest_items'] = explode(';', $data['latest_items']); } else { $_SESSION['latest_items'] = array(); } if (!empty($data['favourites'])) { $_SESSION['favourites'] = explode(';', $data['favourites']); } else { $_SESSION['favourites'] = array(); } if (!empty($data['groupes_visibles'])) { $_SESSION['groupes_visibles'] = @implode(';', $data['groupes_visibles']); } else { $_SESSION['groupes_visibles'] = array(); } if (!empty($data['groupes_interdits'])) { $_SESSION['groupes_interdits'] = @implode(';', $data['groupes_interdits']); } else { $_SESSION['groupes_interdits'] = array(); } // User's roles $_SESSION['fonction_id'] = $data['fonction_id']; $_SESSION['user_roles'] = explode(";", $data['fonction_id']); // build array of roles $_SESSION['user_pw_complexity'] = 0; $_SESSION['arr_roles'] = array(); foreach (array_filter(explode(';', $_SESSION['fonction_id'])) as $role) { $resRoles = DB::queryFirstRow("SELECT title, complexity FROM " . $pre . "roles_title WHERE id=%i", $role); $_SESSION['arr_roles'][$role] = array('id' => $role, 'title' => $resRoles['title']); // get highest complexity if ($_SESSION['user_pw_complexity'] < $resRoles['complexity']) { $_SESSION['user_pw_complexity'] = $resRoles['complexity']; } } // build complete array of roles $_SESSION['arr_roles_full'] = array(); $rows = DB::query("SELECT id, title FROM " . $pre . "roles_title ORDER BY title ASC"); foreach ($rows as $record) { $_SESSION['arr_roles_full'][$record['id']] = array('id' => $record['id'], 'title' => $record['title']); } // Set some settings $_SESSION['user']['find_cookie'] = false; $_SESSION['settings']['update_needed'] = ""; // Update table DB::update($pre . 'users', array('key_tempo' => $_SESSION['key'], 'last_connexion' => time(), 'timestamp' => time(), 'disabled' => 0, 'no_bad_attempts' => 0, 'session_end' => $_SESSION['fin_session'], 'psk' => bCrypt(htmlspecialchars_decode($psk), COST)), "id=%i", $data['id']); // Get user's rights identifyUserRights($data['groupes_visibles'], $_SESSION['groupes_interdits'], $data['admin'], $data['fonction_id'], false); // Get some more elements $_SESSION['screenHeight'] = $dataReceived['screenHeight']; // Get last seen items $_SESSION['latest_items_tab'][] = ""; foreach ($_SESSION['latest_items'] as $item) { if (!empty($item)) { $data = DB::queryFirstRow("SELECT id,label,id_tree FROM " . $pre . "items WHERE id=%i", $item); $_SESSION['latest_items_tab'][$item] = array('id' => $item, 'label' => $data['label'], 'url' => 'index.php?page=items&group=' . $data['id_tree'] . '&id=' . $item); } } // send back the random key $return = $dataReceived['randomstring']; // Send email if (isset($_SESSION['settings']['enable_send_email_on_user_login']) && $_SESSION['settings']['enable_send_email_on_user_login'] == 1 && $_SESSION['user_admin'] != 1) { // get all Admin users $receivers = ""; $rows = DB::query("SELECT email FROM " . $pre . "users WHERE admin = %i", 1); foreach ($rows as $record) { if (empty($receivers)) { $receivers = $record['email']; } else { $receivers = "," . $record['email']; } } // Add email to table DB::insert($pre . 'emails', array('timestamp' => time(), 'subject' => $LANG['email_subject_on_user_login'], 'body' => str_replace(array('#tp_user#', '#tp_date#', '#tp_time#'), array(" " . $_SESSION['login'], date($_SESSION['settings']['date_format'], $_SESSION['derniere_connexion']), date($_SESSION['settings']['time_format'], $_SESSION['derniere_connexion'])), $LANG['email_body_on_user_login']), 'receivers' => $receivers, 'status' => "not sent")); } } elseif ($data['disabled'] == 1) { // User and password is okay but account is locked $return = "user_is_locked"; } else { // User exists in the DB but Password is false // check if user is locked $userIsLocked = 0; $nbAttempts = intval($data['no_bad_attempts'] + 1); if ($_SESSION['settings']['nb_bad_authentication'] > 0 && intval($_SESSION['settings']['nb_bad_authentication']) < $nbAttempts) { $userIsLocked = 1; // log it if (isset($_SESSION['settings']['log_connections']) && $_SESSION['settings']['log_connections'] == 1) { logEvents('user_locked', 'connection', $data['id']); } } DB::update($pre . 'users', array('key_tempo' => $_SESSION['key'], 'last_connexion' => time(), 'disabled' => $userIsLocked, 'no_bad_attempts' => $nbAttempts), "id=%i", $data['id']); // What return shoulb we do if ($userIsLocked == 1) { $return = "user_is_locked"; } elseif ($_SESSION['settings']['nb_bad_authentication'] == 0) { $return = "false"; } else { $return = $nbAttempts; } } } else { $return = "false"; } echo '[{"value" : "' . $return . '", "user_admin":"', isset($_SESSION['user_admin']) ? $_SESSION['user_admin'] : "", '", "initial_url" : "' . @$_SESSION['initial_url'] . '", "error" : "' . $logError . '"}]'; $_SESSION['initial_url'] = ""; if ($_SESSION['settings']['cpassman_dir'] == "..") { $_SESSION['settings']['cpassman_dir'] = "."; } }
*/ case "generate_a_password": if ($_POST['size'] > $_SESSION['settings']['pwd_maximum_length']) { echo prepareExchangedData(array("error_msg" => "Password length is too long!", "error" => "true"), "encode"); break; } //Load PWGEN $pwgen = new SplClassLoader('Encryption\\PwGen', '../includes/libraries'); $pwgen->register(); $pwgen = new Encryption\PwGen\pwgen(); $pwgen->setLength($_POST['size']); if (isset($_POST['secure']) && $_POST['secure'] == "true") { $pwgen->setSecure(true); $pwgen->setSymbols(true); $pwgen->setCapitalize(true); $pwgen->setNumerals(true); } else { $pwgen->setSecure($_POST['secure'] == "true" ? true : false); $pwgen->setNumerals($_POST['numerals'] == "true" ? true : false); $pwgen->setCapitalize($_POST['capitalize'] == "true" ? true : false); $pwgen->setSymbols($_POST['symbols'] == "true" ? true : false); } echo prepareExchangedData(array("key" => $pwgen->generate(), "error" => ""), "encode"); break; /** * Check if user exists and send back if psk is set */ /** * Check if user exists and send back if psk is set */ case "check_login_exists":
function GenerateCryptKey($size = "", $secure = "", $numerals = "", $capitalize = "", $ambiguous = "", $symbols = "") { // load library $pwgen = new SplClassLoader('Encryption\\PwGen', '../includes/libraries'); $pwgen->register(); $pwgen = new Encryption\PwGen\pwgen(); // init if (!empty($size)) { $pwgen->setLength($size); } if (!empty($secure)) { $pwgen->setSecure($secure); } if (!empty($numerals)) { $pwgen->setNumerals($numerals); } if (!empty($capitalize)) { $pwgen->setCapitalize($capitalize); } if (!empty($ambiguous)) { $pwgen->setAmbiguous($ambiguous); } if (!empty($symbols)) { $pwgen->setSymbols($symbols); } // generate and send back return $pwgen->generate(); }