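/**
 * Function validatePasswordLogin
 *
 * compare user password-hash with given user-password
 * and check if they are the same
 * additionally it updates the hash if the system settings changed
 * or if the very old md5() sum is used
 *
 * The comparison is done with hash_equals() so the two strings are compared
 * byte-for-byte (no numeric-string juggling as with ==) and in constant time.
 *
 * @param array $userinfo user-data from table; must carry 'password' and the $uid column
 * @param string $password the password to validate
 * @param string $table either panel_customers or panel_admins (interpolated into SQL:
 *                      callers must pass a constant, never request data)
 * @param string $uid user-id-field in $table (same rule as $table)
 *
 * @return boolean true when $password matches the stored hash; false otherwise, including
 *                 when $userinfo carries no hash, $password is not a scalar, or crypt() fails
 */
function validatePasswordLogin($userinfo = null, $password = null, $table = 'panel_customers', $uid = 'customerid')
{
    // nothing usable to compare against -> never authenticate
    if (!is_array($userinfo) || !isset($userinfo['password']) || !is_scalar($password)) {
        return false;
    }
    $password = (string) $password;

    // system.passwordcryptfunc selects the crypt() scheme; 3 (SHA256) is the default
    $systype = 3;
    if (Settings::Get('system.passwordcryptfunc') !== null) {
        $systype = (int) Settings::Get('system.passwordcryptfunc');
    }
    // crypt() prefix each setting value is expected to produce
    $expected_prefix = array(1 => '$1$', 2 => '$2$', 3 => '$5$', 4 => '$6$');

    $pwd_hash = (string) $userinfo['password'];
    $update_hash = false;

    // check for good'ole md5 (32 hex digits, no salt): always re-hash after a successful login
    if (strlen($pwd_hash) == 32 && ctype_xdigit($pwd_hash)) {
        $pwd_check = md5($password);
        $update_hash = true;
    } else {
        // cut out the salt from the hash (everything up to and including the last '$')
        $pwd_salt = str_replace(substr(strrchr($pwd_hash, "\$"), 1), "", $pwd_hash);
        // create same hash to compare
        $pwd_check = crypt($password, $pwd_salt);
        // re-hash when the stored scheme is not the one the system is configured for;
        // an unknown setting value never triggers an update
        $hash_type_chk = substr($pwd_hash, 0, 3);
        if (isset($expected_prefix[$systype]) && $hash_type_chk != $expected_prefix[$systype]) {
            $update_hash = true;
        }
    }

    // crypt() reports failure with a string shorter than 13 characters; never accept that,
    // and compare in constant time without ==-style type juggling
    if (!is_string($pwd_check) || strlen($pwd_check) < 13 || !hash_equals($pwd_hash, $pwd_check)) {
        return false;
    }

    // check for update of hash: re-store with the currently configured scheme
    if ($update_hash) {
        $upd_stmt = Database::prepare("\n\t\t\t\tUPDATE " . $table . " SET `password` = :newpasswd WHERE `" . $uid . "` = :uid\n\t\t\t");
        $params = array('newpasswd' => makeCryptPassword($password), 'uid' => $userinfo[$uid]);
        Database::pexecute($upd_stmt, $params);
    }
    return true;
}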
// @FIXME use a good path-validating regex here (refs #1231)
// NOTE(review): fragment of the ftp-account edit handler (optional password change, then
// optional homedir change); the enclosing block starts and ends outside this excerpt.
$path = validate($_POST['path'], 'path');
$_setnewpass = false;
// a new password is only set when the form carries a non-empty ftp_password
if (isset($_POST['ftp_password']) && $_POST['ftp_password'] != '') {
    $password = validate($_POST['ftp_password'], 'password');
    $password = validatePassword($password);
    $_setnewpass = true;
}
if ($_setnewpass) {
    // standard_error() presumably aborts the request; if it only prints, the UPDATE
    // below would still run with the rejected value -- confirm against its definition
    if ($password == '') {
        standard_error(array('stringisempty', 'mypassword'));
    } elseif ($result['username'] == $password) {
        standard_error('passwordshouldnotbeusername');
    }
    $log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account password for '" . $result['username'] . "'");
    // stored through the system's crypt helper, never in clear text
    $cryptPassword = makeCryptPassword($password);
    // table name is a constant; all values are bound parameters
    $stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "`\n\t\t\t\t\t\tSET `password` = :password\n\t\t\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\t\t\tAND `id` = :id");
    // customerid comes from $userinfo rather than the request, which (assuming $userinfo
    // is the logged-in user's record) limits the update to that customer's own accounts
    Database::pexecute($stmt, array("customerid" => $userinfo['customerid'], "id" => $id, "password" => $cryptPassword));
}
if ($path != '') {
    // NOTE(review): $path is user input joined below the customer's documentroot; until the
    // @FIXME above is resolved, only makeCorrectDir() keeps it inside documentroot --
    // confirm that it normalises or rejects '..' segments
    $path = makeCorrectDir($userinfo['documentroot'] . '/' . $path);
    if ($path != $result['homedir']) {
        if (!file_exists($path)) {
            // it's the task for "new ftp" but that will
            // create all directories and correct their permissions
            inserttask(5);
        }
        $log->logAction(USR_ACTION, LOG_INFO, "updated ftp-account homdir for '" . $result['username'] . "'");
        $stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "`\n\t\t\t\t\t\t\tSET `homedir` = :homedir\n\t\t\t\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\t\t\t\tAND `id` = :id");
        $params = array("homedir" => $path, "customerid" => $userinfo['customerid'], "id" => $id);
        Database::pexecute($stmt, $params);
        // NOTE(review): the two enclosing if-blocks are closed outside this excerpt
// NOTE(review): tail of the password-reset handler; braces below that match nothing here
// close blocks opened before this excerpt.
$new_password_confirm = validatePassword($_POST['new_password_confirm'], 'new password confirm');
}
if ($new_password == '') {
    // yields an empty $message; presumably the caller treats that as a generic error
    $message = $new_password;
} elseif ($new_password_confirm == '') {
    $message = $new_password_confirm;
} elseif ($new_password != $new_password_confirm) {
    // NOTE(review): this places both candidate passwords in clear text into $message; if
    // $message is rendered or logged anywhere they are disclosed -- a fixed, translated
    // string would be the safer diagnostic
    $message = $new_password . " != " . $new_password_confirm;
} else {
    // Update user password
    // admins and customers live in different tables; the placeholder names are identical
    // so the single pexecute() below serves both statements
    if ($result['admin'] == 1) {
        $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_ADMINS . "`\n\t\t\t\t\t\t\t\tSET `password` = :newpassword\n\t\t\t\t\t\t\t\tWHERE `adminid` = :userid");
    } else {
        $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "`\n\t\t\t\t\t\t\t\tSET `password` = :newpassword\n\t\t\t\t\t\t\t\tWHERE `customerid` = :userid");
    }
    Database::pexecute($stmt, array("newpassword" => makeCryptPassword($new_password), "userid" => $result['userid']));
    $rstlog = FroxlorLogger::getInstanceOf(array('loginname' => 'password_reset'));
    $rstlog->logAction(USR_ACTION, LOG_NOTICE, "changed password using password reset.");
    // Remove activation code from DB
    // single-use token: deleted once the new password is stored, so the same link
    // cannot be replayed for a second reset
    $stmt = Database::prepare("DELETE FROM `" . TABLE_PANEL_ACTIVATION . "`\n\t\t\t\t\t\t\tWHERE `activationcode` = :activationcode\n\t\t\t\t\t\t\tAND `userid` = :userid");
    Database::pexecute($stmt, array("activationcode" => $activationcode, "userid" => $result['userid']));
    redirectTo('index.php', array("showmessage" => '6'));
}
} else {
    redirectTo('index.php', array("showmessage" => '7'));
}
}
// NOTE(review): the template text is evaluated as PHP, so any unescaped value that reaches
// it is executed -- check getTemplate()'s escaping before trusting this path
eval("echo \"" . getTemplate('rpwd') . "\";");
} else {
    redirectTo('index.php', array("showmessage" => '7'));
}
// NOTE(review): middle of the customer change-password handler; the if/elseif chain opens
// outside this excerpt and the pexecute() for the last UPDATE follows it.
standard_error(array('stringisempty', 'oldpassword'));
} elseif ($new_password == '') {
    standard_error(array('stringisempty', 'newpassword'));
} elseif ($new_password_confirm == '') {
    standard_error(array('stringisempty', 'newpasswordconfirm'));
} elseif ($new_password != $new_password_confirm) {
    standard_error('newpasswordconfirmerror');
} else {
    // Update user password
    // NOTE(review): the panel password is stored as an unsalted md5() here, while the ftp
    // password a few lines down goes through makeCryptPassword(), and validatePasswordLogin()
    // on this page treats a 32-hex-digit hash as a legacy format to migrate on the next
    // login. Once that migration has happened, `password` = md5(old) no longer matches and
    // this UPDATE silently affects zero rows (the row count is not checked). Storing
    // makeCryptPassword($new_password) and verifying the old password through
    // validatePasswordLogin() would be consistent with the rest of the code.
    $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_CUSTOMERS . "`\n\t\t\t\tSET `password` = :newpassword\n\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\tAND `password` = :oldpassword");
    $params = array("newpassword" => md5($new_password), "customerid" => $userinfo['customerid'], "oldpassword" => md5($old_password));
    Database::pexecute($stmt, $params);
    $log->logAction(USR_ACTION, LOG_NOTICE, 'changed password');
    // Update ftp password
    // only the main ftp account (username == loginname) and only when the form asks for it
    if (isset($_POST['change_main_ftp']) && $_POST['change_main_ftp'] == 'true') {
        $cryptPassword = makeCryptPassword($new_password);
        $stmt = Database::prepare("UPDATE `" . TABLE_FTP_USERS . "`\n\t\t\t\t\tSET `password` = :password\n\t\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\t\tAND `username` = :username");
        $params = array("password" => $cryptPassword, "customerid" => $userinfo['customerid'], "username" => $userinfo['loginname']);
        Database::pexecute($stmt, $params);
        $log->logAction(USR_ACTION, LOG_NOTICE, 'changed main ftp password');
    }
    // Update webalizer password
    if (isset($_POST['change_webalizer']) && $_POST['change_webalizer'] == 'true') {
        // NOTE(review): traditional DES crypt: the 2-character salt is derived from
        // md5(uniqid()) rather than a CSPRNG (random_bytes()), and the scheme only looks at
        // the first 8 password characters. The no-salt crypt() branch is rejected by
        // PHP 8, where the salt argument is mandatory. If the htpasswd consumer supports
        // a stronger crypt() scheme, reusing makeCryptPassword() here would be preferable.
        if (CRYPT_STD_DES == 1) {
            $saltfordescrypt = substr(md5(uniqid(microtime(), 1)), 4, 2);
            $new_webalizer_password = crypt($new_password, $saltfordescrypt);
        } else {
            $new_webalizer_password = crypt($new_password);
        }
        $stmt = Database::prepare("UPDATE `" . TABLE_PANEL_HTPASSWDS .
            "`\n\t\t\t\t\tSET `password` = :password\n\t\t\t\t\tWHERE `customerid` = :customerid\n\t\t\t\t\tAND `username` = :username");
        $params = array("password" => $new_webalizer_password, "customerid" => $userinfo['customerid'], "username" => $userinfo['loginname']);
if (!validatePasswordLogin($userinfo, $old_password, TABLE_PANEL_ADMINS, 'adminid')) { standard_error('oldpasswordnotcorrect'); } $new_password = validate($_POST['new_password'], 'new password'); $new_password_confirm = validate($_POST['new_password_confirm'], 'new password confirm'); if ($old_password == '') { standard_error(array('stringisempty', 'oldpassword')); } elseif ($new_password == '') { standard_error(array('stringisempty', 'newpassword')); } elseif ($new_password_confirm == '') { standard_error(array('stringisempty', 'newpasswordconfirm')); } elseif ($new_password != $new_password_confirm) { standard_error('newpasswordconfirmerror'); } else { $chgpwd_stmt = Database::prepare("\n\t\t\t\tUPDATE `" . TABLE_PANEL_ADMINS . "`\n\t\t\t\tSET `password`= :newpasswd\n\t\t\t\tWHERE `adminid`= :adminid"); Database::pexecute($chgpwd_stmt, array('newpasswd' => makeCryptPassword($new_password), 'adminid' => (int) $userinfo['adminid'])); $log->logAction(ADM_ACTION, LOG_NOTICE, 'changed password'); redirectTo($filename, array('s' => $s)); } } else { eval("echo \"" . getTemplate("index/change_password") . "\";"); } } elseif ($page == 'change_language') { if (isset($_POST['send']) && $_POST['send'] == 'send') { $def_language = validate($_POST['def_language'], 'default language'); if (isset($languages[$def_language])) { $lng_stmt = Database::prepare("\n\t\t\t\tUPDATE `" . TABLE_PANEL_ADMINS . "`\n\t\t\t\tSET `def_language`= :deflng\n\t\t\t\tWHERE `adminid`= :adminid"); Database::pexecute($lng_stmt, array('deflng' => $def_language, 'adminid' => (int) $userinfo['adminid'])); $lng_stmt = Database::prepare("\n\t\t\t\tUPDATE `" . TABLE_PANEL_SESSIONS . "`\n\t\t\t\tSET `language`= :lng\n\t\t\t\tWHERE `hash`= :hash"); Database::pexecute($lng_stmt, array('lng' => $def_language, 'hash' => $s)); }