/**
 * Handle the "change my password" form (uaction=updt_pass) of the logged-in user.
 *
 * Every failed check leaves a warning page message and returns without
 * touching the database. On success the new hash is written to
 * `admin`.`admin_pass` and mirrored into $_SESSION['user_pass'].
 *
 * @return void
 */
function update_password()
{
    $cfg = EasySCP_Registry::get('Config');
    $sql = EasySCP_Registry::get('Db');

    if (!isset($_POST['uaction']) || $_POST['uaction'] !== 'updt_pass') {
        return;
    }

    if (empty($_POST['pass']) || empty($_POST['pass_rep']) || empty($_POST['curr_pass'])) {
        set_page_message(tr('Please fill up all data fields!'), 'warning');
        return;
    }

    if (!chk_password($_POST['pass'])) {
        // The hint shown depends on whether strong passwords are enforced.
        $hint = $cfg->PASSWD_STRONG
            ? tr('The password must be at least %s chars long and contain letters and numbers to be valid.')
            : tr('Password data is shorter than %s signs or includes not permitted signs!');
        set_page_message(sprintf($hint, $cfg->PASSWD_CHARS), 'warning');
        return;
    }

    if ($_POST['pass'] !== $_POST['pass_rep']) {
        set_page_message(tr('Passwords do not match!'), 'warning');
        return;
    }

    // Re-authenticate with the current password before accepting the change.
    if (check_udata($_SESSION['user_id'], $_POST['curr_pass']) === false) {
        set_page_message(tr('The current password is wrong!'), 'warning');
        return;
    }

    $new_hash = crypt_user_pass($_POST['pass']);
    $_SESSION['user_pass'] = $new_hash;

    $query = "\n\t\t\t\tUPDATE\n\t\t\t\t\t`admin`\n\t\t\t\tSET\n\t\t\t\t\t`admin_pass` = ?\n\t\t\t\tWHERE\n\t\t\t\t\t`admin_id` = ?\n\t\t\t";
    exec_query($sql, $query, array($new_hash, $_SESSION['user_id']));
    set_page_message(tr('User password updated successfully!'), 'success');
}
/**
 * Handle the "modify protected-area user" form (uaction=modify_user).
 *
 * Only the password can be changed. On success the new hash and the
 * configured change status are written to `htaccess_users`, the daemon is
 * notified with send_request(), the change is logged and the browser is sent
 * back to protected_user_manage.php. Validation failures set a warning
 * message and return.
 *
 * @param mixed $tpl      template engine (not used by this function)
 * @param mixed $sql      database handle for exec_query()
 * @param mixed $dmn_id   id of the domain the user belongs to
 * @param mixed $uuser_id id of the htaccess user being edited
 * @return void
 */
function pedit_user($tpl, $sql, &$dmn_id, &$uuser_id)
{
    $cfg = EasySCP_Registry::get('Config');

    $is_modify = isset($_POST['uaction']) && $_POST['uaction'] === 'modify_user';
    if (!$is_modify || !isset($_POST['pass'], $_POST['pass_rep'])) {
        return;
    }

    if (!chk_password($_POST['pass'])) {
        $hint = $cfg->PASSWD_STRONG
            ? tr('The password must be at least %s chars long and contain letters and numbers to be valid.')
            : tr('Password data is shorter than %s signs or includes not permitted signs!');
        set_page_message(sprintf($hint, $cfg->PASSWD_CHARS), 'warning');
        return;
    }

    if ($_POST['pass'] !== $_POST['pass_rep']) {
        set_page_message(tr('Passwords do not match!'), 'warning');
        return;
    }

    $new_hash = crypt_user_pass_with_salt($_POST['pass']);

    $query = "\n\t\t\t\tUPDATE\n\t\t\t\t\t`htaccess_users`\n\t\t\t\tSET\n\t\t\t\t\t`upass` = ?,\n\t\t\t\t\t`status` = ?\n\t\t\t\tWHERE\n\t\t\t\t\t`dmn_id` = ?\n\t\t\t\tAND\n\t\t\t\t\t`id` = ?\n\t\t\t";
    exec_query($sql, $query, array($new_hash, $cfg->ITEM_CHANGE_STATUS, $dmn_id, $uuser_id));
    send_request();

    // Fetch the user name only for the audit log entry.
    $query = "\n\t\t\t\tSELECT\n\t\t\t\t\t`uname`\n\t\t\t\tFROM\n\t\t\t\t\t`htaccess_users`\n\t\t\t\tWHERE\n\t\t\t\t\t`dmn_id` = ?\n\t\t\t\tAND\n\t\t\t\t\t`id` = ?\n\t\t\t";
    $rs = exec_query($sql, $query, array($dmn_id, $uuser_id));
    $uname = $rs->fields['uname'];

    $admin_login = $_SESSION['user_logged'];
    write_log("{$admin_login}: modify user ID (protected areas): {$uname}");
    user_goto('protected_user_manage.php');
}
/**
 * Handle the "add protected-area user" form (uaction=add_user), old VHCS flavour.
 *
 * In this code base a truthy/positive result of chk_username() and
 * chk_password() means the value is invalid. A new htaccess_users row is
 * inserted unless the name already exists for the domain, after which the
 * browser is redirected to puser_manage.php.
 *
 * @param mixed $tpl    template engine (not used by this function)
 * @param mixed $sql    database handle for exec_query()
 * @param mixed $dmn_id id of the domain the user belongs to
 * @return void
 */
function padd_user(&$tpl, &$sql, &$dmn_id)
{
    if (!isset($_POST['uaction']) || $_POST['uaction'] !== 'add_user') {
        return;
    }
    if (!isset($_POST['username'], $_POST['pass'], $_POST['pass_rep'])) {
        return;
    }

    if (chk_username($_POST['username']) > 0) {
        set_page_message(tr('Wrong username!'));
        return;
    }
    if (chk_password($_POST['pass']) > 0) {
        set_page_message(tr('Incorrect password range or syntax!'));
        return;
    }
    if ($_POST['pass'] !== $_POST['pass_rep']) {
        set_page_message(tr('Passwords does not match!'));
        return;
    }

    $uname = $_POST['username'];
    // NOTE(review): crypt() without a salt is deprecated since PHP 5.6 and the
    // salt argument is required on PHP 8. The stored format has to match what
    // the login path verifies against, so it is left unchanged here; confirm
    // the target PHP version before touching it.
    $upass = crypt($_POST['pass']);

    $lookup = <<<SQL_QUERY
select
    id
from
    htaccess_users
where
    uname = ?
and
    dmn_id = ?
SQL_QUERY;
    $rs = exec_query($sql, $lookup, array($uname, $dmn_id));

    if ($rs->RecordCount() != 0) {
        set_page_message(tr('User already exist !'));
        return;
    }

    $insert = <<<SQL_QUERY
insert into htaccess_users
    (dmn_id, uname, upass)
values
    (?, ?, ?)
SQL_QUERY;
    exec_query($sql, $insert, array($dmn_id, $uname, $upass));

    $admin_login = $_SESSION['user_logged'];
    write_log("{$admin_login}: add user (protected areas) -> {$uname}");
    header('Location: puser_manage.php');
    die;
}
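/**
 * Change the password of a customer's SQL user from the posted form.
 *
 * Reads `uaction`, `pass` and `pass_rep` from $_POST. Each failed check sets
 * a warning page message and returns without touching the database. On
 * success the encrypted password is stored in `sql_user`.`sqlu_pass`, the
 * MySQL account password is set for both the '%' and the localhost host,
 * the change is logged and the browser is redirected to sql_manage.php.
 *
 * @param mixed  $sql          database handle for exec_query()/execute_query()
 * @param mixed  $db_user_id   id of the SQL user (not used by this function)
 * @param string $db_user_name MySQL account name whose password is changed
 * @return void
 */
function change_sql_user_pass($sql, $db_user_id, $db_user_name)
{
    $cfg = EasySCP_Registry::get('Config');

    if (!isset($_POST['uaction'])) {
        return;
    }

    // Read both fields once; a missing field counts as empty instead of
    // raising undefined-index notices in the checks below (the original
    // tested isset() only after the value had already been used).
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    $pass_rep = isset($_POST['pass_rep']) ? $_POST['pass_rep'] : '';

    if ($pass === '' && $pass_rep === '') {
        set_page_message(tr('Please specify user password!'), 'warning');
        return;
    }
    if ($pass !== $pass_rep) {
        set_page_message(tr('Entered passwords do not match!'), 'warning');
        return;
    }
    if (strlen($pass) > $cfg->MAX_SQL_PASS_LENGTH) {
        set_page_message(tr('User password too long!'), 'warning');
        return;
    }
    // Character whitelist. Besides the MySQL-side restriction it guarantees
    // the password contains no quote or backslash, which matters because the
    // value ends up inside the SET PASSWORD statements below.
    if (!preg_match('/^[[:alnum:]:!\\*\\+\\#_.-]+$/', $pass)) {
        set_page_message(tr('Don\'t use special chars like "@, $, %..." in the password!'), 'warning');
        return;
    }
    if (!chk_password($pass)) {
        $hint = $cfg->PASSWD_STRONG
            ? tr('The password must be at least %s chars long and contain letters and numbers to be valid.')
            : tr('Password data is shorter than %s signs or includes not permitted signs!');
        set_page_message(sprintf($hint, $cfg->PASSWD_CHARS), 'warning');
        return;
    }

    // update user pass in the EasySCP sql_user table;
    $query = "\n\t\tUPDATE\n\t\t\t`sql_user`\n\t\tSET\n\t\t\t`sqlu_pass` = ?\n\t\tWHERE\n\t\t\t`sqlu_name` = ?\n\t";
    exec_query($sql, $query, array(encrypt_db_password($pass), $db_user_name));

    // update user pass in the mysql system tables;
    // The account name of SET PASSWORD cannot be bound as a statement
    // parameter, so it is escaped for the single-quoted literal instead of
    // being interpolated raw as before (assumes the default sql_mode, i.e.
    // backslash escapes enabled). The password is escaped too, although the
    // whitelist above already excludes every character that would need it.
    // Note: PASSWORD() was removed in MySQL 8.0; the replacement there is
    // ALTER USER ... IDENTIFIED BY.
    $name_literal = addslashes($db_user_name);
    $pass_literal = addslashes($pass);
    foreach (array("'%'", 'localhost') as $host) {
        execute_query($sql, "SET PASSWORD FOR '{$name_literal}'@{$host} = PASSWORD('{$pass_literal}')");
    }

    write_log($_SESSION['user_logged'] . ": update SQL user password: " . tohtml($db_user_name));
    set_page_message(tr('SQL user password was successfully changed!'), 'warning');
    user_goto('sql_manage.php');
}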
/**
 * Handle the "add protected-area user" form (uaction=add_user).
 *
 * Validates user name, password policy and password repetition, then inserts
 * the user into `htaccess_users` with the configured add status unless the
 * name is already taken for this domain. The daemon is notified, the action
 * is logged and the browser is sent to protected_user_manage.php.
 *
 * @param mixed $tpl    template engine (not used by this function)
 * @param mixed $sql    database handle for exec_query()
 * @param mixed $dmn_id id of the domain the user belongs to
 * @return void
 */
function padd_user($tpl, $sql, $dmn_id)
{
    $cfg = EasySCP_Registry::get('Config');

    if (!isset($_POST['uaction']) || $_POST['uaction'] !== 'add_user') {
        return;
    }
    if (!isset($_POST['username'], $_POST['pass'], $_POST['pass_rep'])) {
        return;
    }

    if (!validates_username($_POST['username'])) {
        set_page_message(tr('Wrong username!'), 'warning');
        return;
    }
    if (!chk_password($_POST['pass'])) {
        $hint = $cfg->PASSWD_STRONG
            ? tr('The password must be at least %s chars long and contain letters and numbers to be valid.')
            : tr('Password data is shorter than %s signs or includes not permitted signs!');
        set_page_message(sprintf($hint, $cfg->PASSWD_CHARS), 'warning');
        return;
    }
    if ($_POST['pass'] !== $_POST['pass_rep']) {
        set_page_message(tr('Passwords do not match!'), 'warning');
        return;
    }

    $status = $cfg->ITEM_ADD_STATUS;
    $uname = clean_input($_POST['username']);
    $upass = crypt_user_pass_with_salt($_POST['pass']);

    $lookup = "\n\t\t\t\tSELECT\n\t\t\t\t\t`id`\n\t\t\t\tFROM\n\t\t\t\t\t`htaccess_users`\n\t\t\t\tWHERE\n\t\t\t\t\t`uname` = ?\n\t\t\t\tAND\n\t\t\t\t\t`dmn_id` = ?\n\t\t\t";
    $rs = exec_query($sql, $lookup, array($uname, $dmn_id));

    if ($rs->recordCount() != 0) {
        set_page_message(tr('User already exist !'), 'error');
        return;
    }

    $insert = "\n\t\t\t\t\tINSERT INTO `htaccess_users`\n\t\t\t\t\t\t(`dmn_id`, `uname`, `upass`, `status`)\n\t\t\t\t\tVALUES\n\t\t\t\t\t\t(?, ?, ?, ?)\n\t\t\t\t";
    exec_query($sql, $insert, array($dmn_id, $uname, $upass, $status));
    send_request('110 DOMAIN htaccess ' . $dmn_id);

    $admin_login = $_SESSION['user_logged'];
    write_log("{$admin_login}: add user (protected areas): {$uname}");
    user_goto('protected_user_manage.php');
}
/**
 * Save the edited user record (uaction=edit_user), old VHCS flavour.
 *
 * Without a new password only the profile columns of `admin` are written;
 * with one, the password is checked (a truthy chk_password() result means
 * invalid here) and its hash is stored as well. Ends with a redirect to
 * manage_users.php.
 *
 * @param mixed $sql database handle for exec_query()
 * @return void
 */
function update_data(&$sql)
{
    global $edit_id;

    if (!isset($_POST['uaction']) || $_POST['uaction'] !== 'edit_user') {
        return;
    }
    if (!check_user_data()) {
        return;
    }

    // Profile columns in the order the UPDATE statements expect them.
    $profile = array(
        $_POST['fname'],
        $_POST['lname'],
        $_POST['firm'],
        $_POST['zip'],
        $_POST['city'],
        $_POST['country'],
        $_POST['email'],
        $_POST['phone'],
        $_POST['fax'],
        $_POST['street1'],
        $_POST['street2'],
    );

    if ($_POST['pass'] == '') {
        $query = <<<SQL_QUERY
update admin set
    fname = ?, lname = ?, firm = ?, zip = ?, city = ?, country = ?,
    email = ?, phone = ?, fax = ?, street1 = ?, street2 = ?
where admin_id = ?
SQL_QUERY;
        exec_query($sql, $query, array_merge($profile, array($edit_id)));
    } else {
        // The password branch takes the id from the form (writes the global).
        $edit_id = $_POST['edit_id'];

        if (chk_password($_POST['pass'])) {
            set_page_message(tr("Incorrect password range or syntax!"));
            header("Location: edit_user.php?edit_id={$edit_id}");
            die;
        }
        if ($_POST['pass'] != $_POST['pass_rep']) {
            set_page_message(tr("Entered passwords does not match!"));
            header("Location: edit_user.php?edit_id={$edit_id}");
            die;
        }

        $upass = crypt_user_pass($_POST['pass']);
        $query = <<<SQL_QUERY
update admin set
    admin_pass = ?, fname = ?, lname = ?, firm = ?, zip = ?, city = ?, country = ?,
    email = ?, phone = ?, fax = ?, street1 = ?, street2 = ?
where admin_id = ?
SQL_QUERY;
        exec_query($sql, $query, array_merge(array($upass), $profile, array($edit_id)));
    }

    $edit_username = $_POST['edit_username'];
    $user_logged = $_SESSION['user_logged'];
    write_log("{$user_logged}: change data/password for {$edit_username}!");

    $_SESSION['user_updated'] = 1;
    header("Location: manage_users.php");
    die;
}
/**
 * Validate the posted "add FTP account" form and, if it passes, create the account.
 *
 * Checks user name, password presence/repetition/policy, that the chosen
 * subdomain or alias list is not empty and that an "other dir" is given when
 * requested. The first failed check sets a warning page message and returns;
 * otherwise add_ftp_user() is called.
 *
 * @param mixed  $tpl      template engine (not used by this function)
 * @param mixed  $sql      database handle passed on to add_ftp_user()
 * @param mixed  $dmn_id   domain id (not used by this function)
 * @param string $dmn_name domain name passed on to add_ftp_user()
 * @return void
 */
function check_ftp_acc_data($tpl, $sql, $dmn_id, $dmn_name)
{
    $cfg = EasySCP_Registry::get('Config');

    $warn = function ($message) {
        set_page_message($message, 'warning');
    };

    if (!isset($_POST['username']) || $_POST['username'] === '') {
        $warn(tr('Please enter FTP account username!'));
        return;
    }

    $password_missing = !isset($_POST['pass']) || empty($_POST['pass'])
        || !isset($_POST['pass_rep']) || $_POST['pass_rep'] === '';
    if ($password_missing) {
        $warn(tr('Password is missing!'));
        return;
    }
    if ($_POST['pass'] !== $_POST['pass_rep']) {
        $warn(tr('Entered passwords do not match!'));
        return;
    }
    if (!chk_password($_POST['pass'])) {
        $hint = $cfg->PASSWD_STRONG
            ? tr('The password must be at least %s chars long and contain letters and numbers to be valid.')
            : tr('Password data is shorter than %s signs or includes not permitted signs!');
        $warn(sprintf($hint, $cfg->PASSWD_CHARS));
        return;
    }

    // The form sends 'n/a' as the selected id when the respective list is empty.
    if ($_POST['dmn_type'] === 'sub' && $_POST['sub_id'] === 'n/a') {
        $warn(tr('Subdomain list is empty! You cannot add FTP accounts there!'));
        return;
    }
    if ($_POST['dmn_type'] === 'als' && $_POST['als_id'] === 'n/a') {
        $warn(tr('Alias list is empty! You cannot add FTP accounts there!'));
        return;
    }

    $wants_other_dir = isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on';
    if ($wants_other_dir && empty($_POST['other_dir'])) {
        $warn(tr('Please specify other FTP account dir!'));
        return;
    }

    add_ftp_user($sql, $dmn_name);
}
/**
 * Validate the posted "add reseller" form.
 *
 * Checks, in order: the user name is free (`admin`.`admin_name`), user name
 * syntax, password policy, password repetition, e-mail syntax, every account
 * limit via easyscp_limit_check(), the SQL database/user limit pair (both or
 * neither may be disabled with -1), the traffic and disk limits, and that at
 * least one IP is assigned ($reseller_ips). The first failed check sets a
 * warning page message and returns false.
 *
 * @return bool true when every check passed
 */
function check_user_data()
{
    global $reseller_ips;

    $cfg = EasySCP_Registry::get('Config');
    $sql = EasySCP_Registry::get('Db');

    // Sets the warning and yields the value the caller expects on failure.
    $fail = function ($message) {
        set_page_message($message, 'warning');
        return false;
    };

    $username = clean_input($_POST['username']);
    $query = "\n\t\tSELECT\n\t\t\t`admin_id`\n\t\tFROM\n\t\t\t`admin`\n\t\tWHERE\n\t\t\t`admin_name` = ?\n\t;";
    $rs = exec_query($sql, $query, $username);
    if ($rs->recordCount() != 0) {
        return $fail(tr('This user name already exist!'));
    }

    if (!validates_username(clean_input($_POST['username']))) {
        return $fail(tr("Incorrect username length or syntax!"));
    }
    if (!chk_password($_POST['pass'])) {
        $hint = $cfg->PASSWD_STRONG
            ? tr('The password must be at least %s long and contain letters and numbers to be valid.')
            : tr('Password data is shorter than %s signs or includes not permitted signs!');
        return $fail(sprintf($hint, $cfg->PASSWD_CHARS));
    }
    if ($_POST['pass'] != $_POST['pass_rep']) {
        return $fail(tr("Entered passwords do not match!"));
    }
    if (!chk_email(clean_input($_POST['email']))) {
        return $fail(tr("Incorrect email syntax!"));
    }

    if (!easyscp_limit_check($_POST['nreseller_max_domain_cnt'], null)) {
        return $fail(tr("Incorrect domains limit!"));
    }
    if (!easyscp_limit_check($_POST['nreseller_max_subdomain_cnt'], -1)) {
        return $fail(tr("Incorrect subdomains limit!"));
    }
    if (!easyscp_limit_check($_POST['nreseller_max_alias_cnt'], -1)) {
        return $fail(tr('Incorrect aliases limit!'));
    }
    if (!easyscp_limit_check($_POST['nreseller_max_ftp_cnt'], -1)) {
        return $fail(tr('Incorrect FTP accounts limit!'));
    }
    if (!easyscp_limit_check($_POST['nreseller_max_mail_cnt'], -1)) {
        return $fail(tr('Incorrect mail accounts limit!'));
    }

    // SQL databases and SQL users can only be disabled (-1) together.
    if (!easyscp_limit_check($_POST['nreseller_max_sql_db_cnt'], -1)) {
        return $fail(tr('Incorrect SQL databases limit!'));
    }
    if ($_POST['nreseller_max_sql_db_cnt'] == -1 && $_POST['nreseller_max_sql_user_cnt'] != -1) {
        return $fail(tr('SQL databases limit is <em>disabled</em> but SQL users limit not!'));
    }
    if (!easyscp_limit_check($_POST['nreseller_max_sql_user_cnt'], -1)) {
        return $fail(tr('Incorrect SQL users limit!'));
    }
    if ($_POST['nreseller_max_sql_db_cnt'] != -1 && $_POST['nreseller_max_sql_user_cnt'] == -1) {
        return $fail(tr('SQL users limit is <em>disabled</em> but SQL databases limit not!'));
    }

    if (!easyscp_limit_check($_POST['nreseller_max_traffic'], null)) {
        return $fail(tr('Incorrect traffic limit!'));
    }
    if (!easyscp_limit_check($_POST['nreseller_max_disk'], null)) {
        return $fail(tr('Incorrect disk quota limit!'));
    }
    if ($reseller_ips == '') {
        return $fail(tr('You must assign at least one IP number for a reseller!'));
    }

    return true;
}
/**
 * Validate the posted "add reseller" form, old VHCS flavour.
 *
 * A truthy chk_username()/chk_password()/chk_email() result means the value
 * is invalid here. Every limit must pass vhcs_limit_check() against its
 * maximum and must not be -1. The first failed check sets a page message and
 * returns false. The original nested each limit check in the else branch of
 * the previous one; as every failure returns, the flat sequence below is
 * equivalent.
 *
 * @return bool true when every check passed
 */
function check_user_data()
{
    global $reseller_ips, $sql;

    $username = $_POST['username'];
    $query = <<<SQL_QUERY
select admin_id from admin where admin_name=?
SQL_QUERY;
    $rs = exec_query($sql, $query, array($username));
    if ($rs->RecordCount() != 0) {
        set_page_message(tr('This user name already exist!'));
        return false;
    }

    if (chk_username($_POST['username'])) {
        set_page_message(tr("Incorrect username range or syntax!"));
        return false;
    }
    if (chk_password($_POST['pass'])) {
        set_page_message(tr("Incorrect password range or syntax!"));
        return false;
    }
    if ($_POST['pass'] != $_POST['pass_rep']) {
        set_page_message(tr("Entered passwords does not match!"));
        return false;
    }
    if (chk_email($_POST['email'])) {
        set_page_message(tr("Incorrect email range or syntax!"));
        return false;
    }

    $domain_cnt = $_POST['nreseller_max_domain_cnt'];
    if (!vhcs_limit_check($domain_cnt, 999) || $domain_cnt == -1) {
        set_page_message(tr("Incorrect max domain count or syntax!"));
        return false;
    }
    $subdomain_cnt = $_POST['nreseller_max_subdomain_cnt'];
    if (!vhcs_limit_check($subdomain_cnt, 999) || $subdomain_cnt == -1) {
        set_page_message(tr("Incorrect max subdomain count or syntax!"));
        return false;
    }
    $alias_cnt = $_POST['nreseller_max_alias_cnt'];
    if (!vhcs_limit_check($alias_cnt, 999) || $alias_cnt == -1) {
        set_page_message(tr('Incorrect max alias count or syntax!'));
        return false;
    }
    $ftp_cnt = $_POST['nreseller_max_ftp_cnt'];
    if (!vhcs_limit_check($ftp_cnt, 999) || $ftp_cnt == -1) {
        set_page_message(tr('Incorrect max FTP count or syntax!'));
        return false;
    }
    $mail_cnt = $_POST['nreseller_max_mail_cnt'];
    if (!vhcs_limit_check($mail_cnt, 999) || $mail_cnt == -1) {
        set_page_message(tr('Incorrect max mail count or syntax!'));
        return false;
    }
    $sql_db_cnt = $_POST['nreseller_max_sql_db_cnt'];
    if (!vhcs_limit_check($sql_db_cnt, 999) || $sql_db_cnt == -1) {
        set_page_message(tr('Incorrect max SQL databases count or syntax!'));
        return false;
    }
    $sql_user_cnt = $_POST['nreseller_max_sql_user_cnt'];
    if (!vhcs_limit_check($sql_user_cnt, 999) || $sql_user_cnt == -1) {
        set_page_message(tr('Incorrect max SQL users count or syntax!'));
        return false;
    }
    $traffic = $_POST['nreseller_max_traffic'];
    if (!vhcs_limit_check($traffic, 999999) || $traffic == -1) {
        set_page_message(tr('Incorrect max traffic amount or syntax!'));
        return false;
    }
    $disk = $_POST['nreseller_max_disk'];
    if (!vhcs_limit_check($disk, 999999) || $disk == -1) {
        set_page_message(tr('Incorrect max disk amount or syntax!'));
        return false;
    }

    if ($reseller_ips == '') {
        set_page_message(tr('You must assign at least one IP number for a reseller!'));
        return false;
    }

    return true;
}
/**
 * Validate the posted user form, old VHCS flavour.
 *
 * Checks that the user name is free in `admin`, then user name, password,
 * password repetition and e-mail (a truthy chk_*() result means invalid).
 * The first failed check sets a page message and returns false.
 *
 * @return bool true when every check passed
 */
function check_user_data()
{
    global $sql;

    $query = <<<SQL_QUERY
select admin_id from admin where admin_name = ?
SQL_QUERY;
    $rs = exec_query($sql, $query, array($_POST['username']));
    if ($rs->RecordCount() != 0) {
        set_page_message(tr('This user name already exist!'));
        return false;
    }

    // Each entry: [condition that marks the field invalid, message on failure].
    // The closures defer the chk_*() calls so they run in the original order
    // and only until the first failure.
    $checks = array(
        array(function () { return (bool) chk_username($_POST['username']); }, "Incorrect username range or syntax!"),
        array(function () { return (bool) chk_password($_POST['pass']); }, "Incorrect password range or syntax!"),
        array(function () { return $_POST['pass'] != $_POST['pass_rep']; }, "Entered passwords does not match!"),
        array(function () { return (bool) chk_email($_POST['email']); }, "Incorrect email range or syntax!"),
    );
    foreach ($checks as $check) {
        list($is_invalid, $message) = $check;
        if ($is_invalid()) {
            set_page_message(tr($message));
            return false;
        }
    }

    return true;
}
* @link http://www.easyscp.net * @author EasySCP Team */ require '../../include/easyscp-lib.php'; check_login(__FILE__); $cfg = EasySCP_Registry::get('Config'); $tpl = EasySCP_TemplateEngine::getInstance(); $template = 'common/password_change.tpl'; if (isset($_POST['uaction']) && $_POST['uaction'] === 'updt_pass') { if (empty($_POST['pass']) || empty($_POST['pass_rep']) || empty($_POST['curr_pass'])) { set_page_message(tr('Please fill up all data fields!'), 'warning'); } else { if ($_POST['pass'] !== $_POST['pass_rep']) { set_page_message(tr('Passwords do not match!'), 'warning'); } else { if (!chk_password($_POST['pass'])) { if ($cfg->PASSWD_STRONG) { set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning'); } else { set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning'); } } else { if (!EasyPass::check_udata($_SESSION['user_id'], $_POST['curr_pass'])) { set_page_message(tr('The current password is wrong!'), 'warning'); } else { $upass = crypt_user_pass($_POST['pass']); $_SESSION['user_pass'] = $upass; $user_id = $_SESSION['user_id']; $query = "\n\t\t\tUPDATE\n\t\t\t\t`admin`\n\t\t\tSET\n\t\t\t\t`admin_pass` = ?\n\t\t\tWHERE\n\t\t\t\t`admin_id` = ?\n\t\t"; $rs = exec_query($sql, $query, array($upass, $user_id)); write_log($_SESSION['user_logged'] . ": update password!");
/**
 * Validate the posted user form.
 *
 * Checks user name syntax, password policy, password repetition and e-mail
 * syntax first, and only then queries `admin` to make sure the user name is
 * still free. The first failed check sets a page message and returns false.
 *
 * @return bool true when every check passed
 */
function check_user_data()
{
    $cfg = EasySCP_Registry::get('Config');
    $sql = EasySCP_Registry::get('Db');

    $fail = function ($message, $level) {
        set_page_message($message, $level);
        return false;
    };

    if (!validates_username($_POST['username'])) {
        return $fail(tr("Incorrect username length or syntax!"), 'warning');
    }
    if (!chk_password($_POST['pass'])) {
        $hint = $cfg->PASSWD_STRONG
            ? tr('The password must be at least %s chars long and contain letters and numbers to be valid.')
            : tr('Password data is shorter than %s signs or includes not permitted signs!');
        return $fail(sprintf($hint, $cfg->PASSWD_CHARS), 'warning');
    }
    if ($_POST['pass'] != $_POST['pass_rep']) {
        return $fail(tr('Entered passwords do not match!'), 'warning');
    }
    if (!chk_email($_POST['email'])) {
        return $fail(tr('Incorrect email length or syntax!'), 'warning');
    }

    // Cheap syntax checks are done; now hit the database for uniqueness.
    $query = "\n\t\tSELECT\n\t\t\t`admin_id`\n\t\tFROM\n\t\t\t`admin`\n\t\tWHERE\n\t\t\t`admin_name` = ?\n";
    $rs = exec_query($sql, $query, clean_input($_POST['username']));
    if ($rs->recordCount() != 0) {
        return $fail(tr('This user name already exist!'), 'error');
    }

    return true;
}
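/**
 * Save the edited FTP account (uaction=edit_user).
 *
 * Two things can change: the password (when `pass` or `pass_rep` is posted
 * non-empty) and the home directory (when `use_other_dir` is 'on'). The
 * posted "other dir" is normalised, rejected if it contains a parent
 * directory reference, checked for existence through the virtual file
 * system and prefixed with the user's FTP root. Without a password change
 * and without "other dir" the home directory is reset to the user's root.
 * Failed checks set a page message and return; on success `ftp_users` is
 * updated, the change is logged and the browser is sent to ftp_accounts.php.
 *
 * The original only applied the '//' normalisation and the '..' rejection
 * when no password was submitted, so a password change could store an
 * unchecked path as the account's home directory; both paths now share the
 * same validation.
 *
 * @param mixed  $sql      database handle for exec_query() and the VFS
 * @param string $ftp_acc  FTP user id (`ftp_users`.`userid`)
 * @param string $dmn_name domain the VFS is opened for
 * @return void
 */
function update_ftp_account($sql, $ftp_acc, $dmn_name)
{
    global $other_dir;

    $cfg = EasySCP_Registry::get('Config');

    if (!isset($_POST['uaction']) || $_POST['uaction'] !== 'edit_user') {
        return;
    }

    $user_root = $cfg->FTP_HOMEDIR . "/" . $_SESSION['user_logged'];
    $use_other_dir = isset($_POST['use_other_dir']) && $_POST['use_other_dir'] === 'on';

    // Read once so a missing field does not raise undefined-index notices.
    $pass_in = isset($_POST['pass']) ? $_POST['pass'] : '';
    $pass_rep_in = isset($_POST['pass_rep']) ? $_POST['pass_rep'] : '';
    $change_password = !empty($pass_in) || !empty($pass_rep_in);

    if ($change_password) {
        if ($pass_in !== $pass_rep_in) {
            set_page_message(tr('Entered passwords do not match!'), 'warning');
            return;
        }
        if (!chk_password($pass_in)) {
            $hint = $cfg->PASSWD_STRONG
                ? tr('The password must be at least %s chars long and contain letters and numbers to be valid.')
                : tr('Password data is shorter than %s signs or includes not permitted signs!');
            set_page_message(sprintf($hint, $cfg->PASSWD_CHARS), 'warning');
            return;
        }
        $pass = crypt_user_pass_with_salt($pass_in);
        $loginpass = encrypt_db_password($pass_in);
    }

    // null means "leave `homedir` untouched".
    $homedir = null;
    if ($use_other_dir) {
        $other_dir = clean_input($_POST['other_dir']);
        // Strip possible double-slashes
        $other_dir = str_replace('//', '/', $other_dir);
        // Reject ".." before the path becomes the account's home directory.
        if (preg_match('/\.\./', $other_dir) !== 0) {
            set_page_message(tr('Incorrect mount point length or syntax'), 'warning');
            return;
        }
        // The VFS checks relative to the user's FTP root (no absolute paths).
        $vfs = new EasySCP_VirtualFileSystem($dmn_name, $sql);
        if (!$vfs->exists($other_dir)) {
            set_page_message(tr('%s does not exist', $other_dir), 'error');
            return;
        }
        $other_dir = $user_root . $other_dir;
        $homedir = $other_dir;
    } elseif (!$change_password) {
        // NOTE(review): kept from the original — a plain data update without
        // "other dir" resets the home directory, a password change does not.
        $other_dir = $user_root;
        $homedir = $other_dir;
    }

    if ($change_password && $homedir !== null) {
        $query = "\n\t\t\t\t\tUPDATE\n\t\t\t\t\t\t`ftp_users`\n\t\t\t\t\tSET\n\t\t\t\t\t\t`passwd` = ?,\n\t\t\t\t\t\t`net2ftppasswd` = ?,\n\t\t\t\t\t\t`homedir` = ?\n\t\t\t\t\tWHERE\n\t\t\t\t\t\t`userid` = ?\n\t\t\t\t";
        $param = array($pass, $loginpass, $homedir, $ftp_acc);
    } elseif ($change_password) {
        $query = "\n\t\t\t\t\tUPDATE\n\t\t\t\t\t\t`ftp_users`\n\t\t\t\t\tSET\n\t\t\t\t\t\t`passwd` = ?,\n\t\t\t\t\t\t`net2ftppasswd` = ?\n\t\t\t\t\tWHERE\n\t\t\t\t\t\t`userid` = ?\n\t\t\t\t";
        $param = array($pass, $loginpass, $ftp_acc);
    } else {
        $query = "\n\t\t\t\tUPDATE\n\t\t\t\t\t`ftp_users`\n\t\t\t\tSET\n\t\t\t\t\t`homedir` = ?\n\t\t\t\tWHERE\n\t\t\t\t\t`userid` = ?\n\t\t\t";
        $param = array($homedir, $ftp_acc);
    }
    exec_query($sql, $query, $param);

    // Logged for the home-directory-only change as well, so the audit trail
    // covers every modification of the account.
    write_log($_SESSION['user_logged'] . ": updated FTP " . $ftp_acc . " account data");
    set_page_message(tr('FTP account data updated!'), 'success');
    user_goto('ftp_accounts.php');
}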
/**
 * Check validity of input data
 *
 * Copies the posted reseller-account fields into the globals the caller
 * reads afterwards, then validates the password pair (only when $noPass is
 * '_no_') and the e-mail. The outcome is also stored in $_SESSION['Message']:
 * null on success, the error text otherwise.
 *
 * @todo check if we can remove out commented code block
 * @param mixed  $tpl    template engine (not used by this function)
 * @param string $noPass '_no_' when a password has to be supplied and checked
 * @return bool true when the data is acceptable
 */
function check_ruser_data($tpl, $noPass)
{
    global $dmn_name, $hpid, $dmn_user_name;
    global $user_email, $customer_id, $first_name;
    global $last_name, $firm, $zip, $gender;
    global $city, $state, $country, $street_one;
    global $street_two, $phone;
    global $fax, $inpass, $domain_ip;

    $cfg = EasySCP_Registry::get('Config');
    $user_add_error = '_off_';
    $inpass_re = '';

    // Posted value when present, otherwise whatever the variable already holds.
    $posted = function ($key, $current) {
        return isset($_POST[$key]) ? $_POST[$key] : $current;
    };

    // Get data for fields from previous page
    $inpass = $posted('userpassword', $inpass);
    $inpass_re = $posted('userpassword_repeat', $inpass_re);
    $domain_ip = $posted('domain_ip', $domain_ip);
    $user_email = $posted('useremail', $user_email);
    $customer_id = $posted('useruid', $customer_id);
    $first_name = $posted('userfname', $first_name);
    $last_name = $posted('userlname', $last_name);
    $firm = $posted('userfirm', $firm);
    $zip = $posted('userzip', $zip);
    $city = $posted('usercity', $city);
    $state = $posted('userstate', $state);
    $country = $posted('usercountry', $country);
    $street_one = $posted('userstreet1', $street_one);
    $street_two = $posted('userstreet2', $street_two);
    $phone = $posted('userphone', $phone);
    $fax = $posted('userfax', $fax);

    // Gender is only accepted when it maps to a known code.
    $gender = '';
    if (isset($_POST['gender']) && !is_null(get_gender_by_code($_POST['gender'], true))) {
        $gender = $_POST['gender'];
    }

    //if (isset($_SESSION['local_data']))
    //	list($dmn_name, $hpid, $dmn_user_name) = explode(";", $_SESSION['local_data']);

    // Begin checking...
    if ($noPass == '_no_') {
        if ('' === $inpass_re || '' === $inpass) {
            $user_add_error = tr('Please fill up both data fields for password!');
        } elseif ($inpass_re !== $inpass) {
            $user_add_error = tr("Passwords don't match!");
        } elseif (!chk_password($inpass)) {
            $hint = $cfg->PASSWD_STRONG
                ? tr('The password must be at least %s long and contain letters and numbers to be valid.')
                : tr('Password data is shorter than %s signs or includes not permitted signs!');
            $user_add_error = sprintf($hint, $cfg->PASSWD_CHARS);
        }
    }

    // NOTE(review): this only catches a missing (null) e-mail, not a malformed
    // one; the message suggests a syntax check was intended — confirm.
    if (is_null($user_email)) {
        $user_add_error = tr('Incorrect email length or syntax!');
    }

    if ($user_add_error === '_off_') {
        // send data through session
        $_SESSION['Message'] = NULL;
        return true;
    }

    $_SESSION['Message'] = $user_add_error;
    return false;
}
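/**
 * Saves the edited account data of an administrator/reseller/user.
 *
 * Only acts on the 'edit_user' form action and only after check_user_data()
 * accepted the input. The `admin` row is updated; when a new password was
 * posted it is validated, hashed with crypt_user_pass() and every live session
 * of the edited account is removed from `login`. With 'send_data' the new
 * credentials are mailed via send_add_user_auto_msg(). Ends with a redirect
 * to manage_users.php.
 *
 * @param mixed $sql Database handle passed through to exec_query()
 * @return void
 */
function update_data($sql) {
	global $edit_id;

	$cfg = EasySCP_Registry::get('Config');

	if (!isset($_POST['Submit']) || !isset($_POST['uaction']) || $_POST['uaction'] !== 'edit_user') {
		return;
	}
	if (!check_user_data()) {
		return;
	}

	$user_id = $_SESSION['user_id'];

	$fname = clean_input($_POST['fname']);
	$lname = clean_input($_POST['lname']);
	$firm = clean_input($_POST['firm']);
	$gender = clean_input($_POST['gender']);
	$zip = clean_input($_POST['zip']);
	$city = clean_input($_POST['city']);
	$state = clean_input($_POST['state']);
	$country = clean_input($_POST['country']);
	$email = clean_input($_POST['email']);
	$phone = clean_input($_POST['phone']);
	$fax = clean_input($_POST['fax']);
	$street1 = clean_input($_POST['street1']);
	$street2 = clean_input($_POST['street2']);

	if (empty($_POST['pass'])) {
		// No password change: plain profile update for the page's $edit_id
		$query = "\n\t\t\t\t\tUPDATE\n\t\t\t\t\t\t`admin`\n\t\t\t\t\tSET\n\t\t\t\t\t\t`fname` = ?,\n\t\t\t\t\t\t`lname` = ?,\n\t\t\t\t\t\t`firm` = ?,\n\t\t\t\t\t\t`zip` = ?,\n\t\t\t\t\t\t`city` = ?,\n\t\t\t\t\t\t`state` = ?,\n\t\t\t\t\t\t`country` = ?,\n\t\t\t\t\t\t`email` = ?,\n\t\t\t\t\t\t`phone` = ?,\n\t\t\t\t\t\t`fax` = ?,\n\t\t\t\t\t\t`street1` = ?,\n\t\t\t\t\t\t`street2` = ?,\n\t\t\t\t\t\t`gender` = ?\n\t\t\t\t\tWHERE\n\t\t\t\t\t\t`admin_id` = ?\n\t\t\t\t";
		exec_query($sql, $query, array($fname, $lname, $firm, $zip, $city, $state, $country, $email, $phone, $fax, $street1, $street2, $gender, $edit_id));
	} else {
		// In the password branch the edited id is taken from the form
		// (the branch above relies on the global set by the page)
		$edit_id = $_POST['edit_id'];
		$passRepeat = isset($_POST['pass_rep']) ? $_POST['pass_rep'] : '';

		// Strict comparison: with != two different numeric-looking strings
		// such as "1e3" and "1000" would count as matching passwords
		if ($_POST['pass'] !== $passRepeat) {
			set_page_message(tr("Entered passwords do not match!"), 'warning');
			user_goto('admin_edit.php?edit_id=' . $edit_id);
			return; // guard in case user_goto() does not terminate the script
		}
		if (!chk_password($_POST['pass'])) {
			if ($cfg->PASSWD_STRONG) {
				set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning');
			} else {
				set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning');
			}
			user_goto('admin_edit.php?edit_id=' . $edit_id);
			return; // guard in case user_goto() does not terminate the script
		}

		$upass = crypt_user_pass($_POST['pass']);

		$query = "\n\t\t\t\t\tUPDATE\n\t\t\t\t\t\t`admin`\n\t\t\t\t\tSET\n\t\t\t\t\t\t`admin_pass` = ?,\n\t\t\t\t\t\t`fname` = ?,\n\t\t\t\t\t\t`lname` = ?,\n\t\t\t\t\t\t`firm` = ?,\n\t\t\t\t\t\t`zip` = ?,\n\t\t\t\t\t\t`city` = ?,\n\t\t\t\t\t\t`state` = ?,\n\t\t\t\t\t\t`country` = ?,\n\t\t\t\t\t\t`email` = ?,\n\t\t\t\t\t\t`phone` = ?,\n\t\t\t\t\t\t`fax` = ?,\n\t\t\t\t\t\t`street1` = ?,\n\t\t\t\t\t\t`street2` = ?,\n\t\t\t\t\t\t`gender` = ?\n\t\t\t\t\tWHERE\n\t\t\t\t\t\t`admin_id` = ?\n\t\t\t\t";
		exec_query($sql, $query, array($upass, $fname, $lname, $firm, $zip, $city, $state, $country, $email, $phone, $fax, $street1, $street2, $gender, $edit_id));

		// Kill any existing session of the edited user
		$admin_name = get_user_name($edit_id);
		$query = "\n\t\t\t\t\tDELETE FROM\n\t\t\t\t\t\t`login`\n\t\t\t\t\tWHERE\n\t\t\t\t\t\t`user_name` = ?\n\t\t\t\t";
		$rs = exec_query($sql, $query, $admin_name);
		if ($rs->recordCount() != 0) {
			set_page_message(tr('User session was killed!'), 'info');
			write_log($_SESSION['user_logged'] . " killed " . $admin_name . "'s session because of password change");
		}
	}

	$edit_username = clean_input($_POST['edit_username']);
	$user_logged = $_SESSION['user_logged'];
	write_log("{$user_logged}: changes data/password for {$edit_username}!");

	if (isset($_POST['send_data']) && !empty($_POST['pass'])) {
		// Parameterised lookup: the former string-built query escaped the id with
		// addslashes(htmlspecialchars()), which is not a SQL escaping mechanism
		$query = "SELECT `admin_type` FROM `admin` WHERE `admin_id` = ?";
		$res = exec_query($sql, $query, $edit_id);

		if ($res->fields['admin_type'] == 'admin') {
			$admin_type = tr('Administrator');
		} elseif ($res->fields['admin_type'] == 'reseller') {
			$admin_type = tr('Reseller');
		} else {
			$admin_type = tr('Domain account');
		}

		// The clear-text password is handed to the mailer on purpose (welcome mail)
		send_add_user_auto_msg($user_id, $edit_username, clean_input($_POST['pass']), clean_input($_POST['email']), clean_input($_POST['fname']), clean_input($_POST['lname']), tr($admin_type), $gender);
	}

	$_SESSION['user_updated'] = 1;
	user_goto('manage_users.php');
}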
} $da_crc = md5(CRC_SALT_0013 . $user_id . $_POST["from_mail"] . $_POST["ct"] . $_POST["complaint_text"] . cl_ip()); $da_users_id = $user_id; switch ($_POST["ct"]) { case 1: if (!preg_match(NON_BOGUS, trim($_POST["login"]))) { echo $back_lnk; echo "<big>bogus username</big>."; die("</td></tr></table></body></html>"); } if (!ip_check(trim($_POST["login"]), 1)) { echo $back_lnk; echo "<big>too many failed attempts for username / password pair, try again later.</big>"; die("</td></tr></table></body></html>"); } $da_users_id = chk_password($_POST["login"], $_POST["passwd"]); if ($da_users_id == 0) { echo $back_lnk; echo "<big>username or password is invalid</big>."; die("</td></tr></table></body></html>"); } $rf = pg_safe_exec("SELECT flags FROM users WHERE id='" . (int) $da_users_id . "'"); $of = pg_fetch_object($rf); if (!((int) $of->flags & 1)) { // not suspended echo $back_lnk; echo "<big>your username is NOT suspended currently</big>."; die("</td></tr></table></body></html>"); } $da_channel1_id = 0; $da_channel1_name = "";
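/**
 * Function to update changes into db
 *
 * Writes the globals filled by check_ruser_data() into the `admin` row of the
 * customer $hpid, restricted to rows created by the logged-in reseller. When a
 * new password ($inpass) was posted it is validated, hashed with
 * crypt_user_pass(), stored, and any live session of the customer is deleted
 * from `login`. With 'send_data' the new credentials are mailed. Ends with a
 * redirect to users.php.
 *
 * @param int $hpid Id of the edited customer (`admin`.`admin_id`)
 * @return void
 */
function update_data_in_db($hpid) {
	global $dmn_user_name, $user_email, $customer_id, $first_name, $last_name, $firm, $zip, $gender, $city, $state, $country, $street_one, $street_two, $phone, $fax, $inpass, $admin_login;

	$sql = EasySCP_Registry::get('Db');
	$cfg = EasySCP_Registry::get('Config');

	$reseller_id = $_SESSION['user_id'];

	$first_name = clean_input($first_name);
	$last_name = clean_input($last_name);
	$firm = clean_input($firm);
	$gender = clean_input($gender);
	$zip = clean_input($zip);
	$city = clean_input($city);
	$state = clean_input($state);
	$country = clean_input($country);
	$phone = clean_input($phone);
	$fax = clean_input($fax);
	$street_one = clean_input($street_one);
	$street_two = clean_input($street_two);

	if (empty($inpass)) {
		// Save without password
		$query = "\n\t\t\tUPDATE\n\t\t\t\t`admin`\n\t\t\tSET\n\t\t\t\t`fname` = ?,\n\t\t\t\t`lname` = ?,\n\t\t\t\t`firm` = ?,\n\t\t\t\t`zip` = ?,\n\t\t\t\t`city` = ?,\n\t\t\t\t`state` = ?,\n\t\t\t\t`country` = ?,\n\t\t\t\t`email` = ?,\n\t\t\t\t`phone` = ?,\n\t\t\t\t`fax` = ?,\n\t\t\t\t`street1` = ?,\n\t\t\t\t`street2` = ?,\n\t\t\t\t`gender` = ?,\n\t\t\t\t`customer_id` = ?\n\t\t\tWHERE\n\t\t\t\t`admin_id` = ?\n\t\t\tAND\n\t\t\t\t`created_by` = ?\n\t\t";
		exec_query($sql, $query, array($first_name, $last_name, $firm, $zip, $city, $state, $country, $user_email, $phone, $fax, $street_one, $street_two, $gender, $customer_id, $hpid, $reseller_id));
	} else {
		// Change password. $inpass is the value that gets hashed and stored
		// (check_ruser_data() fills it from $_POST['userpassword']), so it is
		// also the value validated here instead of re-reading $_POST.
		if (!chk_password($inpass)) {
			// Test the flag's value, not its existence: isset() reported the
			// "strong" message even when PASSWD_STRONG was switched off
			if ($cfg->PASSWD_STRONG) {
				set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning');
			} else {
				set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning');
			}
			user_goto('user_edit.php?edit_id=' . $hpid);
			return; // guard in case user_goto() does not terminate the script
		}

		$passRepeat = isset($_POST['userpassword_repeat']) ? $_POST['userpassword_repeat'] : '';
		// Strict comparison: != treats numeric-looking strings such as "1e3"/"1000" as equal
		if ($inpass !== $passRepeat) {
			set_page_message(tr('Entered passwords do not match!'), 'warning');
			user_goto('user_edit.php?edit_id=' . $hpid);
			return; // guard in case user_goto() does not terminate the script
		}

		// Keep the clear text only for the optional welcome mail below
		$pure_user_pass = $inpass;
		$inpass = crypt_user_pass($inpass);

		$query = "\n\t\t\tUPDATE\n\t\t\t\t`admin`\n\t\t\tSET\n\t\t\t\t`admin_pass` = ?,\n\t\t\t\t`fname` = ?,\n\t\t\t\t`lname` = ?,\n\t\t\t\t`firm` = ?,\n\t\t\t\t`zip` = ?,\n\t\t\t\t`city` = ?,\n\t\t\t\t`state` = ?,\n\t\t\t\t`country` = ?,\n\t\t\t\t`email` = ?,\n\t\t\t\t`phone` = ?,\n\t\t\t\t`fax` = ?,\n\t\t\t\t`street1` = ?,\n\t\t\t\t`street2` = ?,\n\t\t\t\t`gender` = ?,\n\t\t\t\t`customer_id` = ?\n\t\t\tWHERE\n\t\t\t\t`admin_id` = ?\n\t\t\tAND\n\t\t\t\t`created_by` = ?\n\t\t";
		exec_query($sql, $query, array($inpass, $first_name, $last_name, $firm, $zip, $city, $state, $country, $user_email, $phone, $fax, $street_one, $street_two, $gender, $customer_id, $hpid, $reseller_id));

		// Kill any existing session of the edited user
		$admin_name = get_user_name($hpid);
		$query = "\n\t\t\tDELETE FROM\n\t\t\t\t`login`\n\t\t\tWHERE\n\t\t\t\t`user_name` = ?\n\t\t";
		$rs = exec_query($sql, $query, $admin_name);
		if ($rs->recordCount() != 0) {
			set_page_message(tr('User session was killed!'), 'info');
			write_log($_SESSION['user_logged'] . " killed " . $admin_name . "'s session because of password change");
		}
	}

	$admin_login = $_SESSION['user_logged'];
	write_log("{$admin_login} changes data/password for {$dmn_user_name}!");

	if (isset($_POST['send_data']) && !empty($inpass)) {
		send_add_user_auto_msg($reseller_id, $dmn_user_name, $pure_user_pass, $user_email, $first_name, $last_name, tr('Domain account'));
	}

	unset($_SESSION['edit_ID']);
	unset($_SESSION['user_name']);

	$_SESSION['edit'] = "_yes_";
	user_goto('users.php?psi=last');
}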
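/**
 * Check reseller data
 *
 * Validates the posted reseller edit form: the optional new password pair,
 * the email address, every account limit against the reseller's current
 * usage (via _check_new_limit()) and the IP assignment. Each failing check
 * emits a page message and pushes its field marker into $errFields.
 *
 * @param array &$errFields reference to the error indicators of input fields
 * @return boolean TRUE if all data are valid, FALSE otherwise
 */
function check_data(&$errFields) {
	$cfg = EasySCP_Registry::get('Config');

	// Remember how many markers were already present so only this call's
	// findings decide the return value
	$errorsBefore = is_array($errFields) ? count($errFields) : 0;

	// Get needed data
	$rdata =& get_data();

	/**
	 * Check for new password (only when one of the two fields was filled)
	 */
	$pass0 = isset($_POST['pass0']) ? $_POST['pass0'] : '';
	$pass1 = isset($_POST['pass1']) ? $_POST['pass1'] : '';

	if (!empty($pass0) || !empty($pass1)) {
		if (!chk_password($pass0)) {
			if ($cfg->PASSWD_STRONG) {
				set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning');
			} else {
				set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning');
			}
			$errFields[] = 'PWD_ERR';
		}
		// Strict comparison: != treats numeric-looking strings such as "1e3"/"1000" as equal
		if ($pass0 !== $pass1) {
			set_page_message(tr('Entered passwords do not match!'), 'warning');
			$errFields[] = 'PWD_ERR';
			$errFields[] = 'PWDR_ERR';
		}
	}

	/**
	 * Check for mail address
	 */
	if (!chk_email($rdata['email'])) {
		set_page_message(tr('Incorrect email syntax!'), 'warning');
		$errFields[] = 'EMAIL_ERR';
	}

	// Current usage of the reseller's customers (u*) and of the reseller itself (r*)
	list($udmn_current, , $udmn_uf, $usub_current, , $usub_uf, $uals_current, , $uals_uf, $umail_current, , $umail_uf, $uftp_current, , $uftp_uf, $usql_db_current, , $usql_db_uf, $usql_user_current, , $usql_user_uf, $utraff_current, , $utraff_uf, $udisk_current, , $udisk_uf) = generate_reseller_users_props($rdata['edit_id']);
	list($rdmn_current, , $rsub_current, , $rals_current, , $rmail_current, , $rftp_current, , $rsql_db_current, , $rsql_user_current, , $rtraff_current, , $rdisk_current, ) = generate_reseller_props($rdata['edit_id']);

	/**
	 * Check for new domains limit
	 */
	if (easyscp_limit_check($rdata['max_dmn_cnt'], null)) {
		$rs = _check_new_limit($rdata['max_dmn_cnt'], $rdmn_current, $udmn_current, $udmn_uf, tr('Domains'));
	} else {
		set_page_message(tr('Incorrect domains limit!'), 'warning');
		$rs = false;
	}
	if (!$rs) {
		$errFields[] = 'DMN_ERR';
	}

	/**
	 * Check for new subdomains limit
	 */
	if (easyscp_limit_check($rdata['max_sub_cnt'])) {
		$rs = _check_new_limit($rdata['max_sub_cnt'], $rsub_current, $usub_current, $usub_uf, tr('Subdomains'));
	} else {
		set_page_message(tr('Incorrect subdomains limit!'), 'warning');
		$rs = false;
	}
	if (!$rs) {
		$errFields[] = 'SUB_ERR';
	}

	/**
	 * Check for new domain alias limit
	 */
	if (easyscp_limit_check($rdata['max_als_cnt'])) {
		$rs = _check_new_limit($rdata['max_als_cnt'], $rals_current, $uals_current, $uals_uf, tr('Aliases'));
	} else {
		set_page_message(tr('Incorrect aliases limit!'), 'warning');
		$rs = false;
	}
	if (!$rs) {
		$errFields[] = 'ALS_ERR';
	}

	/**
	 * Check for new mail accounts limit
	 */
	if (easyscp_limit_check($rdata['max_mail_cnt'])) {
		$rs = _check_new_limit($rdata['max_mail_cnt'], $rmail_current, $umail_current, $umail_uf, tr('Mail'));
	} else {
		set_page_message(tr('Incorrect mail accounts limit!'), 'warning');
		$rs = false;
	}
	if (!$rs) {
		$errFields[] = 'MAIL_ERR';
	}

	/**
	 * Check for new Ftp accounts limit
	 */
	if (easyscp_limit_check($rdata['max_ftp_cnt'])) {
		$rs = _check_new_limit($rdata['max_ftp_cnt'], $rftp_current, $uftp_current, $uftp_uf, tr('FTP'));
	} else {
		set_page_message(tr('Incorrect FTP accounts limit!'), 'warning');
		$rs = false;
	}
	if (!$rs) {
		$errFields[] = 'FTP_ERR';
	}

	/**
	 * Check for new Sql databases limit
	 * (-1 on one of the two SQL limits is only allowed when the other one is -1 too)
	 */
	if (!($rs = easyscp_limit_check($rdata['max_sql_db_cnt']))) {
		set_page_message(tr('Incorrect SQL databases limit!'), 'warning');
	} elseif ($rdata['max_sql_db_cnt'] == -1 && $rdata['max_sql_user_cnt'] != -1) {
		set_page_message(tr('SQL databases limit is <em>disabled</em> but SQL users limit not!'), 'warning');
		$rs = false;
	} else {
		$rs = _check_new_limit($rdata['max_sql_db_cnt'], $rsql_db_current, $usql_db_current, $usql_db_uf, tr('SQL Databases'));
	}
	if (!$rs) {
		$errFields[] = 'SQLD_ERR';
	}

	/**
	 * Check for new Sql users limit
	 */
	if (!($rs = easyscp_limit_check($rdata['max_sql_user_cnt']))) {
		set_page_message(tr('Incorrect SQL users limit!'), 'warning');
	} elseif ($rdata['max_sql_db_cnt'] != -1 && $rdata['max_sql_user_cnt'] == -1) {
		set_page_message(tr('SQL users limit is <em>disabled</em> but SQL databases limit not!'), 'warning');
		$rs = false;
	} else {
		$rs = _check_new_limit($rdata['max_sql_user_cnt'], $rsql_user_current, $usql_user_current, $usql_user_uf, tr('SQL Users'));
	}
	if (!$rs) {
		$errFields[] = 'SQLU_ERR';
	}

	/**
	 * Check for new traffic limit (usage is converted from bytes to MiB)
	 */
	if (easyscp_limit_check($rdata['max_traff_amnt'], null)) {
		$rs = _check_new_limit($rdata['max_traff_amnt'], $rtraff_current, $utraff_current / 1024 / 1024, $utraff_uf, tr('Web Traffic'));
	} else {
		set_page_message(tr('Incorrect traffic limit!'), 'warning');
		$rs = false;
	}
	if (!$rs) {
		$errFields[] = 'TRF_ERR';
	}

	/**
	 * Check for new diskspace limit (usage is converted from bytes to MiB)
	 */
	if (easyscp_limit_check($rdata['max_disk_amnt'], null)) {
		$rs = _check_new_limit($rdata['max_disk_amnt'], $rdisk_current, $udisk_current / 1024 / 1024, $udisk_uf, tr('Disk storage'));
	} else {
		set_page_message(tr('Incorrect disk quota limit!'), 'warning');
		$rs = false;
	}
	if (!$rs) {
		$errFields[] = 'DISK_ERR';
	}

	/**
	 * Check for IP adresses
	 */
	$ipsAssigned = ($rdata['reseller_ips'] != '');
	if (!$ipsAssigned) {
		set_page_message(tr('You must assign at least one IP number for a reseller!'), 'warning');
	}
	// NOTE(review): the result of check_user_ip_data() was never used here;
	// it is assumed to report its own problems — confirm against its definition
	check_user_ip_data($rdata['edit_id'], $rdata['rip_lst'], $rdata['reseller_ips']);

	// The docblock promised a boolean but the function never returned one,
	// so callers testing the result always saw NULL
	return $ipsAssigned && count($errFields) == $errorsBefore;
}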
echo "</html>\n\n"; die; } std_connect(); if ($username != "" && !preg_match(NON_BOGUS, $username)) { echo "<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">\n"; echo "<html><head><title>ERROR</title>"; std_theme_styles(); echo "</head>"; std_theme_body(); echo "<center>\n"; echo "<h2>"; echo "Bogus username</h2><br><a href=\"login.php\">Try again</a></center></body></html>\n\n"; die; } $user_id = chk_password($username, $password, -1); if ($user_id > 0) { $res = pg_safe_exec("select users.id,users.flags,levels.access from users,levels where users.id=" . (int) $user_id . " and users.id=levels.user_id and levels.channel_id=1 and levels.access>0"); if (pg_numrows($res) == 0) { if (ADMINONLY_MIRROR) { echo "<META HTTP-EQUIV=\"Pragma\" CONTENT=\"no-cache\">\n"; echo "<html><head><title>This mirror is reserved for CService officials</title>"; std_theme_styles(); echo "</head>"; std_theme_body(); echo "<center>\n"; echo "<h2>"; echo "Sorry, You can't login on that website."; echo "</h2>"; echo "<h3>It's currently reserved for CService officials only,<br>"; echo "You can access a client mirror at : <a href=\"" . CLIENT_MIRROR_URL . "\" target=_top>" . CLIENT_MIRROR_URL . "</a>, thanks.</h3>\n";
if ($mode == "write" && $crc == md5($SECURE_ID . CRC_SALT_0011)) { $da_error = -1; if ($pass1 == $pass2 && ($pass1 != "" && $pass2 != "")) { if ($admin > 0 && BOFH_PASS_ADMIN && !pw_check($pass1) || BOFH_PASS_USER && !pw_check($pass1) || strlen($pass1) < PW_MIN_CHARS) { $da_error = 2; } else { if (strtolower($dauser->user_name) == strtolower($pass1)) { $da_error = 3; } else { if (strtolower($dauser->verificationdata) == strtolower($pass1)) { $da_error = 4; } else { if (strtolower($dauser->email) == strtolower($pass1)) { $da_error = 5; } else { if (chk_password($dauser->user_name, $pass0, -1) <= 0) { $da_error = 6; // possible bruteforce attack (but rare, user must be already logged in), will add security later... } else { // change password $valid = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; $password = ""; srand((double) microtime() * 1000000); for ($i = 0; $i < 8; $i++) { $salt = $salt . $valid[rand(0, strlen($valid) - 1)]; } $crypt = $salt . md5($salt . $pass1); $query = "UPDATE users SET last_updated=now()::abstime::int4,last_updated_by='** Password Change **',password='******' WHERE id=" . ($user_id + 0); pg_safe_exec($query); // send email $mailm = "";
/** * Generates random password matching the chk_password criteria * * @see _passgen() * @return String password */ function passgen() { $pw = null; while (is_null($pw) || !chk_password($pw, 50, "/[<>]/")) { $pw = _passgen(); } return $pw; }
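/**
 * Validates the posted reseller edit form.
 *
 * Checks the optional new password pair, the email address, each
 * nreseller_max_* limit and the IP assignment; the first failing check sets a
 * page message and returns FALSE. The IP list is finally delegated to
 * check_reseller_data().
 *
 * As used in this file, chk_password() and chk_email() return a truthy value
 * for INVALID input.
 *
 * @return bool TRUE when the input is acceptable, FALSE otherwise
 */
function check_user_data() {
	global $reseller_ips, $edit_id, $rip_lst;

	$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
	$passRep = isset($_POST['pass_rep']) ? $_POST['pass_rep'] : '';

	// A password is only validated when one of the two fields was filled
	if ($pass !== '' || $passRep !== '') {
		if (chk_password($pass)) {
			set_page_message(tr("Incorrect password range or syntax!"));
			return false;
		}
		// Strict comparison: != treats numeric-looking strings such as "1e3"/"1000" as equal
		if ($pass !== $passRep) {
			set_page_message(tr("Entered passwords does not match!"));
			return false;
		}
	}

	if (chk_email($_POST['email'])) {
		set_page_message(tr("Incorrect email range or syntax!"));
		return false;
	}

	// Field => (upper bound for vhcs_limit_check(), message key). A value of -1
	// is rejected explicitly (presumably the "unlimited" marker — confirm).
	$limits = array(
		'nreseller_max_domain_cnt' => array(999, "Incorrect max domain count or syntax!"),
		'nreseller_max_subdomain_cnt' => array(999, "Incorrect max subdomain count or syntax!"),
		'nreseller_max_alias_cnt' => array(999, 'Incorrect max alias count or syntax!'),
		'nreseller_max_ftp_cnt' => array(999, 'Incorrect max FTP count or syntax!'),
		'nreseller_max_mail_cnt' => array(999, 'Incorrect max mail count or syntax!'),
		'nreseller_max_sql_db_cnt' => array(999, 'Incorrect max SQL databases count or syntax!'),
		'nreseller_max_sql_user_cnt' => array(999, 'Incorrect max SQL users count or syntax!'),
		'nreseller_max_traffic' => array(999999, 'Incorrect max traffic amount or syntax!'),
		'nreseller_max_disk' => array(999999, 'Incorrect max disk amount or syntax!'),
	);

	foreach ($limits as $field => $rule) {
		list($max, $message) = $rule;
		$value = isset($_POST[$field]) ? $_POST[$field] : null;

		if (!vhcs_limit_check($value, $max) || $value == -1) {
			set_page_message(tr($message));
			return false;
		}
	}

	if ($reseller_ips == '') {
		set_page_message(tr('You must assign at least one IP number for a reseller!'));
		return false;
	}

	return check_reseller_data($edit_id, $rip_lst, $reseller_ips);
}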
$tpl = new pTemplate(); $tpl->define_dynamic('page', $cfg['RESELLER_TEMPLATE_PATH'] . '/chpsswd.tpl'); $tpl->define_dynamic('page_message', 'page'); $tpl->define_dynamic('logged_from', 'page'); $tpl->define_dynamic('custom_buttons', 'page'); global $cfg; $theme_color = $cfg['USER_INITIAL_THEME']; $tpl->assign(array('TR_CLIENT_CHANGE_PASSWORD_PAGE_TITLE' => tr('VHCS - Reseller/Change Password'), 'THEME_COLOR_PATH' => "../themes/{$theme_color}", 'THEME_CHARSET' => tr('encoding'), 'VHCS_LICENSE' => $cfg['VHCS_LICENSE'], 'ISP_LOGO' => get_logo($_SESSION['user_id']))); if (isset($_POST['uaction']) && $_POST['uaction'] === 'updt_pass') { if ($_POST['pass'] === '' || $_POST['pass_rep'] === '') { set_page_message(tr('Please fill up both data fields!')); } else { if ($_POST['pass'] !== $_POST['pass_rep']) { set_page_message(tr('Passwords does not match!')); } else { if (chk_password($_POST['pass']) > 0) { set_page_message(tr('Incorrect password range or syntax!')); } else { // Correct input password $upass = crypt_user_pass($_POST['pass']); $user_id = $_SESSION['user_id']; // Begin update admin-db $query = <<<SQL_QUERY update \tadmin set \tadmin_pass = ? where \tadmin_id = ? SQL_QUERY; $rs = exec_query($sql, $query, array($upass, $user_id));
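/**
 * Adds a SQL user to one of the customer's databases.
 *
 * Handles the add-SQL-user form: either a brand-new user (name and password
 * are validated) or, with Add_Exist, an existing user of the same domain
 * selected by sqluser_id. The user is recorded in `sql_user`, the reseller
 * counters are refreshed and ALL PRIVILEGES on the database are granted for
 * 'localhost' and '%'. Ends with a redirect to sql_manage.php; on any failed
 * check a page message is set and the function simply returns.
 *
 * @todo Database user with same name can be added several times
 * @todo If creation of database user fails in MySQL-Table, database user is already
 *       in loclal EasySCP table -> Error handling
 *
 * @param mixed $sql Database handle passed to exec_query()
 * @param int $user_id Id of the logged-in customer
 * @param int $db_id Id of the target database (`sql_database`.`sqld_id`)
 * @return void
 */
function add_sql_user($sql, $user_id, $db_id) {
	$cfg = EasySCP_Registry::get('Config');

	if (!isset($_POST['uaction'])) {
		return;
	}

	$addExisting = isset($_POST['Add_Exist']);

	// let's check user input (a re-used existing user carries no new name/password)
	if (!$addExisting && !_check_new_sql_user_input($cfg)) {
		return;
	}

	$dmn_id = get_user_domain_id($user_id);

	if ($addExisting) {
		// The referenced SQL user must belong to a database of this customer's
		// domain; without the join any customer's user could be selected by id
		$sqluserId = isset($_POST['sqluser_id']) ? $_POST['sqluser_id'] : '';
		$query = "
			SELECT
				`u`.`sqlu_name`, `u`.`sqlu_pass`
			FROM
				`sql_user` `u`
			JOIN
				`sql_database` `d` ON `d`.`sqld_id` = `u`.`sqld_id`
			WHERE
				`u`.`sqlu_id` = ?
			AND
				`d`.`domain_id` = ?
		";
		$rs = exec_query($sql, $query, array($sqluserId, $dmn_id));
		if ($rs->recordCount() == 0) {
			set_page_message(tr('SQL-user not found! 
			It might has been deleted by another user.'), 'warning');
			return;
		}
		$db_user = $rs->fields['sqlu_name'];
		$user_pass = decrypt_db_password($rs->fields['sqlu_pass']);
	} else {
		$user_pass = $_POST['pass'];
		$db_user = _build_sql_user_name($dmn_id, clean_input($_POST['user_name']));
	}

	if (strlen($db_user) > $cfg->MAX_SQL_USER_LENGTH) {
		set_page_message(tr('User name too long!'), 'warning');
		return;
	}

	// are wildcards used?
	if (preg_match("/[%|\\?]+/", $db_user)) {
		set_page_message(tr('Wildcards such as %% and ? are not allowed!'), 'warning');
		return;
	}

	// have we such sql user in the system?!
	if (!$addExisting && check_db_user($sql, $db_user)) {
		set_page_message(tr('Specified SQL username name already exists!'), 'warning');
		return;
	}

	// Resolve the database BEFORE inserting: previously the `sql_user` row was
	// written first and a db_id outside this domain left an orphaned row and an
	// empty database name for the GRANT below
	$query = "\n\t\tSELECT\n\t\t\t`sqld_name` AS `db_name`\n\t\tFROM\n\t\t\t`sql_database`\n\t\tWHERE\n\t\t\t`sqld_id` = ?\n\t\tAND\n\t\t\t`domain_id` = ?\n\t";
	$rs = exec_query($sql, $query, array($db_id, $dmn_id));
	if ($rs->recordCount() == 0) {
		set_page_message(tr('Database not found!'), 'warning');
		return;
	}
	$db_name = $rs->fields['db_name'];

	// add user in the EasySCP table;
	$query = "\n\t\tINSERT INTO `sql_user`\n\t\t\t(`sqld_id`, `sqlu_name`, `sqlu_pass`)\n\t\tVALUES\n\t\t\t(?, ?, ?)\n\t";
	exec_query($sql, $query, array($db_id, $db_user, encrypt_db_password($user_pass)));

	update_reseller_c_props(get_reseller_id($dmn_id));

	// Escape the MySQL pattern characters so the GRANT targets this exact database
	$db_name = preg_replace("/([_%\\?\\*])/", '\\\\$1', $db_name);

	// add user in the mysql system tables (user name, host and password are bound parameters)
	$query = "GRANT ALL PRIVILEGES ON " . quoteIdentifier($db_name) . ".* TO ?@? IDENTIFIED BY ?";
	exec_query($sql, $query, array($db_user, "localhost", $user_pass));
	exec_query($sql, $query, array($db_user, "%", $user_pass));

	write_log($_SESSION['user_logged'] . ": add SQL user: " . tohtml($db_user));
	set_page_message(tr('SQL user successfully added!'), 'info');
	user_goto('sql_manage.php');
}

/**
 * Validates name and password posted for a NEW SQL user.
 *
 * Sets a page message and returns FALSE at the first failing rule: missing
 * name, missing/mismatching password, password longer than MAX_SQL_PASS_LENGTH,
 * characters outside the allowed set, or a password rejected by chk_password().
 *
 * @param object $cfg Configuration object from EasySCP_Registry
 * @return bool TRUE when the input may be used
 */
function _check_new_sql_user_input($cfg) {
	if (empty($_POST['user_name'])) {
		set_page_message(tr('Please type user name!'), 'warning');
		return false;
	}

	$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
	$passRep = isset($_POST['pass_rep']) ? $_POST['pass_rep'] : '';

	if (empty($pass) && empty($passRep)) {
		set_page_message(tr('Please type user password!'), 'warning');
		return false;
	}
	// Strict comparison; this also catches a missing 'pass' field next to a
	// filled repeat field, which previously slipped through to the INSERT
	if ($pass !== $passRep) {
		set_page_message(tr('Entered passwords do not match!'), 'warning');
		return false;
	}
	if (strlen($pass) > $cfg->MAX_SQL_PASS_LENGTH) {
		set_page_message(tr('Too long user password!'), 'warning');
		return false;
	}
	if (!preg_match('/^[[:alnum:]:!*+#_.-]+$/', $pass)) {
		set_page_message(tr('Don\'t use special chars like "@, $, %..." in the password!'), 'warning');
		return false;
	}
	if (!chk_password($pass)) {
		if ($cfg->PASSWD_STRONG) {
			set_page_message(sprintf(tr('The password must be at least %s chars long and contain letters and numbers to be valid.'), $cfg->PASSWD_CHARS), 'warning');
		} else {
			set_page_message(sprintf(tr('Password data is shorter than %s signs or includes not permitted signs!'), $cfg->PASSWD_CHARS), 'warning');
		}
		return false;
	}

	return true;
}

/**
 * Builds the SQL user name, optionally prefixed or suffixed with the domain id.
 *
 * The form fields use_dmn_id ('on') and id_pos ('start'|'end') decide whether
 * and where "<dmn_id>_" is attached; any other combination returns $name as is.
 *
 * @param int $dmn_id Domain id of the customer
 * @param string $name Cleaned user name from the form
 * @return string
 */
function _build_sql_user_name($dmn_id, $name) {
	$useDmnId = isset($_POST['use_dmn_id']) && $_POST['use_dmn_id'] === 'on';
	$idPos = isset($_POST['id_pos']) ? $_POST['id_pos'] : '';

	if ($useDmnId && $idPos === 'start') {
		return $dmn_id . "_" . $name;
	}
	if ($useDmnId && $idPos === 'end') {
		return $name . "_" . $dmn_id;
	}
	return $name;
}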