From a48be33024451d99e55d07b12300b7816011f01d Mon Sep 17 00:00:00 2001 From: Humorhenker <36549980+Humorhenker@users.noreply.github.com> Date: Wed, 25 Sep 2019 22:01:48 +0200 Subject: [PATCH 1/8] rewrite --- private/config.ini | 3 +- public/admin.php | 22 ++-- public/bin/activatemail.php | 2 +- public/bin/addmaillist.php | 17 ++- public/bin/changemailpw.php | 27 ++--- public/bin/createmailuser.php | 199 +++++++++++++++++--------------- public/bin/deactivatemail.php | 3 +- public/bin/deletemail.php | 10 +- public/bin/dellist.php | 18 ++- public/bin/editlist.php | 38 +++++- public/bin/editlistpre.php | 50 +++++--- public/bin/maillistsettings.php | 94 ++++++++++----- public/bin/unsubmaillist.php | 65 +++++++++++ public/bin/unsubmaillistpre.php | 77 ++++++++++++ public/index.php | 2 +- public/login.php | 10 +- public/settings.php | 33 ++++-- public/unsub.php | 56 +++++++++ 18 files changed, 531 insertions(+), 195 deletions(-) create mode 100644 public/bin/unsubmaillist.php create mode 100644 public/bin/unsubmaillistpre.php create mode 100644 public/unsub.php diff --git a/private/config.ini b/private/config.ini index 24f8589..97aa4eb 100644 --- a/private/config.ini +++ b/private/config.ini @@ -8,4 +8,5 @@ dbname = mailfolderpath = maildirencryption = captcha = -allowregistration = \ No newline at end of file +allowregistration = +adminadress = diff --git a/public/admin.php b/public/admin.php index 34fa856..0436b26 100644 --- a/public/admin.php +++ b/public/admin.php @@ -25,7 +25,7 @@ session_start(); if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) { echo ' -Roteserver - Mail Admin Settings +Mail Admin Settings

Mail Admin Settings:

'; @@ -39,10 +39,10 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) { echo '

Mailadresse aktivieren:

'; @@ -51,17 +51,23 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) {

Mailadresse deaktivieren:

Emailadresse hinzufügen:

- + @@ -69,10 +75,10 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) {

Emailadresse entfernen:

diff --git a/public/bin/activatemail.php b/public/bin/activatemail.php index 018ce31..a43cf40 100644 --- a/public/bin/activatemail.php +++ b/public/bin/activatemail.php @@ -24,7 +24,7 @@ try { session_start(); if ($_SESSION['log'] == 1 && $_SESSION['admin']) { $mailuserID = $_POST['mailuserID']; - $eintrag = "UPDATE `mailserver`.`virtual_users` SET `active`='1' WHERE `id` LIKE :mailuserID"; + $eintrag = "UPDATE `accounts` SET `enabled`='1' WHERE `id` LIKE :mailuserID"; $sth = $dbh->prepare($eintrag); $sth->execute(array(':mailuserID' => $mailuserID)); header("Location: ../admin.php?success=1"); diff --git a/public/bin/addmaillist.php b/public/bin/addmaillist.php index d873648..05c332e 100644 --- a/public/bin/addmaillist.php +++ b/public/bin/addmaillist.php @@ -23,10 +23,23 @@ try { } session_start(); if ($_SESSION['log'] == 1 && $_SESSION['admin']) { - $eintrag = "INSERT INTO `virtual_aliases` (`domain_id`, `source`, `destination`, `owner`, `private`, `name`) VALUES (1, :source, :destination, :owner, :private, :name)"; // Aliasdaten in MailServer DB eintragen + $eintrag = "INSERT INTO `alias_details` (`name`, `owners`, `destinations`, `security`) VALUES (:newlistname, :owners, :destinations, :security)"; // Aliasdaten in MailServer DB eintragen $sth = $dbh->prepare($eintrag); - $sth->execute(array('source' => $_POST['maillistsource'], 'destination' => $_POST['maillistadresses'], 'owner' => $_POST['maillistownerid'], 'private' => $_POST['listprivate'], 'name' => $_POST['maillistname'])); + $sth->execute(array(':newlistname' => $_POST['newlistname'], ':owners' => $_POST['newlistowners'], ':destinations' => $_POST['newlistdestinations'], ':security' => $_POST['newlistsecurity'])); + $newlistid = $dbh->lastInsertID(); + foreach (explode(' ', $_POST['newlistowners']) as $maillistowner) { + $maillistownerex = explode('@', $maillistowner); + $eintrag = "INSERT INTO `alias_owner` (`alias_id`, `owner_username`, `owner_domain`) VALUES (:aliasid, :owner_username, :owner_domain)"; // Aliasdaten in MailServer DB eintragen + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $newlistid, ':owner_username' => $maillistownerex[0], ':owner_domain' => $maillistownerex[1])); } + foreach (explode(' ', $_POST['newlistdestinations']) as $maillistdestination) { + $maillistdestinationex = explode('@', $maillistdestination); + $eintrag = "INSERT INTO `aliases` (`alias_id`, `source_username`, `source_domain`, `destination_username`, `destination_domain`) VALUES (:aliasid, :source_username, :source_domain, :destination_username, :destination_domain)"; // Aliasdaten in MailServer DB eintragen + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $newlistid, ':source_username' => $_POST['newlistsourceadress'], ':source_domain' => $_POST['newlistsourcedomain'], ':destination_username' => $maillistdestinationex[0], ':destination_domain' => $maillistdestinationex[1])); + } +} header("Location: maillistsettings.php"); exit; ?> \ No newline at end of file diff --git a/public/bin/changemailpw.php b/public/bin/changemailpw.php index b37cc5c..ac10c2e 100644 --- a/public/bin/changemailpw.php +++ b/public/bin/changemailpw.php @@ -30,26 +30,27 @@ if ($_SESSION['log'] == 1) { header("Location: settings.php?wrongsymbols=1"); exit; } - $mailusername = $_SESSION['email']; - $abfrage = "SELECT `password` FROM `virtual_users` WHERE `email` = :newmailusernamefull"; + $mailusername = $_SESSION['username']; + $maildomain = $_SESSION['domain']; + $abfrage = "SELECT `password` FROM `accounts` WHERE `username` = :newmailusername AND `domain` = :newmaildomain"; $sth = $dbh->prepare($abfrage); - $sth->execute(array('newmailusernamefull' => $mailusername)); + $sth->execute(array(':newmailusername' => $mailusername, ':newmaildomain' => $maildomain)); $result= $sth->fetchAll(); $oldpwhashed = $result[0]['password']; if (password_verify($oldmailpw, $oldpwhashed)) { if (strlen($newmailpw) >= 8) { $newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]); - $eintrag = "UPDATE `virtual_users` SET `password` = :newmailpwhashed WHERE `email` LIKE :mailusername"; + $eintrag = "UPDATE `accounts` SET `password` = :newmailpwhashed WHERE `username` LIKE :mailusername AND `domain` LIKE :maildomain"; $sth = $dbh->prepare($eintrag); - $sth->execute(array('newmailpwhashed' => $newmailpwhashed, 'mailusername' => $mailusername)); - if ($config['maildirencryption']) { - if ($_POST['forcekeyregen']) { - exec('sudo -u vmail /usr/bin/doveadm -o stats_writer_socket_path= -o plugin/mail_crypt_private_password=' . escapeshellarg($newmailpw) . ' mailbox cryptokey generate -U -f -u ' . escapeshellarg($mailusername)); - } - else { - exec('sudo -u vmail /usr/bin/doveadm mailbox cryptokey password -o stats_writer_socket_path= -u ' . escapeshellarg($mailusername) . ' -n ' . escapeshellarg($newmailpw) . ' -o' . escapeshellcmd($oldmailpw)); - } - } + $sth->execute(array(':newmailpwhashed' => $newmailpwhashed, ':mailusername' => $mailusername, ':maildomain' => $maildomain)); + //if ($config['maildirencryption']) { + // if ($_POST['forcekeyregen']) { + // exec('sudo -u vmail /usr/bin/doveadm -o stats_writer_socket_path= -o plugin/mail_crypt_private_password=' . escapeshellarg($newmailpw) . ' mailbox cryptokey generate -U -f -u ' . escapeshellarg($mailusername)); + // } + // else { + // exec('sudo -u vmail /usr/bin/doveadm mailbox cryptokey password -o stats_writer_socket_path= -u ' . escapeshellarg($mailusername) . ' -n ' . escapeshellarg($newmailpw) . ' -o' . escapeshellcmd($oldmailpw)); + // } + //} header("Location: ../settings.php?success=1"); exit; } diff --git a/public/bin/createmailuser.php b/public/bin/createmailuser.php index 4b1c1f7..72adfda 100644 --- a/public/bin/createmailuser.php +++ b/public/bin/createmailuser.php @@ -21,121 +21,130 @@ try { //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen echo 'Connection failed'; } -if ($config['allowregistration']) { - - function createmailuser($newmailusername, $newmailpw, $newmailpwrep, $admin) { - global $dbh; - global $config; - $pattern = array(); - $pattern[0] = ' '; - $pattern[1] = '@'; - $pattern[2] = 'roteserver'; - $pattern[3] = 'roteserver.de'; - $pattern[4] = 'admin'; - $pattern[5] = 'noreply'; - $pattern[6] = 'info'; - $pattern[7] = 'webmaster'; - $newmailusername = str_replace($pattern, "", $newmailusername); - $newmailusernamefull = $newmailusername . '@roteserver.de'; - if (!filter_var($newmailuserfull, FILTER_VALIDATE_EMAIL)) { - // nicht ordentliche EmailAdresse +function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmailpwrep, $admin) { + global $dbh; + global $config; + $abfrage = "SELECT domain FROM `domains` WHERE `id` LIKE :newmaildomainid"; + $sth = $dbh->prepare($abfrage); + $sth->execute(array(':newmaildomainid' => $newmaildomainid)); + $result = $sth->fetchAll(); + $newmaildomain = $result[0]['domain']; + $pattern = array(); + $pattern[0] = ' '; + $pattern[1] = '@'; + if ($config['prohibadminmailcreation']) { + $pattern[2] = 'admin'; + $pattern[3] = 'noreply'; + $pattern[4] = 'info'; + $pattern[5] = 'webmaster'; + } + $newmailusername = str_replace($pattern, "", $newmailusername); + $newmailusernamefull = $newmailusername . '@' . $newmaildomain; + if (!filter_var($newmailusernamefull, FILTER_VALIDATE_EMAIL)) { + // nicht ordentliche EmailAdresse + header("Location: createmailpre.php?wrongsymbols=1"); + exit; + } + if(strpos($newmailusername, "'") !== false) { + if ($admin == 1) { + header("Location: ../admin.php?fehler=Falsche Zeichen in Adresse"); + exit; + } else { + header("Location: createmailpre.php?wrongsymbols=1"); + exit; + } + } + if (strpos($newmailpw, "'") !== false) { + if ($admin == 1) { + header("Location: ../admin.php?fehler=Falsche Zeichen in Passwort"); + exit; + } else { header("Location: createmailpre.php?wrongsymbols=1"); exit; } - if(strpos($newmailusername, "'") !== false) { - if ($admin == 1) { - header("Location: ../admin.php?fehler=Falsche Zeichen in Adresse"); - exit; - } else { - header("Location: createmailpre.php?wrongsymbols=1"); - exit; - } - } - if (strpos($newmailpw, "'") !== false) { - if ($admin == 1) { - header("Location: ../admin.php?fehler=Falsche Zeichen in Passwort"); - exit; - } else { - header("Location: createmailpre.php?wrongsymbols=1"); - exit; - } - } - if (strlen($newmailpw) >= 8) { - if ($newmailpw == $newmailpwrep) { - $abfrage = "SELECT 1 FROM `virtual_users` WHERE `email` = :newmailusernamefull"; - $sth = $dbh->prepare($abfrage); - $sth->execute(array('newmailusernamefull' => $newmailusernamefull)); - $result = $sth->fetchAll(); - if ($result[0][1] !== 1) { - $newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]); - $createdtimestamp = date("Y-m-d H:i:s"); - if ($config['maildirencryption']) { - $eintrag = "INSERT INTO `virtual_users` (`domain_id`, `password`, `email`, `username`, `active`, `created`, `pre-pw-key`, `pw-key`, `admin`) VALUES ('1', :newmailpwhashed, :newmailusernamefull, :newmailusername, '1', '$createdtimestamp', '0', '0', '0')"; // Maildaten in MailServer DB eintragen - $sth = $dbh->prepare($eintrag); // der Nutzer muss erst kurzzeitig aktive geschaltet werden, damit die cryptkeys erstellt werden können. Danach wird er direkt wieder deaktiviert. - $sth->execute(array('newmailpwhashed' => $newmailpwhashed, 'newmailusernamefull' => $newmailusernamefull, 'newmailusername' =>$newmailusername)); - $maildirpath = $config['mailfolderpath'] . $newmailusername; - umask(0); - mkdir($maildirpath, 0770); - exec('sudo -u vmail /usr/bin/doveadm -o stats_writer_socket_path= -o plugin/mail_crypt_private_password=' . escapeshellarg($newmailpw) . ' mailbox cryptokey generate -U -f -u ' . escapeshellarg($newmailusernamefull)); - $eintrag = "UPDATE `mailserver`.`virtual_users` SET `active`='0' WHERE `email` LIKE :newmailusernamefull"; - } - else { - $eintrag = "INSERT INTO `virtual_users` (`domain_id`, `password`, `email`, `username`, `active`, `created`) VALUES ('1', :newmailpwhashed, :newmailusernamefull, :newmailusername, '0', '$createdtimestamp')"; // Maildaten in MailServer DB eintragen - $sth = $dbh->prepare($eintrag); // der Nutzer muss erst kurzzeitig aktive geschaltet werden, damit die cryptkeys erstellt werden können. Danach wird er direkt wieder deaktiviert. - $sth->execute(array('newmailpwhashed' => $newmailpwhashed, 'newmailusernamefull' => $newmailusernamefull, 'newmailusername' => $newmailusername)); - $maildirpath = $config['mailfolderpath'] . $newmailusername; - umask(0); - mkdir($maildirpath, 0770); - } + } + if (strlen($newmailpw) >= 8) { + if ($newmailpw == $newmailpwrep) { + $abfrage = "SELECT 1 FROM `accounts` WHERE `username` = :newmailusername AND `domain` = :newmaildomain"; + $sth = $dbh->prepare($abfrage); + $sth->execute(array(':newmailusername' => $newmailusername, ':newmaildomain' => $newmaildomain)); + $result = $sth->fetchAll(); + print_r($result); + if ($result[0][1] !== 1) { + $newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]); + //$createdtimestamp = date("Y-m-d H:i:s"); + // if ($config['maildirencryption']) { + // $eintrag = "INSERT INTO `virtual_users` (`domain_id`, `password`, `email`, `username`, `active`, `created`, `pre-pw-key`, `pw-key`, `admin`) VALUES ('1', :newmailpwhashed, :newmailusernamefull, :newmailusername, '1', '$createdtimestamp', '0', '0', '0')"; // Maildaten in MailServer DB eintragen + // $sth = $dbh->prepare($eintrag); // der Nutzer muss erst kurzzeitig aktive geschaltet werden, damit die cryptkeys erstellt werden können. Danach wird er direkt wieder deaktiviert. + // $sth->execute(array('newmailpwhashed' => $newmailpwhashed, 'newmailusernamefull' => $newmailusernamefull, 'newmailusername' =>$newmailusername)); + // $maildirpath = $config['mailfolderpath'] . $newmailusername; + // umask(0); + // mkdir($maildirpath, 0770); + // exec('sudo -u vmail /usr/bin/doveadm -o stats_writer_socket_path= -o plugin/mail_crypt_private_password=' . escapeshellarg($newmailpw) . ' mailbox cryptokey generate -U -f -u ' . escapeshellarg($newmailusernamefull)); + // $eintrag = "UPDATE `mailserver`.`virtual_users` SET `active`='0' WHERE `email` LIKE :newmailusernamefull"; + // } + //else { + $eintrag = "INSERT INTO `accounts` (`username`, `domain`, `password`, `quota`, `enabled`, `sendonly`, `admin`) VALUES (:newmailusername, :newmaildomain, :newmailpwhashed, '2048', '1', '0', '0')"; // Maildaten in MailServer DB eintragen $sth = $dbh->prepare($eintrag); - $sth->execute(array(':newmailusernamefull' => $newmailusernamefull)); - $adminmailadress = $config['adminadress']; - $adresse = $config['domain'] . '/admin.php'; - // eine Mail an den Admin verschicken, damit er die Mail freischalten kann + $sth->execute(array(':newmailusername' => $newmailusername, ':newmaildomain' => $newmaildomain, ':newmailpwhashed' => $newmailpwhashed)); + //$maildirpath = $config['mailfolderpath'] . $newmailusername; + // umask(0); + // mkdir($maildirpath, 0770); + //} + //$sth = $dbh->prepare($eintrag); + //$sth->execute(array(':newmailusernamefull' => $newmailusernamefull)); + $adminmailadress = $config['adminadress']; + $adresse = $config['domain'] . '/admin.php'; + // eine Mail an den Admin verschicken, damit er die Mail freischalten kann + if ($config['sendactivationinfo']) { mail($adminmailadress, "Neue Mailadresse erstellt", "Eine neue Mailadresse wurde erstellt und muss freigeschaltet werden. \n \n" . htmlspecialchars($newmailusernamefull) . "\n " . $adresse, "From: mailservice"); - if ($admin == 1) { - header("Location: ../admin.php?success=1"); - exit; - } else { - header("Location: ../index.php"); - exit; - } - exit; - } else { // Emailadresse ist bereits registriert - if ($admin == 1) { - header("Location: ../admin.php?fehler=Mail besteht schon"); - exit; - } else { - header("Location: createmailpre.php?mailalreadytaken=1"); - exit; - } } - } - else { if ($admin == 1) { - header("Location: ../admin.php?fehler=PW nicht gleich"); + header("Location: ../admin.php?success=1"); exit; } else { - header("Location: createmailpre.php?pwnotequal=1"); + header("Location: ../index.php"); + exit; + } + exit; + } else { // Emailadresse ist bereits registriert + if ($admin == 1) { + header("Location: ../admin.php?fehler=Mail besteht schon"); + exit; + } else { + header("Location: createmailpre.php?mailalreadytaken=1"); exit; } } - } else { // Passwort zu kurz + } + else { if ($admin == 1) { - header("Location: ../admin.php?fehler=PW zu kurz"); + header("Location: ../admin.php?fehler=PW nicht gleich"); exit; } else { - header("Location: createmailpre.php?pwtooshort=1"); + header("Location: createmailpre.php?pwnotequal=1"); exit; } } + } else { // Passwort zu kurz + if ($admin == 1) { + header("Location: ../admin.php?fehler=PW zu kurz"); + exit; + } else { + header("Location: createmailpre.php?pwtooshort=1"); + exit; + } } - session_start(); - if ($_SESSION['log'] == 1 AND $_SESSION['admin'] == 1) { - createmailuser($_POST['newmailusername'], $_POST['newmailpw'], $_POST['newmailpwrep'], 1); - } +} +session_start(); +if ($_SESSION['log'] == 1 AND $_SESSION['admin'] == 1) { + print_r($_POST); + createmailuser($_POST['newmailusername'], $_POST['newmaildomainid'], $_POST['newmailpw'], $_POST['newmailpwrep'], 1); + exit; +} +if ($config['allowregistration']) { if ($_POST['captchacode'] == $_SESSION['captchacode']) { - createmailuser($_POST['newmailusername'], $_POST['newmailpw'], $_POST['newmailpwrep'], 0); + createmailuser($_POST['newmailusername'], $_POST['newmaildomainid'], $_POST['newmailpw'], $_POST['newmailpwrep'], 0); } elseif ($_POST['captchacode'] != $_SESSION['captchacode']) { header("Location: createmailpre.php?wrongcaptchacode=1"); diff --git a/public/bin/deactivatemail.php b/public/bin/deactivatemail.php index f096646..b6b4013 100644 --- a/public/bin/deactivatemail.php +++ b/public/bin/deactivatemail.php @@ -24,10 +24,11 @@ try { session_start(); if ($_SESSION['log'] == 1 && $_SESSION['admin']) { $mailuserID = $_POST['mailuserID']; - $eintrag = "UPDATE `mailserver`.`virtual_users` SET `active`='0' WHERE `id` LIKE :mailuserID"; + $eintrag = "UPDATE `accounts` SET `enabled`='0' WHERE `id` LIKE :mailuserID"; $sth = $dbh->prepare($eintrag); $sth->execute(array(':mailuserID' => $mailuserID)); header("Location: ../admin.php?success=1"); exit; } header("Location: ../index.php"); +?> \ No newline at end of file diff --git a/public/bin/deletemail.php b/public/bin/deletemail.php index c2a3e64..e5debe1 100644 --- a/public/bin/deletemail.php +++ b/public/bin/deletemail.php @@ -47,15 +47,11 @@ if ($_SESSION['log'] == 1) { else { $mailuserID = $_SESSION['mailID']; } - $abfrage = "SELECT `username` FROM `virtual_users` WHERE `id` = :mailuserID"; - $sth = $dbh->prepare($abfrage); - $sth->execute(array('mailuserID' => $mailuserID)); - $result = $sth->fetchAll(); - $eintrag = "DELETE FROM `mailserver`.`virtual_users` WHERE `id` LIKE :mailuserID"; + $eintrag = "DELETE FROM `accounts` WHERE `id` LIKE :mailuserID"; $sth = $dbh->prepare($eintrag); $sth->execute(array(':mailuserID' => $mailuserID)); - $maildirpath = $config['mailfolderpath'] . $result[0]['username']; - delete_directory($maildirpath); + //$maildirpath = $config['mailfolderpath'] . $result[0]['username']; + //delete_directory($maildirpath); header("Location: ../admin.php?success=1"); exit; } diff --git a/public/bin/dellist.php b/public/bin/dellist.php index ea81218..82f5e1b 100644 --- a/public/bin/dellist.php +++ b/public/bin/dellist.php @@ -22,11 +22,23 @@ try { echo 'Connection failed'; } session_start(); -if ($_SESSION['log'] == 1 && $_SESSION['admin']) { - $eintrag = "DELETE FROM `mailserver`.`virtual_aliases` WHERE `id` LIKE :maillistid"; +if ($_SESSION['log'] == 1) { + if (!$_SESSION['admin']) { + $abfrage = "SELECT `alias_id` FROM `alias_owner` WHERE `owner_username` LIKE :owner_username AND `owner_domain` LIKE :owner_domain AND alias_id LIKE :editlistid"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':owner_username' => $_SESSION['username'], ':owner_domain' => $_SESSION['domain'], ':editlistid' => $_GET['editlistid'])); + if ($result->rowCount() <= 0) { + header("Location: maillistsettings.php"); + exit; + } + } + $eintrag = "DELETE FROM `aliases` WHERE `alias_id` LIKE :aliasid; DELETE FROM `alias_owner` WHERE `alias_id` LIKE :aliasid; DELETE FROM `alias_details` WHERE `id` LIKE :aliasid"; $sth = $dbh->prepare($eintrag); - $sth->execute(array(':maillistid' => $_GET['dellistid'])); + $sth->execute(array(':aliasid' => $_GET['dellistid'])); header("Location: maillistsettings.php"); exit; +} else { + header("Location: ../index.php"); + exit; } ?> \ No newline at end of file diff --git a/public/bin/editlist.php b/public/bin/editlist.php index 879f15e..53e6eb1 100644 --- a/public/bin/editlist.php +++ b/public/bin/editlist.php @@ -22,11 +22,43 @@ try { echo 'Connection failed'; } session_start(); -if ($_SESSION['log'] == 1 && $_SESSION['admin']) { - $eintrag = "UPDATE `virtual_aliases` SET `source` = :newsource, `destination` = :newdestination, `owner` = :newowner, `private` = :newprivate, `name` = :newname WHERE `id` LIKE :editlistid"; +if ($_SESSION['log'] == 1) { + if (!$_SESSION['admin']) { + $abfrage = "SELECT `alias_id` FROM `alias_owner` WHERE `owner_username` LIKE :owner_username AND `owner_domain` LIKE :owner_domain AND alias_id LIKE :editlistid"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':owner_username' => $_SESSION['username'], ':owner_domain' => $_SESSION['domain'], ':editlistid' => $_POST['editlistid'])); + if ($result->rowCount() <= 0) { + header("Location: maillistsettings.php"); + exit; + } + } + $newlistowner = explode('@', $_POST['newlistowner']); + $eintrag = "UPDATE `alias_details` SET `name` = :newlistname, `owners` = :owners, `destinations` = :destinations, `security` = :security WHERE `id` LIKE :editlistid"; // Aliasdaten in MailServer DB eintragen $sth = $dbh->prepare($eintrag); - $sth->execute(array('newsource' => $_POST['newlistsource'], 'newdestination' => $_POST['newlistdestination'], 'newowner' => $_POST['newlistownerid'], 'newprivate' => $_POST['newlistprivate'], 'newname' => $_POST['newlistname'], 'editlistid' => $_POST['editlistid'])); + $sth->execute(array(':newlistname' => $_POST['newlistname'], ':owners' => $_POST['newlistowners'], ':destinations' => $_POST['newlistdestinations'], ':security' => $_POST['newlistsecurity'], ':editlistid' => $_POST['editlistid'])); + $newlistsource = explode('@', $_POST['newlistsource']); + $eintrag = "DELETE FROM `alias_owner` WHERE `alias_id` LIKE :aliasid"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $_POST['editlistid'])); + foreach (explode(' ', $_POST['newlistowners']) as $maillistowner) { + $maillistownerex = explode('@', $maillistowner); + $eintrag = "INSERT INTO `alias_owner` (`alias_id`, `owner_username`, `owner_domain`) VALUES (:aliasid, :owner_username, :owner_domain)"; // Aliasdaten in MailServer DB eintragen + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $_POST['editlistid'], ':owner_username' => $maillistownerex[0], ':owner_domain' => $maillistownerex[1])); + } + $eintrag = "DELETE FROM `aliases` WHERE `alias_id` LIKE :aliasid"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $_POST['editlistid'])); + foreach (explode(' ', $_POST['newlistdestinations']) as $maillistdestination) { + $maillistdestinationex = explode('@', $maillistdestination); + $eintrag = "INSERT INTO `aliases` (`alias_id`, `source_username`, `source_domain`, `destination_username`, `destination_domain`) VALUES (:aliasid, :source_username, :source_domain, :destination_username, :destination_domain)"; // Aliasdaten in MailServer DB eintragen + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $_POST['editlistid'], ':source_username' => $newlistsource[0], ':source_domain' => $newlistsource[1], ':destination_username' => $maillistdestinationex[0], ':destination_domain' => $maillistdestinationex[1])); + } header("Location: maillistsettings.php"); exit; +} else { + header("Location: ../index.php"); + exit; } ?> \ No newline at end of file diff --git a/public/bin/editlistpre.php b/public/bin/editlistpre.php index 76bd5ca..decb411 100644 --- a/public/bin/editlistpre.php +++ b/public/bin/editlistpre.php @@ -22,40 +22,53 @@ try { echo 'Connection failed'; } session_start(); -if ($_SESSION['log'] == 1 && $_SESSION['admin']) { +if ($_SESSION['log']) { + if (!$_SESSION['admin']) { + $abfrage = "SELECT `alias_id` FROM `alias_owner` WHERE `owner_username` LIKE :owner_username AND `owner_domain` LIKE :owner_domain AND alias_id LIKE :editlistid"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':owner_username' => $_SESSION['username'], ':owner_domain' => $_SESSION['domain'], ':editlistid' => $_GET['editlistid'])); + if ($result->rowCount() <= 0) { + header("Location: maillistsettings.php"); + exit; + } + } echo ' Mailliste editieren

Zurück zur Maillistoberfläche (Editieren abbrechen)


'; - $abfrage = "SELECT `source`, `destination`, `owner`, `private`, `name` FROM `virtual_aliases` WHERE `id` LIKE :editlistid"; + $abfrage = "SELECT `name`, `owners`, `security` FROM `alias_details` WHERE `id` LIKE :editlistid"; $result = $dbh->prepare($abfrage); - $result->execute(array('editlistid' => $_GET['editlistid'])); + $result->execute(array(':editlistid' => $_GET['editlistid'])); while ($lists = $result->fetch()) { + $abfrage2 = "SELECT `source_username`, `source_domain` FROM `aliases` WHERE `alias_id` LIKE :aliasid"; + $result2 = $dbh->prepare($abfrage2); + $result2->execute(array(':aliasid' => $_GET['editlistid'])); + $listdetails = $result2->fetch(); echo' - - +
+ -
@@ -63,5 +76,8 @@ if ($_SESSION['log'] == 1 && $_SESSION['admin']) { '; } +} else { + header("Location: ../index.php"); + exit; } ?> \ No newline at end of file diff --git a/public/bin/maillistsettings.php b/public/bin/maillistsettings.php index 55cafb0..2b43a65 100644 --- a/public/bin/maillistsettings.php +++ b/public/bin/maillistsettings.php @@ -22,46 +22,82 @@ try { echo 'Connection failed'; } session_start(); -if ($_SESSION['log'] == 1 && $_SESSION['admin']) { +if ($_SESSION['log'] == 1) { + if (!$_SESSION['admin']) { + $aliasids = ""; + $abfrage = "SELECT `alias_id` FROM `alias_owner` WHERE `owner_username` LIKE :owner_username AND `owner_domain` LIKE :owner_domain"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':owner_username' => $_SESSION['username'], ':owner_domain' => $_SESSION['domain'])); + if ($result->rowCount() <= 0) { + header("Location: ../settings.php"); + exit; + } + while ($aliases = $result->fetch()) { + $aliasids = $aliasids . $aliases['alias_id'] . '|'; + } + } echo ' Maillist Einstellung -

Maillinglisten Einstellungen

-

Zurück zur Adminoberfläche


- - - - + +
+ +
+ +

Bestehende Listen:

'; + } + else { + echo '

Zurück


Meine bestehenden Listen:

'; + } + if ($_SESSION['admin']) { + $abfrage = "SELECT `id`, `name`, `owners`, `destinations`, `security` FROM `alias_details`"; + $result = $dbh->query($abfrage); + } + else { + $abfrage = "SELECT `id`, `name`, `owners`, `destinations`, `security` FROM `alias_details` WHERE `id` REGEXP :aliasid"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':aliasid' => substr($aliasids, 0, -1))); } - echo '
- -
- -
-

Bestehende Listen:

- '; - $abfrage = "SELECT `id`, `source`, `destination`, `owner`, `private`, `name` FROM `virtual_aliases`"; - $result = $dbh->query($abfrage); echo ''; while ($lists = $result->fetch()) { - $abfrage2 = "SELECT `email` FROM `virtual_users` WHERE `id` LIKE :ownerid"; - $sth = $dbh->prepare($abfrage2); - $sth->execute(array('ownerid' => $lists['owner'])); - $result2 = $sth->fetchAll(); - echo ''; + $abfrage2 = "SELECT `source_username`, `source_domain` FROM `aliases` WHERE `alias_id` LIKE :aliasid"; + $result2 = $dbh->prepare($abfrage2); + $result2->execute(array(':aliasid' => $lists['id'])); + $listdetails = $result2->fetch(); + echo ''; } echo '
ListennameListenadresseListenempfängerListenbesitzerListensicherheitOptionen
' . $lists['name'] . '' . $lists['source'] . '' . $lists['destination'] . '' . $result2[0]['email'] . '' . $lists['private'] . 'Löschen
Editieren
' . $lists['name'] . '' . $listdetails['source_username'] . '@' . $listdetails['source_domain'] . ''; + foreach (explode(' ', $lists['destinations']) as $destination) { + echo $destination . '
'; + } + echo '		'; + foreach (explode(' ', $lists['owners']) as $owner) { + echo $owner . '
'; + } + echo '		' . $lists['security'] . 'Löschen
Editieren
'; echo ' '; } +else { + header("Location: ../index.php"); + exit; +} ?> \ No newline at end of file diff --git a/public/bin/unsubmaillist.php b/public/bin/unsubmaillist.php new file mode 100644 index 0000000..5efd6b8 --- /dev/null +++ b/public/bin/unsubmaillist.php @@ -0,0 +1,65 @@ +. */ +$config = parse_ini_file('../../private/config.ini'); +try { + $dbh = new PDO('mysql:host=' . $config['dbservername'] . ';dbname=' . $config['dbname'], $config['dbusername'], $config['dbpassword'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)); +} catch (PDOException $e) { + //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen + echo 'Connection failed'; +} +$eintrag = "DELETE FROM `alias_del_requests` WHERE DATEDIFF(NOW(), `created`) > :datediff"; +$sth = $dbh->prepare($eintrag); +$sth->execute(array(':datediff' => $config['deletedelrequestdaydiff'])); +if (isset($_GET['token'])) { + $abfrage = "SELECT `alias_id`, `destination_username`, `destination_domain` FROM `alias_del_requests` WHERE `token` LIKE :token"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':token' => $_GET['token'])); + if ($result->rowCount() > 0) { + $daten = $result->fetch(); + $aliasid = $daten['alias_id']; + $destination_username = $daten['destination_username']; + $destination_domain = $daten['destination_domain']; + $eintrag = "DELETE FROM `aliases` WHERE `alias_id` LIKE :aliasid AND `destination_username` LIKE :destination_username AND `destination_domain` LIKE :destination_domain"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $aliasid, ':destination_username' => $destination_username, ':destination_domain' => $destination_domain)); + + // Destinationszeile neu generieren (würde bestimmt einfacher gehen) + $abfrage2 = "SELECT `destination_username`, `destination_domain` FROM `aliases` WHERE `alias_id` LIKE :aliasid"; + $result2 = $dbh->prepare($abfrage2); + $result2->execute(array(':aliasid' => $aliasid)); + $listdestinations = ""; + while ($listdestination = $result2->fetch()) { + $listdestinations = $listdestinations . $listdestination['destination_username'] . '@' . $listdestination['destination_domain'] . ' '; + } + $eintrag = "UPDATE `alias_details` SET `destinations` = :destinations WHERE `id` LIKE :aliasid"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':destinations' => substr($listdestinations, 0, -1), ':aliasid' => $aliasid)); + $eintrag = "DELETE FROM `alias_del_requests` WHERE `token` LIKE :token"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':token' => $_GET['token'])); + print_r($_GET['token']); + header("Location: ../unsub.php?success=1"); + exit; + } else { + header("Location: ../unsub.php?unknowntoken=1"); + exit; + } +} else { + header("Location: ../index.php"); + exit; +} +?> \ No newline at end of file diff --git a/public/bin/unsubmaillistpre.php b/public/bin/unsubmaillistpre.php new file mode 100644 index 0000000..f58a6ee --- /dev/null +++ b/public/bin/unsubmaillistpre.php @@ -0,0 +1,77 @@ +. */ +use PHPMailer\PHPMailer\PHPMailer; +use PHPMailer\PHPMailer\Exception; +require '../vendor/autoload.php'; +$config = parse_ini_file('../../private/config.ini'); +try { + $dbh = new PDO('mysql:host=' . $config['dbservername'] . ';dbname=' . $config['dbname'], $config['dbusername'], $config['dbpassword'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)); +} catch (PDOException $e) { + //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen + echo 'Connection failed'; +} +$destination = explode('@', $_POST['destination_adress']); +$source = explode('@', $_POST['source_adress']); +$abfrage = "SELECT `alias_id` FROM `aliases` WHERE `source_username` LIKE :source_username AND `source_domain` LIKE :source_domain AND `destination_username` LIKE :destination_username AND `destination_domain` LIKE :destination_domain"; +$result = $dbh->prepare($abfrage); +$result->execute(array(':source_username' => $source[0], ':source_domain' => $source[1], ':destination_username' => $destination[0], ':destination_domain' => $destination[1])); +if ($result->rowCount() > 0) { + $aliasid = $result->fetch()['alias_id']; + $eintrag = "DELETE FROM `alias_del_requests` WHERE `alias_id` LIKE :aliasid AND `destination_username` LIKE :destination_username AND `destination_domain` LIKE :destination_domain"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $aliasid, ':destination_username' => $destination[0], ':destination_domain' => $destination[1])); // eventuell bestehenden Token löschen + $token = bin2hex(openssl_random_pseudo_bytes(16)); // Token zur abmeldung erstellen + $date = date("Y-m-d H:i:s"); // Datum der Tokenerstellung für automatische löschung speichern + $eintrag = "INSERT INTO `alias_del_requests` (`alias_id`, `destination_username`, `destination_domain`, `token`, `created`) VALUES (:aliasid, :destination_username, :destination_domain, :token, :created)"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':aliasid' => $aliasid, ':destination_username' => $destination[0], ':destination_domain' => $destination[1], ':token' => $token, ':created' => $date)); + $mail = new PHPMailer(true); + try { + $mail->CharSet = 'UTF-8'; + $mail->Encoding = 'base64'; + //Server settings + $mail->SMTPDebug = 0; + $mail->isSMTP(); // Set mailer to use SMTP + $mail->Host = $config['mailsmtpserver']; // Specify main and backup SMTP servers + $mail->SMTPAuth = true; // Enable SMTP authentication + $mail->Username = $config['mailadress']; // SMTP username + $mail->Password = $config['mailpw']; // SMTP password + $mail->SMTPSecure = 'tls'; + $mail->Port = 587; // TCP port to connect to + + //Recipients + $mail->setFrom($config['mailadress']); + $mail->addAddress($_POST['destination_adress']); + + // Content + $mail->isHTML(true); + $mail->Subject = 'Aus Liste ' . htmlspecialchars($_POST['source_adress']) . ' abmelden'; + $mail->Body = 'Eine Anfrage zur Abmeldung dieser Adresse aus ' . htmlspecialchars($_POST['source_adress']) . ' wurde erstellt.
Abmeldung abschließen' . '
Der Link ist 2 Tage gültig
Schade, dass du gehst. Bis dahin.'; + $mail->AltBody = 'Eine Anfrage zur Abmeldung dieser Adresse aus ' . htmlspecialchars($_POST['source_adress']) . ' wurde erstellt. Hier kannst du die Abmeldung abschließen: https://mail.cloud.sdaj.org/bin/unsubmaillist.php?token=' . $token . 'Der Link ist 2 Tage gültig Schade, dass du gehst. Bis dahin.'; + + $mail->send(); + } catch (Exception $e) { + echo "Message could not be sent."; + } + header("Location: ../unsub.php?mailsent=1"); + exit; +} +else { + header("Location: ../unsub.php?unknown=1"); + exit; +} +?> \ No newline at end of file diff --git a/public/index.php b/public/index.php index 645215b..23a2b9c 100644 --- a/public/index.php +++ b/public/index.php @@ -35,7 +35,7 @@ if (!isset($_SESSION['log']) OR $_SESSION['log'] != 1) { echo '

Neues Konto erstellen:

'; } - echo ' + echo 'Von einer Maillingliste abmelden '; diff --git a/public/login.php b/public/login.php index bdd2d80..d1a172a 100644 --- a/public/login.php +++ b/public/login.php @@ -22,18 +22,18 @@ try { //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen echo 'Connection failed'; } -$user = $_POST['username']; +$user = explode('@', $_POST['username']); $pw = $_POST['password']; -$abfrage = "SELECT `id`, `password`, `email`, `username`, `admin` FROM `virtual_users` WHERE `email` = :username AND `active`='1'"; +$abfrage = "SELECT `id`, `password`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1'"; $sth = $dbh->prepare($abfrage); -$sth->execute(array(':username' => $user)); +$sth->execute(array(':username' => $user[0], ':domain' => $user[1])); $userdata = $sth->fetchAll(); if ($sth->rowCount() > 0) { if (password_verify($pw, $userdata[0]['password'])) { $_SESSION['log'] = 1; - $_SESSION['username'] = $userdata[0]['username']; - $_SESSION['email'] = $userdata[0]['email']; + $_SESSION['username'] = $user[0]; + $_SESSION['domain'] = $user[1]; $_SESSION['admin'] = $userdata[0]['admin']; $_SESSION['mailID'] = $userdata[0]['id']; header("Location: settings.php"); diff --git a/public/settings.php b/public/settings.php index 09bc910..cdc757c 100644 --- a/public/settings.php +++ b/public/settings.php @@ -25,10 +25,15 @@ session_start(); if ($_SESSION['log'] == 1) { echo ' - Roteserver - Mail Settings + Mail Settings -

Mail Settings:

'; +

Mail Settings:

Guten Tag, ' . $_SESSION['username'] . '@' . $_SESSION['domain'] . '

'; + $randval = rand(0, 99); + echo ''; + if (rand(0,99) == 42) { + echo '
'; + } if (isset($_GET['success'])) { echo '

Erfolgreich geändert.

'; } @@ -36,17 +41,27 @@ if ($_SESSION['log'] == 1) { echo '

Passwörter nicht gleich!

'; } if ($_SESSION['admin'] == 1) { - echo '

Admin-Settings

'; + echo '

Admin-Settings (inklusive Maillisten)

'; + } + else { + $abfrage = "SELECT `alias_id` FROM `alias_owner` WHERE `owner_username` LIKE :owner_username AND `owner_domain` LIKE :owner_domain"; + $result = $dbh->prepare($abfrage); + $result->execute(array(':owner_username' => $_SESSION['username'], ':owner_domain' => $_SESSION['domain'])); + if ($result->rowCount() > 0) { + echo '

Meine Maillisten verwalten

'; + } } echo ''; echo '

Passwort ändern:

- - - - - -

Mailadresse löschen:

+ + + '; + if ($config['maildirencryption']) { + echo ''; + } + echo ' +

Diese Mailadresse löschen:

'; diff --git a/public/unsub.php b/public/unsub.php new file mode 100644 index 0000000..65b2a67 --- /dev/null +++ b/public/unsub.php @@ -0,0 +1,56 @@ +. */ +$config = parse_ini_file('../private/config.ini'); +try { + $dbh = new PDO('mysql:host=' . $config['dbservername'] . ';dbname=' . $config['dbname'], $config['dbusername'], $config['dbpassword'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)); +} catch (PDOException $e) { + //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen + echo 'Connection failed'; +} +$eintrag = "DELETE FROM `alias_del_requests` WHERE DATEDIFF(NOW(), `created`) > :datediff"; +$sth = $dbh->prepare($eintrag); +$sth->execute(array(':datediff' => $config['deletedelrequestdaydiff'])); +echo ' + + Abmelden + + '; +if (isset($_GET['unknown'])) { + echo '

Diese Adresse ist dieser Liste nicht zugeordnet

'; +} +if (isset($_GET['unknowntoken'])) { + echo '

Unbekannter Abmeldetoken. Erneut veruschen?

'; +} +if (isset($_GET['mailsent'])) { + echo '

Wir haben dir eine Email mit einem Link zur Bestätigung deiner Abmeldung geschickt. Der Link in der Mail ist 2 Tage gültig

'; +} +if (isset($_GET['success'])) { + echo '

Erfolgreich abgemeldet

'; +} +echo '

Mailliste Abmeldung:

+
+ + + +
'; +echo ' +'; +?> \ No newline at end of file From 632d9ccfeb062bfbff7b70108850ebf6201194c2 Mon Sep 17 00:00:00 2001 From: Humorhenker <36549980+Humorhenker@users.noreply.github.com> Date: Fri, 27 Sep 2019 14:41:48 +0200 Subject: [PATCH 2/8] Use htmlentities to mitigate potential XSS vulnerabilities --- public/admin.php | 10 +++++----- public/settings.php | 2 +- public/unsub.php | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/public/admin.php b/public/admin.php index 0436b26..e8a4d1c 100644 --- a/public/admin.php +++ b/public/admin.php @@ -33,7 +33,7 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) { echo 'Erfolgreich geändert.'; } if (isset($_GET['fehler'])) { - echo '

Fehler: ' . $_GET['fehler'] . '

'; + echo '

Fehler: ' . htmlentities($_GET['fehler']) . '

'; } echo '

Normale Einstellungen

'; echo '

Mailadresse aktivieren:

@@ -42,7 +42,7 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) { $abfrage = "SELECT `id`, `username`, `domain` FROM `accounts` WHERE `enabled` LIKE 0"; $result = $dbh->query($abfrage); while ($emails = $result->fetch()) { - echo ''; + echo ''; } echo ' '; @@ -54,7 +54,7 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) { $abfrage = "SELECT `id`, `username`, `domain` FROM `accounts` WHERE `enabled` LIKE 1"; $result = $dbh->query($abfrage); while ($emails = $result->fetch()) { - echo ''; + echo ''; } echo ' @@ -65,7 +65,7 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) { $abfrage = "SELECT `id`, `domain` FROM `domains`"; $result = $dbh->query($abfrage); while ($domains = $result->fetch()) { - echo ''; + echo ''; } echo ' (benutze nicht ' . "'" . ') @@ -78,7 +78,7 @@ echo ' (benutze nicht ' . "'" . ') $abfrage = "SELECT `id`, `username`, `domain` FROM `accounts`"; $result = $dbh->query($abfrage); while ($emails = $result->fetch()) { - echo ''; + echo ''; } echo ' diff --git a/public/settings.php b/public/settings.php index cdc757c..5a38737 100644 --- a/public/settings.php +++ b/public/settings.php @@ -28,7 +28,7 @@ if ($_SESSION['log'] == 1) { Mail Settings -

Mail Settings:

Guten Tag, ' . $_SESSION['username'] . '@' . $_SESSION['domain'] . '

'; +

Mail Settings:

Guten Tag, ' . htmlentities($_SESSION['username']) . '@' . htmlentities($_SESSION['domain']) . '

'; $randval = rand(0, 99); echo ''; if (rand(0,99) == 42) { diff --git a/public/unsub.php b/public/unsub.php index 65b2a67..d127483 100644 --- a/public/unsub.php +++ b/public/unsub.php @@ -45,7 +45,7 @@ echo '

Mailliste Abmeldung:

From c37c9a052506bfcea531c1ba55f58ee09f50cc7d Mon Sep 17 00:00:00 2001 From: Humorhenker <36549980+Humorhenker@users.noreply.github.com> Date: Fri, 27 Sep 2019 14:52:41 +0200 Subject: [PATCH 3/8] Fix potential user enumeration issue in list unsubscribe feature --- public/bin/unsubmaillistpre.php | 2 +- public/unsub.php | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/public/bin/unsubmaillistpre.php b/public/bin/unsubmaillistpre.php index f58a6ee..7cd9e14 100644 --- a/public/bin/unsubmaillistpre.php +++ b/public/bin/unsubmaillistpre.php @@ -71,7 +71,7 @@ if ($result->rowCount() > 0) { exit; } else { - header("Location: ../unsub.php?unknown=1"); + header("Location: ../unsub.php?mailsent=1"); exit; } ?> \ No newline at end of file diff --git a/public/unsub.php b/public/unsub.php index d127483..53d9151 100644 --- a/public/unsub.php +++ b/public/unsub.php @@ -29,14 +29,11 @@ echo ' Abmelden '; -if (isset($_GET['unknown'])) { - echo '

Diese Adresse ist dieser Liste nicht zugeordnet

'; -} if (isset($_GET['unknowntoken'])) { echo '

Unbekannter Abmeldetoken. Erneut veruschen?

'; } if (isset($_GET['mailsent'])) { - echo '

Wir haben dir eine Email mit einem Link zur Bestätigung deiner Abmeldung geschickt. Der Link in der Mail ist 2 Tage gültig

'; + echo '

Falls die angegebene E-Mail-Adresse auf der Mailingliste steht, haben wir dir eine Email mit einem Link zur Bestätigung deiner Abmeldung geschickt. Der Link in der Mail ist 2 Tage gültig

'; } if (isset($_GET['success'])) { echo '

Erfolgreich abgemeldet

'; From 24e4cb92bed235fc933f257aab4e6545916ac67d Mon Sep 17 00:00:00 2001 From: Humorhenker Date: Fri, 22 Nov 2019 14:30:22 +0100 Subject: [PATCH 4/8] =?UTF-8?q?Admin=20kann=20Passw=C3=B6rter=20=C3=A4nder?= =?UTF-8?q?n.=20Kleinere=20Fixes?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- public/admin.php | 12 ++++++++ public/bin/changemailpw.php | 2 +- public/bin/changemailpwadm.php | 50 ++++++++++++++++++++++++++++++++++ public/bin/createmailuser.php | 7 +++-- public/bin/deletemail.php | 7 ++++- public/settings.php | 3 +- 6 files changed, 74 insertions(+), 7 deletions(-) create mode 100644 public/bin/changemailpwadm.php diff --git a/public/admin.php b/public/admin.php index e8a4d1c..3d0b427 100644 --- a/public/admin.php +++ b/public/admin.php @@ -72,6 +72,18 @@ echo ' (benutze nicht ' . "'" . ') +

Passwort einer Email-Adresse ändern:

+
+'; + echo ' + +

Emailadresse entfernen:

'; } - echo ' + echo '

Diese Mailadresse löschen:

'; - echo ' '; exit; From 1487e8b38cb860937d0b8c7f1f3c53e956442bd7 Mon Sep 17 00:00:00 2001 From: Humorhenker Date: Sun, 24 Nov 2019 20:06:38 +0100 Subject: [PATCH 5/8] Maillisteneinstellungen visuell angepasst --- public/bin/maillistsettings.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/public/bin/maillistsettings.php b/public/bin/maillistsettings.php index 2b43a65..36f000b 100644 --- a/public/bin/maillistsettings.php +++ b/public/bin/maillistsettings.php @@ -61,7 +61,7 @@ if ($_SESSION['log'] == 1) {
- +

Bestehende Listen:

'; } else { @@ -76,7 +76,7 @@ if ($_SESSION['log'] == 1) { $result = $dbh->prepare($abfrage); $result->execute(array(':aliasid' => substr($aliasids, 0, -1))); } - echo ''; + echo '
ListennameListenadresseListenempfängerListenbesitzerListensicherheitOptionen
'; while ($lists = $result->fetch()) { $abfrage2 = "SELECT `source_username`, `source_domain` FROM `aliases` WHERE `alias_id` LIKE :aliasid"; $result2 = $dbh->prepare($abfrage2); From 1566aeaf2f19f2f9f775ef9e90b1c454b0753692 Mon Sep 17 00:00:00 2001 From: Humorhenker <36549980+Humorhenker@users.noreply.github.com> Date: Mon, 25 Nov 2019 23:27:36 +0100 Subject: [PATCH 6/8] =?UTF-8?q?Erzwingung=20der=20Passwort=C3=A4nderung=20?= =?UTF-8?q?bei=20erstem=20Login=20erm=C3=B6glicht=20(forcepwreset)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- public/bin/changemailpw.php | 28 +++++++++++++++++++------- public/bin/forcedpwreset.php | 39 ++++++++++++++++++++++++++++++++++++ public/index.php | 20 ++++++++++++++++-- public/login.php | 11 ++++++++-- 4 files changed, 87 insertions(+), 11 deletions(-) create mode 100644 public/bin/forcedpwreset.php diff --git a/public/bin/changemailpw.php b/public/bin/changemailpw.php index 4e1bb8f..ec95093 100644 --- a/public/bin/changemailpw.php +++ b/public/bin/changemailpw.php @@ -22,12 +22,13 @@ try { echo 'Connection failed'; } session_start(); -if ($_SESSION['log'] == 1) { +if ($_SESSION['log'] == 1 or $_SESSION['forcepwreset']) { if ($_POST['newmailpw'] == $_POST['newmailpwrep']) { $newmailpw = $_POST['newmailpw']; $oldmailpw = $_POST['oldmailpw']; if (strpos($newmailpw, "'") !== false) { - header("Location: ../settings.php?wrongsymbols=1"); + if ($_SESSION['forcepwreset']) header("Location: ../index.php?wrongsymbols=1"); + else header("Location: settings.php?wrongsymbols=1"); exit; } $mailusername = $_SESSION['username']; @@ -37,6 +38,10 @@ if ($_SESSION['log'] == 1) { $sth->execute(array(':newmailusername' => $mailusername, ':newmaildomain' => $maildomain)); $result= $sth->fetchAll(); $oldpwhashed = $result[0]['password']; + if ($_SESSION['forcepwreset'] and password_verify($newmailpw, $oldpwhashed)) { + header("Location: ../index.php?newpwequal=1"); + exit; + } if (password_verify($oldmailpw, $oldpwhashed)) { if (strlen($newmailpw) >= 8) { $newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]); @@ -51,23 +56,32 @@ if ($_SESSION['log'] == 1) { // exec('sudo -u vmail /usr/bin/doveadm mailbox cryptokey password -o stats_writer_socket_path= -u ' . escapeshellarg($mailusername) . ' -n ' . escapeshellarg($newmailpw) . ' -o' . escapeshellcmd($oldmailpw)); // } //} + if ($_SESSION['forcepwreset']) { + $_SESSION['forcepwreset'] = 0; + $_SESSION['log'] = 1; + $eintrag = "UPDATE `accounts` SET `forcepwreset` = '0', `enabled` = '1' WHERE `username` LIKE :mailusername AND `domain` LIKE :maildomain"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':mailusername' => $mailusername, ':maildomain' => $maildomain)); + } header("Location: ../settings.php?success=1"); exit; } else { - header("Location: ../settings.php?pwtoshort=1"); + if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwtoshort=1"); + else header("Location: ../settings.php?pwtoshort=1"); exit; } } else { - header( "Location: ../settings.php?pwmissmatch=1"); + if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwmissmatch=1"); + else header( "Location: ../settings.php?pwmissmatch=1"); exit; } } else { - header("Location: ../settings.php?pwnotequal=1"); + if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwnotequal=1"); + else header("Location: ../settings.php?pwnotequal=1"); exit; } } -header("Location: index.php"); -?> \ No newline at end of file +header("Location: ../index.php"); diff --git a/public/bin/forcedpwreset.php b/public/bin/forcedpwreset.php new file mode 100644 index 0000000..892d7f1 --- /dev/null +++ b/public/bin/forcedpwreset.php @@ -0,0 +1,39 @@ +. */ +$config = parse_ini_file('../../private/config.ini'); +try { + $dbh = new PDO('mysql:host=' . $config['dbservername'] . ';dbname=' . $config['dbname'], $config['dbusername'], $config['dbpassword'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)); +} catch (PDOException $e) { + //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen + echo 'Connection failed'; +} +session_start(); +if ($_SESSION['log']) { + header("Location: ../settings.php"); + exit; +} +if ($_SESSION['forcepwreset']) { + echo '

Du musst erstmal dein Passwort ändern:

+ + + + + '; + echo '
'; +} +else header("Location: ../index.php"); +?> \ No newline at end of file diff --git a/public/index.php b/public/index.php index 23a2b9c..a8b6ba4 100644 --- a/public/index.php +++ b/public/index.php @@ -19,16 +19,32 @@ $config = parse_ini_file('../private/config.ini'); if (!isset($_SESSION['log']) OR $_SESSION['log'] != 1) { echo ' + Login'; if (isset($_GET['badlogin'])) { echo '

falsche Logindaten

'; } + if (isset($_GET['pwnotequal'])) { + echo '

Passwörter nicht gleich!

Nochmal'; + } + if (isset($_GET['pwtoshort'])) { + echo '

eingegebe Passwörter sind zu kurz!

Nochmal'; + } + if (isset($_GET['pwmissmatch'])) { + echo '

Das eingegebene aktulle Passwort stimmt nicht!

Nochmal'; + } + if (isset($_GET['wrongsymbols'])) { + echo '

eingegebe Passwörter enthalten unerlaubte Symbole!

Nochmal'; + } + if (isset($_GET['newpwequal'])) { + echo '

Das neue Passwort entspricht dem alten!

Nochmal'; + } echo '

Webmail

Config-Login:

- - + + '; if ($config['allowregistration']) { diff --git a/public/login.php b/public/login.php index d1a172a..ff1ca55 100644 --- a/public/login.php +++ b/public/login.php @@ -25,17 +25,24 @@ try { $user = explode('@', $_POST['username']); $pw = $_POST['password']; -$abfrage = "SELECT `id`, `password`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1'"; +$abfrage = "SELECT `id`, `password`, `forcepwreset`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1' OR (`enabled`='0' AND `forcepwreset`='1')"; $sth = $dbh->prepare($abfrage); $sth->execute(array(':username' => $user[0], ':domain' => $user[1])); $userdata = $sth->fetchAll(); if ($sth->rowCount() > 0) { if (password_verify($pw, $userdata[0]['password'])) { - $_SESSION['log'] = 1; $_SESSION['username'] = $user[0]; $_SESSION['domain'] = $user[1]; $_SESSION['admin'] = $userdata[0]['admin']; $_SESSION['mailID'] = $userdata[0]['id']; + if ($userdata[0]['forcepwreset']) { + $_SESSION['forcepwreset'] = 1; + $_SESSION['log'] = 0; + header("Location: bin/forcedpwreset.php"); + exit; + } + $_SESSION['forcepwreset'] = 0; + $_SESSION['log'] = 1; header("Location: settings.php"); exit; } From 212c76429a7bebb36ef10b44521283e01be4aba1 Mon Sep 17 00:00:00 2001 From: Humorhenker <36549980+Humorhenker@users.noreply.github.com> Date: Mon, 25 Nov 2019 23:45:57 +0100 Subject: [PATCH 7/8] Verschiedene Fixes --- private/config.ini | 8 ++++++++ public/admin.php | 1 + public/bin/changemailpw.php | 2 +- public/bin/createmailuser.php | 10 +++++----- 4 files changed, 15 insertions(+), 6 deletions(-) diff --git a/private/config.ini b/private/config.ini index 97aa4eb..4db2db5 100644 --- a/private/config.ini +++ b/private/config.ini @@ -10,3 +10,11 @@ maildirencryption = captcha = allowregistration = adminadress = +deletedelrequestdaydiff = +sendactivationinfo = +prohibadminmailcreation = + +[mailserver] +mailsmtpserver="" +mailadress="" +mailpw='' diff --git a/public/admin.php b/public/admin.php index 3d0b427..8ca2bce 100644 --- a/public/admin.php +++ b/public/admin.php @@ -70,6 +70,7 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) { echo ' (benutze nicht ' . "'" . ') +

Passwort einer Email-Adresse ändern:

diff --git a/public/bin/changemailpw.php b/public/bin/changemailpw.php index ec95093..f0d5fa8 100644 --- a/public/bin/changemailpw.php +++ b/public/bin/changemailpw.php @@ -28,7 +28,7 @@ if ($_SESSION['log'] == 1 or $_SESSION['forcepwreset']) { $oldmailpw = $_POST['oldmailpw']; if (strpos($newmailpw, "'") !== false) { if ($_SESSION['forcepwreset']) header("Location: ../index.php?wrongsymbols=1"); - else header("Location: settings.php?wrongsymbols=1"); + else header("Location: ../settings.php?wrongsymbols=1"); exit; } $mailusername = $_SESSION['username']; diff --git a/public/bin/createmailuser.php b/public/bin/createmailuser.php index 0adb0ae..7342c10 100644 --- a/public/bin/createmailuser.php +++ b/public/bin/createmailuser.php @@ -21,7 +21,7 @@ try { //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen echo 'Connection failed'; } -function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmailpwrep, $admin) { +function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmailpwrep, $newmailforcepwreset, $admin) { global $dbh; global $config; $abfrage = "SELECT domain FROM `domains` WHERE `id` LIKE :newmaildomainid"; @@ -84,9 +84,9 @@ function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmail // $eintrag = "UPDATE `mailserver`.`virtual_users` SET `active`='0' WHERE `email` LIKE :newmailusernamefull"; // } //else { - $eintrag = "INSERT INTO `accounts` (`username`, `domain`, `password`, `quota`, `enabled`, `forcepwreset`, `sendonly`, `admin`) VALUES (:newmailusername, :newmaildomain, :newmailpwhashed, '2048', '1', '0', '0', '0')"; // Maildaten in MailServer DB eintragen + $eintrag = "INSERT INTO `accounts` (`username`, `domain`, `password`, `quota`, `enabled`, `forcepwreset`, `sendonly`, `admin`) VALUES (:newmailusername, :newmaildomain, :newmailpwhashed, '2048', '1', :forcepwreset, '0', '0')"; // Maildaten in MailServer DB eintragen $sth = $dbh->prepare($eintrag); - $sth->execute(array(':newmailusername' => $newmailusername, ':newmaildomain' => $newmaildomain, ':newmailpwhashed' => $newmailpwhashed)); + $sth->execute(array(':newmailusername' => $newmailusername, ':newmaildomain' => $newmaildomain, ':newmailpwhashed' => $newmailpwhashed, ':forcepwreset' => $newmailforcepwreset)); //$maildirpath = $config['mailfolderpath'] . $newmailusername; // umask(0); // mkdir($maildirpath, 0770); @@ -139,13 +139,13 @@ function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmail session_start(); if ($_SESSION['log'] == 1 AND $_SESSION['admin'] == 1) { //print_r($_POST); - createmailuser($_POST['newmailusername'], $_POST['newmaildomainid'], $_POST['newmailpw'], $_POST['newmailpwrep'], 1); + createmailuser($_POST['newmailusername'], $_POST['newmaildomainid'], $_POST['newmailpw'], $_POST['newmailpwrep'], $_POST['forcepwreset'], 1); header("Location: ../admin.php"); exit; } if ($config['allowregistration']) { if ($_POST['captchacode'] == $_SESSION['captchacode']) { - createmailuser($_POST['newmailusername'], $_POST['newmaildomainid'], $_POST['newmailpw'], $_POST['newmailpwrep'], 0); + createmailuser($_POST['newmailusername'], $_POST['newmaildomainid'], $_POST['newmailpw'], $_POST['newmailpwrep'], $_POST['forcepwreset'], 0); } elseif ($_POST['captchacode'] != $_SESSION['captchacode']) { header("Location: createmailpre.php?wrongcaptchacode=1"); From df0493007b4f3afd4189b28629a7f92c81257955 Mon Sep 17 00:00:00 2001 From: Humorhenker <36549980+Humorhenker@users.noreply.github.com> Date: Tue, 26 Nov 2019 00:08:56 +0100 Subject: [PATCH 8/8] =?UTF-8?q?Sch=C3=B6hnheits=C3=A4nderungen=20am=20Admi?= =?UTF-8?q?ninterface?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- public/admin.php | 20 +++++++++++++------- public/bin/createmailuser.php | 8 ++++---- 2 files changed, 17 insertions(+), 11 deletions(-) diff --git a/public/admin.php b/public/admin.php index 8ca2bce..3063347 100644 --- a/public/admin.php +++ b/public/admin.php @@ -39,7 +39,7 @@ if ($_SESSION['log'] == 1 and $_SESSION['admin'] == 1) { echo '

Mailadresse aktivieren:

ListennameListenadresseListenempfängerListenbesitzerListensicherheitOptionen
'; +$abfrage = "SELECT `id`, `username`, `domain`, `quota`, `enabled`, `sendonly`, `forcepwreset`, `admin` FROM `accounts` ORDER by `domain`, `username` ASC"; +$result = $dbh->query($abfrage); +while ($emails = $result->fetch()) { + echo ''; +} +echo '
Emailadressen:
Email-Adressequotaenabledsendonlyforcepwresetadmin
' . htmlentities($emails['username']) . '@' . htmlentities($emails['domain']) . '' . htmlentities($emails['quota']) . '' . htmlentities($emails['enabled']) . '' . htmlentities($emails['sendonly']) . '' . htmlentities($emails['forcepwreset']) . '' . htmlentities($emails['admin']) . '
'; exit; } diff --git a/public/bin/createmailuser.php b/public/bin/createmailuser.php index 7342c10..8964826 100644 --- a/public/bin/createmailuser.php +++ b/public/bin/createmailuser.php @@ -87,16 +87,16 @@ function createmailuser($newmailusername, $newmaildomainid, $newmailpw, $newmail $eintrag = "INSERT INTO `accounts` (`username`, `domain`, `password`, `quota`, `enabled`, `forcepwreset`, `sendonly`, `admin`) VALUES (:newmailusername, :newmaildomain, :newmailpwhashed, '2048', '1', :forcepwreset, '0', '0')"; // Maildaten in MailServer DB eintragen $sth = $dbh->prepare($eintrag); $sth->execute(array(':newmailusername' => $newmailusername, ':newmaildomain' => $newmaildomain, ':newmailpwhashed' => $newmailpwhashed, ':forcepwreset' => $newmailforcepwreset)); - //$maildirpath = $config['mailfolderpath'] . $newmailusername; + //$maildirpath = $config['mailfolderpath'] . $newmailusername; // umask(0); // mkdir($maildirpath, 0770); //} //$sth = $dbh->prepare($eintrag); //$sth->execute(array(':newmailusernamefull' => $newmailusernamefull)); - $adminmailadress = $config['adminadress']; - $adresse = $config['domain'] . '/admin.php'; - // eine Mail an den Admin verschicken, damit er die Mail freischalten kann if ($config['sendactivationinfo']) { + $adminmailadress = $config['adminadress']; + $adresse = $config['domain'] . '/admin.php'; + // eine Mail an den Admin verschicken, damit er die Mail freischalten kann mail($adminmailadress, "Neue Mailadresse erstellt", "Eine neue Mailadresse wurde erstellt und muss freigeschaltet werden. \n \n" . htmlspecialchars($newmailusernamefull) . "\n " . $adresse, "From: mailservice"); } if ($admin == 1) {