From 1566aeaf2f19f2f9f775ef9e90b1c454b0753692 Mon Sep 17 00:00:00 2001 From: Humorhenker <36549980+Humorhenker@users.noreply.github.com> Date: Mon, 25 Nov 2019 23:27:36 +0100 Subject: [PATCH] =?UTF-8?q?Erzwingung=20der=20Passwort=C3=A4nderung=20bei?= =?UTF-8?q?=20erstem=20Login=20erm=C3=B6glicht=20(forcepwreset)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- public/bin/changemailpw.php | 28 +++++++++++++++++++------- public/bin/forcedpwreset.php | 39 ++++++++++++++++++++++++++++++++++++ public/index.php | 20 ++++++++++++++++-- public/login.php | 11 ++++++++-- 4 files changed, 87 insertions(+), 11 deletions(-) create mode 100644 public/bin/forcedpwreset.php diff --git a/public/bin/changemailpw.php b/public/bin/changemailpw.php index 4e1bb8f..ec95093 100644 --- a/public/bin/changemailpw.php +++ b/public/bin/changemailpw.php @@ -22,12 +22,13 @@ try { echo 'Connection failed'; } session_start(); -if ($_SESSION['log'] == 1) { +if ($_SESSION['log'] == 1 or $_SESSION['forcepwreset']) { if ($_POST['newmailpw'] == $_POST['newmailpwrep']) { $newmailpw = $_POST['newmailpw']; $oldmailpw = $_POST['oldmailpw']; if (strpos($newmailpw, "'") !== false) { - header("Location: ../settings.php?wrongsymbols=1"); + if ($_SESSION['forcepwreset']) header("Location: ../index.php?wrongsymbols=1"); + else header("Location: settings.php?wrongsymbols=1"); exit; } $mailusername = $_SESSION['username']; @@ -37,6 +38,10 @@ if ($_SESSION['log'] == 1) { $sth->execute(array(':newmailusername' => $mailusername, ':newmaildomain' => $maildomain)); $result= $sth->fetchAll(); $oldpwhashed = $result[0]['password']; + if ($_SESSION['forcepwreset'] and password_verify($newmailpw, $oldpwhashed)) { + header("Location: ../index.php?newpwequal=1"); + exit; + } if (password_verify($oldmailpw, $oldpwhashed)) { if (strlen($newmailpw) >= 8) { $newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]); 
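Review bot: The new non-forced branch of the apostrophe check redirects to `settings.php?wrongsymbols=1` without the `../` prefix, so from `public/bin/` it resolves to `bin/settings.php`, while every other branch in this file targets `../settings.php`. It should read `else header("Location: ../settings.php?wrongsymbols=1");`. The widened guard `$_SESSION['log'] == 1 or $_SESSION['forcepwreset']` reads both keys without `isset()`, which raises notices for a request that has no session state; `!empty($_SESSION['forcepwreset'])` avoids that for the new key. The body of this `if` continues past the hunk.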
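Review bot: The added `newpwequal` test calls `password_verify($newmailpw, $oldpwhashed)` before the existing `password_verify($oldmailpw, $oldpwhashed)` check, so a forced-reset session gets a yes/no answer about the stored hash before the current password has been confirmed in this request. Moving the test inside the branch that has already verified `$oldmailpw` keeps a single gate in front of the stored hash and lets the same rule cover ordinary password changes. `$result[0]['password']` is also dereferenced without checking that the query returned a row; the SELECT itself is outside the hunk, so whether it can come back empty for a forced-reset session should be confirmed.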
@@ -51,23 +56,32 @@ if ($_SESSION['log'] == 1) { // exec('sudo -u vmail /usr/bin/doveadm mailbox cryptokey password -o stats_writer_socket_path= -u ' . escapeshellarg($mailusername) . ' -n ' . escapeshellarg($newmailpw) . ' -o' . escapeshellcmd($oldmailpw)); // } //} + if ($_SESSION['forcepwreset']) { + $_SESSION['forcepwreset'] = 0; + $_SESSION['log'] = 1; + $eintrag = "UPDATE `accounts` SET `forcepwreset` = '0', `enabled` = '1' WHERE `username` LIKE :mailusername AND `domain` LIKE :maildomain"; + $sth = $dbh->prepare($eintrag); + $sth->execute(array(':mailusername' => $mailusername, ':maildomain' => $maildomain)); + } header("Location: ../settings.php?success=1"); exit; } else { - header("Location: ../settings.php?pwtoshort=1"); + if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwtoshort=1"); + else header("Location: ../settings.php?pwtoshort=1"); exit; } } else { - header( "Location: ../settings.php?pwmissmatch=1"); + if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwmissmatch=1"); + else header( "Location: ../settings.php?pwmissmatch=1"); exit; } } else { - header("Location: ../settings.php?pwnotequal=1"); + if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwnotequal=1"); + else header("Location: ../settings.php?pwnotequal=1"); exit; } } -header("Location: index.php"); -?> \ No newline at end of file +header("Location: ../index.php"); diff --git a/public/bin/forcedpwreset.php b/public/bin/forcedpwreset.php new file mode 100644 index 0000000..892d7f1 --- /dev/null +++ b/public/bin/forcedpwreset.php 
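Review bot: The new activation UPDATE matches with `LIKE :mailusername` and `LIKE :maildomain`, so `_` and `%` in the session's username or domain act as wildcards, and the statement can clear `forcepwreset` and set `enabled` to 1 on accounts other than the one that just changed its password. Use equality as login.php does, i.e. `= :mailusername` and `= :maildomain`. This is also where the session moves from `log = 0` to `log = 1`, so calling `session_regenerate_id(true)` next to `$_SESSION['log'] = 1;` would give the now fully authenticated session a fresh identifier.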
@@ -0,0 +1,39 @@ +. */ +$config = parse_ini_file('../../private/config.ini'); +try { + $dbh = new PDO('mysql:host=' . $config['dbservername'] . ';dbname=' . $config['dbname'], $config['dbusername'], $config['dbpassword'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)); +} catch (PDOException $e) { + //echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen + echo 'Connection failed'; +} +session_start(); +if ($_SESSION['log']) { + header("Location: ../settings.php"); + exit; +} +if ($_SESSION['forcepwreset']) { + echo '

Du musst erstmal dein Passwort ändern:

+
+ + + +
'; + echo '
'; +} +else header("Location: ../index.php"); +?> \ No newline at end of file diff --git a/public/index.php b/public/index.php index 23a2b9c..a8b6ba4 100644 --- a/public/index.php +++ b/public/index.php @@ -19,16 +19,32 @@ $config = parse_ini_file('../private/config.ini'); if (!isset($_SESSION['log']) OR $_SESSION['log'] != 1) { echo ' + Login '; if (isset($_GET['badlogin'])) { echo '
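Review bot: When the PDO connection fails, the `catch` block echoes `Connection failed` and execution continues, so the later `header("Location: …")` calls run after output has been sent (and fail unless output buffering is on); add `exit;` after the echo. None of the lines visible here use `$dbh`, so the config parse and the connection may not be needed in this file at all; the form markup was lost in this rendering, so that is an inference. `$_SESSION['log']` and `$_SESSION['forcepwreset']` are read without `isset()`. The hunks shown for changemailpw.php contain no request-token check, so it is worth confirming that the password form here carries a per-session CSRF token that the handler verifies.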

falsche Logindaten

'; } + if (isset($_GET['pwnotequal'])) { + echo '

Passwörter nicht gleich!

Nochmal'; + } + if (isset($_GET['pwtoshort'])) { + echo '

eingegebe Passwörter sind zu kurz!

Nochmal'; + } + if (isset($_GET['pwmissmatch'])) { + echo '

Das eingegebene aktulle Passwort stimmt nicht!

Nochmal'; + } + if (isset($_GET['wrongsymbols'])) { + echo '

eingegebe Passwörter enthalten unerlaubte Symbole!

Nochmal'; + } + if (isset($_GET['newpwequal'])) { + echo '

Das neue Passwort entspricht dem alten!

Nochmal'; + } echo '

Webmail

Config-Login:

- - + +
'; if ($config['allowregistration']) { diff --git a/public/login.php b/public/login.php index d1a172a..ff1ca55 100644 --- a/public/login.php +++ b/public/login.php @@ -25,17 +25,24 @@ try { $user = explode('@', $_POST['username']); $pw = $_POST['password']; -$abfrage = "SELECT `id`, `password`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1'"; +$abfrage = "SELECT `id`, `password`, `forcepwreset`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1' OR (`enabled`='0' AND `forcepwreset`='1')"; $sth = $dbh->prepare($abfrage); $sth->execute(array(':username' => $user[0], ':domain' => $user[1])); $userdata = $sth->fetchAll(); if ($sth->rowCount() > 0) { if (password_verify($pw, $userdata[0]['password'])) { - $_SESSION['log'] = 1; $_SESSION['username'] = $user[0]; $_SESSION['domain'] = $user[1]; $_SESSION['admin'] = $userdata[0]['admin']; $_SESSION['mailID'] = $userdata[0]['id']; + if ($userdata[0]['forcepwreset']) { + $_SESSION['forcepwreset'] = 1; + $_SESSION['log'] = 0; + header("Location: bin/forcedpwreset.php"); + exit; + } + $_SESSION['forcepwreset'] = 0; + $_SESSION['log'] = 1; header("Location: settings.php"); exit; }
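Review bot: Three of the new user-facing strings in index.php carry typos: `eingegebe Passwörter` (twice) should read `eingegebene Passwörter`, and `aktulle` should read `aktuelle`. The five `isset($_GET[...])` blocks differ only in key and message, so a key-to-message array with one loop would keep them in step with the redirect parameters set in bin/changemailpw.php. The messages are shown to any visitor who supplies the parameter; checking `!empty($_SESSION['forcepwreset'])` first would limit them to the flow that produces them. The markup around the strings was lost in this rendering, so the target of the `Nochmal` links is not visible.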
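Review bot: In the new `WHERE` clause of login.php, `AND` binds tighter than `OR`, so the `OR (enabled='0' AND forcepwreset='1')` arm is not tied to `:username` and `:domain`. The query can therefore return rows of other accounts that are awaiting a forced reset, and `$userdata[0]` is not necessarily the account named in the form, while `$_SESSION['username']` and `$_SESSION['domain']` are still filled from the POST data. Parenthesise the status test (identifier quoting omitted here): `... AND domain = :domain AND (enabled='1' OR (enabled='0' AND forcepwreset='1'))`. A `session_regenerate_id(true)` before the `$_SESSION[...]` assignments would also be worth adding, and `$user[1]` is undefined when the submitted name contains no `@`.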