Erzwingung der Passwortänderung bei erstem Login ermöglicht (forcepwreset)
This commit is contained in:
Humorhenker
parent
1487e8b38c
commit
1566aeaf2f
|
|
@ -22,12 +22,13 @@ try {
|
|||
echo 'Connection failed';
|
||||
}
|
||||
session_start();
|
||||
if ($_SESSION['log'] == 1) {
|
||||
if ($_SESSION['log'] == 1 or $_SESSION['forcepwreset']) {
|
||||
if ($_POST['newmailpw'] == $_POST['newmailpwrep']) {
|
||||
$newmailpw = $_POST['newmailpw'];
|
||||
$oldmailpw = $_POST['oldmailpw'];
|
||||
if (strpos($newmailpw, "'") !== false) {
|
||||
header("Location: ../settings.php?wrongsymbols=1");
|
||||
if ($_SESSION['forcepwreset']) header("Location: ../index.php?wrongsymbols=1");
|
||||
else header("Location: settings.php?wrongsymbols=1");
|
||||
exit;
|
||||
}
|
||||
$mailusername = $_SESSION['username'];
|
||||
|
|
@ -37,6 +38,10 @@ if ($_SESSION['log'] == 1) {
|
|||
$sth->execute(array(':newmailusername' => $mailusername, ':newmaildomain' => $maildomain));
|
||||
$result= $sth->fetchAll();
|
||||
$oldpwhashed = $result[0]['password'];
|
||||
if ($_SESSION['forcepwreset'] and password_verify($newmailpw, $oldpwhashed)) {
|
||||
header("Location: ../index.php?newpwequal=1");
|
||||
exit;
|
||||
}
|
||||
if (password_verify($oldmailpw, $oldpwhashed)) {
|
||||
if (strlen($newmailpw) >= 8) {
|
||||
$newmailpwhashed = password_hash($newmailpw, PASSWORD_ARGON2I, ['memory_cost' => 32768, 'time_cost' => 4]);
|
||||
|
|
@ -51,23 +56,32 @@ if ($_SESSION['log'] == 1) {
|
|||
// exec('sudo -u vmail /usr/bin/doveadm mailbox cryptokey password -o stats_writer_socket_path= -u ' . escapeshellarg($mailusername) . ' -n ' . escapeshellarg($newmailpw) . ' -o' . escapeshellcmd($oldmailpw));
|
||||
// }
|
||||
//}
|
||||
if ($_SESSION['forcepwreset']) {
|
||||
$_SESSION['forcepwreset'] = 0;
|
||||
$_SESSION['log'] = 1;
|
||||
$eintrag = "UPDATE `accounts` SET `forcepwreset` = '0', `enabled` = '1' WHERE `username` LIKE :mailusername AND `domain` LIKE :maildomain";
|
||||
$sth = $dbh->prepare($eintrag);
|
||||
$sth->execute(array(':mailusername' => $mailusername, ':maildomain' => $maildomain));
|
||||
}
|
||||
header("Location: ../settings.php?success=1");
|
||||
exit;
|
||||
}
|
||||
else {
|
||||
header("Location: ../settings.php?pwtoshort=1");
|
||||
if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwtoshort=1");
|
||||
else header("Location: ../settings.php?pwtoshort=1");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
else {
|
||||
header( "Location: ../settings.php?pwmissmatch=1");
|
||||
if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwmissmatch=1");
|
||||
else header( "Location: ../settings.php?pwmissmatch=1");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
else {
|
||||
header("Location: ../settings.php?pwnotequal=1");
|
||||
if ($_SESSION['forcepwreset']) header("Location: ../index.php?pwnotequal=1");
|
||||
else header("Location: ../settings.php?pwnotequal=1");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
header("Location: index.php");
|
||||
?>
|
||||
header("Location: ../index.php");
|
||||
|
|
|
|||
|
|
@ -0,0 +1,39 @@
|
|||
<?php
|
||||
/* Mailadminscript
|
||||
Copyright (C) 2019 Paul Schürholz contact AT roteserver . de
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>. */
|
||||
$config = parse_ini_file('../../private/config.ini');
|
||||
try {
|
||||
$dbh = new PDO('mysql:host=' . $config['dbservername'] . ';dbname=' . $config['dbname'], $config['dbusername'], $config['dbpassword'], array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
|
||||
} catch (PDOException $e) {
|
||||
//echo 'Connection failled: '. $e->getMessage(); // Errormessage kann Sicherheitsrelevantes enthalen
|
||||
echo 'Connection failed';
|
||||
}
|
||||
session_start();
|
||||
if ($_SESSION['log']) {
|
||||
header("Location: ../settings.php");
|
||||
exit;
|
||||
}
|
||||
if ($_SESSION['forcepwreset']) {
|
||||
echo '<h3>Du musst erstmal dein Passwort ändern:</h3>
|
||||
<form name="changemailpw" method=POST action="changemailpw.php">
|
||||
<label>Altes Passwort: <input type="password" name="oldmailpw"/></label>
|
||||
<label>Neues Passwort: <input type="password" name="newmailpw"/>(min. 8 Zeichen, benutze nicht ' . "'" . ')</label>
|
||||
<label>Neue Passwort wiederholen: <input type="password" name="newmailpwrep"/></label>
|
||||
<input type="submit" value="Abschicken"/></form>';
|
||||
echo '<br><a href="../logout.php"><button>Logout</button></a>';
|
||||
}
|
||||
else header("Location: ../index.php");
|
||||
?>
|
||||
|
|
@ -19,16 +19,32 @@ $config = parse_ini_file('../private/config.ini');
|
|||
if (!isset($_SESSION['log']) OR $_SESSION['log'] != 1) {
|
||||
echo '<html>
|
||||
<head>
|
||||
<title>Login</title>
|
||||
</head>
|
||||
<body>';
|
||||
if (isset($_GET['badlogin'])) {
|
||||
echo '<p>falsche Logindaten</p>';
|
||||
}
|
||||
if (isset($_GET['pwnotequal'])) {
|
||||
echo '<h3>Passwörter nicht gleich!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
|
||||
}
|
||||
if (isset($_GET['pwtoshort'])) {
|
||||
echo '<h3>eingegebe Passwörter sind zu kurz!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
|
||||
}
|
||||
if (isset($_GET['pwmissmatch'])) {
|
||||
echo '<h3>Das eingegebene aktulle Passwort stimmt nicht!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
|
||||
}
|
||||
if (isset($_GET['wrongsymbols'])) {
|
||||
echo '<h3>eingegebe Passwörter enthalten unerlaubte Symbole!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
|
||||
}
|
||||
if (isset($_GET['newpwequal'])) {
|
||||
echo '<h3>Das neue Passwort entspricht dem alten!</h3><a href="bin/forcedpwreset.php">Nochmal</a>';
|
||||
}
|
||||
echo '<a href="webmail"><h2>Webmail</h2></a>
|
||||
<h2>Config-Login:</h2>
|
||||
<form method="POST" action="login.php">
|
||||
<label>Nutzername<input name="username" type="text"/></label>
|
||||
<label>Passwort<input name="password" type="password"/></label>
|
||||
<label>Nutzername:<input name="username" type="text"/></label>
|
||||
<label>Passwort:<input name="password" type="password"/></label>
|
||||
<input name="Submit" type="submit" value="Einloggen"/>
|
||||
</form>';
|
||||
if ($config['allowregistration']) {
|
||||
|
|
|
|||
|
|
@ -25,17 +25,24 @@ try {
|
|||
$user = explode('@', $_POST['username']);
|
||||
$pw = $_POST['password'];
|
||||
|
||||
$abfrage = "SELECT `id`, `password`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1'";
|
||||
$abfrage = "SELECT `id`, `password`, `forcepwreset`, `admin` FROM `accounts` WHERE `username` = :username AND `domain` = :domain AND `enabled`='1' OR (`enabled`='0' AND `forcepwreset`='1')";
|
||||
$sth = $dbh->prepare($abfrage);
|
||||
$sth->execute(array(':username' => $user[0], ':domain' => $user[1]));
|
||||
$userdata = $sth->fetchAll();
|
||||
if ($sth->rowCount() > 0) {
|
||||
if (password_verify($pw, $userdata[0]['password'])) {
|
||||
$_SESSION['log'] = 1;
|
||||
$_SESSION['username'] = $user[0];
|
||||
$_SESSION['domain'] = $user[1];
|
||||
$_SESSION['admin'] = $userdata[0]['admin'];
|
||||
$_SESSION['mailID'] = $userdata[0]['id'];
|
||||
if ($userdata[0]['forcepwreset']) {
|
||||
$_SESSION['forcepwreset'] = 1;
|
||||
$_SESSION['log'] = 0;
|
||||
header("Location: bin/forcedpwreset.php");
|
||||
exit;
|
||||
}
|
||||
$_SESSION['forcepwreset'] = 0;
|
||||
$_SESSION['log'] = 1;
|
||||
header("Location: settings.php");
|
||||
exit;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue