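<?php
/**
 *
 * This file is part of HESK - PHP Help Desk Software.
 *
 * (c) Copyright Klemen Stirn. All rights reserved.
 * https://www.hesk.com
 *
 * For the full copyright and license agreement information visit
 * https://www.hesk.com/eula.php
 *
 */

/*
 * admin/password.php - staff password reset.
 *
 * Two request shapes are handled before the form below is rendered:
 *   POST (email)  - look the staff account up by address, store a one-time token
 *                   in `reset_password` together with the requesting IP, and mail
 *                   a link carrying that token.
 *   GET  (?h=...) - validate the token (age, existence, requesting IP), consume it,
 *                   log the user in and redirect to profile.php.
 * Anything else just shows the reset form.
 */

define('IN_SCRIPT', 1);
define('HESK_PATH', '../');
define('PAGE_TITLE', 'LOGIN');

/* Get all the required files and functions */
require(HESK_PATH . 'hesk_settings.inc.php');
require(HESK_PATH . 'inc/common.inc.php');

// Connect to database and load the Mods for HESK settings
hesk_load_database_functions();
hesk_dbConnect();
$modsForHesk_settings = mfh_getSettings();

// Is the password reset function enabled?
if (!$hesk_settings['reset_pass']) {
    die($hesklang['attempt']);
}

// Allow additional 5 attempts in case the user is already blocked
$hesk_settings['attempt_limit'] += 5;

// Start session
hesk_session_start();

// Field names that failed validation on the last POST; read by the form below
if (!isset($_SESSION['a_iserror'])) {
    $_SESSION['a_iserror'] = array();
}

$hesk_error_buffer = array();

// If this is a POST method, check input
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // Verify security image
    if ($hesk_settings['secimg_use']) {
        if ($hesk_settings['recaptcha_use'] == 1) {
            // reCAPTCHA API v1
            require_once(HESK_PATH . 'inc/recaptcha/recaptchalib.php');
            $resp = recaptcha_check_answer(
                $hesk_settings['recaptcha_private_key'],
                hesk_getClientIP(),
                hesk_POST('recaptcha_challenge_field', ''),
                hesk_POST('recaptcha_response_field', '')
            );
            if (!$resp->is_valid) {
                $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error'];
            }
        } elseif ($hesk_settings['recaptcha_use'] == 2) {
            // reCAPTCHA API v2
            require(HESK_PATH . 'inc/recaptcha/recaptchalib_v2.php');
            $resp = null;
            $reCaptcha = new ReCaptcha($hesk_settings['recaptcha_private_key']);

            // Was there a reCAPTCHA response at all? (a missing one is a failure, not a skip)
            if (isset($_POST["g-recaptcha-response"])) {
                $resp = $reCaptcha->verifyResponse(hesk_getClientIP(), hesk_POST("g-recaptcha-response"));
            }
            if ($resp === null || !$resp->success) {
                $hesk_error_buffer['mysecnum'] = $hesklang['recaptcha_error'];
            }
        } else {
            // PHP generated image
            $mysecnum = intval(hesk_POST('mysecnum', 0));
            if (empty($mysecnum)) {
                $hesk_error_buffer['mysecnum'] = $hesklang['sec_miss'];
            } else {
                require(HESK_PATH . 'inc/secimg.inc.php');
                $sc = new PJ_SecurityImage($hesk_settings['secimg_sum']);
                // No checksum in the session means no image was ever issued: treat as wrong
                if (!isset($_SESSION['checksum']) || !$sc->checkCode($mysecnum, $_SESSION['checksum'])) {
                    $hesk_error_buffer['mysecnum'] = $hesklang['sec_wrng'];
                }
            }
        }
    }

    // Brute force limiter (presumably counts this POST against the per-IP limit)
    hesk_limitBfAttempts();

    // Get email. "or" binds looser than "=", so $email gets the validated address and the
    // error is recorded only when validation returned a falsy value.
    $email = hesk_validateEmail(hesk_POST('email'), 'ERR', 0) or $hesk_error_buffer['email'] = $hesklang['enter_valid_email'];

    // Any errors?
    if (count($hesk_error_buffer) != 0) {
        $_SESSION['a_iserror'] = array_keys($hesk_error_buffer);

        $tmp = '';
        foreach ($hesk_error_buffer as $error) {
            $tmp .= "<li>$error</li>\n";
        }
        $hesk_error_buffer = $hesklang['pcer'] . '<br /><br /><ul>' . $tmp . '</ul>';
        hesk_process_messages($hesk_error_buffer, 'NOREDIRECT');
    } elseif (defined('HESK_DEMO')) {
        hesk_process_messages($hesklang['ddemo'], 'NOREDIRECT');
    } else {
        // Look the account up by equality, not LIKE: in a LIKE pattern "_" and "%" are
        // wildcards, so a submitted address that differs from a real user's by one
        // character (e.g. j_doe@... vs j.doe@...) could match that user's record.
        // Case sensitivity still follows the column collation, as it did with LIKE.
        $res = hesk_dbQuery("SELECT `id`, `name`, `email`, `pass` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `email` = '" . hesk_dbEscape($email) . "' LIMIT 1");

        if (hesk_dbNumRows($res) != 1) {
            // NOTE(review): this message differs from the success message below, so the
            // response reveals whether an address has a staff account (enumeration).
            // Showing $hesklang['pemls'] in both cases would close that channel.
            hesk_process_messages($hesklang['noace'], 'NOREDIRECT');
        } else {
            $row = hesk_dbFetchAssoc($res);

            // One-time token: 160 random bits as 40 hex characters, the same width as the
            // sha1() value `reset_password`.`hash` was sized for. Use the CSPRNG when the
            // runtime has it (PHP >= 7); the sha1(microtime/mt_rand/...) mix is kept only
            // as a fallback for older PHP - mt_rand() is not a cryptographic generator.
            if (function_exists('random_bytes')) {
                $hash = bin2hex(random_bytes(20));
            } else {
                $hash = sha1(microtime() . hesk_getClientIP() . mt_rand() . $row['id'] . $row['name'] . $row['pass']);
            }

            // Insert the verification hash into the database. The token is hex-only, so it
            // needs no escaping; the stored IP is what the GET handler below compares against.
            // NOTE(review): REMOTE_ADDR is used here and in that check, while the captcha
            // calls use hesk_getClientIP(); behind a reverse proxy the two can differ -
            // confirm which address the deployment wants the token bound to.
            hesk_dbQuery("INSERT INTO `" . hesk_dbEscape($hesk_settings['db_pfix']) . "reset_password` (`user`, `hash`, `ip`) VALUES (" . intval($row['id']) . ", '{$hash}', '" . hesk_dbEscape($_SERVER['REMOTE_ADDR']) . "')");

            // Prepare and send email
            require(HESK_PATH . 'inc/email_functions.inc.php');

            $reset_url = $hesk_settings['hesk_url'] . '/' . $hesk_settings['admin_dir'] . '/password.php?h=' . $hash;
            $plain_name = hesk_msgToPlain($row['name'], 1, 1);

            // Get the plain-text and HTML templates and fill in the special tags
            // (replacements run in this order, as before)
            $msg = hesk_getEmailMessage('reset_password', array(), $modsForHesk_settings, 1, 0, 1);
            $htmlMsg = hesk_getHtmlMessage('reset_password', array(), $modsForHesk_settings, 1, 0, 1);
            $tags = array(
                '%%NAME%%' => $plain_name,
                '%%SITE_URL%%' => $hesk_settings['site_url'],
                '%%SITE_TITLE%%' => $hesk_settings['site_title'],
                '%%PASSWORD_RESET%%' => $reset_url,
            );
            $msg = str_replace(array_keys($tags), array_values($tags), $msg);
            $htmlMsg = str_replace(array_keys($tags), array_values($tags), $htmlMsg);

            // Send the link to the address on record, never to the submitted string, so the
            // only mailbox that can receive a token is the account's own.
            hesk_mail($row['email'], $hesklang['reset_password'], $msg, $htmlMsg, $modsForHesk_settings);

            // Show success
            hesk_process_messages($hesklang['pemls'], 'NOREDIRECT', 'SUCCESS');
        }
    }
} elseif (isset($_GET['h'])) {
    // The "h" parameter is set: verify it and log the user in.
    // Strip everything but [A-Za-z0-9]; tokens are hex, so this both makes the value safe
    // to interpolate into the query below and discards anything that cannot be a token.
    $hash = preg_replace('/[^a-zA-Z0-9]/', '', $_GET['h']);

    // (The database connection was opened at the top of the script; the reconnect that
    // used to sit here was redundant.)

    // Expire verification hashes older than 2 hours. Presumably `dt` defaults to the insert
    // time - the INSERT above does not set it explicitly.
    hesk_dbQuery("DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "reset_password` WHERE `dt` < (NOW() - INTERVAL 2 HOUR)");

    // Verify the hash exists
    $res = hesk_dbQuery("SELECT `user`, `ip` FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "reset_password` WHERE `hash` = '{$hash}' LIMIT 1");

    if (hesk_dbNumRows($res) != 1) {
        // Not a valid hash - count it as a brute force attempt
        hesk_limitBfAttempts();
        hesk_process_messages($hesklang['ehash'], 'NOREDIRECT');
    } else {
        $row = hesk_dbFetchAssoc($res);

        // Only allow resetting password from the same IP address that submitted the request
        if ($row['ip'] !== $_SERVER['REMOTE_ADDR']) {
            hesk_limitBfAttempts();
            hesk_process_messages($hesklang['ehaip'], 'NOREDIRECT');
        } else {
            // Token accepted: expire every outstanding token for this user so it is single-use
            hesk_dbQuery("DELETE FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "reset_password` WHERE `user`=" . intval($row['user']));

            // Load additional required functions
            require(HESK_PATH . 'inc/admin_functions.inc.php');

            // Get user details
            $res = hesk_dbQuery("SELECT * FROM `" . hesk_dbEscape($hesk_settings['db_pfix']) . "users` WHERE `id`=" . intval($row['user']) . " LIMIT 1");
            $row = hesk_dbFetchAssoc($res);

            // The token acts as a login: copy the whole user record into the session and send
            // the user to profile.php (presumably to choose a new password there).
            foreach ($row as $k => $v) {
                $_SESSION[$k] = $v;
            }

            // Set a tag that will be used to expire sessions after username or password change
            $_SESSION['session_verify'] = hesk_activeSessionCreateTag($_SESSION['user'], $_SESSION['pass']);

            // We don't need the password hash anymore
            unset($_SESSION['pass']);

            // Clean brute force attempts
            hesk_cleanBfAttempts();

            // Regenerate session ID (security)
            hesk_session_regenerate_id();

            // Get allowed categories
            if (empty($_SESSION['isadmin'])) {
                $_SESSION['categories'] = explode(',', $_SESSION['categories']);
            }

            // Redirect to the profile page
            hesk_process_messages($hesklang['resim'], 'profile.php', 'NOTICE');
            exit();
        }
    }
}

// Tell header to load reCaptcha API if needed
if ($hesk_settings['recaptcha_use'] == 2) {
    define('RECAPTCHA', 1);
}

$hesk_settings['tmp_title'] = $hesk_settings['hesk_title'] . ' - ' . $hesklang['passr'];

require_once(HESK_PATH . 'inc/headerAdmin.inc.php');
?>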
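<div class="login-box">
    <div class="login-logo">
        <?php echo $hesk_settings['hesk_title']; ?>
    </div>
    <div class="login-box-body">
        <h4 class="login-box-msg">
            <?php echo $hesklang['passr']; ?>
        </h4>
        <form action="password.php" method="post" name="form1" class="form-horizontal" role="form">
            <?php
            /* This will handle error, success and notice messages */
            hesk_handle_messages();

            // Which fields failed validation on the last POST (recorded in the session by
            // the handler above this form)
            $email_failed = in_array('email', $_SESSION['a_iserror']);
            $secnum_failed = in_array('mysecnum', $_SESSION['a_iserror']);

            // Re-fill the address after a failed POST. $email only exists on a POST;
            // hesk_input() is relied on to HTML-escape it before it lands in the attribute.
            $form_email = isset($email) ? stripslashes(hesk_input($email)) : '';
            ?>
            <div class="form-group <?php echo $email_failed ? 'has-error' : ''; ?>">
                <label for="email" class="col-sm-3 control-label">
                    <?php echo $hesklang['email']; ?>
                </label>
                <div class="col-sm-9">
                    <input type="text" name="email" size="35" value="<?php echo $form_email; ?>"
                           class="form-control" placeholder="<?php echo htmlspecialchars($hesklang['email']); ?>">
                </div>
            </div>
            <?php if ($hesk_settings['secimg_use']) { ?>
            <div class="form-group">
                <div class="col-sm-11 col-sm-offset-1">
                    <?php if ($hesk_settings['recaptcha_use'] == 1) { ?>
                    <!-- reCAPTCHA API v1: red theme marks a failed attempt -->
                    <script type="text/javascript">
                        var RecaptchaOptions = {
                            theme: '<?php echo $secnum_failed ? 'red' : 'white'; ?>',
                            custom_translations: {
                                visual_challenge: "<?php echo hesk_slashJS($hesklang['visual_challenge']); ?>",
                                audio_challenge: "<?php echo hesk_slashJS($hesklang['audio_challenge']); ?>",
                                refresh_btn: "<?php echo hesk_slashJS($hesklang['refresh_btn']); ?>",
                                instructions_visual: "<?php echo hesk_slashJS($hesklang['instructions_visual']); ?>",
                                instructions_context: "<?php echo hesk_slashJS($hesklang['instructions_context']); ?>",
                                instructions_audio: "<?php echo hesk_slashJS($hesklang['instructions_audio']); ?>",
                                help_btn: "<?php echo hesk_slashJS($hesklang['help_btn']); ?>",
                                play_again: "<?php echo hesk_slashJS($hesklang['play_again']); ?>",
                                cant_hear_this: "<?php echo hesk_slashJS($hesklang['cant_hear_this']); ?>",
                                incorrect_try_again: "<?php echo hesk_slashJS($hesklang['incorrect_try_again']); ?>",
                                image_alt_text: "<?php echo hesk_slashJS($hesklang['image_alt_text']); ?>"
                            }
                        };
                    </script>
                    <?php
                    require_once(HESK_PATH . 'inc/recaptcha/recaptchalib.php');
                    echo recaptcha_get_html($hesk_settings['recaptcha_public_key'], null, true);
                    } elseif ($hesk_settings['recaptcha_use'] == 2) {
                        // reCAPTCHA API v2. The site key is a config value; escape it like any
                        // other attribute value instead of echoing it raw (a no-op for a valid key).
                    ?>
                    <div class="g-recaptcha"
                         data-sitekey="<?php echo htmlspecialchars($hesk_settings['recaptcha_public_key']); ?>"></div>
                    <?php
                    } else {
                        // At least use some basic PHP generated image (better than nothing).
                        // The random query string only defeats browser caching of the image.
                        $cls = $secnum_failed ? ' class="isError" ' : '';
                        $img_src = HESK_PATH . 'print_sec_img.php?';

                        echo $hesklang['sec_enter']
                            . '<br /> <br /><img src="' . $img_src . rand(10000, 99999) . '" width="150" height="40" alt="' . $hesklang['sec_img'] . '" title="' . $hesklang['sec_img'] . '" border="1" name="secimg" style="vertical-align:text-bottom" /> '
                            . '<a href="javascript:void(0)" onclick="javascript:document.form1.secimg.src=\'' . $img_src . '\'+ ( Math.floor((90000)*Math.random()) + 10000);"><img src="' . HESK_PATH . 'img/reload.png" height="24" width="24" alt="' . $hesklang['reload'] . '" title="' . $hesklang['reload'] . '" border="0" style="vertical-align:text-bottom" /></a>'
                            . '<br /> <br /><input type="text" name="mysecnum" size="20" maxlength="5" ' . $cls . ' />';
                    }
                    ?>
                </div>
            </div>
            <?php } ?>
            <div class="form-group">
                <div class="col-sm-9 col-sm-offset-3">
                    <input type="submit" value="<?php echo $hesklang['passs']; ?>" class="btn btn-default">
                </div>
            </div>
        </form>
    </div>
</div>
<?php
// Clean session errors now that the form has rendered them
hesk_cleanSessionVars('a_iserror');
hesk_cleanSessionVars('img_a_verified');
?>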