Fix bug on logout page

Ue HESTIA_CMD every where instead Remove rand()
hestiacp · Sep 10, 2021 · 2d4295c · 2d4295c
1 parent 3fec435
commit 2d4295c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 10 deletions.
diff --git a/web/logout/index.php b/web/logout/index.php
@@ -5,7 +5,7 @@
 // Main include
 include($_SERVER['DOCUMENT_ROOT'] . '/inc/main.php');
 // Check token
-verify_csrf($_POST);
+verify_csrf($_GET);
 
 if (!empty($_SESSION['look'])) {
     $v_user = escapeshellarg($_SESSION['look']);

diff --git a/web/reset/index.php b/web/reset/index.php
@@ -22,14 +22,13 @@
     if ($return_var == 0) {
         $data = json_decode(implode('', $output), true);
         if ($email == $data[$user]['CONTACT']) {
-            //genrate new rkey
-            $rkey = substr(password_hash(rand(0, 10), PASSWORD_DEFAULT), 5, 12);
+            $rkey = substr(password_hash("", PASSWORD_DEFAULT), 8, 12);
             $hash = password_hash($rkey, PASSWORD_DEFAULT);
             $v_rkey = tempnam("/tmp", "vst");
             $fp = fopen($v_rkey, "w");
             fwrite($fp, $hash."\n");
             fclose($fp);
-            exec("/usr/bin/sudo /usr/local/hestia/bin/v-change-user-rkey ".$v_user." ".$v_rkey."", $output, $return_var);
+            exec(HESTIA_CMD . "v-change-user-rkey ".$v_user." ".$v_rkey."", $output, $return_var);
             unset($output);
             unlink($v_rkey);
             $name = $data[$user]['NAME'];
@@ -65,21 +64,19 @@
     if ($_POST['password'] == $_POST['password_confirm']) {
         $v_user = escapeshellarg($_POST['user']);
         $user = $_POST['user'];
-        $cmd="/usr/bin/sudo /usr/local/hestia/bin/v-list-user";
-        exec($cmd." ".$v_user." json", $output, $return_var);
+        exec(HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var);
         if ($return_var == 0) {
             $data = json_decode(implode('', $output), true);
             $rkey = $data[$user]['RKEY'];
             if (password_verify($_POST['code'], $rkey)) {
                 unset($output);
-                exec("/usr/bin/sudo /usr/local/hestia/bin/v-get-user-value ".$v_user." RKEYEXP", $output, $return_var);
+                exec(HESTIA_CMD . "v-get-user-value ".$v_user." RKEYEXP", $output, $return_var);
                 if ($output[0] > time() - 900) {
                     $v_password = tempnam("/tmp", "vst");
                     $fp = fopen($v_password, "w");
                     fwrite($fp, $_POST['password']."\n");
                     fclose($fp);
-                    $cmd="/usr/bin/sudo /usr/local/hestia/bin/v-change-user-password";
-                    exec($cmd." ".$v_user." ".$v_password, $output, $return_var);
+                    exec(HESTIA_CMD . "v-change-user-password ".$v_user." ".$v_password, $output, $return_var);
                     unlink($v_password);
                     if ($return_var > 0) {
                         sleep(5);
@@ -102,7 +99,6 @@
         } else {
             sleep(5);
             $ERROR = "<a class=\"error\">"._('Invalid username or code')."</a>";
-            exec(HESTIA_CMD . 'v-log-user-login ' . $v_user . ' ' . $v_ip . ' failed ' . $v_session_id . ' ' . $v_user_agent .' yes "Invalid Username or Code"', $output, $return_var);
         }
     } else {
         $ERROR = "<a class=\"error\">"._('Passwords not match')."</a>";