Commit 64d6246a authored by Franco Fichtner's avatar Franco Fichtner

users: prompt for old password to avoid account hijacking

parent 1c93f058
...@@ -32,22 +32,24 @@ require_once("guiconfig.inc"); ...@@ -32,22 +32,24 @@ require_once("guiconfig.inc");
$pgtitle = array(gettext("System"),gettext("User Password")); $pgtitle = array(gettext("System"),gettext("User Password"));
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
if (isset($_POST['save'])) { if (isset($_POST['save'])) {
unset($input_errors); unset($input_errors);
/* input validation */ /* input validation */
$reqdfields = explode(" ", "passwordfld1"); $reqdfields = explode(" ", "passwordfld0 passwordfld1 passwordfld2");
$reqdfieldsn = array(gettext("Password")); $reqdfieldsn = array(gettext("Password"));
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if ($_POST['passwordfld1'] != $_POST['passwordfld2']) { if ($_POST['passwordfld1'] != $_POST['passwordfld2'] ||
$config['system']['user'][$userindex[$_SESSION['Username']]]['password'] != crypt($_POST['passwordfld0'], '$6$')) {
$input_errors[] = gettext("The passwords do not match."); $input_errors[] = gettext("The passwords do not match.");
} }
if (!$input_errors) { if (!$input_errors) {
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
// all values are okay --> saving changes // all values are okay --> saving changes
$config['system']['user'][$userindex[$_SESSION['Username']]]['password'] = crypt($_POST['passwordfld1'], '$6$'); $config['system']['user'][$userindex[$_SESSION['Username']]]['password'] = crypt($_POST['passwordfld1'], '$6$');
local_user_set($config['system']['user'][$userindex[$_SESSION['Username']]]); local_user_set($config['system']['user'][$userindex[$_SESSION['Username']]]);
...@@ -59,10 +61,6 @@ if (isset($_POST['save'])) { ...@@ -59,10 +61,6 @@ if (isset($_POST['save'])) {
} }
} }
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
/* determine if user is not local to system */ /* determine if user is not local to system */
$islocal = false; $islocal = false;
foreach ($config['system']['user'] as $user) { foreach ($config['system']['user'] as $user) {
...@@ -118,7 +116,13 @@ include("head.inc"); ...@@ -118,7 +116,13 @@ include("head.inc");
<?php session_write_close(); ?> <?php session_write_close(); ?>
</tr> </tr>
<tr> <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Password"); ?></td> <td width="22%" valign="top" class="vncell"><?=gettext("Old password"); ?></td>
<td width="78%" class="vtable">
<input name="passwordfld0" type="password" class="formfld pwd" id="passwordfld0" size="20" />
</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("New password"); ?></td>
<td width="78%" class="vtable"> <td width="78%" class="vtable">
<input name="passwordfld1" type="password" class="formfld pwd" id="passwordfld1" size="20" /> <input name="passwordfld1" type="password" class="formfld pwd" id="passwordfld1" size="20" />
</td> </td>
......
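Review bot: The old-password check added in the first hunk re-hashes the submitted value with the fixed salt `'$6$'` rather than with the stored hash, so it can only match entries that were themselves written with that unsalted form (as the save line in the same hunk does); a password stored by any other path with a real salt will never verify, and the loose `!=` comparison is not constant-time. Derive with the stored hash as the salt and compare with `hash_equals`: `$stored = $config['system']['user'][$userindex[$_SESSION['Username']]]['password'];` followed by `if ($_POST['passwordfld1'] != $_POST['passwordfld2'] || !hash_equals($stored, crypt($_POST['passwordfld0'], $stored))) {`. Reusing "The passwords do not match." for both failure cases is acceptable, but a separate `gettext("The old password is incorrect.")` branch would help a user who mistyped the current password. The enclosing `if (isset($_POST['save']))` block closes in the second hunk, and the first hunk is only partly shown here.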