Raphael Schneeberger 6 лет назад
Родитель
Сommit
91b1cd544b

+ 11 - 1
CHANGELOG.md

@@ -1,9 +1,19 @@
 # Changelog
 All notable changes to this project will be documented in this file.
 
-## [CURRENT] - Development
+## [1.1.1] - 2020-03-24 - Hotfix
 ### Features
+- No new features introduced with v1.1.1, this is strictly a security/bug fix release.
+
 ### Bugfixes
+- Fixed phpMyAdmin blowfish and tmp directory issues.
+- Added additional verification of host domain in password reset. Thanks to @FalzoMAD and @mmetince!
+- Fixed issue with rc.local not executing properly.
+- Rework of Let's Encrypt routine to use progressive delay between validation retries.
+- Fixed syntax issue in v-list-sys-db-status which prevented main functions from loading.
+- Removed /home size reporting when running v-list-sys-info due to performance issues.
+- Updated installer to use Ubuntu key server for Hestia APT repository.
+- Fixed duplicate demo mode check in v-change-user-password.
 
 ## [1.1.0] - 2020-03-11 - Major Release (Feature / Quality Update)
 ### Features

+ 5 - 3
README.md

@@ -1,7 +1,9 @@
 [Hestia Control Panel](https://www.hestiacp.com/)
 ==================================================
-**Current stable release:** Version 1.1.0, released on March 11th, 2020.<br><br>
-Due to a change of the repository infrastructure, please install the new key before you upgrade your existing installations:
+**Current stable release:** Version 1.1.1, released on March 26th, 2020.<br>
+**Current development release:** Version 1.1.2.
+<br><br>
+**Due to a change of the repository infrastructure, please install the new key before you upgrade your existing installations:**
 ```bash
 wget -qO - https://gpg.hestiacp.com/deb_signing.key | sudo apt-key add -
 ```
@@ -32,7 +34,7 @@ What does Hestia Control Panel support?
 ----------------------------
 * Standard Web Server (Apache/NGINX) with PHP
 * PHP Web Application Server (NGINX + PHP-FPM)
-* Multiple PHP versions (5.6 - 7.3)
+* Multiple PHP versions (5.6 - 7.4, with 7.3 currently as default for optimal compatibility)
 * DNS Server (Bind) with clustering capabilities
 * Mail Server (Exim/Dovecot) with Anti-Virus and Anti-Spam (ClamAV and SpamAssassin)
 * Database functionality (MariaDB/PostgreSQL)

+ 7 - 0
SECURITY.md

@@ -0,0 +1,7 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you have discovered a vulnerability in Hestia Control Panel,
+let our development team know via e-mail at info@hestiacp.com and
+we will respond as soon as possible.

+ 4 - 4
bin/v-add-letsencrypt-domain

@@ -134,7 +134,7 @@ fi
 # Check if dns records exist for requested domain/aliases
 if [ "$proto" = "http-01" ]; then
     for identifier in $(echo $domain,$aliases |tr ',' '\n' |sort -u); do
-        if ! nslookup "${identifier}" >/dev/null 2>&1 ; then
+        if ! nslookup "${identifier}" > /dev/null 2>&1 ; then
             check_result $E_NOTEXIST "DNS record for $identifier doesn't exist"
         fi
     done
@@ -327,7 +327,7 @@ for auth in $authz; do
             fi
             check_result $E_CONNECT "Let's Encrypt domain validation timeout"
         fi
-        sleep 2
+        sleep $((i*2))
     done
     if [ "$validation" = 'invalid' ]; then
         # Delete DNS CAA record
@@ -340,7 +340,7 @@ for auth in $authz; do
                     $BIN/v-delete-dns-record $user $domain $caa_record
                 fi
             fi
-        fi    
+        fi
         check_result $E_CONNECT "Let's Encrypt domain verification failed"
     fi
 done
@@ -400,7 +400,7 @@ if [ -z "$mail" ]; then
     [[ "$ssl_force" = "yes" ]] && $BIN/v-add-web-domain-ssl-force $user $domain > /dev/null 2>&1
 else
     ssl_enabled="$(get_object_value 'mail' 'DOMAIN' "$root_domain" '$SSL')"
-    [[ "$ssl_enabled" = "yes" ]] && $BIN/v-delete-mail-domain-ssl $user $root_domain >/dev/null 2>&1
+    [[ "$ssl_enabled" = "yes" ]] && $BIN/v-delete-mail-domain-ssl $user $root_domain > /dev/null 2>&1
     $BIN/v-add-mail-domain-ssl $user $root_domain $ssl_dir
 fi
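Review bot: `sleep $((i*2))` in the second hunk ties the wait to a counter whose initialisation and upper bound are outside this hunk; if `i` starts at 0 the first poll repeats with no delay at all, and nothing visible here caps how long the last waits become. A one-line comment above it would make the intent explicit: `# Linear back-off between validation polls (2s, 4s, 6s, ...)`. The `for auth in $authz` loop and its retry counter both begin before this hunk, so the starting value and the retry limit should be checked there. The other three hunks in this file only change redirect spacing.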
 

+ 0 - 3
bin/v-change-user-password

@@ -42,9 +42,6 @@ if [ "$user" = 'admin' ] && [ -e "$HESTIA/web/reset.admin" ]; then
     rm -f $HESTIA/web/reset.admin
 fi
 
-# Perform verification if read-only mode is enabled
-check_hestia_demo_mode
-
 
 #----------------------------------------------------------#
 #                       Hestia                             #

+ 4 - 0
bin/v-copy-user-package

@@ -16,6 +16,10 @@ new_package=$2
 source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
 
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
 #----------------------------------------------------------#
 #                       Action                             #
 #----------------------------------------------------------#

+ 1 - 1
bin/v-list-sys-db-status

@@ -13,7 +13,7 @@
 #format=${1-shell}
 
 # Includes
-#source $HESTIA/func/main.sh
+source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
 
 #----------------------------------------------------------#

+ 7 - 8
bin/v-list-sys-info

@@ -30,28 +30,27 @@ json_list() {
         "HESTIA": "'$HESTIA_VERSION'",
         "RELEASE": "'$HESTIA_RELEASE'",
         "UPTIME": "'$UPTIME'",
-        "LOADAVERAGE": "'$LOADAVERAGE'",
-        "HOME_USAGE": "'$HOME_USAGE'"
+        "LOADAVERAGE": "'$LOADAVERAGE'"
         }'
     echo '}'
 }
 
 # SHELL list function
 shell_list() {
-    echo "HOSTNAME   OS   VER   ARCH  HESTIA  RELEASE  UPTIME   LA   HOME"
-    echo "--------   --   ---   ----  ------  -------  ------   --   ----"
-    echo "$HOSTNAME $OS $VERSION $ARCH $HESTIA_VERSION $HESTIA_RELEASE $UPTIME $LOADAVERAGE $HOME_USAGE"
+    echo "HOSTNAME   OS   VER   ARCH  HESTIA  RELEASE  UPTIME   LA"
+    echo "--------   --   ---   ----  ------  -------  ------   --"
+    echo "$HOSTNAME $OS $VERSION $ARCH $HESTIA_VERSION $HESTIA_RELEASE $UPTIME $LOADAVERAGE"
 }
 
 # PLAIN list function
 plain_list() {
-    echo -e "$HOSTNAME\t$OS\t$VERSION\t$ARCH\t$HESTIA_VERSION\t$HESTIA_RELEASE\t$UPTIME\t$LOADAVERAGE\t$HOME_USAGE"
+    echo -e "$HOSTNAME\t$OS\t$VERSION\t$ARCH\t$HESTIA_VERSION\t$HESTIA_RELEASE\t$UPTIME\t$LOADAVERAGE"
 }
 
 # CSV list function
 csv_list() {
-    echo "HOSTNAME,OS,VERSION,ARCH,HESTIA,RELEASE,UPTIME,LOADAVERAGE,HOMEUSAGE"
-    echo "$HOSTNAME,$OS,$VERSION,$ARCH,$HESTIA_VERSION,$HESTIA_RELEASE,$UPTIME,$LOADAVERAGE,$HOME_USAGE"
+    echo "HOSTNAME,OS,VERSION,ARCH,HESTIA,RELEASE,UPTIME,LOADAVERAGE"
+    echo "$HOSTNAME,$OS,$VERSION,$ARCH,$HESTIA_VERSION,$HESTIA_RELEASE,$UPTIME,$LOADAVERAGE"
 }
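Review bot: The four output functions drop `$HOME_USAGE`, but the hunk does not show where `HOME_USAGE` is computed; if that assignment (presumably the directory-size call that the changelog blames for the slowness) is still present above `json_list`, the cost remains and the variable is merely unused. Worth confirming in the part of the file before this hunk, since `json_list` itself starts outside it. Separately, `json_list` builds its JSON by interpolating unquoted shell variables into a single-quoted string, so a value containing a double quote produces invalid JSON; that is pre-existing, but a `# TODO: escape values before emitting JSON` note would flag it.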
 
 

+ 10 - 3
func/upgrade.sh

@@ -147,6 +147,13 @@ upgrade_start_routine() {
 
     # Upgrade to Version 1.1.0
     if [ $VERSION = "1.0.6" ]; then
+        source $HESTIA/install/upgrade/versions/latest.sh
+        VERSION="1.1.0"
+        upgrade_refresh_config
+    fi
+
+    # Upgrade to Version 1.1.1
+    if [ $VERSION = "1.1.0" ]; then
         source $HESTIA/install/upgrade/versions/latest.sh
         VERSION="$new_version"
         upgrade_refresh_config
@@ -173,7 +180,7 @@ upgrade_phpmyadmin() {
 
             # Download latest phpMyAdmin release
             wget --quiet https://files.phpmyadmin.net/phpMyAdmin/$pma_v/phpMyAdmin-$pma_v-all-languages.tar.gz
-        
+
             # Unpack files
             tar xzf phpMyAdmin-$pma_v-all-languages.tar.gz
 
@@ -184,8 +191,8 @@ upgrade_phpmyadmin() {
             cp -rf phpMyAdmin-$pma_v-all-languages/* /usr/share/phpmyadmin
 
             # Set config and log directory
-            sed -i "s|define('CONFIG_DIR', '');|define('CONFIG_DIR', '/etc/phpmyadmin/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
-            sed -i "s|define('TEMP_DIR', './tmp/');|define('TEMP_DIR', '/var/lib/phpmyadmin/tmp/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
+            sed -i "s|define('CONFIG_DIR', ROOT_PATH);|define('CONFIG_DIR', '/etc/phpmyadmin/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
+            sed -i "s|define('TEMP_DIR', ROOT_PATH . 'tmp/');|define('TEMP_DIR', '/var/lib/phpmyadmin/tmp/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
 
             # Create temporary folder and change permissions
             if [ ! -d /usr/share/phpmyadmin/tmp ]; then
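Review bot: In the first hunk the new 1.0.6 → 1.1.0 step still sources `$HESTIA/install/upgrade/versions/latest.sh`, which this commit rewrites to hold only the 1.1.1 tasks while the 1.1.0 tasks move to `versions/previous/1.1.0.sh`. As written, an installation at 1.0.6 runs the 1.1.1 script twice and never runs the 1.1.0 migration (default theme, sshd grace time, fail2ban recidive jail, multi-PHP migration and the rest). The first step should read `source $HESTIA/install/upgrade/versions/previous/1.1.0.sh` and keep `VERSION="1.1.0"` so the following block then picks it up. The third hunk's `sed` calls run without checking that their pattern matched, and `upgrade_phpmyadmin` continues outside the hunk.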

+ 1 - 1
install/deb/exim/exim4.conf.template

@@ -64,7 +64,7 @@ tls_on_connect_ports = 465
 never_users = root
 host_lookup = *
 rfc1413_hosts = *
-rfc1413_query_timeout = 5s
+rfc1413_query_timeout = 0s
 ignore_bounce_errors_after = 2d
 timeout_frozen_after = 7d
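Review bot: Setting `rfc1413_query_timeout = 0s` disables the ident callout entirely in Exim, which makes the `rfc1413_hosts = *` line above it inert; a short comment would save the next reader from wondering why both are present, e.g. `# 0s disables RFC 1413 (ident) lookups; they only add latency on delivery`. The matching upgrade step in install/upgrade/versions/latest.sh rewrites this setting with a `sed` that assumes the literal `5s` value is still there, so a template that was already hand-edited silently keeps its old timeout.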
 

+ 1 - 0
install/deb/nginx/phpmyadmin.inc

@@ -2,6 +2,7 @@ location /phpmyadmin {
     alias /usr/share/phpmyadmin/;
 
     location ~ /(libraries|setup) {
+        deny all;
         return 404;
     }
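Review bot: `deny all;` is added ahead of `return 404;`, but in nginx `return` belongs to the rewrite module and runs in the rewrite phase, before the access phase in which `deny` is evaluated, so the request is answered 404 before `deny` is consulted; the added line is harmless but dead. Either keep only `return 404;`, or drop the `return` if a 403 is the intended answer. If it stays as belt-and-braces, a comment such as `# return 404 takes effect first; deny all is only a fallback` would stop it being read as the active control. The enclosing `location /phpmyadmin` block starts before this hunk.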
 

+ 33 - 799
install/deb/themes/dark.css


+ 8 - 0
install/deb/themes/flat.css

@@ -20,6 +20,14 @@ b, strong {
     background: #fafafa !important;
 }
 
+.to-top, .to-shortcuts, 
+.to-top:hover, .to-shortcuts:hover,
+.to-top:active, .to-shortcuts:active {
+    box-shadow: none !important;
+    background: none !important;
+    background-color: #eee !important;
+} 
+
 .l-header {
     box-shadow: none;
     background: #5070a6;
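Review bot: The new selector line `.to-top, .to-shortcuts, ` and the closing `} ` both carry trailing whitespace, which the surrounding rules do not; trimming it keeps future diffs clean. Nothing else in the rule is worth changing.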

+ 5 - 7
install/hst-install-debian.sh

@@ -437,7 +437,7 @@ echo ' |  _  |  __/\__ \ |_| | (_| | |___|  __/ '
 echo ' |_| |_|\___||___/\__|_|\__,_|\____|_|    '
 echo
 echo '                      Hestia Control Panel'
-echo '                                    v1.1.0'
+echo '                                    v1.1.1'
 echo -e "\n"
 echo "===================================================================="
 echo -e "\n"
@@ -623,9 +623,7 @@ fi
 # Installing hestia repo
 echo "(*) Hestia Control Panel"
 echo "deb https://$RHOST/ $codename main" > $apt/hestia.list
-wget --quiet https://gpg.hestiacp.com/deb_signing.key -O /tmp/deb_signing.key
-APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/deb_signing.key > /dev/null 2>&1
-rm /tmp/deb_signing.key
+APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5 > /dev/null 2>&1
 
 # Installing postgresql repo
 if [ "$postgresql" = 'yes' ]; then
@@ -1077,7 +1075,7 @@ echo "BACKUP_SYSTEM='local'" >> $HESTIA/conf/hestia.conf
 echo "LANGUAGE='$lang'" >> $HESTIA/conf/hestia.conf
 
 # Version & Release Branch
-echo "VERSION='1.1.0'" >> $HESTIA/conf/hestia.conf
+echo "VERSION='1.1.1'" >> $HESTIA/conf/hestia.conf
 echo "RELEASE_BRANCH='release'" >> $HESTIA/conf/hestia.conf
 
 # Installing hosting packages
@@ -1345,8 +1343,8 @@ if [ "$mysql" = 'yes' ]; then
     cp -rf phpMyAdmin-$pma_v-all-languages/* /usr/share/phpmyadmin
 
     # Set config and log directory
-    sed -i "s|define('CONFIG_DIR', '');|define('CONFIG_DIR', '/etc/phpmyadmin/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
-    sed -i "s|define('TEMP_DIR', './tmp/');|define('TEMP_DIR', '/var/lib/phpmyadmin/tmp/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
+    sed -i "s|define('CONFIG_DIR', ROOT_PATH);|define('CONFIG_DIR', '/etc/phpmyadmin/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
+    sed -i "s|define('TEMP_DIR', ROOT_PATH . 'tmp/');|define('TEMP_DIR', '/var/lib/phpmyadmin/tmp/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
 
     # Create temporary folder and change permission
     mkdir /usr/share/phpmyadmin/tmp
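Review bot: The new `apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5` line in the second hunk discards stdout and stderr and its exit status is never checked, so a keyserver outage or a filtered HKP port leaves the Hestia repository without a trusted key and the installer carries on until `apt-get update` fails much later with an unrelated-looking error; the same line appears in install/hst-install-ubuntu.sh. A minimal guard is `... > /dev/null 2>&1 || { echo "Error: could not import the Hestia repository signing key"; exit 1; }`. Fetching by 64-bit key ID over plain HKP is also a weaker integrity check than the HTTPS download it replaces, since as far as I know gnupg only verifies that the received key's ID matches; passing the full fingerprint (`--recv-keys <FULL_FINGERPRINT>`, placeholder) and using `hkps://keyserver.ubuntu.com` where the installed gnupg supports it would restore a comparable check. The fourth hunk's `sed -i` edits likewise give no indication when their pattern did not match.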

+ 5 - 7
install/hst-install-ubuntu.sh

@@ -399,7 +399,7 @@ echo ' |  _  |  __/\__ \ |_| | (_| | |___|  __/ '
 echo ' |_| |_|\___||___/\__|_|\__,_|\____|_|    '
 echo
 echo '                      Hestia Control Panel'
-echo '                                    v1.1.0'
+echo '                                    v1.1.1'
 echo -e "\n"
 echo "===================================================================="
 echo -e "\n"
@@ -579,9 +579,7 @@ APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key adv --recv-keys --keyserver keyse
 # Installing hestia repo
 echo "(*) Hestia Control Panel"
 echo "deb https://$RHOST/ $codename main" > $apt/hestia.list
-wget --quiet https://gpg.hestiacp.com/deb_signing.key -O /tmp/deb_signing.key
-APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/deb_signing.key > /dev/null 2>&1
-rm /tmp/deb_signing.key
+APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A189E93654F0B0E5 > /dev/null 2>&1
 
 # Installing postgresql repo
 if [ "$postgresql" = 'yes' ]; then
@@ -1046,7 +1044,7 @@ echo "BACKUP_SYSTEM='local'" >> $HESTIA/conf/hestia.conf
 echo "LANGUAGE='$lang'" >> $HESTIA/conf/hestia.conf
 
 # Version & Release Branch
-echo "VERSION='1.1.0'" >> $HESTIA/conf/hestia.conf
+echo "VERSION='1.1.1'" >> $HESTIA/conf/hestia.conf
 echo "RELEASE_BRANCH='release'" >> $HESTIA/conf/hestia.conf
 
 # Installing hosting packages
@@ -1315,8 +1313,8 @@ if [ "$mysql" = 'yes' ]; then
     cp -rf phpMyAdmin-$pma_v-all-languages/* /usr/share/phpmyadmin
 
     # Set config and log directory
-    sed -i "s|define('CONFIG_DIR', '');|define('CONFIG_DIR', '/etc/phpmyadmin/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
-    sed -i "s|define('TEMP_DIR', './tmp/');|define('TEMP_DIR', '/var/lib/phpmyadmin/tmp/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
+    sed -i "s|define('CONFIG_DIR', ROOT_PATH);|define('CONFIG_DIR', '/etc/phpmyadmin/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
+    sed -i "s|define('TEMP_DIR', ROOT_PATH . 'tmp/');|define('TEMP_DIR', '/var/lib/phpmyadmin/tmp/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
 
     # Create temporary folder and change permission
     mkdir /usr/share/phpmyadmin/tmp

+ 11 - 215
install/upgrade/versions/latest.sh

@@ -1,224 +1,20 @@
 #!/bin/sh
 
-# Hestia Control Panel upgrade script for target version 1.1.0
+# Hestia Control Panel upgrade script for target version 1.1.1
 
 #######################################################################################
 #######                      Place additional commands below.                   #######
 #######################################################################################
 
-# Set default theme
-if [ -z $THEME ]; then
-    echo "(*) Enabling support for themes..."
-    $BIN/v-change-sys-theme 'default'
+# Remove 5s delay when sending mail through exim4
+if [ -e "/etc/exim4/exim4.conf.template" ]; then
+    echo "(*) Updating exim4 configuration..."
+    sed -i "s|rfc1413_query_timeout = 5s|rfc1413_query_timeout = 0s|g" /etc/exim4/exim4.conf.template
 fi
 
-# Reduce SSH login grace time
-if [ -e /etc/ssh/sshd_config ]; then
-    echo "(*) Hardening SSH daemon configuration..."
-    sed -i "s/LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
-    sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
-fi
-
-# Implement recidive jail for fail2ban
-if [ ! -z "$FIREWALL_EXTENSION" ]; then
-    if ! cat /etc/fail2ban/jail.local | grep -q "\[recidive\]"; then
-        echo -e "\n\n[recidive]\nenabled  = true\nfilter   = recidive\naction   = hestia[name=HESTIA]\nlogpath  = /var/log/fail2ban.log\nmaxretry = 3\nfindtime = 86400\nbantime  = 864000" >> /etc/fail2ban/jail.local
-    fi
-fi
-
-# Enable OCSP SSL stapling and harden nginx configuration for roundcube
-if [ ! -z "$IMAP_SYSTEM" ]; then
-    echo "(*) Hardening security of Roundcube webmail..."
-    $BIN/v-update-mail-templates > /dev/null 2>&1
-    if [ -e /etc/nginx/conf.d/webmail.inc ]; then
-        cp -f /etc/nginx/conf.d/webmail.inc $HESTIA_BACKUP/conf/
-        sed -i "s/config|temp|logs/README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING/g" /etc/nginx/conf.d/webmail.inc
-    fi
-fi
-
-# Fix restart queue
-if [ -z "$($BIN/v-list-cron-jobs admin | grep 'v-update-sys-queue restart')" ]; then
-    command="sudo $BIN/v-update-sys-queue restart"
-    $BIN/v-add-cron-job 'admin' '*/2' '*' '*' '*' '*' "$command"
-fi
-
-# Remove deprecated line from ClamAV configuration file
-if [ -e "/etc/clamav/clamd.conf" ]; then
-    clamd_conf_update_check=$(grep DetectBrokenExecutables /etc/clamav/clamd.conf)
-    if [ ! -z "$clamd_conf_update_check" ]; then
-        echo "(*) Updating ClamAV configuration..."
-        sed -i '/DetectBrokenExecutables/d' /etc/clamav/clamd.conf
-    fi
-fi
-
-# Remove errornous history.log file created by certain builds due to bug in v-restart-system
-if [ -e $HESTIA/data/users/history.log ]; then
-    rm -f $HESTIA/data/users/history.log
-fi
-
-# Use exim4 server hostname instead of mail domain and remove hardcoded mail prefix
-if [ ! -z "$MAIL_SYSTEM" ]; then
-    echo "(*) Updating exim configuration..."
-    if cat /etc/exim4/exim4.conf.template | grep -q 'helo_data = mail.${sender_address_domain}'; then
-        sed -i 's/helo_data = mail.${sender_address_domain}/helo_data = ${primary_hostname}/g' /etc/exim4/exim4.conf.template
-    fi
-    if ! grep -q '^OUTGOING_IP = /' /etc/exim4/exim4.conf.template; then
-        sed -i '/^OUTGOING_IP/d' /etc/exim4/exim4.conf.template
-        sed -i 's|^begin acl|OUTGOING_IP = /etc/exim4/domains/$sender_address_domain/ip\nbegin acl|' /etc/exim4/exim4.conf.template
-    fi
-    if ! grep -q 'interface =' /etc/exim4/exim4.conf.template; then
-        sed -i '/interface =/d' /etc/exim4/exim4.conf.template
-        sed -i 's|dkim_strict = 0|dkim_strict = 0\n  interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}|' /etc/exim4/exim4.conf.template
-    fi
-fi
-
-# Members of admin group should be permitted to enter admin folder
-if [ -d /home/admin ]; then
-    setfacl -m "g:admin:r-x" /home/admin
-fi
-
-# Fix sftp jail cronjob
-if [ -e "/etc/cron.d/hestia-sftp" ]; then
-    if ! cat /etc/cron.d/hestia-sftp | grep -q 'root'; then
-        echo "@reboot root /usr/local/hestia/bin/v-add-sys-sftp-jail" > /etc/cron.d/hestia-sftp
-    fi
-fi
-
-# Create default writeable folders for all users
-echo "(*) Updating default writable folders for all users..."
-for user in $($HESTIA/bin/v-list-sys-users plain); do
-    mkdir -p \
-        $HOMEDIR/$user/.cache \
-        $HOMEDIR/$user/.config \
-        $HOMEDIR/$user/.local \
-        $HOMEDIR/$user/.composer \
-        $HOMEDIR/$user/.ssh
-
-    chown $user:$user \
-        $HOMEDIR/$user/.cache \
-        $HOMEDIR/$user/.config \
-        $HOMEDIR/$user/.local \
-        $HOMEDIR/$user/.composer \
-        $HOMEDIR/$user/.ssh
-done
-
-# Remove redundant fail2ban jail
-if fail2ban-client status sshd > /dev/null 2>&1 ; then
-    fail2ban-client stop sshd >/dev/null 2>&1
-    if [ -f /etc/fail2ban/jail.d/defaults-debian.conf ]; then
-        mkdir -p $HESTIA_BACKUP/conf/fail2ban/jail.d
-        mv /etc/fail2ban/jail.d/defaults-debian.conf $HESTIA_BACKUP/conf/fail2ban/jail.d/
-    fi
-fi
-
-# Update Office 365/Microsoft 365 DNS template
-if [ -e "$HESTIA/data/templates/dns/office365.tpl" ]; then
-    echo "(*) Updating DNS template for Office 365..."
-    cp -f $HESTIA/install/deb/templates/dns/office365.tpl $HESTIA/data/templates/dns/office365.tpl
-fi
-
-# Ensure that backup compression level is correctly set
-GZIP_LVL_CHECK=$(cat $HESTIA/conf/hestia.conf | grep BACKUP_GZIP)
-if [ -z "$GZIP_LVL_CHECK" ]; then
-    echo "(*) Updating backup compression level variable..."
-    $BIN/v-change-sys-config-value "BACKUP_GZIP" '9'
-fi
-
-# Randomize Roundcube des_key for better security
-if [ -f "/etc/roundcube/config.inc.php" ]; then
-    rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
-    sed -i "s/vtIOjLZo9kffJoqzpSbm5r1r/$rcDesKey/g" /etc/roundcube/config.inc.php
-fi
-
-# Place robots.txt to prevent webmail crawling by search engine bots.
-if [ -e "/var/lib/roundcube/" ]; then
-    if [ ! -f "/var/lib/roundcube/robots.txt" ]; then
-        echo "User-agent: *" > /var/lib/roundcube/robots.txt
-        echo "Disallow: /" >> /var/lib/roundcube/robots.txt
-    fi
-fi
-
-# Installing postgresql repo
-if [ -e "/etc/postgresql" ]; then
-    echo "(*) Enabling native PostgreSQL APT repository..."
-    osname="$(cat /etc/os-release | grep "^ID\=" | sed "s/ID\=//g")"
-    if [ "$osname" = "ubuntu" ]; then
-        codename="$(lsb_release -s -c)"
-    else
-        codename="$(cat /etc/os-release |grep VERSION= |cut -f 2 -d \(|cut -f 1 -d \))"
-    fi
-    echo "deb http://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > /etc/apt/sources.list.d/postgresql.list
-    wget --quiet https://www.postgresql.org/media/keys/ACCC4CF8.asc -O /tmp/psql_signing.key
-    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/psql_signing.key > /dev/null 2>&1
-    rm /tmp/psql_signing.key
-fi
-
-# Hardening MySQL configuration, prevent local infile.
-if [ -e "/etc/mysql/my.cnf" ]; then
-    mysql_local_infile_check=$(grep local-infile /etc/mysql/my.cnf)
-    if [ -z "$mysql_local_infile_check" ]; then
-        echo "(*) Hardening MySQL configuration..."
-        sed -i '/symbolic-links\=0/a\local-infile=0' /etc/mysql/my.cnf
-    fi
-fi
-
-# Hardening nginx configuration, drop TLSv1.1 support.
-if [ -e "/etc/nginx/nginx.conf" ]; then
-    nginx_tls_check=$(grep TLSv1.1 /etc/nginx/nginx.conf)
-    if [ ! -z "$nginx_tls_check" ]; then
-        echo "(*) Updating nginx security settings - disabling TLS v1.1..."
-        sed -i 's/TLSv1.1 //g' /etc/nginx/nginx.conf
-    fi
-fi
-
-# Fix logrotate permission bug for nginx
-if [ -e "/etc/logrotate/nginx" ]; then
-    sed -i "s/create 640 nginx adm/create 640/g" /etc/logrotate.d/nginx
-fi
-
-# Fix logrotate permission bug for apache
-if [ -e "/etc/logrotate/apache2" ]; then
-    sed -i "s/create 640 root adm/create 640/g" /etc/logrotate.d/apache2
-fi
-
-# Repair messed up user log permissions from the logrotate bug. Ignoring errors
-for user in $($HESTIA/bin/v-list-users plain | cut -f1); do
-    for domain in $($HESTIA/bin/v-list-web-domains $user plain | cut -f1); do
-        chown root:$user /var/log/$WEB_SYSTEM/domains/$domain.* > /dev/null 2>&1
-        for sub_domain in $($HESTIA/bin/v-list-web-domain $user $domain plain | cut -f7 | tr ',' '\n'); do
-            chown root:$user /var/log/$WEB_SYSTEM/domains/$sub_domain.* > /dev/null 2>&1
-        done
-    done
-done
-
-chown root:root /var/log/$WEB_SYSTEM/domains/$WEBMAIL_ALIAS* > /dev/null 2>&1
-
-# Enable IMAP/POP3 quota information
-if [ "$IMAP_SYSTEM" = "dovecot" ]; then
-    echo "(*) Enabling IMAP quota information reporting..."
-    if [ -e /etc/dovecot/conf.d/20-pop3.conf ]; then
-        cp -f $HESTIA/install/deb/dovecot/conf.d/20-pop3.conf /etc/dovecot/conf.d/20-pop3.conf
-    fi
-    if [ -e /etc/dovecot/conf.d/20-imap.conf ]; then
-        cp -f $HESTIA/install/deb/dovecot/conf.d/20-imap.conf /etc/dovecot/conf.d/20-imap.conf
-    fi
-    if [ -e /etc/dovecot/conf.d/90-quota.conf ]; then
-        cp -f $HESTIA/install/deb/dovecot/conf.d/90-quota.conf /etc/dovecot/conf.d/90-quota.conf
-    fi
-fi
-
-# Trigger multiphp legacy migration script
-num_php_versions=$(ls -d /etc/php/*/fpm/pool.d 2>/dev/null |wc -l)
-if [ "$num_php_versions" -gt 1 ] && [ -z "$WEB_BACKEND" ]; then
-    echo "(*) Enabling modular Multi-PHP backend..."
-    cp -rf $HESTIA/data/templates/web $HESTIA_BACKUP/templates/web
-    bash $HESTIA/install/upgrade/manual/migrate_multiphp.sh > /dev/null 2>&1
-fi
-
-# Disable global subfolder alias for webmail in favor of subdomain
-if [ -e /etc/nginx/conf.d/webmail.inc ]; then
-    rm -f /etc/nginx/conf.d/webmail.inc
-fi
-if [ -e /etc/apache2/conf.d/roundcube.conf ]; then
-    rm -f /etc/apache2/conf.d/roundcube.conf
-fi
+# Fix phpMyAdmin blowfish and tmp directory issues
+if [ -e "/usr/share/phpmyadmin/libraries/vendor_config.php" ]; then
+    echo "(*) Updating phpMyAdmin configuration..."
+    sed -i "s|define('CONFIG_DIR', ROOT_PATH);|define('CONFIG_DIR', '/etc/phpmyadmin/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
+    sed -i "s|define('TEMP_DIR', ROOT_PATH . 'tmp/');|define('TEMP_DIR', '/var/lib/phpmyadmin/tmp/');|" /usr/share/phpmyadmin/libraries/vendor_config.php
+fi
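Review bot: The phpMyAdmin block sets `TEMP_DIR` to `/var/lib/phpmyadmin/tmp/` but nothing in this script creates that directory or sets its ownership, whereas the installer hunks in this commit only `mkdir /usr/share/phpmyadmin/tmp`, a different path; on a host where phpMyAdmin came from the upstream tarball rather than the distribution package the new temp directory may not exist and writes to it would fail. An explicit `mkdir -p /var/lib/phpmyadmin/tmp` followed by a `chown` to the web-server user (www-data on Debian/Ubuntu, to be confirmed against what the installer uses) would close that gap. Both `sed -i` calls also succeed silently when their pattern is absent, so a `grep -q` guard like the ClamAV and MySQL checks in the removed code would let the step report whether it actually changed anything. Restarting exim after the template edit is not shown here; if the upgrade routine does not restart services afterwards, the timeout change only takes effect on the next restart.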

+ 224 - 0
install/upgrade/versions/previous/1.1.0.sh

@@ -0,0 +1,224 @@
+#!/bin/sh
+
+# Hestia Control Panel upgrade script for target version 1.1.0
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+
+# Set default theme
+if [ -z $THEME ]; then
+    echo "(*) Enabling support for themes..."
+    $BIN/v-change-sys-theme 'default'
+fi
+
+# Reduce SSH login grace time
+if [ -e /etc/ssh/sshd_config ]; then
+    echo "(*) Hardening SSH daemon configuration..."
+    sed -i "s/LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
+    sed -i "s/#LoginGraceTime 2m/LoginGraceTime 1m/g" /etc/ssh/sshd_config
+fi
+
+# Implement recidive jail for fail2ban
+if [ ! -z "$FIREWALL_EXTENSION" ]; then
+    if ! cat /etc/fail2ban/jail.local | grep -q "\[recidive\]"; then
+        echo -e "\n\n[recidive]\nenabled  = true\nfilter   = recidive\naction   = hestia[name=HESTIA]\nlogpath  = /var/log/fail2ban.log\nmaxretry = 3\nfindtime = 86400\nbantime  = 864000" >> /etc/fail2ban/jail.local
+    fi
+fi
+
+# Enable OCSP SSL stapling and harden nginx configuration for roundcube
+if [ ! -z "$IMAP_SYSTEM" ]; then
+    echo "(*) Hardening security of Roundcube webmail..."
+    $BIN/v-update-mail-templates > /dev/null 2>&1
+    if [ -e /etc/nginx/conf.d/webmail.inc ]; then
+        cp -f /etc/nginx/conf.d/webmail.inc $HESTIA_BACKUP/conf/
+        sed -i "s/config|temp|logs/README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING/g" /etc/nginx/conf.d/webmail.inc
+    fi
+fi
+
+# Fix restart queue
+if [ -z "$($BIN/v-list-cron-jobs admin | grep 'v-update-sys-queue restart')" ]; then
+    command="sudo $BIN/v-update-sys-queue restart"
+    $BIN/v-add-cron-job 'admin' '*/2' '*' '*' '*' '*' "$command"
+fi
+
+# Remove deprecated line from ClamAV configuration file
+if [ -e "/etc/clamav/clamd.conf" ]; then
+    clamd_conf_update_check=$(grep DetectBrokenExecutables /etc/clamav/clamd.conf)
+    if [ ! -z "$clamd_conf_update_check" ]; then
+        echo "(*) Updating ClamAV configuration..."
+        sed -i '/DetectBrokenExecutables/d' /etc/clamav/clamd.conf
+    fi
+fi
+
+# Remove errornous history.log file created by certain builds due to bug in v-restart-system
+if [ -e $HESTIA/data/users/history.log ]; then
+    rm -f $HESTIA/data/users/history.log
+fi
+
+# Use exim4 server hostname instead of mail domain and remove hardcoded mail prefix
+if [ ! -z "$MAIL_SYSTEM" ]; then
+    echo "(*) Updating exim configuration..."
+    if cat /etc/exim4/exim4.conf.template | grep -q 'helo_data = mail.${sender_address_domain}'; then
+        sed -i 's/helo_data = mail.${sender_address_domain}/helo_data = ${primary_hostname}/g' /etc/exim4/exim4.conf.template
+    fi
+    if ! grep -q '^OUTGOING_IP = /' /etc/exim4/exim4.conf.template; then
+        sed -i '/^OUTGOING_IP/d' /etc/exim4/exim4.conf.template
+        sed -i 's|^begin acl|OUTGOING_IP = /etc/exim4/domains/$sender_address_domain/ip\nbegin acl|' /etc/exim4/exim4.conf.template
+    fi
+    if ! grep -q 'interface =' /etc/exim4/exim4.conf.template; then
+        sed -i '/interface =/d' /etc/exim4/exim4.conf.template
+        sed -i 's|dkim_strict = 0|dkim_strict = 0\n  interface = ${if exists{OUTGOING_IP}{${readfile{OUTGOING_IP}}}}|' /etc/exim4/exim4.conf.template
+    fi
+fi
+
+# Members of admin group should be permitted to enter admin folder
+if [ -d /home/admin ]; then
+    setfacl -m "g:admin:r-x" /home/admin
+fi
+
+# Fix sftp jail cronjob
+if [ -e "/etc/cron.d/hestia-sftp" ]; then
+    if ! cat /etc/cron.d/hestia-sftp | grep -q 'root'; then
+        echo "@reboot root /usr/local/hestia/bin/v-add-sys-sftp-jail" > /etc/cron.d/hestia-sftp
+    fi
+fi
+
+# Create default writeable folders for all users
+echo "(*) Updating default writable folders for all users..."
+for user in $($HESTIA/bin/v-list-sys-users plain); do
+    mkdir -p \
+        $HOMEDIR/$user/.cache \
+        $HOMEDIR/$user/.config \
+        $HOMEDIR/$user/.local \
+        $HOMEDIR/$user/.composer \
+        $HOMEDIR/$user/.ssh
+
+    chown $user:$user \
+        $HOMEDIR/$user/.cache \
+        $HOMEDIR/$user/.config \
+        $HOMEDIR/$user/.local \
+        $HOMEDIR/$user/.composer \
+        $HOMEDIR/$user/.ssh
+done
+
+# Remove redundant fail2ban jail
+if fail2ban-client status sshd > /dev/null 2>&1 ; then
+    fail2ban-client stop sshd >/dev/null 2>&1
+    if [ -f /etc/fail2ban/jail.d/defaults-debian.conf ]; then
+        mkdir -p $HESTIA_BACKUP/conf/fail2ban/jail.d
+        mv /etc/fail2ban/jail.d/defaults-debian.conf $HESTIA_BACKUP/conf/fail2ban/jail.d/
+    fi
+fi
+
+# Update Office 365/Microsoft 365 DNS template
+if [ -e "$HESTIA/data/templates/dns/office365.tpl" ]; then
+    echo "(*) Updating DNS template for Office 365..."
+    cp -f $HESTIA/install/deb/templates/dns/office365.tpl $HESTIA/data/templates/dns/office365.tpl
+fi
+
+# Ensure that backup compression level is correctly set
+GZIP_LVL_CHECK=$(cat $HESTIA/conf/hestia.conf | grep BACKUP_GZIP)
+if [ -z "$GZIP_LVL_CHECK" ]; then
+    echo "(*) Updating backup compression level variable..."
+    $BIN/v-change-sys-config-value "BACKUP_GZIP" '9'
+fi
+
+# Randomize Roundcube des_key for better security
+if [ -f "/etc/roundcube/config.inc.php" ]; then
+    rcDesKey="$(openssl rand -base64 30 | tr -d "/" | cut -c1-24)"
+    sed -i "s/vtIOjLZo9kffJoqzpSbm5r1r/$rcDesKey/g" /etc/roundcube/config.inc.php
+fi
+
+# Place robots.txt to prevent webmail crawling by search engine bots.
+if [ -e "/var/lib/roundcube/" ]; then
+    if [ ! -f "/var/lib/roundcube/robots.txt" ]; then
+        echo "User-agent: *" > /var/lib/roundcube/robots.txt
+        echo "Disallow: /" >> /var/lib/roundcube/robots.txt
+    fi
+fi
+
+# Installing postgresql repo
+if [ -e "/etc/postgresql" ]; then
+    echo "(*) Enabling native PostgreSQL APT repository..."
+    osname="$(cat /etc/os-release | grep "^ID\=" | sed "s/ID\=//g")"
+    if [ "$osname" = "ubuntu" ]; then
+        codename="$(lsb_release -s -c)"
+    else
+        codename="$(cat /etc/os-release |grep VERSION= |cut -f 2 -d \(|cut -f 1 -d \))"
+    fi
+    echo "deb http://apt.postgresql.org/pub/repos/apt/ $codename-pgdg main" > /etc/apt/sources.list.d/postgresql.list
+    wget --quiet https://www.postgresql.org/media/keys/ACCC4CF8.asc -O /tmp/psql_signing.key
+    APT_KEY_DONT_WARN_ON_DANGEROUS_USAGE=1 apt-key add /tmp/psql_signing.key > /dev/null 2>&1
+    rm /tmp/psql_signing.key
+fi
+
+# Hardening MySQL configuration, prevent local infile.
+if [ -e "/etc/mysql/my.cnf" ]; then
+    mysql_local_infile_check=$(grep local-infile /etc/mysql/my.cnf)
+    if [ -z "$mysql_local_infile_check" ]; then
+        echo "(*) Hardening MySQL configuration..."
+        sed -i '/symbolic-links\=0/a\local-infile=0' /etc/mysql/my.cnf
+    fi
+fi
+
+# Hardening nginx configuration, drop TLSv1.1 support.
+if [ -e "/etc/nginx/nginx.conf" ]; then
+    nginx_tls_check=$(grep TLSv1.1 /etc/nginx/nginx.conf)
+    if [ ! -z "$nginx_tls_check" ]; then
+        echo "(*) Updating nginx security settings - disabling TLS v1.1..."
+        sed -i 's/TLSv1.1 //g' /etc/nginx/nginx.conf
+    fi
+fi
+
+# Fix logrotate permission bug for nginx
+if [ -e "/etc/logrotate/nginx" ]; then
+    sed -i "s/create 640 nginx adm/create 640/g" /etc/logrotate.d/nginx
+fi
+
+# Fix logrotate permission bug for apache
+if [ -e "/etc/logrotate/apache2" ]; then
+    sed -i "s/create 640 root adm/create 640/g" /etc/logrotate.d/apache2
+fi
+
+# Repair messed up user log permissions from the logrotate bug. Ignoring errors
+for user in $($HESTIA/bin/v-list-users plain | cut -f1); do
+    for domain in $($HESTIA/bin/v-list-web-domains $user plain | cut -f1); do
+        chown root:$user /var/log/$WEB_SYSTEM/domains/$domain.* > /dev/null 2>&1
+        for sub_domain in $($HESTIA/bin/v-list-web-domain $user $domain plain | cut -f7 | tr ',' '\n'); do
+            chown root:$user /var/log/$WEB_SYSTEM/domains/$sub_domain.* > /dev/null 2>&1
+        done
+    done
+done
+
+chown root:root /var/log/$WEB_SYSTEM/domains/$WEBMAIL_ALIAS* > /dev/null 2>&1
+
+# Enable IMAP/POP3 quota information
+if [ "$IMAP_SYSTEM" = "dovecot" ]; then
+    echo "(*) Enabling IMAP quota information reporting..."
+    if [ -e /etc/dovecot/conf.d/20-pop3.conf ]; then
+        cp -f $HESTIA/install/deb/dovecot/conf.d/20-pop3.conf /etc/dovecot/conf.d/20-pop3.conf
+    fi
+    if [ -e /etc/dovecot/conf.d/20-imap.conf ]; then
+        cp -f $HESTIA/install/deb/dovecot/conf.d/20-imap.conf /etc/dovecot/conf.d/20-imap.conf
+    fi
+    if [ -e /etc/dovecot/conf.d/90-quota.conf ]; then
+        cp -f $HESTIA/install/deb/dovecot/conf.d/90-quota.conf /etc/dovecot/conf.d/90-quota.conf
+    fi
+fi
+
+# Trigger multiphp legacy migration script
+num_php_versions=$(ls -d /etc/php/*/fpm/pool.d 2>/dev/null |wc -l)
+if [ "$num_php_versions" -gt 1 ] && [ -z "$WEB_BACKEND" ]; then
+    echo "(*) Enabling modular Multi-PHP backend..."
+    cp -rf $HESTIA/data/templates/web $HESTIA_BACKUP/templates/web
+    bash $HESTIA/install/upgrade/manual/migrate_multiphp.sh > /dev/null 2>&1
+fi
+
+# Disable global subfolder alias for webmail in favor of subdomain
+if [ -e /etc/nginx/conf.d/webmail.inc ]; then
+    rm -f /etc/nginx/conf.d/webmail.inc
+fi
+if [ -e /etc/apache2/conf.d/roundcube.conf ]; then
+    rm -f /etc/apache2/conf.d/roundcube.conf
+fi
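Review bot: The two logrotate blocks test for `/etc/logrotate/nginx` and `/etc/logrotate/apache2` but the `sed` calls inside them edit `/etc/logrotate.d/nginx` and `/etc/logrotate.d/apache2`; the tested path is not where those files live, so the fix never runs. This is carried over unchanged from the old latest.sh, but since upgrades from 1.0.6 are meant to go through this file now, the conditions should read `if [ -e "/etc/logrotate.d/nginx" ]; then` and `if [ -e "/etc/logrotate.d/apache2" ]; then`. The Roundcube block replaces only the hard-coded default `des_key` string, so an installation that already had a custom key is left untouched, which is presumably intended but worth a one-line comment.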

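--- a/src/deb/hestia/control
+++ b/src/deb/hestia/control
@@ -1,7 +1,7 @@
 Source: hestia
 Package: hestia
 Priority: optional
-Version: 1.1.0
+Version: 1.1.1
 Section: admin
 Maintainer: HestiaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com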

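--- a/src/deb/php/control
+++ b/src/deb/php/control
@@ -1,7 +1,7 @@
 Source: hestia-php
 Package: hestia-php
 Priority: optional
-Version: 7.4.3
+Version: 7.4.4
 Section: admin
 Maintainer: HestaCP <info@hestiacp.com>
 Homepage: https://www.hestiacp.com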

+ 64 - 62
src/deb/php/php.ini

@@ -108,11 +108,6 @@
 ;   Development Value: E_ALL
 ;   Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
 
-; html_errors
-;   Default Value: On
-;   Development Value: On
-;   Production value: On
-
 ; log_errors
 ;   Default Value: Off
 ;   Development Value: On
@@ -289,6 +284,13 @@ implicit_flush = Off
 ; callback-function.
 unserialize_callback_func =
 
+; The unserialize_max_depth specifies the default depth limit for unserialized
+; structures. Setting the depth limit too high may result in stack overflows
+; during unserialization. The unserialize_max_depth ini setting can be
+; overridden by the max_depth option on individual unserialize() calls.
+; A value of 0 disables the depth limit.
+;unserialize_max_depth = 4096
+
 ; When floats & doubles are serialized, store serialize_precision significant
 ; digits after the floating point. The default value ensures that when floats
 ; are decoded with unserialize, the data will remain the same.
@@ -307,7 +309,7 @@ serialize_precision = -1
 ; This directive allows you to disable certain functions for security reasons.
 ; It receives a comma-delimited list of function names.
 ; http://php.net/disable-functions
-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,passthru,system,proc_open,popen,show_source,
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,passthru,system,proc_open,popen,show_source,
 
 ; This directive allows you to disable certain classes for security reasons.
 ; It receives a comma-delimited list of class names.
@@ -359,6 +361,12 @@ zend.enable_gc = On
 ; Default: ""
 ;zend.script_encoding =
 
+; Allows to include or exclude arguments from stack traces generated for exceptions
+; Default: Off
+; In production, it is recommended to turn this setting on to prohibit the output
+; of sensitive information in stack traces
+zend.exception_ignore_args = On
+
 ;;;;;;;;;;;;;;;;;
 ; Miscellaneous ;
 ;;;;;;;;;;;;;;;;;
@@ -511,7 +519,7 @@ ignore_repeated_errors = Off
 ignore_repeated_source = Off
 
 ; If this parameter is set to Off, then memory leaks will not be shown (on
-; stdout or in the log). This has only effect in a debug compile, and if
+; stdout or in the log). This is only effective in a debug compile, and if
 ; error reporting includes E_WARNING in the allowed list
 ; http://php.net/report-memleaks
 report_memleaks = On
@@ -540,11 +548,8 @@ report_memleaks = On
 ; error message as HTML for easier reading. This directive controls whether
 ; the error message is formatted as HTML or not.
 ; Note: This directive is hardcoded to Off for the CLI SAPI
-; Default Value: On
-; Development Value: On
-; Production value: On
 ; http://php.net/html-errors
-;html_errors = On
+html_errors = On
 
 ; If html_errors is set to On *and* docref_root is not empty, then PHP
 ; produces clickable error messages that direct to a page describing the error
@@ -598,6 +603,7 @@ syslog.ident = hestia-php
 ;   ascii (all printable ASCII characters and NL)
 ;   no-ctrl (all characters except control characters)
 ;   all (all characters)
+;   raw (like "all", but messages are not split at newlines)
 ; http://php.net/syslog.filter
 ;syslog.filter = ascii
 
@@ -668,7 +674,7 @@ register_argc_argv = Off
 ; first used (Just In Time) instead of when the script starts. If these
 ; variables are not used within a script, having this directive on will result
 ; in a performance gain. The PHP directive register_argc_argv must be disabled
-; for this directive to have any affect.
+; for this directive to have any effect.
 ; http://php.net/auto-globals-jit
 auto_globals_jit = On
 
@@ -906,13 +912,14 @@ default_socket_timeout = 60
 ;
 ;extension=bz2
 ;extension=curl
+;extension=ffi
+;extension=ftp
 ;extension=fileinfo
 ;extension=gd2
 ;extension=gettext
 ;extension=gmp
 ;extension=intl
 ;extension=imap
-;extension=interbase
 ;extension=ldap
 ;extension=mbstring
 ;extension=exif      ; Must be after mbstring as it depends on it
@@ -1127,37 +1134,6 @@ odbc.defaultlrl = 4096
 ; http://php.net/odbc.defaultbinmode
 odbc.defaultbinmode = 1
 
-[Interbase]
-; Allow or prevent persistent links.
-ibase.allow_persistent = 1
-
-; Maximum number of persistent links.  -1 means no limit.
-ibase.max_persistent = -1
-
-; Maximum number of links (persistent + non-persistent).  -1 means no limit.
-ibase.max_links = -1
-
-; Default database name for ibase_connect().
-;ibase.default_db =
-
-; Default username for ibase_connect().
-;ibase.default_user =
-
-; Default password for ibase_connect().
-;ibase.default_password =
-
-; Default charset for ibase_connect().
-;ibase.default_charset =
-
-; Default timestamp format.
-ibase.timestampformat = "%Y-%m-%d %H:%M:%S"
-
-; Default date format.
-ibase.dateformat = "%Y-%m-%d"
-
-; Default time format.
-ibase.timeformat = "%H:%M:%S"
-
 [MySQLi]
 
 ; Maximum number of persistent links.  -1 means no limit.
@@ -1188,11 +1164,11 @@ mysqli.default_port = 3306
 ; http://php.net/mysqli.default-socket
 mysqli.default_socket =
 
-; Default host for mysql_connect() (doesn't apply in safe mode).
+; Default host for mysqli_connect() (doesn't apply in safe mode).
 ; http://php.net/mysqli.default-host
 mysqli.default_host =
 
-; Default user for mysql_connect() (doesn't apply in safe mode).
+; Default user for mysqli_connect() (doesn't apply in safe mode).
 ; http://php.net/mysqli.default-user
 mysqli.default_user =
 
@@ -1422,12 +1398,9 @@ session.cookie_samesite =
 ; http://php.net/session.serialize-handler
 session.serialize_handler = php
 
-; Defines the probability that the 'garbage collection' process is started
-; on every session initialization. The probability is calculated by using
-; gc_probability/gc_divisor. Where session.gc_probability is the numerator
-; and gc_divisor is the denominator in the equation. Setting this value to 1
-; when the session.gc_divisor value is 100 will give you approximately a 1% chance
-; the gc will run on any given request.
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
 ; Default Value: 1
 ; Development Value: 1
 ; Production Value: 1
@@ -1435,13 +1408,9 @@ session.serialize_handler = php
 session.gc_probability = 0
 
 ; Defines the probability that the 'garbage collection' process is started on every
-; session initialization. The probability is calculated by using the following equation:
-; gc_probability/gc_divisor. Where session.gc_probability is the numerator and
-; session.gc_divisor is the denominator in the equation. Setting this value to 100
-; when the session.gc_probability value is 1 will give you approximately a 1% chance
-; the gc will run on any given request. Increasing this value to 1000 will give you
-; a 0.1% chance the gc will run on any given request. For high volume production servers,
-; this is a more efficient approach.
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; For high volume production servers, using a value of 1000 is a more efficient approach.
 ; Default Value: 100
 ; Development Value: 1000
 ; Production Value: 1000
@@ -1719,6 +1688,11 @@ zend.assertions = -1
 ; Default: 100000
 ;mbstring.regex_stack_limit=100000
 
+; This directive specifies maximum retry count for mbstring regular expressions. It is similar
+; to the pcre.backtrack_limit for PCRE.
+; Default: 1000000
+;mbstring.regex_retry_limit=1000000
+
 [gd]
 ; Tell the jpeg decode to ignore warnings and try to create
 ; a gd image. The warning will then be displayed as notices
@@ -1886,6 +1860,10 @@ ldap.max_links = -1
 ; errors.
 ;opcache.mmap_base=
 
+; Facilitates multiple OPcache instances per user (for Windows only). All PHP
+; processes with the same cache ID and user share an OPcache instance.
+;opcache.cache_id=
+
 ; Enables and sets the second level cache directory.
 ; It should improve performance when SHM memory is full, at server restart or
 ; SHM reset. The default "" disables file based caching.
@@ -1916,6 +1894,24 @@ opcache.validate_root=1
 ; optimizations.
 ;opcache.opt_debug_level=0
 
+; Specifies a PHP script that is going to be compiled and executed at server
+; start-up.
+; http://php.net/opcache.preload
+;opcache.preload=
+
+; Preloading code as root is not allowed for security reasons. This directive
+; facilitates to let the preloading to be run as another user.
+; http://php.net/opcache.preload_user
+;opcache.preload_user=
+
+; Prevents caching files that are less than this number of seconds old. It
+; protects from caching of incompletely updated files. In case all file updates
+; on your site are atomic, you may increase performance by setting it to "0".
+;opcache.file_update_protection=2
+
+; Absolute path used to store shared lockfiles (for *nix only).
+;opcache.lockfile_path=/tmp
+
 [curl]
 ; A default value for the CURLOPT_CAINFO option. This is required to be an
 ; absolute path.
@@ -1939,6 +1935,12 @@ opcache.validate_root=1
 ; SSL stream context option.
 ;openssl.capath=
 
-; Local Variables:
-; tab-width: 4
-; End:
+[ffi]
+; FFI API restriction. Possible values:
+; "preload" - enabled in CLI scripts and preloaded files (default)
+; "false"   - always disabled
+; "true"    - always enabled
+;ffi.enable=preload
+
+; List of headers files to preload, wildcard patterns allowed.
+;ffi.preload=
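Review bot: The `disable_functions` value on the new side still leaves `exec` and `shell_exec` callable while blocking `passthru`, `system`, `proc_open`, `popen` and now `pcntl_unshare`, so the command-execution hardening is inconsistent and a compromised hosted application can still spawn processes through the two remaining functions. If that is a deliberate compatibility choice for hosted applications, a comment on the line before the directive should say so, e.g. `; exec/shell_exec intentionally left enabled for application compatibility`; otherwise append `exec,shell_exec` to the list. The value also ends with a dangling comma after `show_source`, which PHP tolerates but is worth dropping. Separately, `html_errors = On` is now active instead of commented out; that matches the upstream php.ini-production default and is harmless only while `display_errors` stays Off, which is not visible in this hunk and should be confirmed.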

+ 61 - 35
web/css/styles.min.css

@@ -784,8 +784,8 @@ a {
   width: 100%;
   z-index: 900;
   height: 38px;
-  text-shadow: 1px 1px rgba(0,0,0,0.5);
-  box-shadow: 0px 8px 20px rgba(120,120,120,0.35);
+  text-shadow: 1px 1px rgba(0,0,0,0.65);
+  box-shadow: 0px 8px 16px rgba(140,140,140,0.5);
   border-bottom: 1px solid #fff;
 }
 
@@ -936,7 +936,7 @@ a {
 
 .notification-container {
   background-color: rgba(255,255,255,0.95);
-  box-shadow: 0 3px 30px 0 rgba(0, 0, 0, 0.5);
+  box-shadow: 0 3px 20px 0 rgba(0, 0, 0, 0.4);
   list-style-type: none;
   margin: 0 18px;
   max-height: 90%;
@@ -1285,6 +1285,10 @@ form#vstobjects .alert {
   padding: 4px;
 }
 
+.l-stat__col--active .fas {
+  color: #cc3366;
+}
+
 .l-separator.selected,
 .l-separator {
   height: 1px;
@@ -1370,7 +1374,7 @@ div.l-content > div.l-separator:nth-of-type(4) {
   top: 42px;
   background-color: rgba(255,255,255,0.95);
   list-style-type: none;
-  box-shadow: 0 2px 12px 0 rgba(20, 20, 20, 0.25);
+  box-shadow: 0 2px 14px 0 rgba(20, 20, 20, 0.35);
   border-radius: 4px;
   border: 1px solid rgba(255,255,255,1);
   padding: 0px;
@@ -1662,12 +1666,12 @@ div.l-content > div.l-separator:nth-of-type(4) {
 .table-header {
   font-size: 0.95em !important;
   background: linear-gradient(to bottom, rgba(247,247,247,1) 0%,rgba(255,255,255,1) 100%) !important;
-  border-left: 1px solid #ddd !important;
-  border-right: 1px solid #ddd !important;
-  border-bottom: 1px solid #ddd !important;
-  border-top: 1px solid #ddd !important;
-  text-shadow: 0px 1px rgba(255,255,255,0.95);
-  box-shadow: inset 0px 0px 1px rgba(255,255,255,1), inset 0px 0px 4px rgba(255,255,255,0.8), 0px 4px 6px rgba(190,190,190,0.3) !important;
+  border-left: 1px solid #d0d0d0 !important;
+  border-right: 1px solid #d0d0d0 !important;
+  border-bottom: 1px solid #d0d0d0 !important;
+  border-top: 1px solid #d0d0d0 !important;
+  text-shadow: 0px 1px rgba(255,255,255,1);
+  box-shadow: inset 0px 1px 1px rgba(255,255,255,1), inset 0px 0px 1px rgba(255,255,255,1), inset 0px 0px 4px rgba(255,255,255,0.8), 0px 2px 6px rgba(140,140,140,0.35) !important;
   border-top-left-radius: 0px;
   border-top-right-radius: 0px;
   border-bottom-left-radius: 6px;
@@ -1682,8 +1686,8 @@ div.l-content > div.l-separator:nth-of-type(4) {
 
 .table-header:hover {
   background-color: linear-gradient(to bottom, rgba(247,247,247,1) 0%,rgba(255,255,255,1) 100%) !important;
-  border-left: 1px solid #ddd !important;
-  border-right: 1px solid #ddd !important;
+  border-left: 1px solid #d0d0d0 !important;
+  border-right: 1px solid #d0d0d0 !important;
 }
 
 .table-header .fas {
@@ -2528,7 +2532,7 @@ label:hover {
   border: 1px solid #94c8f0;
 }
 .vst-input:focus {
-  border: 1px solid #3b9de8;
+  border: 1px solid #008fee;
   background-color: #D7F9FF;
   color: #333;
 }
@@ -2608,7 +2612,7 @@ select.vst-list:-moz-focusring {
   border: 1px solid #94c8f0;
 }
 .vst-list:focus {
-  border: 1px solid #3b9de8;
+  border: 1px solid #008fee;
   color: #333;
 }
 
@@ -2684,7 +2688,7 @@ a.vst-text:active b{
   border: 1px solid #94c8f0;
 }
 .vst-textinput:focus {
-  border: 1px solid #3b9de8;
+  border: 1px solid #008fee;
   background-color: #D7F9FF;
   color: #333;
 }
@@ -2728,12 +2732,16 @@ a.vst-text:active b{
   font-size: 0.8rem;
   padding: 2px 2px 0;
   text-decoration: none;
-  text-transform: uppercase;
+  text-transform: none;
 }
 .login-box .vst-advanced:hover {
   color: #cc3366;
   background-color: transparent;
   border-color: transparent;
+  font-size: 0.85em !important;
+  box-shadow: none !important;
+  background: none !important;
+  border: none !important
 }
 
 .vst-advanced:hover {
@@ -2749,6 +2757,10 @@ a.vst-text:active b{
   background-color: #F7D616;
   border-color: #F7D616;
   text-decoration: none;
+  font-size: 0.85em !important;
+  box-shadow: none !important;
+  background: none !important;
+  border: none !important
 }
 
 .login-box .vst-advanced {
@@ -2758,6 +2770,10 @@ a.vst-text:active b{
   padding: 2px 2px 0;
   text-decoration: none;
   text-transform: uppercase;
+  font-size: 0.85em !important;
+  box-shadow: none !important;
+  background: none !important;
+  border: none !important
 }
 .vst-checkbox {
   font-size: 0.85rem;
@@ -2854,7 +2870,7 @@ td.hint {
   inset 0px 0px 3px rgba(255,255,255,0.5) !important;
 }
 
-.ui-button, .button, .ui-button.ui-widget.ui-state-default.ui-corner-all.ui-button-text-only.submit {
+.ui-button, .button, .ui-button.ui-widget.ui-state-default.ui-corner-all.ui-button-text-only.submit, .vst-advanced {
   filter:chroma(color=#000);
   cursor: pointer;
   border-radius: 3px 3px 3px 3px !important;
@@ -2864,21 +2880,22 @@ td.hint {
   min-width: 100px !important;
   height: 28px !important;
   color: #30659d !important;
-  border: 1px solid #3b9de8 !important;
+  border: 1px solid #0083db !important;
   background-color: #3b9de8 !important;
   background: linear-gradient(to bottom, rgba(235,243,249,1) 0%,rgba(215,230,243,1) 50%,rgba(192,216,236,1) 51%,rgba(223,235,245,1) 100%) !important;
-  box-shadow: 0px 1px 4px rgba(0,0,0,0.2),
+  box-shadow: 0px 1px 3px rgba(0,0,0,0.25),
               inset 0px 0px 1px #fff,
               inset 0px 0px 3px rgba(255,255,255,0.5) !important;
-  text-shadow: 0px 1px 1px rgba(255,255,255,0.6) !important;
+  text-shadow: 0px 1px 1px rgba(255,255,255,0.85) !important;
 }
 .ui-button:hover, .button:hover, .ui-button.cancel:hover, .button.cancel:hover,
-.ui-button.ui-widget.ui-state-default.ui-corner-all.ui-button-text-only.submit:hover {
-  color: #3b9de8 !important;
+.ui-button.ui-widget.ui-state-default.ui-corner-all.ui-button-text-only.submit:hover,
+.vst-advanced:hover {
+  color: #0099ff !important;
   text-shadow: 1px 1px rgba(255,255,255,0.5) !important;
   border: 1px solid #54a6e5 !important;
   background: linear-gradient(to bottom, rgba(241,248,253,1) 0%,rgba(218,236,250,1) 50%,rgba(190,221,246,1) 51%,rgba(227,240,251,1) 100%) !important;
-  box-shadow: 0px 1px 3px rgba(0,0,0,0.15),
+  box-shadow: 0px 1px 3px rgba(0,0,0,0.25),
               inset 0px 0px 1px #fff,
               inset 0px 0px 6px rgba(255,255,255,0.6) !important;
   transition: 0.2s;
@@ -2886,12 +2903,13 @@ td.hint {
 .ui-button:focus,.ui-button:active,
 .button:active,.button:focus,.ui-button.cancel:focus,.ui-button.cancel:active,
 .button.cancel:active,.button.cancel:focus,
-.ui-button.ui-widget.ui-state-default.ui-corner-all.ui-button-text-only.submit:active {
-  border: 1px solid #378ccd !important;
+.ui-button.ui-widget.ui-state-default.ui-corner-all.ui-button-text-only.submit:active,
+.vst-advanced:active,.vst-advanced:focus {
+  border: 1px solid #0066b4 !important;
   background: linear-gradient(to bottom, rgba(210,232,250,1) 0%,rgba(187,220,247,1) 50%,rgba(162,207,244,1) 51%,rgba(194,224,248,1) 100%) !important;
   color: #046c98 !important;
   text-shadow: 0px -1px 1px rgba(255,255,255,0.5) !important;
-  box-shadow: 0px 1px 3px rgba(0,0,0,0.15),
+  box-shadow: 0px 1px 2px rgba(0,0,0,0.2),
               inset 0px 0px 1px #fff,
               inset -1px -1px 4px rgba(220,220,220,0.4) !important;
 }
@@ -2916,7 +2934,8 @@ td.hint {
 }
 
 .ui-button.cancel,
-.button.cancel {
+.button.cancel,
+.to-top, .to-shortcuts {
   color: #717171 !important;
   border: 1px solid #aaaaaa !important;
   background: linear-gradient(to bottom, rgba(250,250,250,1) 0%,rgba(236,236,236,1) 50%,rgba(221,221,221,1) 51%,rgba(241,241,241,1) 100%) !important;
@@ -2927,7 +2946,8 @@ td.hint {
   color: #30659d !important;
 }
 .ui-button.cancel:active,
-.button.cancel:active {
+.button.cancel:active,
+.to-top:active, .to-shortcuts:active {
   border: 1px solid #378ccd;
   background-color: #378ccd;
 }
@@ -2952,8 +2972,9 @@ a.button.cancel {
 
 .ui-button.danger:active, .button.danger:active, .ui-button.danger:focus, .button.danger:focus {
   background: linear-gradient(to bottom, #f9e3df 0%,#f5a69d 50%,#f48578 51%,#fcd0ca 100%) !important; 
-  color: #fff !important;
-  text-shadow: 0px -1px 1px rgba(0,0,0,0.3) !important;
+  color: #ce1500 !important;
+  text-shadow: 0px 1px 1px rgba(255,255,255,0.2),
+               0px -1px 1px rgba(255,255,255,0.6) !important;
   border: 1px solid #F4301A !important;
 }
 
@@ -3069,7 +3090,7 @@ a.button.cancel {
 ::-moz-focus-inner {border:0;}
 
 .login {
-  background-color: #fff;
+  background-color: rgba(255,255,255,0.65);
   box-shadow: 0px 8px 25px rgba(0,0,0, 0.3);
   font-family: 'Exo', Tahoma, Arial, Helvetica, sans-serif;
   margin: 0;
@@ -3081,10 +3102,15 @@ a.button.cancel {
   cursor: default;
 }
 
+.login .vst-input {
+  border-color: #5787c8;
+}
+
 .login-welcome {
   font-size: 1.05rem !important;
   font-weight: 500 !important;
   padding-bottom: 30px !important;
+  font-weight: 600;
 }
 
 .page-title {
@@ -3269,11 +3295,11 @@ form#vstobjects.suspended {
   padding-right: 8px;
   margin-right: 10px;
   line-height: 0.75rem;
-  box-shadow: 0px 1px 1px rgba(0,0,0,0.25), inset 0px 0px 1px rgba(0,0,0,0.15);
-  background-color: rgba(255,255,255,0.75);
+  box-shadow: 0px 1px 1px rgba(0,0,0,0.35), inset 0px 1px 0px rgba(0,0,0,0.1);
+  background-color: rgba(255,255,255,0.65);
   font-weight: 500;
-  border: 1px solid rgba(255,255,255,0.9);
-  text-shadow: 0px 1px 1px rgba(255,255,255,0.5);
+  border: 1px solid rgba(255,255,255,0.75);
+  text-shadow: 0px 1px 1px rgba(255,255,255,0.6);
   color: #30659d;
 }
 

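--- a/web/reset/index.php
+++ b/web/reset/index.php
@@ -30,13 +30,16 @@ if ((!empty($_POST['user'])) && (empty($_POST['code']))) {
         } else {
             $mailtext = __('GREETINGS');
         }
-        $mailtext .= __('PASSWORD_RESET_REQUEST',$_SERVER['HTTP_HOST'],$user,$rkey,$_SERVER['HTTP_HOST'],$user,$rkey);
-        if (!empty($rkey)) send_email($to, $subject, $mailtext, $from);
+        if (in_array(str_replace(':'.$_SERVER['SERVER_PORT'],'.conf',$_SERVER['HTTP_HOST']), array_merge(scandir('/etc/nginx/conf.d'),scandir('/etc/nginx/conf.d/domains'),scandir('/etc/apache2/conf.d/domains'),scandir('/etc/apache2/conf.d')))){
+            $mailtext .= __('PASSWORD_RESET_REQUEST',$_SERVER['HTTP_HOST'],$user,$rkey,$_SERVER['HTTP_HOST'],$user,$rkey);
+            if (!empty($rkey)) send_email($to, $subject, $mailtext, $from);
+            header("Location: /reset/?action=code&user=".$_POST['user']);
+            exit;
+        } else {
+            $ERROR = "<a class=\"error\">".__('Invalid host domain')."</a>";
+        }
         unset($output);
     }
-
-    header("Location: /reset/?action=code&user=".$_POST['user']);
-    exit;
 }
 
 if ((!empty($_POST['user'])) && (!empty($_POST['code'])) && (!empty($_POST['password'])) ) {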
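Review bot: The new host allowlist is built with `array_merge()` over four unconditional `scandir()` calls, and `scandir()` returns `false` for a directory that does not exist (an nginx-only install has no `/etc/apache2/conf.d`, an apache-only one no `/etc/nginx/conf.d/domains`), so `array_merge()` fails and `in_array()` is handed a non-array — the reset then fails closed with "Invalid host domain" for every legitimate user on such layouts, which is safe but makes the feature unusable. The comparison is also fragile: `str_replace(':'.$_SERVER['SERVER_PORT'], '.conf', …)` only yields a `.conf` suffix when the Host header carries exactly the server port (a proxied or port-less request never matches), and a case-insensitive hostname is compared case-sensitively against filenames. From a security standpoint, if per-user web domains also produce `.conf` files in those directories, as the `domains` directory names suggest, a co-tenant hosting a domain on this server but pointing its DNS elsewhere can still have the emailed reset link target their host, so the panel's own hostname(s) would be a tighter allowlist; the `$_POST['user']` interpolated into the `Location:` header should also go through `urlencode()`. The enclosing `if` block begins before this hunk. A more robust shape for the check:
```php
// Accept only a Host header naming a domain configured on this server; otherwise an
// attacker-supplied Host would be embedded in the emailed reset link.
$host = strtolower(preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']));
$allowed = array();
foreach (array('/etc/nginx/conf.d', '/etc/nginx/conf.d/domains',
               '/etc/apache2/conf.d', '/etc/apache2/conf.d/domains') as $dir) {
    if (!is_dir($dir)) continue;   // nginx-only or apache-only layouts
    foreach (scandir($dir) as $file) {
        if (substr($file, -5) === '.conf') $allowed[] = strtolower(substr($file, 0, -5));
    }
}
if (in_array($host, $allowed, true)) {
    // … unchanged: build $mailtext, send_email() …
    header("Location: /reset/?action=code&user=".urlencode($_POST['user']));
    exit;
} else {
    $ERROR = "<a class=\"error\">".__('Invalid host domain')."</a>";
}
```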
