0 ) { sleep(2); unset($_POST['password']); unset($_POST['user']); $error = "".__('Invalid username or password').""; return $error; } else { $user = $_POST['user']; $password = $_POST['password']; $salt = $pam[$user]['SALT']; $method = $pam[$user]['METHOD']; if ($method == 'md5' ) { $hash = crypt($password, '$1$'.$salt.'$'); } if ($method == 'sha-512' ) { $hash = crypt($password, '$6$rounds=5000$'.$salt.'$'); $hash = str_replace('$rounds=5000','',$hash); } if ($method == 'des' ) { $hash = crypt($password, $salt); } // Send hash via tmp file $v_hash = exec('mktemp -p /tmp'); $fp = fopen($v_hash, "w"); fwrite($fp, $hash."\n"); fclose($fp); // Check user hash exec(HESTIA_CMD ."v-check-user-hash ".$v_user." ".$v_hash." ".$v_ip, $output, $return_var); unset($output); // Remove tmp file unlink($v_hash); // Check API answer if ( $return_var > 0 ) { sleep(2); unset($_POST['password']); $error = "".__('Invalid username or password').""; return $error; } else { // Make root admin user if ($_POST['user'] == 'root') $v_user = 'admin'; // Get user speciefic parameters exec (HESTIA_CMD . "v-list-user ".$v_user." json", $output, $return_var); $data = json_decode(implode('', $output), true); // Check if 2FA is active if ($data[$_POST['user']]['TWOFA'] != '') { if (empty($_POST['twofa'])){ return false; }else{ $v_twofa = $_POST['twofa']; exec(HESTIA_CMD ."v-check-user-2fa ".$v_user." ".$v_twofa, $output, $return_var); unset($output); if ( $return_var > 0 ) { sleep(2); $error = "".__('Invalid or missing 2FA token').""; return $error; unset($_POST['twofa']); } } } // Define session user $_SESSION['user'] = key($data); $v_user = $_SESSION['user']; // Define language $output = ''; exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var); $languages = json_decode(implode('', $output), true); if (in_array($data[$v_user]['LANGUAGE'], $languages)){ $_SESSION['language'] = $data[$v_user]['LANGUAGE']; } else { $_SESSION['language'] = 'en'; } // Regenerate session id to prevent session fixation session_regenerate_id(); // Redirect request to control panel interface if (!empty($_SESSION['request_uri'])) { header("Location: ".$_SESSION['request_uri']); unset($_SESSION['request_uri']); exit; } else { if ($v_user == 'admin') { header("Location: /list/user/"); } else { header("Location: /list/web/"); } exit; } } } } } if (!empty($_POST['user']) && !empty($_POST['password']) && !empty($_POST['twofa'])){ $error = authenticate_user(); } else if (!empty($_POST['user']) && !empty($_POST['password'])) { $error = authenticate_user(); } // Check system configuration load_hestia_config(); // Detect language if (empty($_SESSION['language'])) { $output = ''; exec (HESTIA_CMD."v-list-sys-config json", $output, $return_var); $config = json_decode(implode('', $output), true); $lang = $config['config']['LANGUAGE']; $output = ''; exec (HESTIA_CMD."v-list-sys-languages json", $output, $return_var); $languages = json_decode(implode('', $output), true); if(in_array($lang, $languages)){ $_SESSION['language'] = $lang; } else { $_SESSION['language'] = 'en'; } } // Generate CSRF token $_SESSION['token'] = md5(uniqid(mt_rand(), true)); require_once($_SERVER['DOCUMENT_ROOT'].'/inc/i18n/'.$_SESSION['language'].'.php'); require_once('../templates/header.html'); if (empty($_POST['user'])) { require_once('../templates/login.html'); }else if (empty($_POST['password'])) { require_once('../templates/login_1.html'); }else if (empty($_POST['twofa'])) { require_once('../templates/login_2.html'); } else { require_once('../templates/login.html'); } ?>