Home Explore Help
Sign In
yosoyhendrix
/
hestiacp
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: cfbecddf00
Branches Tags
hestiacp
/
web
/
reset
/
mail
/
index.php

index.php 2.7 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889 
  1. <?php
    2. 

  2. use function Hestiacp\quoteshellarg\quoteshellarg;
    3. 

  3. // Init
    4. 

  4. define('NO_AUTH_REQUIRED',true);
    5. 

  5. define('NO_AUTH_REQUIRED2',true);
    6. 

  6. header('Content-Type: text/plain; charset=utf-8');
    7. 

  7. 

  8. include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");
    9. 

  9. 

  10. // Checking IP of incoming connection, checking is it NAT address
    11. 

  11. $ok=0;
    12. 

  12. $ip=$_SERVER['REMOTE_ADDR'];
    13. 

  13. 

  14. exec (HESTIA_CMD."v-list-sys-ips json", $output, $return_var);
    15. 

  15. $output=implode('', $output);
    16. 

  16. $arr=json_decode($output, true);
    17. 

  17. foreach ($arr as $arr_key => $arr_val) {
    18. 

  18.     // search for NAT IPs and allow them
    19. 

  19. 	if ($ip==$arr_key || $ip==$arr_val['NAT']) {
    20. 

  20. 		$ok=1;
    21. 

  21. 		break;
    22. 

  22. 	}
    23. 

  23. }
    24. 

  24. if ($ip == $_SERVER['SERVER_ADDR']) $ok=1;
    25. 

  25. if ($ip == '127.0.0.1') $ok=1;
    26. 

  26. if ($ok==0) exit;
    27. 

  27. if (isset($_SERVER['HTTP_X_REAL_IP']) || isset($_SERVER['HTTP_X_FORWARDED_FOR'])) exit;
    28. 

  28. 

  29. 

  30. 

  31. // Check arguments
    32. 

  32. 

  33. if (empty($_POST['email'])) {
    34. 

  34.     echo "error email address not provided";
    35. 

  35.     exit;
    36. 

  36. }
    37. 

  37. if (empty($_POST['password'])) {
    38. 

  38.     echo "error old password provided";
    39. 

  39.     exit;
    40. 

  40. }
    41. 

  41. if (empty($_POST['new'])) {
    42. 

  42.     echo "error new password not provided";
    43. 

  43.     exit;
    44. 

  44. }
    45. 

  45. 

  46. list($v_account, $v_domain) = explode('@', $_POST['email']);
    47. 

  47. $v_domain = quoteshellarg($v_domain);
    48. 

  48. $v_account = quoteshellarg($v_account);
    49. 

  49. $v_password = $_POST['password'];
    50. 

  50. 

  51. // Get domain owner
    52. 

  52. exec(HESTIA_CMD . "v-search-domain-owner " . $v_domain . " 'mail'", $output, $return_var);
    53. 

  53. if ($return_var != 0 || empty($output[0])) {
    54. 

  54.     echo "error domain owner not found";
    55. 

  55.     exit;
    56. 

  56. }
    57. 

  57. $v_user = $output[0];
    58. 

  58. unset($output);
    59. 

  59. 

  60. 

  61. // Get current password hash (called "md5" for legacy reasons, it's not guaranteed to be md5)
    62. 

  62. exec(HESTIA_CMD . "v-get-mail-account-value " . quoteshellarg($v_user) . " " . $v_domain . " " . $v_account . " 'md5'", $output, $return_var);
    63. 

  63. if ($return_var != 0 || empty($output[0])) {
    64. 

  64.     echo "error unable to get current account password hash";
    65. 

  65.     exit;
    66. 

  66. }
    67. 

  67. $v_hash = $output[0];
    68. 

  68. unset($output);
    69. 

  69. 

  70. // v_hash use doveadm password hash format, which is basically {HASH_NAME}normal_crypt_format,
    71. 

  71. // so we just need to remove the {HASH_NAME} before we can ask password_verify if its correct or not.
    72. 

  72. $hash_for_password_verify = explode('}', $v_hash, 2);
    73. 

  73. $hash_for_password_verify = end($hash_for_password_verify);
    74. 

  74. if (!password_verify($v_password, $hash_for_password_verify)) {
    75. 

  75.     die("error old password does not match");
    76. 

  76. }
    77. 

  77. 

  78. // Change password
    79. 

  79. $fp = tmpfile();
    80. 

  80. $new_password_file = stream_get_meta_data($fp)['uri'];
    81. 

  81. fwrite($fp, $_POST['new'] . "\n");
    82. 

  82. exec(HESTIA_CMD . "v-change-mail-account-password " . quoteshellarg($v_user) . " " . $v_domain . " " . $v_account . " " . quoteshellarg($new_password_file), $output, $return_var);
    83. 

  83. fclose($fp);
    84. 

  84. if ($return_var == 0) {
    85. 

  85.     echo "==ok==";
    86. 

  86.     exit;
    87. 

  87. }
    88. 

  88. echo 'error v-change-mail-account-password returned non-zero: ' . $return_var;
    89. 

  89. exit;
    90.