<? /*
// File: login.inc.php
// Purpose: web://cp login screen, handle logout
// Creation: 2001-10-29
// Author: Felix <hide@address.com>
*/
//
// Check if needed vars are there. This file is pulled in by another script
// and relies on $cfg, $T and $web_name already existing; handing a string
// back via `return` lets the including script report what is missing.
if (!isset($cfg)) {
    return 'login.inc.php :: $cfg not loaded (web/config.inc.phps)';
}
// No language table yet: load the configured default language file.
if (!is_array($T)) {
    include('lang/' . $cfg['defaultlang'] . '.phps');
}
if (!isset($web_name)) {
    return 'login.inc.php :: $web_name not loaded (web/init.inc.phps)';
}
//
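// If fetch method is a POST (attempted login), verify its authenticity.
// Inputs arrive as register_globals variables ($username, $password, $md5pass,
// $timeout, $cp, $url, $number, $user) next to $HTTP_POST_VARS. Outcome is
// either a redirect via send_header() followed by `return false`, or
// $failed = "invalid" so the form below shows the error.
if ($HTTP_POST_VARS AND $failed != "recover") {
    // Standardize Input. The pattern check used to look at $data['username'],
    // which is only populated further down, so it never applied to the
    // submitted name; it now validates (and neutralises) $username itself.
    // Guarded on isset so a missing $rx['user'] cannot lock every user out.
    $username = trim($username);
    if (isset($rx['user']) && !eregi($rx['user'], $username))
        $username = '_invalid';
    // Request-derived values are escaped once before they reach SQL; the raw
    // variables stay untouched for logging and display.
    $username_sql = mysql_real_escape_string($username);
    // Without SSL the browser is expected to send a pre-hashed value in
    // $md5pass (presumably md5(password . salt) computed by md5crypt() in
    // script.js -- not visible here); the salt is the current 5-minute slot.
    // With SSL the clear password is sent and hashed here, salt-free.
    if (!$cfg['ssl']) {
        $salt = floor(time() / 300);
        $password = trim($md5pass);
    }
    else {
        $password = md5(trim($password));
        $salt = '';
    }
    // get remote IP address (only used to key the failed-login throttle).
    // NOTE(review): X-Forwarded-For is client-supplied, so the caller chooses
    // the throttle key; prefer REMOTE_ADDR unless a trusted proxy sets it.
    if (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    } else {
        $ip = getenv('REMOTE_ADDR');
    }
    $ip_sql = mysql_real_escape_string($ip);
    // Check for failed logins within the last 24 hrs from this IP: 3..14
    // failures delay the answer by that many seconds, 15+ blank the password
    // so the comparison below cannot succeed. (sleep() ties up a worker.)
    // NOTE(review): logins are logged with $REMOTE_ADDR, not $ip, so behind a
    // proxy the lookup key may never match -- confirm in webcp_log().
    $fl = mysql_query("SELECT count(id) as FailCount FROM log WHERE remote_ip = \"$ip_sql\" AND log_msg = \"login failed\" AND time > DATE_SUB(NOW(), INTERVAL 1 DAY)");
    $fldata = mysql_fetch_array($fl);
    if ($fldata['FailCount'] < 15 && $fldata['FailCount'] > 2) {
        sleep($fldata['FailCount']);
    } elseif ($fldata['FailCount'] >= 15) {
        $password = "";
    }
    // Check user against database. Passwords are stored reversibly
    // (DECODE with $cfg['key']) and compared after hashing with the salt.
    // NOTE(review): a failing query prints the raw mysql_error() to the client.
    $dbp = mysql_query("SELECT type,favorites,DECODE(password,'".$cfg['key']."') AS password FROM users WHERE username='$username_sql'") or print(mysql_error());
    $data = mysql_fetch_array($dbp);
    // Strict comparison: with != two hex digests of the form "0e<digits>"
    // compare equal as numbers.
    if (md5($data['password'].$salt) !== $password)
        unset($data);
    // If the user is valid
    if ($data) {
        // Log it
        webcp_log(2,"",$username,"login successful",$REMOTE_ADDR);
        // If user is a demo, reuse the account's existing webcp_tag (a shared
        // session); an empty tag falls through to the default branch.
        switch ($data['type']) {
            case 'demo':
                $dbp = mysql_query("SELECT webcp_tag FROM users WHERE username='$username_sql'");
                $data2 = mysql_fetch_array($dbp);
                if (trim($data2['webcp_tag'])) {
                    $webcp_tag = $data2['webcp_tag'];
                    break;
                }
                // no tag yet: fall through and generate one
            default:
                // Generate Unique Tag & Update the db. The tag is the session
                // credential carried in the cookie; it is a hex digest, so it is
                // safe to interpolate below.
                // NOTE(review): rand()/uniqid() are not cryptographic sources;
                // the tag's unpredictability rests entirely on them.
                srand((float) microtime() * 1000000);
                do {
                    $webcp_tag = md5(uniqid(rand()));
                    $dbp = mysql_query("SELECT username FROM users WHERE webcp_tag='$webcp_tag'");
                } while (mysql_num_rows($dbp));
                // $timeout comes from the form's <select>; cast so only a
                // number reaches the arithmetic and the query.
                mysql_query("UPDATE users SET webcp_tag='$webcp_tag', remote_addr='".mysql_real_escape_string($REMOTE_ADDR)."', timeout='".(time() + (int) $timeout)."' WHERE username='$username_sql'");
        }
        // if 'cookiesec' is set, set cookie with ssl and sysname settings. Else don't.
        if ($cfg['cookiesec'])
            send_cookie("webcp_tag",$webcp_tag,time()+5000000,"",$cfg['sysname'], $cfg['ssl']?1:0);
        else
            send_cookie("webcp_tag",$webcp_tag,time()+5000000,"",$HTTP_HOST);
        // If 'bookmark' is set, redirect user to nothing (init will pick it up),
        // else reload to allow in. Request values are URL-encoded so they can
        // neither break the header line nor add query parameters.
        if (trim($data['favorites']) AND !trim($cp)) {
            send_header("Location: ".$web_name."/?".time());
            return false;
        }
        else {
            send_header("Location: ".$web_name."/?cp=".urlencode($cp)."&url=".urlencode($url)."&number=".urlencode($number)."&user=".urlencode($user)."&".time());
            return false;
        }
    }
    // Else if User / Password not valid
    else {
        // Check if username is valid & log if appropriate (warn). Only known
        // usernames are logged, so the throttle above only counts attempts
        // against real accounts.
        $dbp = mysql_query("SELECT username FROM users WHERE username='$username_sql'");
        if (mysql_num_rows($dbp))
            webcp_log(2,"",$username,"login failed",$REMOTE_ADDR);
        // Stay in login and display error message
        $failed = "invalid";
    }
}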
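// If $failed is a logout, unset the cookie, clear the tag & timeout.
// $failed and $webcp_tag are request/cookie globals; $webcp_tag is escaped
// before it is used as a key in SQL.
if ($failed == "logout" OR $failed == "access") {
    // if 'cookiesec' is set, unset cookie with ssl and domain settings. Else don't.
    if ($cfg['cookiesec'])
        send_cookie("webcp_tag","",time() - 3600,"/",$cfg['sysname']);
    else
        send_cookie("webcp_tag","",time() - 3600,"/",$HTTP_HOST);
    // update database: invalidate the server-side session for this tag
    mysql_query("UPDATE users SET webcp_tag='', timeout='' WHERE webcp_tag='".mysql_real_escape_string($webcp_tag)."'");
}
// If $failed is a su (substitute user), verify user level, unset the cookie, re-login.
elseif ($failed == "su") {
    $webcp_tag_sql = mysql_real_escape_string($webcp_tag);
    $dbp = mysql_query("SELECT id,level FROM users WHERE webcp_tag='$webcp_tag_sql'");
    $tmpdata = mysql_fetch_array($dbp);
    // only preset password if current user is server admin+ (level 0 or 1).
    // NOTE(review): $password is loaded from the named account here, but no
    // consumer is visible in this file (the form below sends an empty
    // password field) -- confirm whether script.js or loginfooter use it.
    if ($tmpdata['id'] AND $tmpdata['level'] <= 1) {
        $tmpdata = fetchdata("password","user",$username);
        $password = $tmpdata['password'];
    }
    // if 'cookiesec' is set, unset cookie with ssl and domain settings. Else don't.
    if ($cfg['cookiesec'])
        send_cookie("webcp_tag","",time() - 3600,"/",$cfg['sysname']);
    else
        send_cookie("webcp_tag","",time() - 3600,"/",$HTTP_HOST);
    // update database
    mysql_query("UPDATE users SET webcp_tag='', timeout='' WHERE webcp_tag='$webcp_tag_sql'");
}
// If $failed is a recover, e-mail the user's password to the domain admin's e-mail address.
// NOTE(review): this branch needs no authentication and is not throttled, and
// the mail carries the account's password value as stored; a reset-token flow
// would avoid both. Only the mail-header injection is closed here.
elseif ($failed == "recover") {
    // Standardize Input
    $username = trim($username);
    // Check user against database (fetchdata() is a project helper; its own
    // escaping is not visible here)
    $userdata = fetchdata("id,password","user",$username);
    // If the user is valid
    if ($userdata) {
        $domain = fetchdata("email","domain",$userdata['id']);
        if ($domain) {
            // The username lands in the Subject header: strip CR/LF so it
            // cannot append further header lines.
            $subject_user = str_replace(array("\r", "\n"), '', $username);
            mail($domain['email'],"web://cp ".$T['Password Recovery']." -- ".$subject_user,$T['Pass Recovery Msg'].$userdata['password'], "From: <".$cfg['adminmail'].">\n");
        }
        else
            $failed = "recover-failed";
    }
    else
        $failed = "recover-failed";
}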
// Check if its a case of initializing: the webcp database hasn't been created
// yet (no tables and no generated config.php) -> send to the config wizard.
$dbp = mysql_query('SHOW TABLES FROM ' . $cfg['dbname']);
$tableCount = mysql_num_rows($dbp);
if (!$tableCount && !file_exists($cfg['basedir'] . '/config.php')) {
    send_header('Location: ' . $web_name . '/setup_config.php');
    return false;
}
// Check if its a case of initializing: there are no users in the users table
// -> send to the account setup page.
$dbp = mysql_query('SELECT username FROM users');
if (mysql_num_rows($dbp) == 0) {
    send_header('Location: ' . $web_name . '/setup.php');
    return false;
}
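// Show login screen. Everything below is the HTML template; the only request
// values it prints ($username, $cp, $url, $number, $user) are HTML-escaped,
// the rest comes from $cfg and the language table $T.
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>web://cp <?=$cfg['webcp']." . ".$T['Web Hosting Control Panel'];?></title>
<style type="text/css">
<!--
body { font-family: Arial; }
-->
</style>
<script language='JavaScript' src='script.js'></script>
</head>
<body bgcolor="#F5F5F5" text="#000000" link="#4B5C6C" vlink="#4B5C6C" alink="#667E93"
leftmargin="0" marginwidth="0" topmargin="0" marginheight="0"
onLoad="document.forms[0].username.focus();">
<div align="center"><br><br><br>
<?
// If $failed is set (failed login, logout, su, recover ...), echo the matching
// error text from the language table. $failed may come straight from the
// request, so it is used only as a lookup key; an unknown key prints nothing.
if (isset($failed)) {
    echo "<p><center><font color='#990000'>";
    echo isset($T['err']['login'][$failed]) ? $T['err']['login'][$failed] : '';
    echo "</font></center></p>\n";
}
// set salt for md5 (5 minute 'timer' to login): must match the $salt the
// POST handler above computes for the non-SSL md5pass scheme.
$utime = floor(time() / 300);
?>
<form name="webcplogin" action="<?=htmlspecialchars("./?cp=".urlencode($cp)."&url=".urlencode($url)."&number=".urlencode($number)."&user=".urlencode($user), ENT_QUOTES, 'ISO-8859-1'); ?>" method="POST" onSubmit="submitonce(this); <? if (!$cfg['ssl']) echo "md5crypt('webcplogin','password','md5pass',$utime);" ?>">
<table border="0" cellspacing="0" cellpadding="0">
<tr><td align="right">
<table border="1" bordercolor="#FAFAFA" cellspacing="0" width="300" cellpadding="1" bordercolorlight="#A2A2A2">
<tr>
<td bgcolor="white" style="font-size:15px;"><b>web://cp <?=$cfg['webcp'];?> <?=$T['Login'];?></b></td>
</tr>
<tr>
<td bgcolor="#DEDEDE" align="center" valign="top" style="font-size:14px;">
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="right"><font size="1">
<br>
<div style="font-size:14px;"><?=$T['Username'];?> </div>
<input type="text" name="username" size="35" maxlength="40" value="<? if ($username) echo htmlspecialchars($username, ENT_QUOTES, 'ISO-8859-1');?>"> <br>
<div style="font-size:14px;"><?=$T['Password'];?> </div>
<input type="password" name="password" size="35" maxlength="40" value=""> <br><br>
<div style="font-size:14px;"><?=$T['Timeout'];?> </div>
<select name="timeout">
<option value="3600"> <?=$T['1 Hour'];?>
<option value="86400"> <?=$T['1 Day'];?>
<option value="604800"> <?=$T['1 Week'];?>
<option value="2592000"> <?=$T['1 Month'];?>
</select>
</td>
</tr>
</table>
</td>
</tr>
</table>
<input type="hidden" value="" name="md5pass">
<div style="font-size:10px;" align="center"><?=$cfg['sysname'];?>
</div><input type="submit" value="<?=$T['Login'];?>"></td>
</tr>
</table>
</form>
<br><br>
<div style="font-size:10px;">
<?=$T['login note'];?>
</div>
<? include("loginfooter.inc.phps") ?>
</div>
</body>
</html>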