(.*?)<\/subject>/si", $template, $matches); $subject = $matches[1]; $subject = str_replace( ["{{date}}", "{{hostname}}", "{{appname}}", "{{user}}"], [date("Y-m-d H:i:s"), get_hostname(), $_SESSION["APP_NAME"], $user], $subject, ); $template = str_replace($matches[0], "", $template); } else { putenv("LANGUAGE=" . $data[$user]["LANGUAGE"]); $template = _( "Hello {{name}},\n" . "\n" . "To reset your {{appname}} password, please follow this link:\n" . "https://{{hostname}}/reset/?action=confirm&user={{user}}&code={{resetcode}}\n" . "\n" . "Alternatively, you may go to https://{{hostname}}/reset/?action=code&user={{user}} and enter the following reset code:\n" . "{{resetcode}}\n" . "\n" . "If you did not request password reset, please ignore this message and accept our apologies.\n" . "\n" . "Best regards,\n" . "\n" . "--\n" . "{{appname}}", ); putenv("LANGUAGE=" . detect_user_language()); } $name = $data[$user]["NAME"]; $contact = $data[$user]["CONTACT"]; $to = $data[$user]["CONTACT"]; if (empty($subject)) { $subject = str_replace( ["{{subject}}", "{{hostname}}", "{{appname}}"], [ sprintf(_("Password Reset at %s"), date("Y-m-d H:i:s")), get_hostname(), $_SESSION["APP_NAME"], ], $_SESSION["SUBJECT_EMAIL"], ); } $hostname = get_hostname(); if ($hostname) { $host = preg_replace( "/(\[?[^]]*\]?):([0-9]{1,5})$/", "$1", $_SERVER["HTTP_HOST"], ); if ($host == $hostname) { $port_is_defined = preg_match( "/\[?[^]]*\]?:[0-9]{1,5}$/", $_SERVER["HTTP_HOST"], ); if ($port_is_defined) { $port = ":" . preg_replace( "/(\[?[^]]*\]?):([0-9]{1,5})$/", "$2", $_SERVER["HTTP_HOST"], ); } else { $port = ""; } } else { $port = ":" . $_SERVER["SERVER_PORT"]; } $from = !empty($_SESSION["FROM_EMAIL"]) ? $_SESSION["FROM_EMAIL"] : "noreply@" . $hostname; $from_name = !empty($_SESSION["FROM_NAME"]) ? $_SESSION["FROM_NAME"] : $_SESSION["APP_NAME"]; putenv("LANGUAGE=" . $data[$user]["LANGUAGE"]); $name = empty($data[$user]["NAME"]) ? $user : $data[$user]["NAME"]; $mailtext = translate_email($template, [ "name" => htmlentities($name), "hostname" => htmlentities($hostname . $port), "user" => htmlentities($user), "resetcode" => htmlentities($rkey), "appname" => $_SESSION["APP_NAME"], ]); send_email($to, $subject, $mailtext, $from, $from_name, $data[$user]["NAME"]); putenv("LANGUAGE=" . detect_user_language()); $error = _( "Password reset instructions have been sent to the email address associated with this account.", ); } $error = _( "Password reset instructions have been sent to the email address associated with this account.", ); } else { # Prevent user enumeration and let hackers guess username and working email $error = _( "Password reset instructions have been sent to the email address associated with this account.", ); } } else { $error = _("Please wait 15 minutes before sending a new request."); } } else { # Prevent user enumeration and let hackers guess username and working email $error = _( "Password reset instructions have been sent to the email address associated with this account.", ); } unset($output); } if (!empty($_POST["user"]) && !empty($_POST["code"]) && !empty($_POST["password"])) { // Check token verify_csrf($_POST); if ($_POST["password"] == $_POST["password_confirm"]) { $v_user = quoteshellarg($_POST["user"]); $user = $_POST["user"]; exec(HESTIA_CMD . "v-list-user " . $v_user . " json", $output, $return_var); if ($return_var == 0) { $data = json_decode(implode("", $output), true); $rkey = $data[$user]["RKEY"]; if (password_verify($_POST["code"], $rkey)) { unset($output); exec(HESTIA_CMD . "v-get-user-value " . $v_user . " RKEYEXP", $output, $return_var); if ($output[0] > time() - 900) { $v_password = tempnam("/tmp", "vst"); $fp = fopen($v_password, "w"); fwrite($fp, $_POST["password"] . "\n"); fclose($fp); exec( HESTIA_CMD . "v-change-user-password " . $v_user . " " . $v_password, $output, $return_var, ); unlink($v_password); if ($return_var > 0) { sleep(5); $error = _("An internal error occurred"); } else { $_SESSION["user"] = $_POST["user"]; header("Location: /"); exit(); } } else { sleep(5); $error = _("Code has been expired"); exec( HESTIA_CMD . "v-log-user-login " . $v_user . " " . $v_ip . " failed " . $v_session_id . " " . $v_user_agent . ' yes "Reset code has been expired"', $output, $return_var, ); } } else { sleep(5); $error = _("Invalid username or code"); exec( HESTIA_CMD . "v-log-user-login " . $v_user . " " . $v_ip . " failed " . $v_session_id . " " . $v_user_agent . ' yes "Invalid Username or Code"', $output, $return_var, ); } } else { sleep(5); $error = _("Invalid username or code"); } } else { $error = _("Passwords do not match"); } } if (empty($_GET["action"])) { require_once "../templates/header.php"; require_once "../templates/pages/login/reset_1.php"; } else { require_once "../templates/header.php"; if ($_GET["action"] == "code") { require_once "../templates/pages/login/reset_2.php"; } if ($_GET["action"] == "confirm" && !empty($_GET["code"])) { require_once "../templates/pages/login/reset_3.php"; } }