CVE-2021-43498: ATutor/password_reminder.php at master · atutor/ATutor

<?php /****************************************************************/ /* ATutor */ /****************************************************************/ /* Copyright © 2002-2010 */ /* Inclusive Design Institute */ /* http://atutor.ca */ /* */ /* This program is free software. You can redistribute it and/or*/ /* modify it under the terms of the GNU General Public License */ /* as published by the Free Software Foundation. */ /****************************************************************/ // $Id$ $_user_location = 'public’; define(‘AT_INCLUDE_PATH’, ‘include/’); require (AT_INCLUDE_PATH.’vitals.inc.php’); if (isset($_POST[‘cancel’])) { $msg->addFeedback(‘CANCELLED’); header(‘Location: login.php’); exit; } else if (isset($_POST[‘form_password_reminder’])) { //get database info to create & email change-password-link $_POST[‘form_email’] = $addslashes($_POST[‘form_email’]); $sql = "SELECT member_id, login, first_name, password, email FROM %smembers WHERE email=’%s’"; $row = queryDB($sql,array(TABLE_PREFIX, $_POST[‘form_email’]), TRUE); if (isset($row[‘member_id’]) && $row[‘member_id’] != ‘’) { //date link was generated (# days since epoch) $gen = intval(((time()/60)/60)/24); $hash = sha1($row[‘member_id’] . $gen . $row[‘password’]); $hash_bit = substr($hash, 5, 15); $change_link = $_base_href.’password_reminder.php?id=’.$row[‘member_id’].’&g=’.$gen.’&h=’.$hash_bit; if($row[‘first_name’] != ‘’){ $reply_name = $row[‘first_name’]; }else{ $reply_name = $row[‘login’]; } $tmp_message = _AT(array('password_request2’,$reply_name, $row[‘login’], AT_PASSWORD_REMINDER_EXPIRY, $change_link)); //send email require(AT_INCLUDE_PATH . ‘classes/phpmailer/atutormailer.class.php’); $mail = new ATutorMailer; $mail->From = $_config[‘contact_email’]; $mail->AddAddress($row[‘email’]); $mail->Subject = $_config[‘site_name’] . ': ' . _AT(‘password_forgot’); $mail->Body = $tmp_message; if(!$mail->Send()) { $msg->addError(‘SENDING_ERROR’); $savant->display(‘password_reminder_feedback.tmpl.php’); exit; } $msg->addFeedback(‘CONFIRM_EMAIL2’); unset($mail); header(‘Location:index.php’); //$savant->display(‘password_reminder_feedback.tmpl.php’); } else { $msg->addError(‘EMAIL_NOT_FOUND’); $savant->display(‘password_reminder.tmpl.php’); } } else if (isset($_REQUEST[‘id’]) && isset($_REQUEST[‘g’]) && isset($_REQUEST[‘h’])) { //coming from an email link //check if expired $current = intval(((time()/60)/60)/24); $expiry_date = $_REQUEST[‘g’] + AT_PASSWORD_REMINDER_EXPIRY; //2 days after creation if ($current > $expiry_date) { $msg->addError(‘INVALID_LINK’); $savant->display(‘password_reminder_feedback.tmpl.php’); exit; } /* check if already visited (possibley add a “last login” field to members table)… if password was changed, won’t work anyway. do later. */ //check for valid hash $sql = "SELECT password, email FROM %smembers WHERE member_id=%d"; $row = queryDB($sql, array(TABLE_PREFIX, $_REQUEST[‘id’]), TRUE); if (isset($row[‘email’]) && $row[‘email’] != ‘’) { $email = $row[‘email’]; $hash = sha1($_REQUEST[‘id’] . $_REQUEST[‘g’] . $row[‘password’]); $hash_bit = substr($hash, 5, 15); if ($_REQUEST[‘h’] !== $hash_bit) { $msg->addError(‘INVALID_LINK’); } else if (($_REQUEST[‘h’] == $hash_bit) && !isset($_POST[‘form_change’])) { $savant->assign('id’, $_REQUEST[‘id’]); $savant->assign('g’, $_REQUEST[‘g’]); $savant->assign('h’, $_REQUEST[‘h’]); $savant->display(‘password_change.tmpl.php’); } } else { $msg->addError(‘INVALID_LINK’); $savant->display(‘password_reminder_feedback.tmpl.php’); exit; } //changing the password if (isset($_POST[‘form_change’])) { /* password check: password is verified front end by javascript. here is to handle the errors from javascript */ if ($_POST[‘password_error’] <> “”) { $pwd_errors = explode(",", $_POST[‘password_error’]); foreach ($pwd_errors as $pwd_error) { if ($pwd_error == “missing_password”) $missing_fields[] = _AT(‘password’); else $msg->addError($pwd_error); } } if (!$msg->containsErrors()) { //save data $password = $addslashes($_POST[‘form_password_hidden’]); $sql = "UPDATE %smembers SET password=’%s’, last_login=last_login, creation_date=creation_date WHERE member_id=%d"; $result = queryDB($sql,array(TABLE_PREFIX, $password, $_REQUEST[‘id’])); //reset login attempts if (isset($result)){ $sql = "SELECT login FROM %smembers WHERE member_id=%d"; $row = queryDB($sql, array(TABLE_PREFIX, $_REQUEST[‘id’]), TRUE); $sql = "DELETE FROM %smember_login_attempt WHERE login=’%s’"; queryDB($sql, array(TABLE_PREFIX, $row[‘login’])); } //send confirmation email require(AT_INCLUDE_PATH . ‘classes/phpmailer/atutormailer.class.php’); $tmp_message = _AT(array('password_change_confirm’, $_config[‘site_name’], $_base_href))."\n\n"; $mail = new ATutorMailer; $mail->From = $_config[‘contact_email’]; $mail->AddAddress($email); $mail->Subject = $_config[‘site_name’] . ': ' . _AT(‘password_forgot’); $mail->Body = $tmp_message; if(!$mail->Send()) { $msg->printErrors(‘SENDING_ERROR’); exit; } $msg->addFeedback(‘PASSWORD_CHANGED’); unset($mail); header(‘Location:index.php’); } else { $savant->assign('id’, $_REQUEST[‘id’]); $savant->assign('g’, $_REQUEST[‘g’]); $savant->assign('h’, $_REQUEST[‘h’]); $savant->display(‘password_change.tmpl.php’); } } } else { $savant->display(‘password_reminder.tmpl.php’); } ?>