install/tpl/rspamd.local.lua.master

+rspamd_config.R_DUMMY = {
+        callback = function(task)
+                return true
+        end,
+        score = 0,
+        description = 'dummy symbol',
+}
\ No newline at end of file

install/tpl/rspamd_antivirus.conf.master

 clamav {
     # If set force this action if any virus is found (default unset: no action is forced)
     #action = "reject";
+
     # Scan mime_parts separately - otherwise the complete mail will be transferred to AV Scanner 
     scan_mime_parts = true;
+
     # Scanning Text is suitable for some av scanner databases (e.g. Sanesecurity)
     scan_text_mime = true;
     scan_image_mime = true;
+    
     # If `max_size` is set, messages > n bytes in size are not scanned
     #max_size = 20000000;
+    
     # symbol to add (add it to metric if you want non-zero weight)
     symbol = "CLAM_VIRUS";
+    
     # type of scanner: "clamav", "fprot", "sophos" or "savapi"
     type = "clamav";
+    
     # For "savapi" you must also specify the following variable
     #product_id = 12345;
+
     # You can enable logging for clean messages
     #log_clean = true;
+
     # servers to query (if port is unspecified, scanner-specific default is used)
     # can be specified multiple times to pool servers
     # can be set to a path to a unix socket
     # Enable this in local.d/antivirus.conf
     #servers = "127.0.0.1:3310";
     servers = "/var/run/clamav/clamd.ctl";
+    
     # if `patterns` is specified virus name will be matched against provided regexes and the related
     # symbol will be yielded if a match is found. If no match is found, default symbol is yielded.
     patterns {
@@ -32,6 +41,7 @@ clamav {
       # symbol_name = "pattern";
       CLAM_PROTOCOL_ERROR = '^unhandled response';
     }
+    
     # `whitelist` points to a map of IP addresses. Mail from these addresses is not scanned.
     whitelist = "/etc/rspamd/antivirus.wl";
 }

install/tpl/server.ini.master

@@ -21,6 +21,7 @@ backup_dir_is_mount=n
 backup_mode=rootgz
 backup_time=0:00
 backup_delete=n
+sysbackup_copies=3
 monit_url=
 monit_user=
 monit_password=
@@ -58,7 +59,7 @@ mailbox_size_limit=0
 message_size_limit=0
 mailbox_soft_delete=0
 mailbox_quota_stats=y
-realtime_blackhole_list=zen.spamhaus.org
+realtime_blackhole_list=
 overquota_notify_threshold=90
 overquota_notify_admin=y
 overquota_notify_reseller=y
@@ -121,6 +122,7 @@ add_web_users_to_sshusers_group=y
 connect_userid_to_webid=n
 connect_userid_to_webid_start=10000
 web_folder_protection=y
+web_folder_permission=0710
 php_ini_check_minutes=1
 overtraffic_disable_web=y
 overquota_notify_threshold=90
@@ -140,6 +142,11 @@ vhost_proxy_protocol_enabled=n
 vhost_proxy_protocol_protocols=ipv4
 vhost_proxy_protocol_http_port=880
 vhost_proxy_protocol_https_port=8443
+le_signature_type=ECDSA
+le_delete_on_site_remove=y
+le_auto_cleanup=y
+le_revoke_before_delete=y
+le_auto_cleanup_denylist=[server_name]
 
 [dns]
 bind_user=root

install/tpl/system.ini.master

@@ -35,12 +35,12 @@ vhost_aliasdomains=n
 client_username_web_check_disabled=n
 backups_include_into_web_quota=n
 reseller_can_use_options=n
-web_php_options=no,fast-cgi,mod,php-fpm
+web_php_options=no,php-fpm
 show_aps_menu=n
 client_protection=y
 ssh_authentication=
 le_caa_autocreate_options=y
-
+postgresql_database=n
 
 [tools]
 
@@ -75,3 +75,4 @@ session_timeout=0
 session_allow_endless=0
 min_password_length=8
 min_password_strength=3
+show_delete_on_forms=n

install/update.php

@@ -88,7 +88,6 @@ $cur_dir = getcwd();
 if(realpath(dirname(__FILE__)) != $cur_dir) die("Please run installation/update from _inside_ the install directory!\n");
 
 //** Install logfile
-define('ISPC_LOG_FILE', '/var/log/ispconfig_install.log');
 define('ISPC_INSTALL_ROOT', realpath(dirname(__FILE__).'/../'));
 
 //** Include the templating lib
@@ -112,6 +111,7 @@ $dist = get_distname();
 include_once "/usr/local/ispconfig/server/lib/config.inc.php";
 $conf_old = $conf;
 unset($conf);
+define('ISPC_LOG_FILE', $conf_old['ispconfig_log_dir'] . '/update.log');
 
 if($dist['id'] == '') die('Linux distribution or version not recognized.');
 
@@ -279,11 +279,33 @@ $inst->check_mysql_version();
 
 //* initialize the master DB, if we have a multiserver setup
 if($conf['mysql']['master_slave_setup'] == 'y') {
+	//** Get MySQL root credentials
+	$finished = false;
+	do {
+		$tmp_mysql_server_host = $inst->free_query('MySQL master server hostname', $conf['mysql']['master_host'],'mysql_master_hostname');
+		$tmp_mysql_server_port = $inst->free_query('MySQL master server port', $conf['mysql']['master_port'],'mysql_master_port');
+		$tmp_mysql_server_admin_user = $inst->free_query('MySQL master server root username', $conf['mysql']['master_admin_user'],'mysql_master_root_user');
+		$tmp_mysql_server_admin_password = $inst->free_query('MySQL master server root password', $conf['mysql']['master_admin_password'],'mysql_master_root_password');
+		$tmp_mysql_server_database = $inst->free_query('MySQL master server database name', $conf['mysql']['master_database'],'mysql_master_database');
+
+		//* Initialize the MySQL server connection
+		if(@mysqli_connect($tmp_mysql_server_host, $tmp_mysql_server_admin_user, $tmp_mysql_server_admin_password, $tmp_mysql_server_database, (int)$tmp_mysql_server_port)) {
+			$conf['mysql']['master_host'] = $tmp_mysql_server_host;
+			$conf['mysql']['master_port'] = $tmp_mysql_server_port;
+			$conf['mysql']['master_admin_user'] = $tmp_mysql_server_admin_user;
+			$conf['mysql']['master_admin_password'] = $tmp_mysql_server_admin_password;
+			$conf['mysql']['master_database'] = $tmp_mysql_server_database;
+			$finished = true;
+		} else {
+			swriteln($inst->lng('Unable to connect to mysql server').' '.mysqli_connect_error());
+		}
+	} while ($finished == false);
+	unset($finished);
 
 	// initialize the connection to the master database
 	$inst->dbmaster = new db();
 	if($inst->dbmaster->linkId) $inst->dbmaster->closeConn();
-	$inst->dbmaster->setDBData($conf['mysql']["master_host"], $conf['mysql']["master_ispconfig_user"], $conf['mysql']["master_ispconfig_password"], $conf['mysql']["master_port"]);
+	$inst->dbmaster->setDBData($conf['mysql']["master_host"], $conf['mysql']["master_admin_user"], $conf['mysql']["master_admin_password"], $conf['mysql']["master_port"]);
 	$inst->dbmaster->setDBName($conf['mysql']["master_database"]);
 } else {
 	$inst->dbmaster = $inst->db;
@@ -330,35 +352,6 @@ unset($tmp);
 $reconfigure_master_database_rights_answer = $inst->simple_query('Reconfigure Permissions in master database?', array('yes', 'no'), 'no','reconfigure_permissions_in_master_database');
 
 if($reconfigure_master_database_rights_answer == 'yes') {
-	//** Get MySQL root credentials, to upgrade the dbmaster connection.
-	$finished = false;
-	do {
-		$tmp_mysql_server_host = $inst->free_query('MySQL master server hostname', $conf['mysql']['master_host'],'mysql_master_hostname');
-		$tmp_mysql_server_port = $inst->free_query('MySQL master server port', $conf['mysql']['master_port'],'mysql_master_port');
-		$tmp_mysql_server_admin_user = $inst->free_query('MySQL master server root username', $conf['mysql']['master_admin_user'],'mysql_master_root_user');
-		$tmp_mysql_server_admin_password = $inst->free_query('MySQL master server root password', $conf['mysql']['master_admin_password'],'mysql_master_root_password');
-		$tmp_mysql_server_database = $inst->free_query('MySQL master server database name', $conf['mysql']['master_database'],'mysql_master_database');
-
-		//* Initialize the MySQL server connection
-		if(@mysqli_connect($tmp_mysql_server_host, $tmp_mysql_server_admin_user, $tmp_mysql_server_admin_password, $tmp_mysql_server_database, (int)$tmp_mysql_server_port)) {
-			$conf['mysql']['master_host'] = $tmp_mysql_server_host;
-			$conf['mysql']['master_port'] = $tmp_mysql_server_port;
-			$conf['mysql']['master_admin_user'] = $tmp_mysql_server_admin_user;
-			$conf['mysql']['master_admin_password'] = $tmp_mysql_server_admin_password;
-			$conf['mysql']['master_database'] = $tmp_mysql_server_database;
-			$finished = true;
-		} else {
-			swriteln($inst->lng('Unable to connect to mysql server').' '.mysqli_connect_error());
-		}
-	} while ($finished == false);
-	unset($finished);
-
-	// initialize the connection to the master database
-	$inst->dbmaster = new db();
-	if($inst->dbmaster->linkId) $inst->dbmaster->closeConn();
-	$inst->dbmaster->setDBData($conf['mysql']["master_host"], $conf['mysql']["master_admin_user"], $conf['mysql']["master_admin_password"], $conf['mysql']["master_port"]);
-	$inst->dbmaster->setDBName($conf['mysql']["master_database"]);
-
 	$inst->grant_master_database_rights();
 }
 //}
@@ -561,7 +554,7 @@ if($reconfigure_services_answer == 'yes' || $reconfigure_services_answer == 'sel
   }
 
 	if($conf['services']['firewall'] && $inst->reconfigure_app('Firewall', $reconfigure_services_answer)) {
-		if($conf['ufw']['installed'] == true) {
+		if(isset($conf['ufw']['installed']) && $conf['ufw']['installed'] == true) {
 			//* Configure Ubuntu Firewall
 			$conf['services']['firewall'] = true;
 			swriteln('Configuring Ubuntu Firewall');
@@ -698,7 +691,7 @@ if($reconfigure_services_answer == 'yes') {
 	}
 
 	if($conf['services']['firewall']) {
-		if($conf['ufw']['installed'] == true && isset($conf['ufw']['init_script']) && $conf['ufw']['init_script'] != '' && is_executable($conf['init_scripts'].'/'.$conf['ufw']['init_script']))     system($conf['init_scripts'].'/'.$conf['ufw']['init_script'].' restart &> /dev/null');
+		if(isset($conf['ufw']['installed']) && $conf['ufw']['installed'] == true && isset($conf['ufw']['init_script']) && $conf['ufw']['init_script'] != '' && is_executable($conf['init_scripts'].'/'.$conf['ufw']['init_script']))     system($conf['init_scripts'].'/'.$conf['ufw']['init_script'].' restart &> /dev/null');
 	}
 }
 

interface/lib/app.inc.php

@@ -46,7 +46,7 @@ if(DEVSYSTEM !== true) {
 /*
     Application Class
 */
-class app {
+class app extends stdClass {
 
 	private $_language_inc = 0;
 	private $_wb;
@@ -214,8 +214,10 @@ class app {
 
 	public function auth_log($msg) {
 		$authlog_handle = fopen($this->_conf['ispconfig_log_dir'].'/auth.log', 'a');
-		fwrite($authlog_handle, $msg . PHP_EOL);
-		fclose($authlog_handle);
+		if($authlog_handle) {
+			fwrite($authlog_handle, $msg . PHP_EOL);
+			fclose($authlog_handle);
+		}
 	}
 
 	/** Priority values are: 0 = DEBUG, 1 = WARNING,  2 = ERROR */

interface/lib/classes/auth.inc.php

@@ -44,7 +44,7 @@ class auth {
 			return false;
 		}
 	}
-	
+
 	public function is_superadmin() {
 		if($_SESSION['s']['user']['typ'] == 'admin' && $_SESSION['s']['user']['userid'] == 1) {
 			return true;
@@ -53,6 +53,13 @@ class auth {
 		}
 	}
 
+	public function is_reseller() {
+		if($this->has_clients($_SESSION['s']['user']['userid'])) {
+			return true;
+		} else {
+			return false;
+		}
+	}
 	public function has_clients($userid) {
 		global $app, $conf;
 
@@ -64,11 +71,11 @@ class auth {
 			return false;
 		}
 	}
-	
+
 	// Function to check if a client belongs to a reseller
 	public function is_client_of_reseller($userid = 0) {
 		global $app, $conf;
-		
+
 		if($userid == 0) $userid = $_SESSION['s']['user']['userid'];
 
 		$client = $app->db->queryOneRecord("SELECT client.sys_userid, client.sys_groupid FROM sys_user, client WHERE sys_user.userid = ? AND sys_user.client_id = client.client_id", $userid);
@@ -91,7 +98,7 @@ class auth {
 			$groups = explode(',', $user['groups']);
 			if(!in_array($groupid, $groups)) $groups[] = $groupid;
 			$groups_string = implode(',', $groups);
-			$sql = "UPDATE sys_user SET groups = ? WHERE userid = ?";
+			$sql = "UPDATE sys_user SET `groups` = ? WHERE userid = ?";
 			$app->db->query($sql, $groups_string, $userid);
 			return true;
 		} else {
@@ -103,10 +110,10 @@ class auth {
 	public function get_client_limit($userid, $limitname)
 	{
 		global $app;
-		
+
 		$userid = $app->functions->intval($userid);
 		if(!preg_match('/^[a-zA-Z0-9\-\_]{1,64}$/',$limitname)) $app->error('Invalid limit name '.$limitname);
-		
+
 		// simple query cache
 		if($this->client_limits===null)
 			$this->client_limits = $app->db->queryOneRecord("SELECT client.* FROM sys_user, client WHERE sys_user.userid = ? AND sys_user.client_id = client.client_id", $userid);
@@ -133,7 +140,7 @@ class auth {
 			$key = array_search($groupid, $groups);
 			unset($groups[$key]);
 			$groups_string = implode(',', $groups);
-			$sql = "UPDATE sys_user SET groups = ? WHERE userid = ?";
+			$sql = "UPDATE sys_user SET `groups` = ? WHERE userid = ?";
 			$app->db->query($sql, $groups_string, $userid);
 			return true;
 		} else {
@@ -181,11 +188,11 @@ class auth {
                        exit;
 		}
 	}
-	
+
 	public function check_security_permissions($permission) {
-		
+
 		global $app;
-		
+
 		$app->uses('getconf');
 		$security_config = $app->getconf->get_security_config('permissions');
 
@@ -195,7 +202,7 @@ class auth {
 		if($security_check !== true) {
 			$app->error($app->lng('security_check1_txt').' '.$permission.' '.$app->lng('security_check2_txt'));
 		}
-		
+
 	}
 
 	/**
@@ -232,12 +239,12 @@ class auth {
 		if($minLength < 8) $minLength = 8;
 		$maxLength = $minLength + 5;
 		$length = random_int($minLength, $maxLength);
-		
+
 		$alphachars = "abcdefghijklmnopqrstuvwxyz";
 		$upperchars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
 		$numchars = "1234567890";
 		$specialchars = "!@#_";
-		
+
 		$num_special = 0;
 		if($special == true) {
 			$num_special = intval(random_int(0, round($length / 4))) + 1;
@@ -247,23 +254,23 @@ class auth {
 		$upperlen = intval($alphalen / 2);
 		$alphalen = $alphalen - $upperlen;
 		$password = '';
-		
+
 		for($i = 0; $i < $alphalen; $i++) {
 			$password .= substr($alphachars, random_int(0, strlen($alphachars) - 1), 1);
 		}
-		
+
 		for($i = 0; $i < $upperlen; $i++) {
 			$password .= substr($upperchars, random_int(0, strlen($upperchars) - 1), 1);
 		}
-		
+
 		for($i = 0; $i < $num_special; $i++) {
 			$password .= substr($specialchars, random_int(0, strlen($specialchars) - 1), 1);
 		}
-		
+
 		for($i = 0; $i < $numericlen; $i++) {
 			$password .= substr($numchars, random_int(0, strlen($numchars) - 1), 1);
 		}
-		
+
 		return str_shuffle($password);
 	}
 
@@ -271,7 +278,7 @@ class auth {
 		if($charset != 'UTF-8') {
 			$cleartext_password = mb_convert_encoding($cleartext_password, $charset, 'UTF-8');
 		}
-		
+
 		if(defined('CRYPT_SHA512') && CRYPT_SHA512 == 1) {
 			$salt = '$6$rounds=5000$';
 			$salt_length = 16;
@@ -282,7 +289,7 @@ class auth {
 			$salt = '$1$';
 			$salt_length = 12;
 		}
-		
+
 		if(function_exists('openssl_random_pseudo_bytes')) {
 			$salt .= substr(bin2hex(openssl_random_pseudo_bytes($salt_length)), 0, $salt_length);
 		} else {
@@ -294,7 +301,7 @@ class auth {
 		$salt .= "$";
 		return crypt($cleartext_password, $salt);
 	}
-	
+
 	public function csrf_token_get($form_name) {
 		/* CSRF PROTECTION */
 		// generate csrf protection id and key
@@ -304,13 +311,13 @@ class auth {
 		if(!isset($_SESSION['_csrf_timeout'])) $_SESSION['_csrf_timeout'] = array();
 		$_SESSION['_csrf'][$_csrf_id] = $_csrf_key;
 		$_SESSION['_csrf_timeout'][$_csrf_id] = time() + 3600; // timeout hash in 1 hour
-		
+
 		return array('csrf_id' => $_csrf_id,'csrf_key' => $_csrf_key);
 	}
-	
+
 	public function csrf_token_check($method = 'POST') {
 		global $app;
-		
+
 		if($method == 'POST') {
 			$input_vars = $_POST;
 		} elseif ($method == 'GET') {
@@ -318,10 +325,10 @@ class auth {
 		} else {
 			$app->error('Unknown CSRF verification method.');
 		}
-		
+
 		//print_r($input_vars);
 		//die(print_r($_SESSION['_csrf']));
-		
+
 		if(isset($input_vars) && is_array($input_vars)) {
 			$_csrf_valid = false;
 			if(isset($input_vars['_csrf_id']) && isset($input_vars['_csrf_key'])) {
@@ -339,7 +346,7 @@ class auth {
 			$_SESSION['_csrf_timeout'][$_csrf_id] = null;
 			unset($_SESSION['_csrf'][$_csrf_id]);
 			unset($_SESSION['_csrf_timeout'][$_csrf_id]);
-			
+
 			if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) {
 				$to_unset = array();
 				foreach($_SESSION['_csrf_timeout'] as $_csrf_id => $timeout) {

interface/lib/classes/crypt.inc.php

+<?php
+
+/*
+Copyright (c) 2024, Till Brehm, ISPConfig UG
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+class crypt {
+	
+	/**
+	 * Encode passwords for PostgreSQL with scram-sha-256
+	 *
+	 * @param  mixed $password
+	 * @return string
+	 */
+
+	public function postgres_scram_sha_256($password) {
+		$salt = openssl_random_pseudo_bytes(16); // Salt size = 16
+		$digest_key = hash_pbkdf2("sha256", $password, $salt, 4096, 32, true); // Rounds 4096 and  Digest length = 32
+		$client_key = hash_hmac("sha256", 'Client Key', $digest_key, true);
+		$stored_key = hash("sha256", $client_key, true);
+		$server_key = hash_hmac("sha256", 'Server Key', $digest_key, true);
+		return sprintf('SCRAM-SHA-256$4096:%s$%s:%s', base64_encode($salt), base64_encode($stored_key), base64_encode($server_key));
+	}
+
+}

interface/lib/classes/db_mysql.inc.php

@@ -239,7 +239,7 @@ class db
 						}
 					}
 				}
-				if($ok == true) {
+				if($ok) {
 					return true;
 				} else {
 					if($ids_config['sql_scan_action'] == 'warn') {
@@ -252,6 +252,8 @@ class db
 				}
 			}
 		}
+
+		return true;
 	}
 
 	private function _query($sQuery = '') {
@@ -298,7 +300,9 @@ class db
 		} while($ok == false);
 
 		$sQuery = call_user_func_array(array(&$this, '_build_query_string'), $aArgs);
-		$this->securityScan($sQuery);
+		if (!$this->securityScan($sQuery)) {
+			return false;
+		}
 		$this->_iQueryId = mysqli_query($this->_iConnId, $sQuery);
 		if (!$this->_iQueryId) {
 			$this->_sqlerror('Falsche Anfrage / Wrong Query', 'SQL-Query = ' . $sQuery);
@@ -590,6 +594,7 @@ class db
 	}
 
 	public function toLower($record) {
+		$out = [];
 		if(is_array($record)) {
 			foreach($record as $key => $val) {
 				$key = strtolower($key);
@@ -668,7 +673,7 @@ class db
 			$clientdb_user     = ($conf['db_user']) ? $conf['db_user'] : NULL;
 			$clientdb_password = ($conf['db_password']) ? $conf['db_password'] : NULL;
 			$clientdb_port     = ((int)$conf['db_port']) ? (int)$conf['db_port'] : NULL;
-			$clientdb_flags    = ($conf['db_flags'] !== NULL) ? $conf['db_flags'] : NULL;
+			$clientdb_flags    = (isset($conf['db_flags']) && $conf['db_flags'] !== NULL) ? $conf['db_flags'] : NULL;
 
 			require_once 'lib/mysql_clientdb.conf';
 
@@ -678,7 +683,7 @@ class db
 		$result = $db->_query("SELECT SUM(data_length+index_length) FROM information_schema.TABLES WHERE table_schema='".$db->escape($database_name)."'");
 		if(!$result) {
 			$db->_sqlerror('Unable to determine the size of database ' . $database_name);
-			return;
+			return 0;
 		}
 		$database_size = $result->getAsRow();
 		$result->free();
@@ -847,7 +852,7 @@ class db
 
 		$result = $this->queryAllRecords("SELECT COUNT( * ) AS cnt, sys_datalog.action, sys_datalog.dbtable
 				FROM sys_datalog, server
-				WHERE server.server_id = sys_datalog.server_id AND sys_datalog.user = ? AND sys_datalog.datalog_id > server.updated
+				WHERE (server.server_id = sys_datalog.server_id or sys_datalog.server_id = 0) AND sys_datalog.user = ? AND sys_datalog.datalog_id > server.updated AND server.active = 1
 				GROUP BY sys_datalog.dbtable, sys_datalog.action",
 			$login);
 		foreach($result as $row) {
@@ -1075,7 +1080,7 @@ class db
 	}
 
 	public function mapType($metaType, $typeValue) {
-		global $go_api;
+		global $app;
 		$metaType = strtolower($metaType);
 		switch ($metaType) {
 		case 'int16':
@@ -1107,6 +1112,8 @@ class db
 			return 'date';
 			break;
 		}
+		$app->error('Unknown meta type: '.$metaType);
+		return false;
 	}
 
 	/**
@@ -1148,36 +1155,173 @@ class db
 	 * Get a mysql password hash
 	 *
 	 * @access public
-	 * @param string   cleartext password
+	 * @param string $password cleartext password
+	 * @param string $hash_type MySQL hash type to use. either mysql_native_password or caching_sha2_password
 	 * @return string  Password hash
 	 */
 
-	public function getPasswordHash($password) {
+	public function getPasswordHash($password, $hash_type = 'mysql_native_password') {
+		if($hash_type == 'caching_sha2_password') {
+			$password_hash = $this->mysqlSha256Crypt($password, $this->genSalt(20), 5000);
+		} else {
+			$password_hash = '*' . strtoupper(sha1(sha1($password, true)));
+		}
 
-		$password_type = 'password';
+		return $password_hash;
+	}
 
-		/* Disabled until caching_sha2_password is implemented
-		if($this->getDatabaseType() == 'mysql' && $this->getDatabaseVersion(true) >= 8) {
-			// we are in MySQL 8 mode
-			$tmp = $this->queryOneRecord("show variables like 'default_authentication_plugin'");
-			if($tmp['default_authentication_plugin'] == 'caching_sha2_password') {
-				$password_type = 'caching_sha2_password';
+	/**
+	 * @param $size int length of salt in bytes
+	 *
+	 * @return string
+	 */
+	private function genSalt($size) {
+		$salt = random_bytes($size);
+		if($salt === false) {
+			throw new Exception('Cannot generate salt.');
+		}
+		for($i = 0; $i < $size; $i++) {
+			$ord = ord($salt[$i]) & 0x7f;
+			if($ord < 32) {
+				$ord += 32;
+			}
+			if($ord == 36 /* $ */) {
+				$ord += 1;
 			}
+			$salt[$i] = chr($ord);
 		}
-		*/
 
-		if($password_type == 'caching_sha2_password') {
-			/*
-				caching_sha2_password hashing needs to be implemented, have not
-				found valid PHP implementation for the new password hash type.
-			*/
-		} else {
-			$password_hash = '*'.strtoupper(sha1(sha1($password, true)));
+		return $salt;
+	}
+
+	/**
+	 * this is the SHA256 algorithm of the crypt unix call – the only difference is that we do not truncate the salt to 16 chars
+	 * @see https://www.akkadia.org/drepper/SHA-crypt.txt
+	 * @see https://github.com/mysql/mysql-server/blob/trunk/mysys/crypt_genhash_impl.cc
+	 *
+	 * @param string $plaintext the plain text password
+	 * @param string $salt the raw salt (needs to be 20 bytes long)
+	 * @param int $rounds number of rounds. MySQL default is 5000.  Must be between 1000 and 4095000 (0xFFF * 1000)
+	 *
+	 * @return string hashed password in MySQL format
+	 */
+	private function mysqlSha256Crypt($plaintext, $salt, $rounds) {
+		$plaintext_len = strlen($plaintext);
+		$salt_len = strlen($salt);
+
+		// 1
+		$ctxA = hash_init('sha256');
+		// 2
+		hash_update($ctxA, $plaintext);
+		// 3
+		hash_update($ctxA, $salt);
+		// 4
+		$ctxB = hash_init('sha256');
+		// 5
+		hash_update($ctxB, $plaintext);
+		// 6
+		hash_update($ctxB, $salt);
+		// 7
+		hash_update($ctxB, $plaintext);
+		// 8
+		$B = hash_final($ctxB, true);
+		// 9
+		for($i = $plaintext_len; $i > 32; $i -= 32) {
+			hash_update($ctxA, $B);
 		}
+		// 10
+		hash_update($ctxA, substr($B, 0, $i));
+		// 11
+		for($i = $plaintext_len; $i > 0; $i >>= 1) {
+			if(($i & 1) != 0) {
+				hash_update($ctxA, $B);
+			} else {
+				hash_update($ctxA, $plaintext);
+			}
+		}
+		// 12
+		$A = hash_final($ctxA, true);
+		// 13
+		$ctxDP = hash_init('sha256');
+		// 14
+		for($i = 0; $i < $plaintext_len; $i++) {
+			hash_update($ctxDP, $plaintext);
+		}
+		// 15
+		$DP = hash_final($ctxDP, true);
+		// 16
+		$P = "";
+		for($i = $plaintext_len; $i > 32; $i -= 32) {
+			$P .= $DP;
+		}
+		$P .= substr($DP, 0, $i);
+		// 17
+		$ctxDS = hash_init('sha256');
+		// 18
+		for($i = 0; $i < 16 + ord($A[0]); $i++) {
+			hash_update($ctxDS, $salt);
+		}
+		// 19
+		$DS = hash_final($ctxDS, true);
+		// 20
+		$S = "";
+		for($i = $salt_len; $i >= 32; $i -= 32) {
+			$S .= $DS;
+		}
+		$S .= substr($DS, 0, $i);
+		// 21
+		$C = "";
+		for($i = 0; $i < $rounds; $i++) {
+			$ctxC = hash_init('sha256');
+			if(($i & 1) != 0) {
+				hash_update($ctxC, $P);
+			} else {
+				hash_update($ctxC, $i == 0 ? $A : $C);
+			}
 
-		return $password_hash;
-	}
+			if($i % 3 != 0) {
+				hash_update($ctxC, $S);
+			}
+
+			if($i % 7 != 0) {
+				hash_update($ctxC, $P);
+			}
+
+			if(($i & 1) != 0) {
+				hash_update($ctxC, $i == 0 ? $A : $C);
+			} else {
+				hash_update($ctxC, $P);
+			}
+			$C = hash_final($ctxC, true);
+		}
 
+		// 22
+		$b64result = str_repeat(' ', 43);
+		$p = 0;
+		$b64_from_24bit = function($B2, $B1, $B0, $N) use (&$b64result, &$p) {
+			$b64_alphabet = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+			$w = ($B2 << 16) | ($B1 << 8) | $B0;
+			$n = $N;
+			while(--$n >= 0) {
+				$b64result[$p++] = $b64_alphabet[$w & 0x3f];
+				$w = $w >> 6;
+			}
+		};
+		$b64_from_24bit(ord($C[0]), ord($C[10]), ord($C[20]), 4);
+		$b64_from_24bit(ord($C[21]), ord($C[1]), ord($C[11]), 4);
+		$b64_from_24bit(ord($C[12]), ord($C[22]), ord($C[2]), 4);
+		$b64_from_24bit(ord($C[3]), ord($C[13]), ord($C[23]), 4);
+		$b64_from_24bit(ord($C[24]), ord($C[4]), ord($C[14]), 4);
+		$b64_from_24bit(ord($C[15]), ord($C[25]), ord($C[5]), 4);
+		$b64_from_24bit(ord($C[6]), ord($C[16]), ord($C[26]), 4);
+		$b64_from_24bit(ord($C[27]), ord($C[7]), ord($C[17]), 4);
+		$b64_from_24bit(ord($C[18]), ord($C[28]), ord($C[8]), 4);
+		$b64_from_24bit(ord($C[9]), ord($C[19]), ord($C[29]), 4);
+		$b64_from_24bit(0, ord($C[31]), ord($C[30]), 3);
+
+		// we do not truncate $salt to 16 chars since MySQL does not do that and uses 20 bytes salts
+		return sprintf('$A$%03x$%s%s', $rounds / 1000, $salt, $b64result);
+	}
 
 }
 
@@ -1191,10 +1335,11 @@ class db_result {
 
 	/**
 	 *
-	 *
+	 * @var mysqli_result|null
 	 * @access private
 	 */
 	private $_iResId = null;
+	/** @var mysqli|null  */
 	private $_iConnection = null;
 
 
@@ -1406,7 +1551,7 @@ class fakedb_result {
 	 *
 	 * @access public
 	 * @param int     $iStart offset to start read
-	 * @param int     iLength amount of datasets to read
+	 * @param int     $iLength amount of datasets to read
 	 */
 	public function limit_result($iStart, $iLength) {
 		$this->aLimitedData = array_slice($this->aResultData, $iStart, $iLength, true);

interface/lib/classes/dns_wizard.inc.php

@@ -268,7 +268,7 @@ class dns_wizard
                 "expire" => $expire,
                 "minimum" => $minimum,
                 "ttl" => $ttl,
-                "active" => 'Y',
+                "active" => 'N', // Activated later when all DNS records are added.
                 "xfer" => $xfer,
                 "also_notify" => $also_notify,
                 "update_acl" => $update_acl,
@@ -301,6 +301,9 @@ class dns_wizard
                 }
             }
 
+            // Activate the DNS zone.
+            $app->db->datalogUpdate('dns_soa', array('active' => 'Y'), 'id', $dns_soa_id);
+
             return 'ok';
 
         } else {

interface/lib/classes/functions.inc.php

@@ -287,11 +287,33 @@ class functions {
 	 * @return string - formated bytes
 	 */
 	public function formatBytes($size, $precision = 2) {
+		// 0 is a special as it would give NAN otehrwise.
+		if ($size == 0) {
+			return 0;
+		}
+
 		$base=log($size)/log(1024);
 		$suffixes=array('', ' kB', ' MB', ' GB', ' TB');
 		return round(pow(1024, $base-floor($base)), $precision).$suffixes[floor($base)];
 	}
 
+	/**
+	 * Function to change bytes to kB, MB, GB or TB or the translated string 'Unlimited' for -1
+	 * @param int $size - size in bytes
+	 * @param int precicion - after-comma-numbers (default: 2)
+	 * @return string - formated bytes
+	 */
+	public function formatBytesOrUnlimited($size, $precision = 2) {
+		global $app;
+
+		if ($size == -1) {
+			return $app->lng('unlimited_txt');
+		}
+		else {
+			return $this->formatBytes($size, $precision);
+		}
+
+	}
 
 	/**
 	 * Normalize a path and strip duplicate slashes from it
@@ -650,7 +672,23 @@ class functions {
 			$result = false;
 		}
 		return $result;
-	}	
+	}
+
+    /**
+     * Lookup a client's group + all groups he is reselling.
+     *
+     * @return string Comma separated list of groupid's
+     */
+    function clientid_to_groups_list($client_id) {
+      global $app;
+
+      if ($client_id != null) {
+        // Get the clients groupid, and in case it's a reseller the groupid's of its clients.
+        $group = $app->db->queryOneRecord("SELECT GROUP_CONCAT(groupid) AS `groups` FROM `sys_group` WHERE client_id IN (SELECT client_id FROM `client` WHERE client_id=? OR parent_client_id=?)", $client_id, $client_id);
+        return $group['groups'];
+      }
+      return null;
+    }
 
 }
 

interface/lib/classes/ids.inc.php

@@ -49,11 +49,14 @@ class ids {
 		require_once(ISPC_CLASS_PATH.'/IDS/Report.php');
 		require_once(ISPC_CLASS_PATH.'/IDS/Event.php');
 		require_once(ISPC_CLASS_PATH.'/IDS/Converter.php');
+
+		$ispcookie = array();
+		$ispcookie['ISPCSESS'] = $_COOKIE['ISPCSESS'];
 		
 		$ids_request = array(
 			'GET' => $_GET,
 			'POST' => $_POST,
-			'COOKIE' => $_COOKIE
+			'COOKIE' => $ispcookie
 		);
 		
 		$ids_init = IDS\Init::init(ISPC_CLASS_PATH.'/IDS/Config/Config.ini.php');

interface/lib/classes/ispcmail.inc.php

@@ -823,7 +823,7 @@ class ispcmail {
 				$recipname = trim(str_replace('"', '', $recipname));
 
 				if($rec_string != '') $rec_string .= ', ';
-				if($recipname && !is_numeric($recipname)) $rec_string .= $recipname . '<' . $recip . '>';
+				if($recipname && !is_numeric($recipname)) $rec_string .= '"' . $recipname . '"<' . $recip . '>';
 				else $rec_string .= $recip;
 			}
 			$to = $this->_encodeHeader($rec_string, $this->mail_charset);

interface/lib/classes/quota_lib.inc.php

@@ -14,7 +14,10 @@ class quota_lib {
 		//print_r($monitor_data);
 
 		// select all websites or websites belonging to client
-		$sites = $app->db->queryAllRecords("SELECT * FROM web_domain WHERE active = 'y' AND type = 'vhost'".(($clientid != null)?" AND sys_groupid = (SELECT default_group FROM sys_user WHERE client_id=?)":'') . " ORDER BY domain", $clientid);
+		$q = "SELECT * FROM web_domain WHERE type = 'vhost' AND ";
+		$q .= $app->tform->getAuthSQL('r', '', '', $app->functions->clientid_to_groups_list($clientid));
+		$q .= " ORDER BY domain";
+		$sites = $app->db->queryAllRecords($q, $clientid);
 
 		//print_r($sites);
 		if(is_array($sites) && !empty($sites)){
@@ -36,9 +39,10 @@ class quota_lib {
 				if (!is_numeric($sites[$i]['hard'])) $sites[$i]['hard']=$sites[$i]['hard'][1];
 				if (!is_numeric($sites[$i]['files'])) $sites[$i]['files']=$sites[$i]['files'][1];
 
-				$sites[$i]['used_raw'] = $sites[$i]['used'];
-				$sites[$i]['soft_raw'] = $sites[$i]['soft'];
-				$sites[$i]['hard_raw'] = $sites[$i]['hard'];
+                               // Convert from kb to bytes, and use -1 for instead of 0 for Unlimited.
+				$sites[$i]['used_raw'] = $sites[$i]['used'] * 1024;
+                               $sites[$i]['soft_raw'] = ($sites[$i]['soft'] > 0) ? $sites[$i]['soft'] * 1024 : -1;
+                               $sites[$i]['hard_raw'] = ($sites[$i]['hard'] > 0) ? $sites[$i]['hard'] * 1024 : -1;
 				$sites[$i]['files_raw'] = $sites[$i]['files'];
 				$sites[$i]['used_percentage'] = ($sites[$i]['soft'] > 0 && $sites[$i]['used'] > 0 ? round($sites[$i]['used'] * 100 / $sites[$i]['soft']) : 0);
 
@@ -53,29 +57,6 @@ class quota_lib {
 					if($used_ratio >= 0.8) $sites[$i]['display_colour'] = '#fd934f';
 					if($used_ratio >= 1) $sites[$i]['display_colour'] = '#cc0000';
 
-					if($sites[$i]['used'] > 1024) {
-						$sites[$i]['used'] = round($sites[$i]['used'] / 1024, 1).' MB';
-					} else {
-						if ($sites[$i]['used'] != '') $sites[$i]['used'] .= ' KB';
-					}
-
-					if($sites[$i]['soft'] > 1024) {
-						$sites[$i]['soft'] = round($sites[$i]['soft'] / 1024, 1).' MB';
-					} else {
-						$sites[$i]['soft'] .= ' KB';
-					}
-
-					if($sites[$i]['hard'] > 1024) {
-						$sites[$i]['hard'] = round($sites[$i]['hard'] / 1024, 1).' MB';
-					} else {
-						$sites[$i]['hard'] .= ' KB';
-					}
-
-					if($sites[$i]['soft'] == " KB") $sites[$i]['soft'] = $app->lng('unlimited_txt');
-					if($sites[$i]['hard'] == " KB") $sites[$i]['hard'] = $app->lng('unlimited_txt');
-
-					if($sites[$i]['soft'] == '0 B' || $sites[$i]['soft'] == '0 KB' || $sites[$i]['soft'] == '0') $sites[$i]['soft'] = $app->lng('unlimited_txt');
-					if($sites[$i]['hard'] == '0 B' || $sites[$i]['hard'] == '0 KB' || $sites[$i]['hard'] == '0') $sites[$i]['hard'] = $app->lng('unlimited_txt');
 
 					/*
 					 if(!strstr($sites[$i]['used'],'M') && !strstr($sites[$i]['used'],'K')) $sites[$i]['used'].= ' B';
@@ -83,13 +64,7 @@ class quota_lib {
 					if(!strstr($sites[$i]['hard'],'M') && !strstr($sites[$i]['hard'],'K')) $sites[$i]['hard'].= ' B';
 					*/
 				}
-				else {
-					if (empty($sites[$i]['soft'])) $sites[$i]['soft'] = -1;
-					if (empty($sites[$i]['hard'])) $sites[$i]['hard'] = -1;
 
-					if($sites[$i]['soft'] == '0 B' || $sites[$i]['soft'] == '0 KB' || $sites[$i]['soft'] == '0') $sites[$i]['soft'] = -1;
-					if($sites[$i]['hard'] == '0 B' || $sites[$i]['hard'] == '0 KB' || $sites[$i]['hard'] == '0') $sites[$i]['hard'] = -1;
-				}
 			}
 		}
 
@@ -218,7 +193,7 @@ class quota_lib {
 		return $traffic_data;
 	}
 
-	public function get_mailquota_data($clientid = null, $readable = true) {
+       public function get_mailquota_data($clientid = null, $readable = true, $email = null) {
 		global $app;
 
 		$tmp_rec =  $app->db->queryAllRecords("SELECT data from monitor_data WHERE type = 'email_quota' ORDER BY created DESC");
@@ -236,14 +211,32 @@ class quota_lib {
 		}
 		//print_r($monitor_data);
 
+               if ($email !== null && !empty($email)) {
+				   if(isset($monitor_data[$email])) {
+					   return $monitor_data[$email];
+				   } else {
+					   return '';
+				   }
+                       
+               }
 		// select all email accounts or email accounts belonging to client
-		$emails = $app->db->queryAllRecords("SELECT * FROM mail_user".(($clientid != null)? " WHERE sys_groupid = (SELECT default_group FROM sys_user WHERE client_id=?)" : '') . " ORDER BY email", $clientid);
+		$q = "SELECT * FROM mail_user WHERE";
+		$q .= $app->tform->getAuthSQL('r', '', '', $app->functions->clientid_to_groups_list($clientid));
+		$q .= " ORDER BY email";
+		$emails = $app->db->queryAllRecords($q, $clientid);
 
 		//print_r($emails);
 		if(is_array($emails) && !empty($emails)) {
 			for($i=0;$i<sizeof($emails);$i++){
 				$email = $emails[$i]['email'];
 
+				if (empty($emails[$i]['last_access'])) {
+					$emails[$i]['last_access'] = $app->lng('never_accessed_txt');
+				}
+				else {
+					$emails[$i]['last_access'] = date($app->lng('conf_format_dateshort'), $emails[$i]['last_access']);
+				}
+
 				$emails[$i]['name'] = $app->functions->htmlentities($emails[$i]['name']);
 				$emails[$i]['used'] = isset($monitor_data[$email]['used']) ? $monitor_data[$email]['used'] : array(1 => 0);
 
@@ -265,17 +258,8 @@ class quota_lib {
 					if($used_ratio >= 0.8) $emails[$i]['display_colour'] = '#fd934f';
 					if($used_ratio >= 1) $emails[$i]['display_colour'] = '#cc0000';
 
-					if($emails[$i]['quota'] == 0){
-						$emails[$i]['quota'] = $app->lng('unlimited_txt');
-					} else {
-                                               $emails[$i]['quota'] = round($emails[$i]['quota'] / 1048576, 1).' MB';
-					}
-
-
-					if($emails[$i]['used'] < 1544000) {
-                                               $emails[$i]['used'] = round($emails[$i]['used'] / 1024, 1).' KB';
-					} else {
-                                               $emails[$i]['used'] = round($emails[$i]['used'] / 1048576, 1).' MB';
+					if($emails[$i]['quota'] == 0) {
+						$emails[$i]['quota'] = -1;
 					}
 				}
 			}
@@ -302,18 +286,21 @@ class quota_lib {
 		//print_r($monitor_data);
 
 		// select all databases belonging to client
-		$databases = $app->db->queryAllRecords("SELECT * FROM web_database".(($clientid != null)? " WHERE sys_groupid = (SELECT default_group FROM sys_user WHERE client_id=?)" : '') . " ORDER BY database_name", $clientid);
+		$q = "SELECT * FROM web_database WHERE";
+		$q .= $app->tform->getAuthSQL('r', '', '', $app->functions->clientid_to_groups_list($clientid));
+		$q .= " ORDER BY database_name";
+		$databases = $app->db->queryAllRecords($q);
 
 		//print_r($databases);
 		if(is_array($databases) && !empty($databases)){
 			for($i=0;$i<sizeof($databases);$i++){
 				$databasename = $databases[$i]['database_name'];
 
-				$databases[$i]['used'] = isset($monitor_data[$databasename]['size']) ? $monitor_data[$databasename]['size'] : 0;
+				$size = isset($monitor_data[$databasename]['size']) ? $monitor_data[$databasename]['size'] : 0;
 
-				$databases[$i]['quota_raw'] = $databases[$i]['database_quota'];
-				$databases[$i]['used_raw'] = $databases[$i]['used'] / 1024 / 1024; //* quota is stored as MB - calculated bytes
-				$databases[$i]['used_percentage'] = (($databases[$i]['database_quota'] > 0) && ($databases[$i]['used'] > 0)) ? round($databases[$i]['used_raw'] * 100 / $databases[$i]['database_quota']) : 0;
+				$databases[$i]['database_quota_raw'] = ($databases[$i]['database_quota'] == -1) ? -1 : $databases[$i]['database_quota'] * 1000 * 1000;
+				$databases[$i]['used_raw'] = $size; // / 1024 / 1024; //* quota is stored as MB - calculated bytes
+				$databases[$i]['used_percentage'] = (($databases[$i]['database_quota'] > 0) && ($size > 0)) ? round($databases[$i]['used_raw'] * 100 / $databases[$i]['database_quota_raw']) : 0;
 
 				if ($readable) {
 					// colours
@@ -326,18 +313,8 @@ class quota_lib {
 					if($used_ratio >= 0.8) $databases[$i]['display_colour'] = '#fd934f';
 					if($used_ratio >= 1) $databases[$i]['display_colour'] = '#cc0000';
 
-					if($databases[$i]['database_quota'] == -1) {
-						$databases[$i]['database_quota'] = $app->lng('unlimited_txt');
-					} else {
-						$databases[$i]['database_quota'] = $databases[$i]['database_quota'] . ' MB';
-					}
 
 
-					if($databases[$i]['used'] < 1544000) {
-						$databases[$i]['used'] = round($databases[$i]['used'] / 1024, 1).' KB';
-					} else {
-						$databases[$i]['used'] = round($databases[$i]['used'] / 1048576, 1).' MB';
-					}
 				}
 			}
 		}

interface/lib/classes/remote.d/client.inc.php

@@ -113,20 +113,20 @@ class remoting_client extends remoting {
 		}
 
 	}
-	
+
 	//* Get the contact details to send a email like email address, name, etc.
 	public function client_get_emailcontact($session_id, $client_id) {
 		global $app;
-		
+
 		if(!$this->checkPerm($session_id, 'client_get_emailcontact')) {
 			throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
 			return false;
 		}
-		
+
 		$client_id = $app->functions->intval($client_id);
 
 		$rec = $app->db->queryOneRecord("SELECT company_name,contact_name,gender,email,language FROM client WHERE client_id = ?", $client_id);
-		
+
 		if(is_array($rec)) {
 			return $rec;
 		} else {
@@ -159,7 +159,7 @@ class remoting_client extends remoting {
 	public function client_add($session_id, $reseller_id, $params)
 	{
 		global $app;
-		
+
 		if (!$this->checkPerm($session_id, 'client_add'))
 		{
 			throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
@@ -198,7 +198,7 @@ class remoting_client extends remoting {
 		$app->uses('remoting_lib');
 		$app->remoting_lib->loadFormDef('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php');
 		$old_rec = $app->remoting_lib->getDataRecord($client_id);
-		
+
 		//* merge old record with params, so only new values have to be set in $params
 		$params = $app->functions->array_merge($old_rec,$params);
 
@@ -218,7 +218,7 @@ class remoting_client extends remoting {
 			}
 		}
 
-		// we need the previuos templates assigned here
+		// we need the previous templates assigned here
 		$this->oldTemplatesAssigned = $app->db->queryAllRecords('SELECT * FROM `client_template_assigned` WHERE `client_id` = ?', $client_id);
 		if(!is_array($this->oldTemplatesAssigned) || count($this->oldTemplatesAssigned) < 1) {
 			// check previous type of storing templates
@@ -243,7 +243,7 @@ class remoting_client extends remoting {
 		$affected_rows = $this->updateQuery('../client/form/' . (isset($params['limit_client']) && $params['limit_client'] != 0 ? 'reseller' : 'client') . '.tform.php', $reseller_id, $client_id, $params, 'client:' . ($reseller_id ? 'reseller' : 'client') . ':on_after_update');
 
 		$app->remoting_lib->ispconfig_sysuser_update($params, $client_id);
-		
+
 		// if canceled
         if ($params['canceled']) {
         	$result = $app->functions->func_client_cancel($client_id, $params['canceled']);
@@ -482,7 +482,7 @@ class remoting_client extends remoting {
 			return false;
 		}
 	}
-	
+
 	public function client_get_by_customer_no($session_id, $customer_no) {
 		global $app;
 		if(!$this->checkPerm($session_id, 'client_get_by_customer_no')) {
@@ -573,16 +573,16 @@ class remoting_client extends remoting {
 		$result = $app->db->queryAllRecords($sql);
 		return $result;
 	}
-	
+
 	public function client_login_get($session_id,$username,$password,$remote_ip = '') {
 		global $app;
-		
+
 		//* Check permissions
 		if(!$this->checkPerm($session_id, 'client_get')) {
 			throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
 			return false;
 		}
-		
+
 		//* Check username and password
 		if(!preg_match("/^[\w\.\-\_\@]{1,128}$/", $username)) {
 			throw new SoapFault('user_regex_error', 'Username contains invalid characters.');
@@ -592,21 +592,21 @@ class remoting_client extends remoting {
 			throw new SoapFault('password_length_error', 'Invalid password length or no password provided.');
 			return false;
 		}
-		
+
 		//* Check failed logins
 		$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND  `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";
 		$alreadyfailed = $app->db->queryOneRecord($sql, $remote_ip);
-		
+
 		//* too many failedlogins
 		if($alreadyfailed['times'] > 5) {
 			throw new SoapFault('error_user_too_many_logins', 'Too many failed logins.');
 			return false;
 		}
-		
-		
+
+
 		//*Set variables
 		$returnval == false;
-		
+
 		if(strstr($username,'@')) {
 			// Check against client table
 			$sql = "SELECT * FROM client WHERE email = ?";
@@ -628,7 +628,7 @@ class remoting_client extends remoting {
 					}
 				}
 			}
-			
+
 			if(is_array($user)) {
 				$returnval = array(	'username' 	=> 	$user['username'],
 									'type'		=>	'user',
@@ -636,7 +636,7 @@ class remoting_client extends remoting {
 									'language'	=>	$user['language'],
 									'country'	=>	$user['country']);
 			}
-			
+
 		} else {
 			// Check against sys_user table
 			$sql = "SELECT * FROM sys_user WHERE username = ?";
@@ -658,7 +658,7 @@ class remoting_client extends remoting {
 					}
 				}
 			}
-			
+
 			if(is_array($user)) {
 				$returnval = array(	'username' 	=> 	$user['username'],
 									'type'		=>	$user['typ'],
@@ -669,7 +669,7 @@ class remoting_client extends remoting {
 				throw new SoapFault('login_failed', 'Login failed.');
 			}
 		}
-		
+
 		//* Log failed login attempts
 		if($user === false) {
 			if(!$alreadyfailed['times'] ) {
@@ -682,10 +682,10 @@ class remoting_client extends remoting {
 				$app->db->query($sql, $remote_ip);
 			}
 		}
-		
+
 		return $returnval;
 	}
-	
+
 	public function client_get_by_groupid($session_id, $group_id)
 	{
 		global $app;

interface/lib/classes/remote.d/dns.inc.php

@@ -218,10 +218,11 @@ class remoting_dns extends remoting {
 		if(!$this->checkPerm($session_id, 'dns_' . $rr_type . '_add')) {
 			throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
 		}
+		$primary_id = $this->insertQuery('../dns/form/dns_' . $rr_type . '.tform.php', $client_id, $params);
 		if($update_serial) {
 			$this->increase_serial($session_id, $client_id, $params);
 		}
-		return $this->insertQuery('../dns/form/dns_' . $rr_type . '.tform.php', $client_id, $params);
+		return $primary_id;
 	}
 
 	//* Update a record

interface/lib/classes/remote.d/sites.inc.php

@@ -167,9 +167,8 @@ class remoting_sites extends remoting {
 			$retval = $this->updateQueryExecute($sql, $primary_id, $params);
 
 			// set correct values for backup_interval and backup_copies
-			if(isset($params['backup_interval']) || isset($params['backup_copies']) || isset($params['backup_format_web']) || isset($params['backup_format_db'])){
+			if(isset($params['backup_copies']) || isset($params['backup_format_web']) || isset($params['backup_format_db'])){
 				$sql_set = array();
-				if(isset($params['backup_interval'])) $sql_set[] = "backup_interval = '".$app->db->quote($params['backup_interval'])."'";
 				if(isset($params['backup_copies'])) $sql_set[] = "backup_copies = ".$app->functions->intval($params['backup_copies']);
 				if(isset($params['backup_format_web'])) $sql_set[] = "backup_format_web = ".$app->functions->intval($params['backup_format_web']);
 				if(isset($params['backup_format_db'])) $sql_set[] = "backup_format_db = ".$app->functions->intval($params['backup_format_db']);
@@ -434,10 +433,10 @@ class remoting_sites extends remoting {
 		if($params['log_retention'] == '') $params['log_retention'] = 30;
 
 		//* Set a few defaults for nginx servers
-		if($params['pm_max_children'] == '') $params['pm_max_children'] = 1;
-		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 1;
+		if($params['pm_max_children'] == '') $params['pm_max_children'] = 10;
+		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 2;
 		if($params['pm_min_spare_servers'] == '') $params['pm_min_spare_servers'] = 1;
-		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 1;
+		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 5;
 
 		$domain_id = $this->insertQuery('../sites/form/web_vhost_domain.tform.php', $client_id, $params, 'sites:web_vhost_domain:on_after_insert');
 		if ($readonly === true)
@@ -456,10 +455,10 @@ class remoting_sites extends remoting {
 		if($params['log_retention'] == '') $params['log_retention'] = 30;
 
 		//* Set a few defaults for nginx servers
-		if($params['pm_max_children'] == '') $params['pm_max_children'] = 1;
-		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 1;
+		if($params['pm_max_children'] == '') $params['pm_max_children'] = 10;
+		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 2;
 		if($params['pm_min_spare_servers'] == '') $params['pm_min_spare_servers'] = 1;
-		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 1;
+		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 5;
 
 		$affected_rows = $this->updateQuery('../sites/form/web_vhost_domain.tform.php', $client_id, $primary_id, $params);
 		return $affected_rows;
@@ -508,10 +507,10 @@ class remoting_sites extends remoting {
 		if($params['log_retention'] == '') $params['log_retention'] = 30;
 
 		//* Set a few defaults for nginx servers
-		if($params['pm_max_children'] == '') $params['pm_max_children'] = 1;
-		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 1;
+		if($params['pm_max_children'] == '') $params['pm_max_children'] = 10;
+		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 2;
 		if($params['pm_min_spare_servers'] == '') $params['pm_min_spare_servers'] = 1;
-		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 1;
+		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 5;
 
 		$domain_id = $this->insertQuery('../sites/form/web_vhost_domain.tform.php', $client_id, $params, 'sites:web_vhost_aliasdomain:on_after_insert');
 		return $domain_id;
@@ -528,10 +527,10 @@ class remoting_sites extends remoting {
 		if($params['log_retention'] == '') $params['log_retention'] = 30;
 
 		//* Set a few defaults for nginx servers
-		if($params['pm_max_children'] == '') $params['pm_max_children'] = 1;
-		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 1;
+		if($params['pm_max_children'] == '') $params['pm_max_children'] = 10;
+		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 2;
 		if($params['pm_min_spare_servers'] == '') $params['pm_min_spare_servers'] = 1;
-		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 1;
+		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 5;
 
 		$affected_rows = $this->updateQuery('../sites/form/web_vhost_domain.tform.php', $client_id, $primary_id, $params, 'sites:web_vhost_aliasdomain:on_after_insert');
 		return $affected_rows;
@@ -580,10 +579,10 @@ class remoting_sites extends remoting {
 		if($params['log_retention'] == '') $params['log_retention'] = 30;
 
 		//* Set a few defaults for nginx servers
-		if($params['pm_max_children'] == '') $params['pm_max_children'] = 1;
-		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 1;
+		if($params['pm_max_children'] == '') $params['pm_max_children'] = 10;
+		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 2;
 		if($params['pm_min_spare_servers'] == '') $params['pm_min_spare_servers'] = 1;
-		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 1;
+		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 5;
 
 		$domain_id = $this->insertQuery('../sites/form/web_vhost_domain.tform.php', $client_id, $params, 'sites:web_vhost_subdomain:on_after_insert');
 		return $domain_id;
@@ -600,10 +599,10 @@ class remoting_sites extends remoting {
 		if($params['log_retention'] == '') $params['log_retention'] = 30;
 
 		//* Set a few defaults for nginx servers
-		if($params['pm_max_children'] == '') $params['pm_max_children'] = 1;
-		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 1;
+		if($params['pm_max_children'] == '') $params['pm_max_children'] = 10;
+		if($params['pm_start_servers'] == '') $params['pm_start_servers'] = 2;
 		if($params['pm_min_spare_servers'] == '') $params['pm_min_spare_servers'] = 1;
-		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 1;
+		if($params['pm_max_spare_servers'] == '') $params['pm_max_spare_servers'] = 5;
 
 		$affected_rows = $this->updateQuery('../sites/form/web_vhost_domain.tform.php', $client_id, $primary_id, $params, 'sites:web_vhost_subdomain:on_after_insert');
 		return $affected_rows;

interface/lib/classes/remoting_lib.inc.php

@@ -82,11 +82,22 @@ class remoting_lib extends tform_base {
 	//* Load the form definition from file. - special version for remoting
 	// module parameter is only for compatibility with base class
 	function loadFormDef($file, $module = '') {
-		global $app, $conf;
+		global $app;
 
 		include $file;
 
+		// Search for module name by path because $_SESSION['s']['module']['name']
+		// isn't set in a remote call.
+		$module_path = array_reverse(explode('/', $file));
+		$module_name = isset($module_path[2]) && $module_path[1] == 'form' && preg_match("/^[a-z]{2,20}$/i", $module_path[2]) ? $module_path[2] : '';
+
+		// Allow plugins to be loaded
+		if ($module_name) {
+			$app->plugin->raiseEvent($module_name.':'.$form['name'] . ':on_remote_before_formdef', $this);
+		}
+
 		$this->formDef = $form;
+
 		unset($this->formDef['tabs']);
 
 		//* Copy all fields from all tabs into one form definition
@@ -97,6 +108,11 @@ class remoting_lib extends tform_base {
 		}
 		unset($form);
 
+		// Allow plugins to be loaded
+		if ($module_name) {
+			$app->plugin->raiseEvent($module_name.':'.$this->formDef['name'] . ':on_remote_after_formdef', $this);
+		}
+
 		$this->dateformat = 'Y-m-d'; //$app->lng('conf_format_dateshort');
 		$this->datetimeformat = 'Y-m-d H:i:s'; //$app->lng('conf_format_datetime');
 
@@ -127,6 +143,10 @@ class remoting_lib extends tform_base {
 			$_SESSION["s"]["user"]["typ"] = 'admin';
 		} else {
 			$user = $app->db->queryOneRecord("SELECT * FROM sys_user WHERE client_id = ?", $this->client_id);
+			if(empty($user)) {
+				throw new SoapFault('invalid_client_id', 'Invalid client_id '.$this->client_id);
+				return false;
+			}
 			$this->sys_username         = $user['username'];
 			$this->sys_userid            = $user['userid'];
 			$this->sys_default_group     = $user['default_group'];
@@ -199,14 +219,14 @@ class remoting_lib extends tform_base {
 	function getSQL($record, $action = 'INSERT', $primary_id = 0, $sql_ext_where = '', $dummy = '') {
 
 		global $app;
-		
+
 		// early usage. make sure _primary_id is sanitized if present.
 		if ( isset($record['_primary_id']) && is_numeric($record['_primary_id'])) {
 			$_primary_id = intval($record['_primary_id']);
 			if ($_primary_id > 0)
 				$this->primary_id_override = $_primary_id;
 		}
-		
+
 		if(!is_array($this->formDef)) $app->error("Form definition not found.");
 		$this->dataRecord = $record;
 

interface/lib/classes/sites_database_plugin.inc.php

@@ -44,8 +44,7 @@ class sites_database_plugin {
 
 			//* The Database user shall be owned by the same group then the website
 			$sys_groupid = $app->functions->intval($web['sys_groupid']);
-			$backup_interval = $web['backup_interval'];
-			$backup_format_web = $web['backup_format_web'];
+			$backup_interval = $app->db->quote($form_page->dataRecord["backup_interval"]);
 			$backup_format_db = $web['backup_format_db'];
 			$backup_copies = $app->functions->intval($web['backup_copies']);
 

interface/lib/classes/tform.inc.php

@@ -115,7 +115,7 @@ class tform extends tform_base {
 			// Show the same tab again in case of an error
 			$active_tab = $_SESSION["s"]["form"]["tab"];
 		}
-		
+
 		if(!preg_match('/^[a-zA-Z0-9_]{0,50}$/',$active_tab)) {
 			die('Invalid next tab name.');
 		}
@@ -132,7 +132,7 @@ class tform extends tform_base {
 
 	function isReadonlyTab($tab, $primary_id) {
 		global $app, $conf;
-		
+
 		if(isset($this->formDef['tabs'][$tab]['readonly']) && $this->formDef['tabs'][$tab]['readonly'] == true) {
 
 			// Add backticks for incomplete table names.
@@ -149,7 +149,7 @@ class tform extends tform_base {
 			if($record['sys_userid'] != $_SESSION["s"]["user"]["userid"]) {
 				return true;
 			} else {
-				return false;	
+				return false;
 			}
 		} else {
 			return false;
@@ -204,7 +204,7 @@ class tform extends tform_base {
 		if($client['parent_client_id'] != 0) {
 
 			//* first we need to know the groups of this reseller
-			$tmp = $app->db->queryOneRecord("SELECT userid, groups FROM sys_user WHERE client_id = ?", $client['parent_client_id']);
+			$tmp = $app->db->queryOneRecord("SELECT userid, `groups` FROM sys_user WHERE client_id = ?", $client['parent_client_id']);
 			$reseller_groups = $tmp["groups"];
 			$reseller_userid = $tmp["userid"];
 
@@ -247,7 +247,7 @@ class tform extends tform_base {
 		return $diffrec;
 
 	}
-	
+
 	/**
 	 * Generate HTML for DATE fields.
 	 *
@@ -260,10 +260,10 @@ class tform extends tform_base {
 	{
 		$_date = ($default_value && $default_value != '0000-00-00' ? strtotime($default_value) : false);
 		$_showdate = ($_date === false) ? false : true;
-		
+
 		$tmp_dt = strtr($this->dateformat,array('d' => 'dd', 'm' => 'mm', 'Y' => 'yyyy', 'y' => 'yy'));
-		
-		return '<input type="text" class="form-control" name="' . $form_element . '" value="' . ($_showdate ? date($this->dateformat, $_date) : '') . '"  data-input-element="date" data-date-format="' . $tmp_dt . '" />'; 
+
+		return '<input type="text" class="form-control" name="' . $form_element . '" value="' . ($_showdate ? date($this->dateformat, $_date) : '') . '"  data-input-element="date" data-date-format="' . $tmp_dt . '" />';
 	}
 
 
@@ -285,12 +285,12 @@ class tform extends tform_base {
 		if ($display_seconds === true) {
 			$dselect[] = 'second';
 		}
-		
+
 		$tmp_dt = strtr($this->datetimeformat,array('d' => 'dd', 'm' => 'mm', 'Y' => 'yyyy', 'y' => 'yy', 'H' => 'hh', 'h' => 'HH', 'i' => 'ii')) . ($display_seconds ? ':ss' : '');
 
 		$out = '';
-		
-		return '<input type="text" class="form-control" name="' . $form_element . '" value="' . ($_showdate ? date($this->datetimeformat . ($display_seconds ? ':s' : ''), $_datetime) : '') . '"  data-input-element="datetime" data-date-format="' . $tmp_dt . '" />'; 
+
+		return '<input type="text" class="form-control" name="' . $form_element . '" value="' . ($_showdate ? date($this->datetimeformat . ($display_seconds ? ':s' : ''), $_datetime) : '') . '"  data-input-element="datetime" data-date-format="' . $tmp_dt . '" />';
 /*
 		foreach ($dselect as $dt_element)
 		{
@@ -352,7 +352,7 @@ class tform extends tform_base {
 				$selected_value = (int)floor(date('s', $_datetime));
 				break;
 			}
-	
+
 			$out .= "<select name=\"".$form_element."[$dt_element]\" id=\"".$form_element."_$dt_element\" class=\"selectInput\" style=\"width: auto; float: none;\">";
 			if (!$_showdate) {
 				$out .= "<option value=\"-\" selected=\"selected\">--</option>" . PHP_EOL;