From f68122272dcca8694ccac70578b0fc35d3d70e06 Mon Sep 17 00:00:00 2001
From: tbrehm <t.brehm@ispconfig.org>
Date: Mon, 23 Mar 2009 20:31:48 +0000
Subject: [PATCH] Changed default encryption method for ispconfig controlpanel
 users from md5 to crypt-md5.

---
 interface/web/admin/form/users.tform.php      |   1 +
 interface/web/client/form/client.tform.php    |   2 +-
 interface/web/login/index.php                 |  27 +-
 interface/web/login/lib/lang/en.lng           |  31 +-
 interface/web/login/lib/lang/es.lng           |  26 +-
 interface/web/login/lib/lang/fr.lng           |  26 +-
 interface/web/login/lib/lang/it.lng           |  26 +-
 interface/web/login/lib/lang/nl.lng           |  26 +-
 interface/web/login/lib/lang/se.lng           |  26 +-
 interface/web/login/password_reset.php        | 164 +++++-----
 .../web/tools/form/user_settings.tform.php    | 285 +++++++++---------
 11 files changed, 342 insertions(+), 298 deletions(-)

diff --git a/interface/web/admin/form/users.tform.php b/interface/web/admin/form/users.tform.php
index 2466b23d0..1edbb0cc4 100644
--- a/interface/web/admin/form/users.tform.php
+++ b/interface/web/admin/form/users.tform.php
@@ -158,6 +158,7 @@ $form['tabs']['users'] = array (
 		'passwort' => array (
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'PASSWORD',
+			'encryption'=> 'CRYPT',
 			'regex'		=> '',
 			'errmsg'	=> '',
 			'default'	=> '',
diff --git a/interface/web/client/form/client.tform.php b/interface/web/client/form/client.tform.php
index 7497fdaed..288e8939a 100644
--- a/interface/web/client/form/client.tform.php
+++ b/interface/web/client/form/client.tform.php
@@ -119,7 +119,7 @@ $form["tabs"]['address'] = array (
 		'password' => array (
 			'datatype'	=> 'VARCHAR',
 			'formtype'	=> 'PASSWORD',
-			'encryption'=> 'MD5',
+			'encryption'=> 'CRYPT',
 			'default'	=> '',
 			'value'		=> '',
 			'separator'	=> '',
diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index 36a3c3a1f..77fdf493e 100644
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -58,8 +58,8 @@ class login_index {
 		if(count($_POST) > 0) {
 			
 			//** Check variables
-			if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = 'Username contains unallowed characters or is longer then 64 characters.';
-			if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = 'The password length is > 64 characters.';
+			if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) $error = $app->lng('user_regex_error');
+			if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');
 			
 	        //** iporting variables
 	        $ip 	  = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));
@@ -105,10 +105,29 @@ class login_index {
 	        	} else {
 					if ($loginAs){
 			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";
+						$user = $app->db->queryOneRecord($sql);
 					} else {
-			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )";
+			        	$sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";
+						$user = $app->db->queryOneRecord($sql);
+						if($user && $user['active'] == 1) {
+							$saved_password = stripslashes($user['passwort']);
+							if(substr($saved_password,0,3) == '$1$') {
+								//* The password is crypt-md5 encrypted
+								$salt = '$1$'.substr($saved_password,3,8).'$';
+								if(crypt($passwort,$salt) != $saved_password) {
+									$user = false;
+								}
+							} else {
+								//* The password is md5 encrypted
+								if(md5($passwort) != $saved_password) {
+									$user = false;
+								}
+							}
+						} else {
+							$user = false;
+						}
 					}
-		            $user = $app->db->queryOneRecord($sql);
+		            
 		            if($user) {
 		                if($user['active'] == 1) {
 		                	// User login right, so attempts can be deleted
diff --git a/interface/web/login/lib/lang/en.lng b/interface/web/login/lib/lang/en.lng
index 0bfe02a26..9f93331b8 100644
--- a/interface/web/login/lib/lang/en.lng
+++ b/interface/web/login/lib/lang/en.lng
@@ -1,15 +1,18 @@
-<?php
-
-$wb[1001]	= "Username or Password empty.";
-$wb[1002]	= "Username or Password wrong.";
-$wb[1003]	= "User is blocked.";
-$wb[1004]	= "To many wrong login's, Please retry it after 15 minutes";
-$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
-$wb['pw_reset'] = 'The password has been reset and send to your email address.';
-$wb['pw_error'] = 'Username or email address does not match.';
-$wb['pw_error_noinput'] = 'Please enter email address and username.';
-
-$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
-$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
-
+<?php
+
+$wb[1001]	= "Username or Password empty.";
+$wb[1002]	= "Username or Password wrong.";
+$wb[1003]	= "User is blocked.";
+$wb[1004]	= "To many wrong login's, Please retry it after 15 minutes";
+$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
+$wb['pw_reset'] = 'The password has been reset and send to your email address.';
+$wb['pw_error'] = 'Username or email address does not match.';
+$wb['pw_error_noinput'] = 'Please enter email address and username.';
+
+$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
+$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
+
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+
 ?>
\ No newline at end of file
diff --git a/interface/web/login/lib/lang/es.lng b/interface/web/login/lib/lang/es.lng
index 19c223331..f51ac8a19 100644
--- a/interface/web/login/lib/lang/es.lng
+++ b/interface/web/login/lib/lang/es.lng
@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Usuario o contraseña vacíos.';
-$wb['1002'] = 'Usuario o contraseña incorrectos.';
-$wb['1003'] = 'El usuario está bloqueado';
-$wb['1004'] = 'Demasiados intentos erroneos, por favor, inténtelo dentro de 15 minutos.';
-$wb['pass_reset_txt'] = 'Se generará una nueva contraseña que se le enviará a la cuenta de correo que tiene configurada.';
-$wb['pw_reset'] = 'La contraseña ha sido reseteada y enviada a su cuenta de correo.';
-$wb['pw_error'] = 'El usuario o la cuenta de correo no coinciden.';
-$wb['pw_error_noinput'] = 'Por favor, introduzca la dirección de correo y el nombre de usuario.';
-$wb['pw_reset_mail_msg'] = 'La contraseña de su cuenta de panel de control ISPConfig 3 ha sido reseteada. La nueva contraseña es: ';
-$wb['pw_reset_mail_title'] = 'La contraseña del panel de control ISPConfig 3 ha sido reseteada.';
-?>
+<?php
+$wb['1001'] = 'Usuario o contraseña vacíos.';
+$wb['1002'] = 'Usuario o contraseña incorrectos.';
+$wb['1003'] = 'El usuario está bloqueado';
+$wb['1004'] = 'Demasiados intentos erroneos, por favor, inténtelo dentro de 15 minutos.';
+$wb['pass_reset_txt'] = 'Se generará una nueva contraseña que se le enviará a la cuenta de correo que tiene configurada.';
+$wb['pw_reset'] = 'La contraseña ha sido reseteada y enviada a su cuenta de correo.';
+$wb['pw_error'] = 'El usuario o la cuenta de correo no coinciden.';
+$wb['pw_error_noinput'] = 'Por favor, introduzca la dirección de correo y el nombre de usuario.';
+$wb['pw_reset_mail_msg'] = 'La contraseña de su cuenta de panel de control ISPConfig 3 ha sido reseteada. La nueva contraseña es: ';
+$wb['pw_reset_mail_title'] = 'La contraseña del panel de control ISPConfig 3 ha sido reseteada.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>
diff --git a/interface/web/login/lib/lang/fr.lng b/interface/web/login/lib/lang/fr.lng
index e142b6e94..d0d6b8172 100644
--- a/interface/web/login/lib/lang/fr.lng
+++ b/interface/web/login/lib/lang/fr.lng
@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Nom dutilisateur ou mot de passe vide.';
-$wb['1002'] = 'Nom dutilisateur ou mot de passe faux.';
-$wb['1003'] = 'Utilisateur bloqué.';
-$wb['1004'] = 'To many wrong logins, Please retry it after 15 minutes';
-$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
-$wb['pw_reset'] = 'The password has been reset and send to your email address.';
-$wb['pw_error'] = 'Username or email address does not match.';
-$wb['pw_error_noinput'] = 'Please enter email address and username.';
-$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
-$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
-?>
+<?php
+$wb['1001'] = 'Nom dutilisateur ou mot de passe vide.';
+$wb['1002'] = 'Nom dutilisateur ou mot de passe faux.';
+$wb['1003'] = 'Utilisateur bloqué.';
+$wb['1004'] = 'To many wrong logins, Please retry it after 15 minutes';
+$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
+$wb['pw_reset'] = 'The password has been reset and send to your email address.';
+$wb['pw_error'] = 'Username or email address does not match.';
+$wb['pw_error_noinput'] = 'Please enter email address and username.';
+$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
+$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>
diff --git a/interface/web/login/lib/lang/it.lng b/interface/web/login/lib/lang/it.lng
index 55d980ec5..35941734f 100644
--- a/interface/web/login/lib/lang/it.lng
+++ b/interface/web/login/lib/lang/it.lng
@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Nome utente o Password vuoti.';
-$wb['1002'] = 'Nome utente o Password errati.';
-$wb['1003'] = 'Utente bloccato.';
-$wb['1004'] = 'Troppi tentativi di login errati, Riprova tra 15 minuti';
-$wb['pass_reset_txt'] = 'Una nuova password sarà generata e spedita alla tua email se l`email inserita corrisponde a quella delle impostazioni dell`utente.';
-$wb['pw_reset'] = 'La password è stata reimpostata e spedita al tuo indirizzo mail.';
-$wb['pw_error'] = 'Nome utente o email non corrispondenti.';
-$wb['pw_error_noinput'] = 'Inserisci nome utente e indirizzo email.';
-$wb['pw_reset_mail_msg'] = 'La password nel tuo pannello di controllo ISPConfig 3 è stata reimpostata. La nuova password è: ';
-$wb['pw_reset_mail_title'] = 'Password del pannello di controllo ISPConfig 3 reimpostata.';
-?>
+<?php
+$wb['1001'] = 'Nome utente o Password vuoti.';
+$wb['1002'] = 'Nome utente o Password errati.';
+$wb['1003'] = 'Utente bloccato.';
+$wb['1004'] = 'Troppi tentativi di login errati, Riprova tra 15 minuti';
+$wb['pass_reset_txt'] = 'Una nuova password sarà generata e spedita alla tua email se l`email inserita corrisponde a quella delle impostazioni dell`utente.';
+$wb['pw_reset'] = 'La password è stata reimpostata e spedita al tuo indirizzo mail.';
+$wb['pw_error'] = 'Nome utente o email non corrispondenti.';
+$wb['pw_error_noinput'] = 'Inserisci nome utente e indirizzo email.';
+$wb['pw_reset_mail_msg'] = 'La password nel tuo pannello di controllo ISPConfig 3 è stata reimpostata. La nuova password è: ';
+$wb['pw_reset_mail_title'] = 'Password del pannello di controllo ISPConfig 3 reimpostata.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>
diff --git a/interface/web/login/lib/lang/nl.lng b/interface/web/login/lib/lang/nl.lng
index 28dfc7318..ef775cdd8 100644
--- a/interface/web/login/lib/lang/nl.lng
+++ b/interface/web/login/lib/lang/nl.lng
@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Gebruikersnaam of wachtwoord is leeg.';
-$wb['1002'] = 'Gebruikersnaam of wachtwoord ongeldig.';
-$wb['1003'] = 'Gebruiker is geblokkeerd.';
-$wb['1004'] = 'Teveel ongeldige login pogingen, Probeer het na 15 minuten opnieuw.';
-$wb['pass_reset_txt'] = 'Een nieuw wachtwoord zal worden gegenereerd en na het hierboven ingevulde Emailadres worden gestuurd, op voorwaarde dat het Emailadres overeenkomt met het Emailadres in uw klanten-settings';
-$wb['pw_reset'] = 'Het wachtwoord is gereset en is verzonden aan uw Emailadres.';
-$wb['pw_error'] = 'Gebruikersnaam of Emailadres komen niet overeen.';
-$wb['pw_error_noinput'] = 'Voer a.u.b. uw Emailadres en gebruikersnaam in.';
-$wb['pw_reset_mail_msg'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset. Het nieuwe wachtwoord is: ';
-$wb['pw_reset_mail_title'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset.';
-?>
+<?php
+$wb['1001'] = 'Gebruikersnaam of wachtwoord is leeg.';
+$wb['1002'] = 'Gebruikersnaam of wachtwoord ongeldig.';
+$wb['1003'] = 'Gebruiker is geblokkeerd.';
+$wb['1004'] = 'Teveel ongeldige login pogingen, Probeer het na 15 minuten opnieuw.';
+$wb['pass_reset_txt'] = 'Een nieuw wachtwoord zal worden gegenereerd en na het hierboven ingevulde Emailadres worden gestuurd, op voorwaarde dat het Emailadres overeenkomt met het Emailadres in uw klanten-settings';
+$wb['pw_reset'] = 'Het wachtwoord is gereset en is verzonden aan uw Emailadres.';
+$wb['pw_error'] = 'Gebruikersnaam of Emailadres komen niet overeen.';
+$wb['pw_error_noinput'] = 'Voer a.u.b. uw Emailadres en gebruikersnaam in.';
+$wb['pw_reset_mail_msg'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset. Het nieuwe wachtwoord is: ';
+$wb['pw_reset_mail_title'] = 'Het wachtwoord dat toegang biedt tot ISPConfig 3 is gereset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>
diff --git a/interface/web/login/lib/lang/se.lng b/interface/web/login/lib/lang/se.lng
index 706aa5c3e..e6172cfbd 100644
--- a/interface/web/login/lib/lang/se.lng
+++ b/interface/web/login/lib/lang/se.lng
@@ -1,12 +1,14 @@
-<?php
-$wb['1001'] = 'Användarnamn eller Lösenord är tomt.';
-$wb['1002'] = 'Felaktigt Användarnamn eller Lösenord.';
-$wb['1003'] = 'Användaren är spärrad.';
-$wb['1004'] = 'To many wrong logins, Please retry it after 15 minutes';
-$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
-$wb['pw_reset'] = 'The password has been reset and send to your email address.';
-$wb['pw_error'] = 'Username or email address does not match.';
-$wb['pw_error_noinput'] = 'Please enter email address and username.';
-$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
-$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
-?>
+<?php
+$wb['1001'] = 'Användarnamn eller Lösenord är tomt.';
+$wb['1002'] = 'Felaktigt Användarnamn eller Lösenord.';
+$wb['1003'] = 'Användaren är spärrad.';
+$wb['1004'] = 'To many wrong logins, Please retry it after 15 minutes';
+$wb['pass_reset_txt'] = 'A new password will be generated and send to your email address if the email address entered below matches the email address in your client settings.';
+$wb['pw_reset'] = 'The password has been reset and send to your email address.';
+$wb['pw_error'] = 'Username or email address does not match.';
+$wb['pw_error_noinput'] = 'Please enter email address and username.';
+$wb['pw_reset_mail_msg'] = 'The password to your ISPConfig 3 control panel account has been reset. The new password is: ';
+$wb['pw_reset_mail_title'] = 'ISPConfig 3 Control panel password has been reset.';
+$wb['user_regex_error'] = 'Username contains unallowed characters or is longer then 64 characters.';
+$wb['pw_error_length'] = 'The password length is > 64 characters.';
+?>
diff --git a/interface/web/login/password_reset.php b/interface/web/login/password_reset.php
index 23516f355..4b39def30 100644
--- a/interface/web/login/password_reset.php
+++ b/interface/web/login/password_reset.php
@@ -1,78 +1,88 @@
-<?php
-
-/*
-Copyright (c) 2008, Till Brehm, projektfarm Gmbh
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-    * Redistributions in binary form must reproduce the above copyright notice,
-      this list of conditions and the following disclaimer in the documentation
-      and/or other materials provided with the distribution.
-    * Neither the name of ISPConfig nor the names of its contributors
-      may be used to endorse or promote products derived from this software without
-      specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
-OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
-EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-require_once('../../lib/config.inc.php');
-require_once('../../lib/app.inc.php');
-
-// Loading the template
-$app->uses('tpl');
-$app->tpl->newTemplate("form.tpl.htm");
-$app->tpl->setInclude('content_tpl','templates/password_reset.htm');
-
-$app->tpl_defaults();
-
-include(ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng');
-$app->tpl->setVar($wb);
-
-if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
-	
-	$username = $app->db->quote($_POST['username']);
-	$email = $app->db->quote($_POST['email']);
-	
-	$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' && email = '$email'");
-	
-	if($client['client_id'] > 0) {
-		$new_password = md5 (uniqid (rand()));
-		$new_password = $app->db->quote($new_password);
-		$username = $app->db->quote($client['username']);
-		$app->db->query("UPDATE sys_user SET passwort = md5('$new_password') WHERE username = '$username'");
-		$app->db->query("UPDATE client SET ´password´ = md5('$new_password') WHERE username = '$username'");
-		$app->tpl->setVar("message",$wb['pw_reset']);
-		
-		mail($client['email'],$wb['pw_reset_mail_title'],$wb['pw_reset_mail_msg'].$new_password);
-		
-	} else {
-		$app->tpl->setVar("message",$wb['pw_error']);
-	}
-	
-} else {
-	$app->tpl->setVar("message",$wb['pw_error_noinput']);
-}
-
-
-
-$app->tpl_defaults();
-$app->tpl->pparse();
-
-
-
-
-
+<?php
+
+/*
+Copyright (c) 2008, Till Brehm, projektfarm Gmbh
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once('../../lib/config.inc.php');
+require_once('../../lib/app.inc.php');
+
+// Loading the template
+$app->uses('tpl');
+$app->tpl->newTemplate("form.tpl.htm");
+$app->tpl->setInclude('content_tpl','templates/password_reset.htm');
+
+$app->tpl_defaults();
+
+include(ISPC_ROOT_PATH.'/web/login/lib/lang/'.$_SESSION['s']['language'].'.lng');
+$app->tpl->setVar($wb);
+
+if(isset($_POST['username']) && $_POST['username'] != '' && $_POST['email'] != '' && $_POST['username'] != 'admin') {
+	
+	if(!preg_match("/^[\w\.\-\_]{1,64}$/", $_POST['username'])) die($app->lng('user_regex_error'));
+	if(!preg_match("/^\w+[\w.-]*\w+@\w+[\w.-]*\w+\.[a-z]{2,10}$/i", $_POST['email'])) die($app->lng('email_error'));
+	
+	$username = $app->db->quote($_POST['username']);
+	$email = $app->db->quote($_POST['email']);
+	
+	$client = $app->db->queryOneRecord("SELECT * FROM client WHERE username = '$username' AND email = '$email'");
+	
+	if($client['client_id'] > 0) {
+		$new_password = md5 (uniqid (rand()));
+		$salt="$1$";
+		for ($n=0;$n<11;$n++) {
+			$salt.=chr(mt_rand(64,126));
+		}
+		$salt.="$";
+		$new_password_encrypted = crypt($new_password,$salt);
+		$new_password_encrypted = $app->db->quote($new_password_encrypted);
+		
+		$username = $app->db->quote($client['username']);
+		$app->db->query("UPDATE sys_user SET passwort = '$new_password_encrypted' WHERE username = '$username'");
+		$app->db->query("UPDATE client SET ´password´ = '$new_password_encrypted' WHERE username = '$username'");
+		$app->tpl->setVar("message",$wb['pw_reset']);
+		
+		mail($client['email'],$wb['pw_reset_mail_title'],$wb['pw_reset_mail_msg'].$new_password);
+		
+	} else {
+		$app->tpl->setVar("message",$wb['pw_error']);
+	}
+	
+} else {
+	$app->tpl->setVar("message",$wb['pw_error_noinput']);
+}
+
+
+
+$app->tpl_defaults();
+$app->tpl->pparse();
+
+
+
+
+
 ?>
\ No newline at end of file
diff --git a/interface/web/tools/form/user_settings.tform.php b/interface/web/tools/form/user_settings.tform.php
index 05b3e8c0f..516031a18 100644
--- a/interface/web/tools/form/user_settings.tform.php
+++ b/interface/web/tools/form/user_settings.tform.php
@@ -1,143 +1,144 @@
-<?php
-
-/*
-Copyright (c) 2005, Till Brehm, projektfarm Gmbh
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-      this list of conditions and the following disclaimer.
-    * Redistributions in binary form must reproduce the above copyright notice,
-      this list of conditions and the following disclaimer in the documentation
-      and/or other materials provided with the distribution.
-    * Neither the name of ISPConfig nor the names of its contributors
-      may be used to endorse or promote products derived from this software without
-      specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
-INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
-OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
-NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
-EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-*/
-
-/*
-	Form Definition
-
-	Tabellendefinition
-
-	Datentypen:
-	- INTEGER (Wandelt Ausdr�cke in Int um)
-	- DOUBLE
-	- CURRENCY (Formatiert Zahlen nach W�hrungsnotation)
-	- VARCHAR (kein weiterer Format Check)
-	- TEXT (kein weiterer Format Check)
-	- DATE (Datumsformat, Timestamp Umwandlung)
-
-	Formtype:
-	- TEXT (normales Textfeld)
-	- TEXTAREA (normales Textfeld)
-	- PASSWORD (Feldinhalt wird nicht angezeigt)
-	- SELECT (Gibt Werte als option Feld aus)
-	- RADIO
-	- CHECKBOX
-	- CHECKBOXARRAY
-	- FILE
-
-	VALUE:
-	- Wert oder Array
-
-	Hinweis:
-	Das ID-Feld ist nicht bei den Table Values einzuf�gen.
-
-
-*/
-
-$form['title'] 			= 'User Settings';
-$form['description'] 	= 'Form to edit the user password and language.';
-$form['name'] 			= 'usersettings';
-$form['action']			= 'user_settings.php';
-$form['db_table']		= 'sys_user';
-$form['db_table_idx']	= 'userid';
-$form["db_history"]		= "no";
-$form['tab_default']	= 'users';
-$form['list_default']	= 'index.php';
-$form['auth']			= 'no';
-
-//* 0 = id of the user, > 0 id must match with id of current user
-$form['auth_preset']['userid']  = 0; 
-//* 0 = default groupid of the user, > 0 id must match with groupid of current user
-$form['auth_preset']['groupid'] = 0; 
-
-//** Permissions are: r = read, i = insert, u = update, d = delete
-$form['auth_preset']['perm_user']  = 'riud';
-$form['auth_preset']['perm_group'] = 'riud';
-$form['auth_preset']['perm_other'] = '';
-
-//* Languages
-$language_list = array();
-$handle = @opendir(ISPC_ROOT_PATH.'/lib/lang'); 
-while ($file = @readdir ($handle)) { 
-    if ($file != '.' && $file != '..') {
-        if(@is_file(ISPC_ROOT_PATH.'/lib/lang/'.$file) and substr($file,-4,4) == '.lng') {
-			$tmp = substr($file, 0, 2);
-			$language_list[$tmp] = $tmp;
-        }
-	}
-} 
-
-$form['tabs']['users'] = array (
-	'title' 	=> 'Settings',
-	'width' 	=> 80,
-	'template' 	=> 'templates/user_settings.htm',
-	'fields' 	=> array (
-	##################################
-	# Beginn Datenbankfelder
-	##################################
-		'passwort' => array (
-			'datatype'	=> 'VARCHAR',
-			'formtype'	=> 'PASSWORD',
-			'regex'		=> '',
-			'errmsg'	=> '',
-			'default'	=> '',
-			'value'		=> '',
-			'separator'	=> '',
-			'width'		=> '15',
-			'maxlength'	=> '100',
-			'rows'		=> '',
-			'cols'		=> ''
-		),
-		'language' => array (
-			'datatype'	=> 'VARCHAR',
-			'formtype'	=> 'SELECT',
-			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
-														'errmsg'=> 'language_is_empty'),
-										1 => array (	'type'	=> 'REGEX',
-														'regex' => '/^[a-z]{2}$/i',
-														'errmsg'=> 'language_regex_mismatch'),
-									),
-			'regex'		=> '',
-			'errmsg'	=> '',
-			'default'	=> '',
-			'value'		=> $language_list,
-			'separator'	=> '',
-			'width'		=> '30',
-			'maxlength'	=> '2',
-			'rows'		=> '',
-			'cols'		=> ''
-		)
-	##################################
-	# ENDE Datenbankfelder
-	##################################
-	)
-);
-
-
+<?php
+
+/*
+Copyright (c) 2005, Till Brehm, projektfarm Gmbh
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of ISPConfig nor the names of its contributors
+      may be used to endorse or promote products derived from this software without
+      specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 'AS IS' AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
+EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/*
+	Form Definition
+
+	Tabellendefinition
+
+	Datentypen:
+	- INTEGER (Wandelt Ausdr�cke in Int um)
+	- DOUBLE
+	- CURRENCY (Formatiert Zahlen nach W�hrungsnotation)
+	- VARCHAR (kein weiterer Format Check)
+	- TEXT (kein weiterer Format Check)
+	- DATE (Datumsformat, Timestamp Umwandlung)
+
+	Formtype:
+	- TEXT (normales Textfeld)
+	- TEXTAREA (normales Textfeld)
+	- PASSWORD (Feldinhalt wird nicht angezeigt)
+	- SELECT (Gibt Werte als option Feld aus)
+	- RADIO
+	- CHECKBOX
+	- CHECKBOXARRAY
+	- FILE
+
+	VALUE:
+	- Wert oder Array
+
+	Hinweis:
+	Das ID-Feld ist nicht bei den Table Values einzuf�gen.
+
+
+*/
+
+$form['title'] 			= 'User Settings';
+$form['description'] 	= 'Form to edit the user password and language.';
+$form['name'] 			= 'usersettings';
+$form['action']			= 'user_settings.php';
+$form['db_table']		= 'sys_user';
+$form['db_table_idx']	= 'userid';
+$form["db_history"]		= "no";
+$form['tab_default']	= 'users';
+$form['list_default']	= 'index.php';
+$form['auth']			= 'no';
+
+//* 0 = id of the user, > 0 id must match with id of current user
+$form['auth_preset']['userid']  = 0; 
+//* 0 = default groupid of the user, > 0 id must match with groupid of current user
+$form['auth_preset']['groupid'] = 0; 
+
+//** Permissions are: r = read, i = insert, u = update, d = delete
+$form['auth_preset']['perm_user']  = 'riud';
+$form['auth_preset']['perm_group'] = 'riud';
+$form['auth_preset']['perm_other'] = '';
+
+//* Languages
+$language_list = array();
+$handle = @opendir(ISPC_ROOT_PATH.'/lib/lang'); 
+while ($file = @readdir ($handle)) { 
+    if ($file != '.' && $file != '..') {
+        if(@is_file(ISPC_ROOT_PATH.'/lib/lang/'.$file) and substr($file,-4,4) == '.lng') {
+			$tmp = substr($file, 0, 2);
+			$language_list[$tmp] = $tmp;
+        }
+	}
+} 
+
+$form['tabs']['users'] = array (
+	'title' 	=> 'Settings',
+	'width' 	=> 80,
+	'template' 	=> 'templates/user_settings.htm',
+	'fields' 	=> array (
+	##################################
+	# Beginn Datenbankfelder
+	##################################
+		'passwort' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'PASSWORD',
+			'encryption'=> 'CRYPT',
+			'regex'		=> '',
+			'errmsg'	=> '',
+			'default'	=> '',
+			'value'		=> '',
+			'separator'	=> '',
+			'width'		=> '15',
+			'maxlength'	=> '100',
+			'rows'		=> '',
+			'cols'		=> ''
+		),
+		'language' => array (
+			'datatype'	=> 'VARCHAR',
+			'formtype'	=> 'SELECT',
+			'validators'	=> array ( 	0 => array (	'type'	=> 'NOTEMPTY',
+														'errmsg'=> 'language_is_empty'),
+										1 => array (	'type'	=> 'REGEX',
+														'regex' => '/^[a-z]{2}$/i',
+														'errmsg'=> 'language_regex_mismatch'),
+									),
+			'regex'		=> '',
+			'errmsg'	=> '',
+			'default'	=> '',
+			'value'		=> $language_list,
+			'separator'	=> '',
+			'width'		=> '30',
+			'maxlength'	=> '2',
+			'rows'		=> '',
+			'cols'		=> ''
+		)
+	##################################
+	# ENDE Datenbankfelder
+	##################################
+	)
+);
+
+
 ?>
\ No newline at end of file
-- 
GitLab