exec($sqlStmtPwd);
if ($db->connect_errno) : die (); endif;
if ($db->affected_rows > 0) :
$usrName = getFieldValueFromId("user","usr_id",$usrId,"usr_name");
$usrFirstname = getFieldValueFromId("user","usr_id",$usrId,"usr_firstname");
$usrHqId = getFieldValueFromId("user","usr_id",$usrId,"hq_id");
$mailFrom = getParameterValue("0", "MAIL_SENDER_ADDRESS", $usrHqId);
$mailTo = $usrEmail;
$mailBcc = "support@assecutor.de";
$mailSubject = getParameterValue("0", "MAIL_SUBJECT_PREFIX", "0", "0") . "Passwort vergessen";
$mailMode = "html";
if ($mailMode == "html") :
$mailText = "Hallo " . $usrFirstname . " " . $usrName . "soeben wurde f�r Ihr Konto \"" . $f_chk_account
. "\" auf https://" . $_SERVER['SERVER_NAME']
. " das folgende Einmalpasswort erzeugt:"
. "" . $newPwd . ""
. "Sollte diese Nachfrage nicht von Ihnen stammen, handelt es sich m�glicherweise um eine nicht autorisierte Anfrage."
. "Diese Nachricht wurde automatisch erzeugt und dient nur als Hinweis, bitte antworten Sie nicht darauf.";
else :
$mailText = "Hallo" . $usrFirstname . " " . $usrName . ",\n\nsoeben wurde f�r Ihr Konto \"" . $f_chk_account
. "\" auf https://" . $_SERVER['SERVER_NAME']
. " das folgende Einmalpasswort erzeugt:\n\n"
. $newPwd
. "\n\nSollte diese Nachfrage nicht von Ihnen stammen, handelt es sich m�glicherweise um eine nicht autorisierte Anfrage."
. "\n\nDiese Nachricht wurde automatisch erzeugt und dient nur als Hinweis, bitte antworten Sie nicht darauf.";
endif;
$mailLogContent = $currentClientIP . " | " . $mailMode . " | " . $mailSubject . " | " . $usrFirstname . " " . $usrName . " | " . $f_chk_account . " | " . $newPwd;
sendExternalMail($mailText, $mailSubject, $mailTo, $mailFrom, $mailCc, $mailBcc, $mailMode, $mailLogContent);
else :
$statusMessage = getLngt("Der Vorgang hat leider nicht geklappt! Bitte versuchen Sie es noch einmal oder wenden sich ggfs. an die zust�ndige Niederlassung!");
endif;
else :
$statusMessage = getLngt("Es wurde leider keine E-Mail-Adresse gefunden! Bitte wenden Sie sich ggfs. an die zust�ndige Niederlassung!");
endif;
else :
$statusMessage = getLngt("Der angegebene Benutzername wurde leider nicht gefunden! Bitte wenden Sie sich ggfs. an die zust�ndige Niederlassung!");
endif;
endif;
endif;
$pageTitel = getLngt("ANMELDUNG");
$usr_id = -1;
include_once ("../admin/menu.php");
include_once ("../include/html.inc.php");
getCurrentScript(__FILE__);
$constMaxLoginTrials = getParameterValue("0", "MAXIMUM_LOGIN_TRIALS", "0", "0");
$loginTrials = checkClientLoginTrials();
if ($loginTrials == 20) :
$conf = prepareSendMailPear("smtp.1und1.com","admin@assecutor.de","a7=!wURsT","admin@assecutor.de","ALERT: CHECK FOR BOT-ATTACK !!!","Assecutor","admin@assecutor.de","ALERT: CHECK FOR BOT-ATTACK !!!) (IP=".$currentClientIP.", account=".$f_chk_account.")");
$mail_object =& Mail::factory("smtp", $conf[0]);
$mail_object->send($conf[1], $conf[2], $conf[3]);
endif;
if ($loginTrials == $constMaxLoginTrials) :
$conf = prepareSendMailPear("smtp.1und1.com","admin@assecutor.de","a7=!wURsT","admin@assecutor.de","ALERT: SYSTEM ACCESS DENIED - BOT-ATTACK !!! (IP=".$currentClientIP.", account=".$f_chk_account.")",
"Assecutor","admin@assecutor.de","ALERT: SYSTEM ACCESS DENIED - BOT-ATTACK !!!) ");
$mail_object =& Mail::factory("smtp", $conf[0]);
$mail_object->send($conf[1], $conf[2], $conf[3]);
endif;
if ($loginTrials > $constMaxLoginTrials) :
// Referer
header("Location: ../admin/accessdenied.php");
endif;
if (substr(phpversion(), 0, 1) >= "5") :
if (isset($_SESSION['state']) && !isset($_SESSION['sso_error']) && isset($_SESSION['sso']) && !isset($_SESSION['usr_id']) && !isset($_SESSION['hq_id'])):
$statusMessage = checkSSOLogin();
// Wenn login ok, dann gelangt das Script nicht an diese Stelle (exit in checkLogin())!
// list($f_chk_account) = getHttpVars(array('f_chk_account'));
elseif (isset($_SESSION['state']) && isset($_SESSION['sso_error'])) :
$statusMessage = getLngt($_SESSION['sso_error']);
unset($_SESSION['sso_error']);
elseif (!isset($_SESSION['usr_id']) && !isset($_SESSION['hq_id'])):
$statusMessage = checkLogin();
// Wenn login ok, dann gelangt das Script nicht an diese Stelle (exit in checkLogin())!
list($f_chk_account) = getHttpVars(array('f_chk_account'));
else:
if(isset($_SESSION['sso'])) {
header("Location: ../admin/start.php");
exit();
} else {
// $randomCryptionNumber = $HTTP_SESSION_VARS["randomCryptionNumber"];
$randomCryptionNumber = $_SESSION["randomCryptionNumber"];
// header("Location: ../admin/menu_fs.php?p=" . ec("1"));
$usrTotpSecretCurrent = getFieldValueFromId("user", "usr_id", $_SESSION['usr_id'], "usr_totp_secret");
$usrTotpActivated = getFieldValueFromId("user", "usr_id", $_SESSION['usr_id'], "usr_totp_activated");
if ($usrTotpSecretCurrent == "" || $usrTotpActivated != "1") :
// 2-FA has to be activated
header("Location: ../admin/start.php");
else :
// 2-FA is activated and codes have to be checked
header("Location: ../admin/GA_verification.php");
endif;
}
endif;
else :
if (!isset($HTTP_SESSION_VARS['usr_id']) && !isset($HTTP_SESSION_VARS['hq_id'])):
$statusMessage = checkLogin();
// Wenn login ok, dann gelangt das Script nicht an diese Stelle (exit in checkLogin())!
list($f_chk_account) = getHttpVars(array('f_chk_account'));
else:
if(isset($_SESSION['sso'])) {
header("Location: ../admin/start.php");
exit();
} else {
// $randomCryptionNumber = $HTTP_SESSION_VARS["randomCryptionNumber"];
$randomCryptionNumber = $HTTP_SESSION_VARS["randomCryptionNumber"];
// header("Location: ../admin/menu_fs.php?p=" . ec("1"));
$usrTotpSecretCurrent = getFieldValueFromId("user", "usr_id", $_SESSION['usr_id'], "usr_totp_secret");
if (isset($_SESSION['sso']) || $usrTotpSecretCurrent == "") :
// 2-FA has to be activated
header("Location: ../admin/start.php");
else :
// 2-FA is activated and codes have to be checked
header("Location: ../admin/GA_verification.php");
endif;
}
endif;
endif;
//function checkSSOLogin() {
// global $PHP_SELF, $HTTP_SESSION_VARS, $_SESSION, $hq_id, $usr_id, $emp_id, $db, $dbname, $multipleAccounts, $accountsList;
//
// // Wurde bereits ein Account ausgewählt?
//// if (isset($_POST['sso_selected_account'])) {
//// $_SESSION['selected_account'] = $_POST['sso_selected_account'];
//// }
//
// if (isset($_POST['sso_selected_account'])) {
// $_SESSION['selected_account'] = $_POST['sso_selected_account'];
// // WICHTIG: Nach dem Setzen der Session-Variable MUSS die Seite neu geladen werden,
// // um den Login-Prozess mit dem nun bekannten Account fortzusetzen.
// // Das Formular POST war erfolgreich, jetzt redirecten.
// header("Location: $PHP_SELF");
// exit();
// }
//
// $usr_email = $_SESSION['sso'];
//
// if ($usr_email != ''):
// $sqlquery = "
// SELECT usr.usr_id, usr.hq_id, usr.usr_account
// FROM user AS usr
// JOIN headquarters AS hq ON usr.hq_id = hq.hq_id
// WHERE usr.usr_email = '$usr_email'
// ";
//
// $result = $db->dbQ($sqlquery);
// if (DB::isError($result)) die("$PHP_SELF: [$sqlquery] " . $result->getMessage());
//
// $accounts = [];
// while ($row = $result->fetch_assoc()) {
// $accounts[] = $row;
// }
// $result->free();
//
// if (count($accounts) > 1 && !isset($_SESSION['selected_account'])) {
// $multipleAccounts = true;
// $accountsList = $accounts;
//// showAccountSelectionModal($accounts);
//// exit();
// }
//
// if (isset($_SESSION['selected_account'])) {
// foreach ($accounts as $acc) {
// if ($acc['usr_account'] == $_SESSION['selected_account']) {
// $usr_id = $acc["usr_id"];
// $hq_id = $acc["hq_id"];
// $usr_account = $acc["usr_account"];
// }
// }
// unset($_SESSION['selected_account']);
// }
//
// elseif (count($accounts) === 1) {
// $usr_id = $accounts[0]["usr_id"];
// $hq_id = $accounts[0]["hq_id"];
// $usr_account = $accounts[0]["usr_account"];
// }
// else {
// unset($_SESSION['sso']);
// return "Benutzer $usr_email im System nicht gefunden.";
// }
//
// $emp_id = getOneStmt(
// "SELECT emp.emp_id FROM employee AS emp, user AS usr
// WHERE emp.usr_id = $usr_id
// AND usr.usr_account = '$usr_account'
// AND usr.hq_id = $hq_id
// AND usr.usr_email = '$usr_email'",
// "emp_id"
// );
//
// $_SESSION['usr_id'] = $usr_id;
// $_SESSION['hq_id'] = $hq_id;
// $_SESSION['emp_id'] = $emp_id;
// $_SESSION['dbname'] = $dbname;
// $_SESSION["chgpwd"] = "1";
//
// unset($_SESSION['sso']);
//
// header("Location: $PHP_SELF");
// exit();
// endif;
//}
function checkSSOLogin() {
global $PHP_SELF, $HTTP_SESSION_VARS, $_SESSION, $hq_id, $usr_id, $emp_id, $db, $dbname, $multipleAccounts, $accountsList;
// 1. POST VERARBEITUNG
// Wenn ein Account ausgewählt wurde, speichern wir ihn und machen einen Reload (Redirect),
// damit die Seite sauber mit der Auswahl neu lädt.
if (isset($_POST['sso_selected_account'])) {
$_SESSION['selected_account'] = $_POST['sso_selected_account'];
// WICHTIG: Hier neu laden, damit wir aus dem POST-Modus rauskommen
header("Location: $PHP_SELF");
exit();
}
$usr_email = $_SESSION['sso'];
if ($usr_email != ''):
$sqlquery = "
SELECT usr.usr_id, usr.hq_id, usr.usr_account
FROM user AS usr
JOIN headquarters AS hq ON usr.hq_id = hq.hq_id
WHERE usr.usr_email = '$usr_email'
";
$result = $db->dbQ($sqlquery);
if (DB::isError($result)) die("$PHP_SELF: [$sqlquery] " . $result->getMessage());
$accounts = [];
while ($row = $result->fetch_assoc()) {
$accounts[] = $row;
}
$result->free();
// 2. PRÜFUNG: MUSS MODAL ANGEZEIGT WERDEN?
if (count($accounts) > 1 && !isset($_SESSION['selected_account'])) {
$multipleAccounts = true;
$accountsList = $accounts;
// WICHTIG: Hier abbrechen!
// Wir dürfen nicht weiterlaufen, da wir noch keine User-ID haben.
// Das Skript läuft nun weiter im HTML und zeigt das Modal an.
return;
}
// 3. ACCOUNT ZUWEISUNG (wenn Auswahl getroffen oder nur 1 Account)
if (isset($_SESSION['selected_account'])) {
foreach ($accounts as $acc) {
if ($acc['usr_account'] == $_SESSION['selected_account']) {
$usr_id = $acc["usr_id"];
$hq_id = $acc["hq_id"];
$usr_account = $acc["usr_account"];
}
}
// Auswahl wieder löschen, damit man beim nächsten Mal nicht festhängt
unset($_SESSION['selected_account']);
} elseif (count($accounts) === 1) {
$usr_id = $accounts[0]["usr_id"];
$hq_id = $accounts[0]["hq_id"];
$usr_account = $accounts[0]["usr_account"];
} else {
// Fallback: Session löschen wenn kein Account passt
unset($_SESSION['sso']);
return "Benutzer $usr_email im System nicht gefunden.";
}
// Ab hier haben wir sicher eine $usr_id
$emp_id = getOneStmt(
"SELECT emp.emp_id FROM employee AS emp, user AS usr
WHERE emp.usr_id = $usr_id
AND usr.usr_account = '$usr_account'
AND usr.hq_id = $hq_id
AND usr.usr_email = '$usr_email'",
"emp_id"
);
$_SESSION['usr_id'] = $usr_id;
$_SESSION['hq_id'] = $hq_id;
$_SESSION['emp_id'] = $emp_id;
$_SESSION['dbname'] = $dbname;
$_SESSION["chgpwd"] = "1";
// unset($_SESSION['sso']);
header("Location: $PHP_SELF");
exit();
endif;
}
function showAccountSelectionModal($accounts) {
echo '
Account auswählen
Bitte Account auswählen
';
}
// Login-Formular
function checkLogin()
{
global $PHP_SELF, $HTTP_SESSION_VARS, $_SESSION, $hq_id, $usr_id, $emp_id, $db, $dbname, $currentClientIP;
list($f_submit, $f_chk_account, $f_chk_password, $statusMessage, $deviceIsKnown) =
getHttpVars(array('f_submit', 'f_chk_account', 'f_chk_password', 'statusMessage', 'deviceIsKnown'));
if ($f_submit == getLngt("Anmelden")):
$f_chk_account = str_replace("'", "\'", $f_chk_account);
$f_chk_password = str_replace("'", "\'", $f_chk_password);
$sessionVars = authenticate($f_chk_account, $f_chk_password, $statusMessage);
$usr_id = $sessionVars[0];
$hq_id = $sessionVars[1];
$emp_id = $sessionVars[2];
if ($usr_id != "" && is_numeric($usr_id) && $usr_id > "0") :
$randomCryptionNumber = ($usr_id + 1234);
else :
$randomCryptionNumber = rand(1,10000);
endif;
if ($usr_id != ''):
// Return-Wert ist ungleich '', name/pass ist g�ltig
if (phpversion() < '4.1.0'):
// bis auschl. PHP 4.1.0.
session_register("usr_id","hq_id","emp_id");
$HTTP_SESSION_VARS["usr_id"] = $usr_id;
$HTTP_SESSION_VARS["hq_id"] = $hq_id;
$HTTP_SESSION_VARS["emp_id"] = $emp_id;
$HTTP_SESSION_VARS["dbname"] = $dbname;
$HTTP_SESSION_VARS["randomCryptionNumber"] = $randomCryptionNumber;
$HTTP_SESSION_VARS["chgpwd"] = "1";
else:
// ab einschl. PHP 4.1.0.
$_SESSION['usr_id'] = $usr_id;
$_SESSION['hq_id'] = $hq_id;
$_SESSION['emp_id'] = $emp_id;
$_SESSION['dbname'] = $dbname;
$_SESSION['randomCryptionNumber'] = $randomCryptionNumber;
$_SESSION["chgpwd"] = "1";
endif;
if ($deviceIsKnown != "1" && getParameterValue("0", "LOGIN_CHECK_DEVICE", "0", "0") == "1"):
$usrFreeDevice = getOneStmt("SELECT gdc_content FROM genericdatacontainer WHERE gdc_obj_type = 'usr' AND gdc_obj_id = " . $usr_id . " AND gdc_gen_fieldname = 'usr_free_device'", "gdc_content");
$usr_account = getOneStmt("SELECT usr_account FROM user AS usr WHERE usr_id = " . $usr_id, "usr_account");
if ($usrFreeDevice != "1"):
insertStmt("genericdatacontainer", array("gdc_obj_type", "usr", "gdc_obj_id", $usr_id, "gdc_gen_fieldname", "usr_free_device", "gdc_content", "1", "gdc_context", date("Y-m-d H:i:s")));
myWriteLog(
"usr_free_device = '1' was set:\n" .
"\$usr_id = " . $usr_id . ", \$usr_account = [" . $usr_account . "], \$_SERVER['HTTP_USER_AGENT'] = [" . $_SERVER['HTTP_USER_AGENT'] . "], \$_SERVER['REMOTE_ADDR'] = [" . $currentClientIP . "]"
);
else:
$usr_email = getOneStmt("SELECT usr_email FROM user AS usr WHERE usr_id = " . $usr_id, "usr_email");
// $browser = get_browser(null, true);
if ($usr_email != ""):
include_once("../include/email/htmlMimeMail.php");
$usr_firstname = getOneStmt("SELECT usr_firstname FROM user AS usr WHERE usr_id = " . $usr_id, "usr_firstname");
$usr_name = getOneStmt("SELECT usr_name FROM user AS usr WHERE usr_id = " . $usr_id, "usr_name");
$mailObj = new htmlMimeMail();
$mailObj->setFrom(getParameterValue("0", "MAIL_SENDER_ADDRESS", $hq_id));
$mailObj->setBcc("ca@assecutor.de");
$parMailSubjectPrefix = trim(getParameterValue("0", "MAIL_SUBJECT_PREFIX", "0", "0"));
$mailObj->setSubject($parMailSubjectPrefix . " Anmeldung von einem unbekannten Ger�t");
$mailObj->setText("Hallo " . $usr_firstname . ' ' . $usr_name . ",\n\n". 'soeben hat sich jemand mit Ihrem Konto "' . $usr_account .
'" auf https://' . $_SERVER['SERVER_NAME'] .
" von einem bisher unbekannten Ger�t angemeldet:\n\n" .
$_SERVER['HTTP_USER_AGENT'] .
// $browser["browser"] . " " . $browser["platform"] .
"\n\nSollte diese Anmeldung nicht von Ihnen stammen, handelt es sich m�glicherweise um einen nicht autorisierten Login." .
"\n\nDiese Mail wurde automatisch erzeugt und dient nur als Hinweis, bitte antworten Sie nicht darauf."
);
$mailResult = $mailObj->send(array($usr_email), 'smtp');
// $mailResult = $mailObj->send(array("ca@assecutor.de"), 'smtp');
myWriteLog(
"Warningmail was sent from <" . getParameterValue("0", "MAIL_SENDER_ADDRESS", $hq_id) . "> to <" . $usr_email . ">:\n" .
"\$usr_id = " . $usr_id . ", \$usr_account = [" . $usr_account . "], \$_SERVER['HTTP_USER_AGENT'] = [" . $_SERVER['HTTP_USER_AGENT'] . "], \$_SERVER['REMOTE_ADDR'] = [" . $currentClientIP . "]"
);
else:
myWriteLog(
"Warningmail could not be sent because no mail-address available:\n" .
"\$usr_id = " . $usr_id . ", \$usr_account = [" . $usr_account . "], \$_SERVER['HTTP_USER_AGENT'] = [" . $_SERVER['HTTP_USER_AGENT'] . "], \$_SERVER['REMOTE_ADDR'] = [" . $currentClientIP . "]"
);
endif;
endif;
endif;
header("Location: $PHP_SELF");
exit();
endif;
elseif ($f_submit == 'Registrieren'):
header("Location: register.php");
endif;
return $statusMessage;
}
function myWriteLog($log_text) {
$log_file_name = "../log/login_" . date("Ym") . ".log";
$fileHandle = @fopen($log_file_name, 'a');
@fwrite($fileHandle, "[" . date("Y-m-d H:i:s") . "] " . $log_text . "\n");
@fclose($fileHandle);
}
// authenticate username/password against a database
// returns: 0 if username and password is incorrect
// emp_id if username and password are correct
function authenticate($f_chk_account, $f_chk_password, &$statusMessage)
{
global $db, $PHP_SELF, $currentClientIP;
$retArray = array("","","");
if ($f_chk_account == "" || $f_chk_password == "") :
$statusMessage = getLngt("Benutzername und/oder Passwort fehlt oder ist falsch.");
return "";
endif;
$sqlquery = "SELECT usr.usr_id, usr.hq_id, usr.usr_password FROM user AS usr, headquarters AS hq"
. " WHERE usr.usr_account = '$f_chk_account'"
. " AND (usr.usr_password_old = OLD_PASSWORD('" . $f_chk_password . "') OR usr.usr_password = PASSWORD('" . $f_chk_password . "'))"
. " AND usr.hq_id = hq.hq_id";
$result = $db->dbQ($sqlquery);
$usr_id = "";
$hq_id = "";
while ($row = $result->fetch_assoc()):
$usr_id = intval($row["usr_id"]);
$hq_id = intval($row["hq_id"]);
$usr_password = $row["usr_password"];
endwhile;
$result->free();
if ($db->connect_errno):
$statusMessage = '$PHP_SELF: authenticate: Fehler bei Abfrage von Datenbank.';
else:
// Get the IP of the current client calling the page
// $currentClientIP = trim($_SERVER['REMOTE_ADDR']); // Defined above, global import
if ($usr_id == '') :
$statusMessage = getLngt("Benutzername und/oder Passwort fehlt oder ist falsch.");
// Login-trial failed! Update table "ipsecurity"
updateClientLoginTrials();
// Write logdata into log database
writeToLogDB("52",$hq_id,"",$usr_id,"","","","ACCOUNT=" . $f_chk_account . "|MESS=Login failed|IP=" . $currentClientIP);
else :
if (substr($usr_password, 0, 1) != "*") {
$db->query("UPDATE user SET usr_password = PASSWORD('" . $f_chk_password . "') WHERE usr_id = " . $usr_id);
}
$retArray[0] = $usr_id;
$retArray[1] = $hq_id;
$retArray[2] = "";
$emp_id = getOneStmt(
"SELECT emp.emp_id FROM employee AS emp, user AS usr" .
" WHERE emp.usr_id = $usr_id AND usr.usr_account = '$f_chk_account' AND usr.hq_id = $hq_id"
. " AND usr.usr_password = PASSWORD('$f_chk_password')", "emp_id");
if ($db->connect_errno) :
$statusMessage = getLngt("$PHP_SELF: authenticate: Fehler bei Abfrage von Datenbank.");
else:
$retArray[2] = $emp_id;
endif;
// Write logdata into log database
writeToLogDB("52",$hq_id,"",$usr_id,"","",$emp_id,"ACCOUNT=" . $f_chk_account . "|MESS=Login ok|IP=" . $currentClientIP);
endif;
endif;
// Check status of authentication, if user is a customer
mcIsSet($emp_id);
if ($emp_id != "" && getFieldValueFromId("user","usr_id",$usr_id,"usr_type") == "2") :
$cmp_authenticated = getOneStmt(
"SELECT cmp.cmp_authenticated"
. " FROM company AS cmp, customer AS cs, costcenter AS csc, employee AS emp"
. " WHERE emp.emp_id = $emp_id AND"
. " emp.csc_id = csc.csc_id AND"
. " csc.cs_id = cs.cs_id AND"
. " cs.cmp_id = cmp.cmp_id", "cmp_authenticated");
if ($db->connect_errno) :
$statusMessage = getLngt("$PHP_SELF: authenticate: Fehler bei Abfrage von Datenbank.");
else:
if ($cmp_authenticated != "1") :
// Customer has no access
$retArray = array("","","");
$statusMessage = getLngt("Leider haben Sie keine Zugangsberechtigung.");
endif;
endif;
endif;
return $retArray;
}
$title = getLngt("Herzlich willkommen!");
?>
<?php echo $pageTitel; ?>
';
else :
?>
$clientId,
'response_type' => 'code',
'redirect_uri' => $redirectUri,
'response_mode' => 'query',
'scope' => $scope,
'state' => $_SESSION['state']
]);
echo '';
// echo "". getLngt("Mit Microsoft anmelden") . "";
echo htmlDivLineSpacer("50px");
}
?>
Klassisches Login
';
echo ' Mit Microsoft anmelden';
echo ' ';
echo '