diff --git a/forgot.cgi b/forgot.cgi
index 21cfdd498..98aefbacf 100755
--- a/forgot.cgi
+++ b/forgot.cgi
@@ -16,6 +16,10 @@ my $timeout = $gconfig{'passreset_timeout'} || 15;
 $remote_user && &error($text{'forgot_elogin'});
 $ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
 	&error($text{'forgot_essl'});
+$ENV{'SSL_HOST_CERT'} == 1 ||
+	&error(&text('forgot_esslhost',
+	&html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+	if ($ENV{'HTTPS'} eq 'ON');
 
 # Check that the random ID is valid
 $in{'id'} =~ /^[a-f0-9]+$/i || &error($text{'forgot_eid'});
diff --git a/forgot_form.cgi b/forgot_form.cgi
index 118f490d7..12015ae3c 100755
--- a/forgot_form.cgi
+++ b/forgot_form.cgi
@@ -15,6 +15,10 @@ $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 $remote_user && &error($text{'forgot_elogin'});
 $ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
 	&error($text{'forgot_essl'});
+$ENV{'SSL_HOST_CERT'} == 1 ||
+	&error(&text('forgot_esslhost',
+	&html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+	if ($ENV{'HTTPS'} eq 'ON');
 
 &ui_print_header(undef, $text{'forgot_title'}, "", undef, undef, 1, 1);
 print &ui_alert_box(" ⚠ ".$text{'forgot_nossl_warn'}, 'warn')
diff --git a/forgot_send.cgi b/forgot_send.cgi
index c45be3184..3db41c484 100755
--- a/forgot_send.cgi
+++ b/forgot_send.cgi
@@ -14,6 +14,10 @@ $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 $remote_user && &error($text{'forgot_elogin'});
 $ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
 	&error($text{'forgot_essl'});
+$ENV{'SSL_HOST_CERT'} == 1 ||
+	&error(&text('forgot_esslhost',
+	&html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+	if ($ENV{'HTTPS'} eq 'ON');
 
 # Lookup the Webmin user
 &foreign_require("acl");
diff --git a/lang/en b/lang/en
index 4385e8d71..228458057 100644
--- a/lang/en
+++ b/lang/en
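Review bot: The new `$ENV{'SSL_HOST_CERT'} == 1` guard in forgot.cgi carries no comment, and nothing in the hunk says which component sets that variable or what the value 1 means; the only hint is the lang key `forgot_esslhost` ("invalid SSL hostname"), so a maintainer has to go read the web server to learn that the requested hostname is being matched against a certificate. I would put above it `# Over SSL, refuse the reset unless the web server reported that the requested hostname matched a configured certificate (SSL_HOST_CERT=1); presumably this stops a forged Host: header steering the reset flow -- confirm against miniserv`. The comment should also record that the test fails closed: an unset variable gives `undef == 1`, which is false, so the error fires, although under `use warnings` without `no warnings 'uninitialized'` that would also log an uninitialized-value warning on every HTTPS request where the variable is not set. The top-level statement run this sits in continues past the hunk.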
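Review bot: The four lines added to forgot_form.cgi are a byte-for-byte copy of the block added to forgot.cgi and forgot_send.cgi in the same commit, pasted under an SSL check that is itself already duplicated across the three scripts, so the next adjustment (a second accepted value of `SSL_HOST_CERT`, a different fallback than `$ENV{'SSL_HOST'}`) has to be made three times and is easy to miss in one file. I would move both tests into one shared helper, e.g. `sub forgot_check_ssl` in the common library holding the existing `$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 || ...` test followed by the new hostname test, and replace both statements in each CGI with `&forgot_check_ssl();`. Keep the same failure order inside the helper (SSL requirement first, then hostname) so the error a user sees does not change. The statement run this sits in begins before the hunk.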
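Review bot: In forgot_send.cgi the hostname check is fenced by `if ($ENV{'HTTPS'} eq 'ON')`, so when `forgot_pass == 2` allows recovery over plain HTTP the request continues with `HTTP_HOST` entirely unvalidated, which is the path where a forged Host: header costs an attacker the least. If the reset link this script mails is built from `HTTP_HOST` further down (outside the hunk), the new check leaves that path exactly as exposed as before; the `forgot_nossl_warn` text acknowledges header injection, but a banner is not a control. I would at least reject a malformed host on the insecure path as well, something like `$ENV{'HTTP_HOST'} =~ /^[A-Za-z0-9.\-]+(:\d+)?$/ || &error(...)`, and preferably take the link's hostname from a configured value rather than from the request. Minor style point: `$ENV{'HTTPS'} eq 'ON'` is now evaluated in two consecutive statements; a `my $ssl = $ENV{'HTTPS'} eq 'ON';` above both would read more clearly. The enclosing statement run continues past the hunk.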
@@ -185,6 +185,7 @@ forgot_erate=Too many password reset attempts for $1! Please try again later.
 forgot_eremote=Webmin server on this system is not running or is not configured to allow forgotten password recovery.
 forgot_essl=Forgotten password recovery can only be used over an SSL connection unless explicitly allowed
 forgot_nossl=Yes, and allow over insecure connection
+forgot_esslhost=Forgotten password recovery cannot be used with invalid SSL hostname $1
 forgot_nossl_warn=Warning: This password reset is being sent over an insecure, not-encrypted connection and is vulnerable to man-in-the-middle (MITM) and header-injection attacks.
 
 pam_header=Login to Webmin