diff --git a/forgot.cgi b/forgot.cgi
index 104ee90f5..98aefbacf 100755
--- a/forgot.cgi
+++ b/forgot.cgi
@@ -14,10 +14,12 @@ $trust_unknown_referers = 1;
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 my $timeout = $gconfig{'passreset_timeout'} || 15;
 $remote_user && &error($text{'forgot_elogin'});
-$ENV{'HTTPS'} eq 'ON' || &error($text{'forgot_essl'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+ &error($text{'forgot_essl'});
 $ENV{'SSL_HOST_CERT'} == 1 || &error(&text('forgot_esslhost',
- &html_escape($ENV{'SSL_HOST'} || $ENV{'HTTP_HOST'})));
+ &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+ if ($ENV{'HTTPS'} eq 'ON');
 # Check that the random ID is valid
 $in{'id'} =~ /^[a-f0-9]+$/i || &error($text{'forgot_eid'});
diff --git a/forgot_form.cgi b/forgot_form.cgi
index a7757f98a..12015ae3c 100755
--- a/forgot_form.cgi
+++ b/forgot_form.cgi
@@ -13,13 +13,16 @@ $trust_unknown_referers = 1;
 &error_setup($text{'forgot_err'});
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 $remote_user && &error($text{'forgot_elogin'});
-$ENV{'HTTPS'} eq 'ON' || &error($text{'forgot_essl'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+ &error($text{'forgot_essl'});
 $ENV{'SSL_HOST_CERT'} == 1 || &error(&text('forgot_esslhost',
- &html_escape($ENV{'SSL_HOST'} || $ENV{'HTTP_HOST'})));
+ &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+ if ($ENV{'HTTPS'} eq 'ON');
 &ui_print_header(undef, $text{'forgot_title'}, "", undef, undef, 1, 1);
-
+print &ui_alert_box(" ⚠ ".$text{'forgot_nossl_warn'}, 'warn')
+ if ($gconfig{'forgot_pass'} == 2 && $ENV{'HTTPS'} ne 'ON');
 print "
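Review bot: When `$gconfig{'forgot_pass'} == 2` and the request is not over TLS, the new `if ($ENV{'HTTPS'} eq 'ON')` modifier skips the `SSL_HOST_CERT` check entirely, so nothing on the plain-HTTP path validates the request host, and `$ENV{'HTTP_HOST'}` is client-supplied; forgot_form.cgi and forgot_send.cgi carry the same pattern. That hostname check was the only thing tying a reset request to this server's own name, so on the HTTP path I would either keep an equivalent check (compare the port-stripped `HTTP_HOST` with the hostname this server is configured to answer for) or require `$gconfig{'webmin_email_url'}` to be set whenever `forgot_pass` is 2, since that is the one value touched by this commit that does not come from the request. The intent of value 2 is also undocumented at the check itself; a comment above the `$ENV{'HTTPS'}` line such as `# forgot_pass == 2 permits reset over plain HTTP; the SSL hostname check below only runs on TLS` would help the next reader.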
\n";
 print $text{'forgot_desc'},"

\n";
 print &ui_form_start("forgot_send.cgi", "post");
diff --git a/forgot_send.cgi b/forgot_send.cgi
index caa2b8b69..3db41c484 100755
--- a/forgot_send.cgi
+++ b/forgot_send.cgi
@@ -12,10 +12,12 @@ $no_acl_check++;
 &error_setup($text{'forgot_err'});
 $gconfig{'forgot_pass'} || &error($text{'forgot_ecannot'});
 $remote_user && &error($text{'forgot_elogin'});
-$ENV{'HTTPS'} eq 'ON' || &error($text{'forgot_essl'});
+$ENV{'HTTPS'} eq 'ON' || $gconfig{'forgot_pass'} == 2 ||
+ &error($text{'forgot_essl'});
 $ENV{'SSL_HOST_CERT'} == 1 || &error(&text('forgot_esslhost',
- &html_escape($ENV{'SSL_HOST'} || $ENV{'HTTP_HOST'})));
+ &html_escape($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'})))
+ if ($ENV{'HTTPS'} eq 'ON');
 # Lookup the Webmin user
 &foreign_require("acl");
diff --git a/lang/en b/lang/en
index 50959fa2d..228458057 100644
--- a/lang/en
+++ b/lang/en
@@ -183,8 +183,10 @@ forgot_eunixlock=User user's password is locked!
 forgot_elogin=Forgotten password pages cannot be used when you are already logged in to Webmin!
 forgot_erate=Too many password reset attempts for $1! Please try again later.
 forgot_eremote=Webmin server on this system is not running or is not configured to allow forgotten password recovery.
-forgot_essl=Forgotten password recovery can only be used over an SSL connection
+forgot_essl=Forgotten password recovery can only be used over an SSL connection unless explicitly allowed
+forgot_nossl=Yes, and allow over insecure connection
 forgot_esslhost=Forgotten password recovery cannot be used with invalid SSL hostname $1
+forgot_nossl_warn=Warning: This password reset is being sent over an insecure, not-encrypted connection and is vulnerable to man-in-the-middle (MITM) and header-injection attacks.
 pam_header=Login to Webmin
 pam_mesg=You must respond to the question below to login to Webmin server on $1.
diff --git a/usermin/edit_session.cgi b/usermin/edit_session.cgi
index 1269a6e99..798fa5d81 100755
--- a/usermin/edit_session.cgi
+++ b/usermin/edit_session.cgi
@@ -39,7 +39,10 @@ print &ui_table_row("",
 # Enable forgotten password recovery
 print &ui_table_row($text{'session_forgot'},
- &ui_yesno_radio("forgot", $uconfig{'forgot_pass'}));
+ &ui_radio("forgot", $uconfig{'forgot_pass'},
+ [ [ 0, $text{'no'}."
" ],
+ [ 1, $text{'yes'}."
" ],
+ [ 2, $text{'forgot_nossl'} ] ]));
 # Log to syslog
 eval "use Sys::Syslog qw(:DEFAULT setlogsock)";
diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl
index ccc765ebf..bcc8853ca 100755
--- a/web-lib-funcs.pl
+++ b/web-lib-funcs.pl
@@ -13261,10 +13261,12 @@ if (!$def && $gconfig{'webmin_email_url'}) {
 # From a config option
 $url = $gconfig{'webmin_email_url'};
 }
-elsif ($ENV{'HTTP_HOST'}) {
+elsif ($ENV{'HTTP_HOST'} || $ENV{'SSL_HOST'}) {
 # From this HTTP request
- my $host = $ENV{'HTTP_HOST'};
 my $port = $ENV{'SERVER_PORT'} || 80;
+ my $host = $ENV{'SSL_HOST'}
+ ? "$ENV{'SSL_HOST'}:$port"
+ : $ENV{'HTTP_HOST'};
 if ($host =~ s/:(\d+)$//) {
 $port = $1;
 }
diff --git a/webmin/edit_session.cgi b/webmin/edit_session.cgi
index bc6645e30..3a54c2490 100755
--- a/webmin/edit_session.cgi
+++ b/webmin/edit_session.cgi
@@ -42,7 +42,10 @@ print &ui_table_row("",
 # Enable forgotten password recovery
 print &ui_table_row($text{'session_forgot'},
- &ui_yesno_radio("forgot", $gconfig{'forgot_pass'}));
+ &ui_radio("forgot", $gconfig{'forgot_pass'},
+ [ [ 0, $text{'no'}."
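Review bot: The new radio value 2 is introduced without any explanation next to the `$uconfig{'forgot_pass'}` it is stored into; its meaning is only discoverable from the `forgot_nossl` label in lang/en ("Yes, and allow over insecure connection") and from the `== 2` tests in the forgot_*.cgi scripts of this same commit. I would add a comment above `print &ui_table_row($text{'session_forgot'},`, for example `# forgot_pass: 0 = off, 1 = on (TLS only), 2 = on, also over plain HTTP`, and the same in webmin/edit_session.cgi. Whether the matching save script accepts and persists the value 2 is outside this diff and worth confirming.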
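Review bot: On the `$ENV{'HTTP_HOST'}` branch the host that ends up in `$url` is taken straight from the client's Host header, and after this commit the forgot_*.cgi callers no longer reject non-TLS requests when `forgot_pass == 2`, so a request carrying an arbitrary Host header can presumably place that host into the generated URL (where `$url` is consumed is outside this hunk, but the lang text in this commit describes it as a reset sent over the connection). The first branch already prefers `$gconfig{'webmin_email_url'}` when set; I would document that operators enabling reset over HTTP should set it, and record the assumption on the `elsif`, e.g. `# HTTP_HOST is client-supplied; on TLS the callers verify SSL_HOST_CERT, on plain HTTP nothing does`. Separately, the ternary appends `:$port` to `SSL_HOST` only for the `s/:(\d+)$//` on the next line to strip it again and reassign the same `$port`; `my $host = $ENV{'SSL_HOST'} || $ENV{'HTTP_HOST'};` reads the same if `SSL_HOST` never carries a port, which I cannot confirm from here. The enclosing function starts and ends outside the hunk.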
" ],
+ [ 1, $text{'yes'}."
" ],
+ [ 2, $text{'forgot_nossl'} ] ]));
 # Block bad password requests
 $gconfig{'passreset_failures'} //= 3;