From 130a8ce62065ba402ceab731ebe1bb4331b39b26 Mon Sep 17 00:00:00 2001 From: ja Date: Tue, 16 Nov 2021 11:59:05 +0100 Subject: [PATCH] =?UTF-8?q?=C3=84nderung=20Sicherheit=20erh=C3=B6ht?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Global.asax | 1 + login/Change_PW.aspx.vb | 70 ++++++++++++++++++----------------------- login/login_FLEX.aspx | 4 +-- 3 files changed, 33 insertions(+), 42 deletions(-) diff --git a/Global.asax b/Global.asax index 58b6820..f41803d 100644 --- a/Global.asax +++ b/Global.asax @@ -24,6 +24,7 @@ void Application_Error(object sender, EventArgs e) { // Code, der ausgeführt wird, wenn ein nicht behandelter Fehler auftritt + Response.Redirect("../login/Error.aspx"); } diff --git a/login/Change_PW.aspx.vb b/login/Change_PW.aspx.vb index 8d1028d..2697722 100644 --- a/login/Change_PW.aspx.vb +++ b/login/Change_PW.aspx.vb 
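Review bot: The added `Response.Redirect("../login/Error.aspx");` in `Application_Error` discards the unhandled exception without recording it, so every failure that now ends on the error page leaves no trace for troubleshooting or incident review. Read the exception with `Server.GetLastError()`, log it server-side, and call `Server.ClearError()` before redirecting. The relative target `../login/Error.aspx` is resolved against the URL of the failing request, so it only reaches the intended page from requests exactly one directory below the application root; `Response.Redirect("~/login/Error.aspx");` does not depend on the request path. If Error.aspx can itself throw, this handler would send the browser to it again, so that page should be kept free of code that can fail.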
@@ -34,52 +34,42 @@ Partial Class login_Change_PW Dim dr As SqlDataReader = cmd.ExecuteReader() If dr.HasRows Then dr.Read() - If String.IsNullOrEmpty(usrname) = False Then - If getDateoftoken(Request.QueryString("Par1")) = True AndAlso usrname = dr("Username") AndAlso String.Equals(KundenNr, dr("KundenNr")) = True Then - Try - If IsPostBack Then - If String.IsNullOrEmpty(txt_Pw.Text) = False AndAlso String.IsNullOrEmpty(txt_Pw_WH.Text) = False Then - txt_Pw_WH.Enabled = False - reqPassw1txt_M.Enabled = False - reqPasswtxt_M.Enabled = False - reqPasswtxt.Enabled = True - reqPassw1txt.Enabled = True - reqPasswtxt.Validate() - If reqPasswtxt.IsValid = True Then - txt_Pw_WH.Enabled = True - reqPassw1txt.Validate() - End If - ElseIf String.IsNullOrEmpty(txt_Pw_M.Text) = False AndAlso String.IsNullOrEmpty(txt_Pw_WH_M.Text) = False Then - txt_Pw_WH_M.Enabled = False - reqPasswtxt.Enabled = False - reqPassw1txt.Enabled = False - reqPassw1txt_M.Enabled = True - reqPasswtxt_M.Enabled = True - reqPasswtxt_M.Validate() - If reqPasswtxt_M.IsValid = True Then - txt_Pw_WH_M.Enabled = True - reqPassw1txt_M.Validate() - End If + + If getDateoftoken(Request.QueryString("Par1")) = True AndAlso usrname = dr("Username") AndAlso KundenNr = dr("KundenNr") AndAlso UsrID = dr("UserId") Then + Try + If IsPostBack Then + If String.IsNullOrEmpty(txt_Pw.Text) = False AndAlso String.IsNullOrEmpty(txt_Pw_WH.Text) = False Then + txt_Pw_WH.Enabled = False + reqPassw1txt_M.Enabled = False + reqPasswtxt_M.Enabled = False + reqPasswtxt.Enabled = True + reqPassw1txt.Enabled = True + reqPasswtxt.Validate() + If reqPasswtxt.IsValid = True Then + txt_Pw_WH.Enabled = True + reqPassw1txt.Validate() + End If + ElseIf String.IsNullOrEmpty(txt_Pw_M.Text) = False AndAlso String.IsNullOrEmpty(txt_Pw_WH_M.Text) = False Then + txt_Pw_WH_M.Enabled = False + reqPasswtxt.Enabled = False + reqPassw1txt.Enabled = False + reqPassw1txt_M.Enabled = True + reqPasswtxt_M.Enabled = True + reqPasswtxt_M.Validate() + If 
reqPasswtxt_M.IsValid = True Then + txt_Pw_WH_M.Enabled = True + reqPassw1txt_M.Validate() End If End If - Catch exc As Exception - lbl_messagetext.Text = exc.Message - End Try - Else - 'btn_submitpw.Enabled = False - txt_Pw.BackColor = Drawing.Color.Gray - txt_Pw.ForeColor = Drawing.Color.DarkGray - txt_Pw_WH.Enabled = False - txt_Pw_WH.BackColor = Drawing.Color.Gray - txt_Pw_WH.ForeColor = Drawing.Color.DarkGray - txt_Pw.Enabled = False - regexval_txt_Pw_WH.Enabled = False - End If + End If + Catch exc As Exception + lbl_messagetext.Text = exc.Message + End Try Else VERAG_VARIABLES.initerrorcount() VERAG_VARIABLES.seterrorcount(1) lbl_messagetext.Text = VERAG_VARIABLES.geterrornumb + "Link ist abgelaufen. Bitte neue E-Mail senden." - Response.Redirect("ForgotPW.aspx") + 'Response.Redirect("ForgotPW.aspx") End If dr.Close() End If diff --git a/login/login_FLEX.aspx b/login/login_FLEX.aspx index 45c6916..2fd1ef7 100644 --- a/login/login_FLEX.aspx +++ b/login/login_FLEX.aspx @@ -295,7 +295,7 @@ - + @@ -340,7 +340,7 @@ - +
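Review bot: The `Else` branch at the end of this hunk now only sets `lbl_messagetext.Text` when the token check or the user name, customer number or user id comparison fails, because `Response.Redirect("ForgotPW.aspx")` is commented out and the removed block that disabled `txt_Pw` and `txt_Pw_WH` is gone, so the password form stays usable for an expired or mismatched link. Either keep the redirect or disable the password boxes and the submit button in that branch. The handler that actually writes the new password is outside the hunk, as are the start and end of this method, so confirm that it repeats the `getDateoftoken` and identity comparison itself rather than relying on this code. The comparisons `KundenNr = dr("KundenNr") AndAlso UsrID = dr("UserId")` sit before the `Try`, and presumably a NULL column would raise there instead of failing the check; that should be verified. `lbl_messagetext.Text = exc.Message` still shows raw exception text to the visitor, where a fixed message with the detail logged server-side would match the intent of the commit.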