From 6979627c87c27be48643a7e674221de530caa5d4 Mon Sep 17 00:00:00 2001 From: ja Date: Thu, 7 Oct 2021 17:02:01 +0200 Subject: [PATCH] =?UTF-8?q?Sicherheitsmechnanismus=20zum=20nicht=20zu=20of?= =?UTF-8?q?t=20senden=20versuchen=20einer=20mail=20sowie=20einer=20Linkzuf?= =?UTF-8?q?=C3=BCgung=20welche=20noch=20auf=20die=20Seite=20hinzeigen=20mu?= =?UTF-8?q?ss?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- login/ChangePW.aspx.vb | 2 ++ login/ForgotPW.aspx.vb | 25 ++++++++++++++++--------- login/login_FLEX.aspx | 3 ++- login/login_FLEX.aspx.vb | 5 ++++- 4 files changed, 24 insertions(+), 11 deletions(-) diff --git a/login/ChangePW.aspx.vb b/login/ChangePW.aspx.vb index 2b54fd2..cfe5443 100644 --- a/login/ChangePW.aspx.vb +++ b/login/ChangePW.aspx.vb @@ -3,12 +3,14 @@ Partial Class login_ChangePW Inherits System.Web.UI.Page Protected Sub Page_Load(sender As Object, e As EventArgs) + btn_submitpw.Enabled = False txt_Pw_WH.Enabled = False regexval_txt_Pw_WH.Enabled = False If IsPostBack Then reqPasswtxt.Validate() reqPassw1txt.Validate() + Session.Add("urltochangepw", Request.Url.AbsoluteUri) End If End Sub diff --git a/login/ForgotPW.aspx.vb b/login/ForgotPW.aspx.vb index ca83f87..7e32d86 100644 --- a/login/ForgotPW.aspx.vb +++ b/login/ForgotPW.aspx.vb @@ -10,7 +10,7 @@ Partial Class login_ForgotPW Protected Sub Page_Load(sender As Object, e As EventArgs) If txt_Username.Text = "" Then Try - txt_Username.Text = Request.QueryString.Item("Par1") + txt_Username.Text = Request.QueryString.Item("urlofchangepwpage") Catch ex As Exception MsgBox(ex.Message) End Try @@ -74,7 +74,6 @@ Partial Class login_ForgotPW tokenname = genToken(username, password, email) If SendEmail(username, password, email) = True Then 'password = RandomString(New Random, 10) - If (getDateoftoken(tokenname) = True) Then Dim msgboxstyle = vbDefaultButton1 + vbOK 
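Review bot: `Session.Add("urltochangepw", Request.Url.AbsoluteUri)` sits inside `If IsPostBack` in ChangePW's Page_Load, so the key exists only after the ChangePW form has been posted in the same session; a visitor who opens the login page first gets `Nothing` back. `Request.Url` is built from the incoming request, so if this value is later placed in the reset mail it would be safer to compose the link from a configured base address instead. Separately, `btn_submitpw.Enabled = False` now runs on every load and nothing in this hunk re-enables the button; if that happens elsewhere, a comment such as `' enabled again in <handler> once both password fields validate` would help.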
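Review bot: In ForgotPW's Page_Load the user-name box is now filled from a query parameter called `urlofchangepwpage`, which reads like a URL rather than a user name, and no file in this patch emits a parameter of that name (the session key stored in ChangePW is `urltochangepw`). If the user-name pre-fill is still wanted, keep `Request.QueryString.Item("Par1")` for `txt_Username.Text` and read the URL into a variable of its own. The surrounding `Catch` calls `MsgBox(ex.Message)`, which cannot show a dialog during a web request; writing the message to a log is the usual replacement. Page_Load continues past the end of the hunk.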
@@ -106,20 +105,28 @@ Partial Class login_ForgotPW End Function Function SendEmail(username As String, password As String, email As String) As Boolean - Dim lkb As LinkButton = New LinkButton() - lkb.PostBackUrl = "ChangePW.aspx" + Dim mailto As String = email + Dim Betreff As String = "Passwort reset" + Dim htmlbody = String.Format("Sehr geehrte/r {0},

Der Link zum Zurücksetzen des Passwortes lautet:


.
" + Environment.NewLine + "This is default.aspx" + Environment.NewLine + "
Mit freundlichen Grüßen,", username, password) Try Dim tokennametemp = genToken(username, password, email) + 'Dim Strtemp = Session.Keys.Item("urltochangepw") If getDateoftoken(tokennametemp) = True Then - Dim mailto As String = email - Dim Betreff As String = "Passwort reset" - Dim htmlbody = String.Format("Sehr geehrte/r {0},

Der Link zum Zurücksetzen des Passwortes lautet:


.
" + Environment.NewLine + lkb.PostBackUrl + Environment.NewLine + "
Mit freundlichen Grüßen,", username, password) ' Dim attachment As Attachment = New Attachment(File.OpenRead(excel), "Kundenliste.xlsx") ' Msg.Attachments.Add(attachment) - VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody) - MsgBox("SENT") + Dim count = 0 + Do + VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody) + Loop + While count = 2 + End While + + MsgBox("SENT") Return True Else + + tokennametemp = genToken(username, password, email) + VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody) Return False End If Catch ex As Exception diff --git a/login/login_FLEX.aspx b/login/login_FLEX.aspx index f9b7a2a..8e9fc0f 100644 --- a/login/login_FLEX.aspx +++ b/login/login_FLEX.aspx @@ -145,7 +145,8 @@ - Passwort Vergessen + <%Dim url As String = Session.Keys.Item("urltochangepw") %> + Passwort Vergessen diff --git a/login/login_FLEX.aspx.vb b/login/login_FLEX.aspx.vb index 25b6375..b1a0e33 100644 --- a/login/login_FLEX.aspx.vb +++ b/login/login_FLEX.aspx.vb @@ -5,7 +5,10 @@ Partial Class login_login_TEST Inherits System.Web.UI.Page Dim CustomerIDTextBox As TextBox Protected Sub Page_Load(sender As Object, e As EventArgs) - + If Not IsPostBack Then + Dim varlink As String = Request.Url.ToString + Response.Redirect(varlink, False) + End If End Sub Protected Sub ValidateUser(sender As Object, e As EventArgs) Dim userId As Integer = 0
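Review bot: The new `Do … Loop` around `sendMail` in SendEmail has no exit condition and `count` is never changed, so the first successful token check would send the reset mail without end, and the `While count = 2` after it is never reached. The `Else` branch also calls `sendMail` before `Return False`, so a mail leaves even when `getDateoftoken` rejects the token. A limit on reset mails needs a counter that outlives the request; the sketch below uses the session with a constructed key name, and a counter stored per account on the server would be harder to bypass by starting a new session. `password` is still passed to `String.Format` and the link text is the fixed string "This is default.aspx", so the mail does not yet carry a token link. The function starts inside the hunk and its `Catch` block ends outside it.

```vbnet
' … unchanged: mailto / Betreff / htmlbody declarations …
Try
    Dim tokennametemp = genToken(username, password, email)
    If getDateoftoken(tokennametemp) = True Then
        ' "resetMailCount" is a constructed key name; the limit of 2 mirrors the original `count = 2`.
        Dim sentSoFar As Integer = 0
        If Session("resetMailCount") IsNot Nothing Then
            sentSoFar = CInt(Session("resetMailCount"))
        End If
        If sentSoFar >= 2 Then
            Return False
        End If
        ' Send exactly once per call.
        VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody)
        Session("resetMailCount") = sentSoFar + 1
        ' … unchanged: MsgBox("SENT") …
        Return True
    Else
        ' Token check failed: nothing is sent.
        Return False
    End If
' … unchanged: Catch block …
```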
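Review bot: In login_FLEX.aspx, `Session.Keys.Item("urltochangepw")` indexes the key collection, whose `Item` takes a numeric position, so with Option Strict off the string is converted to Integer at run time and fails; the stored value is read with `Dim url As String = TryCast(Session("urltochangepw"), String)`. The value is `Nothing` until ChangePW has been posted in this session, so the link needs a fallback to the fixed page name. The anchor markup itself is not visible in this hunk; if `url` is written into an `href`, it should be HTML-attribute-encoded and checked to be a local address.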
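Review bot: On every non-postback request, Page_Load in login_FLEX.aspx.vb now redirects to `Request.Url.ToString`, which is the address just requested, so a plain GET of the login page answers with a redirect to itself and the browser loops until it gives up. The block should be removed, or the redirect limited to the case where the target differs from the current URL. If a redirect is kept, a comment stating what it is meant to achieve would make its purpose clear to the next reader.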