Fixed Fehler bei E-Mail-Token-Problem, wo unbefugter Zugriff mithilfe der generierten, aber nicht explizit gelöschten Tokens möglich war.

This commit is contained in:
ja
2021-10-14 10:01:46 +02:00
parent c4fb20d4a2
commit e2f55563f1


@@ -55,27 +55,28 @@ Partial Class login_ForgotPW
If dr.Read() Then If dr.Read() Then
username = dr("Username").ToString() username = dr("Username").ToString()
password = dr("Password").ToString() password = dr("Password").ToString()
email = dr("Email").ToString()
Try Try
If txt_Username.Text = dr("Username").ToString() Then If txt_Username.Text = dr("Username").ToString() Then
check_UserName_regex.IsValid = True check_UserName_regex.IsValid = True
username = txt_Username.Text
Else Else
check_UserName_regex.MatchTimeout = 3000 check_UserName_regex.MatchTimeout = 3000
check_UserName_regex.ErrorMessage = "No valid Username found in out database!" check_UserName_regex.ErrorMessage = "No valid Username found in out database!"
check_UserName_regex.IsValid = False check_UserName_regex.IsValid = False
End If End If
If txtEmail.Text = dr("Email").ToString() Then If txtEmail.Text = dr("Email").ToString() Then
regexval_txt_Email.IsValid = True regexval_txt_Email.Validate()
regexval_txt_Email_2.IsValid = True email = txtEmail.Text
lblMessage.ForeColor = Color.Green lblMessage.ForeColor = Color.Green
lblMessage.Text = "The given e-mail exists in our database." lblMessage.Text = "The given e-mail exists in our database."
Else Else
regexval_txt_Email.IsValid = False
regexval_txt_Email_2.IsValid = False
lblMessage.ForeColor = Color.Red lblMessage.ForeColor = Color.Red
lblMessage.Text = "The given e-mail does not exist in our database." lblMessage.Text = "The given e-mail does not exist in our database."
End If End If
regexval_txt_Email.Validate()
Catch ex As Exception Catch ex As Exception
Dim Msg, Style, Title As String Dim Msg, Style, Title As String
Msg = "E-Mail validation failed!" & vbCrLf + "Please try again!" Msg = "E-Mail validation failed!" & vbCrLf + "Please try again!"
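Review bot: The two label texts kept on the new side, `lblMessage.Text = "The given e-mail exists in our database."` and `"The given e-mail does not exist in our database."`, tell an unauthenticated visitor whether an address is registered; a single neutral text such as `"If the address is registered, an e-mail has been sent."` for both branches avoids account enumeration. `password = dr("Password").ToString()` reads the stored password into a local that the later flow passes to SendEmail and describes as "sent"; unless that column holds a one-time value, this implies recoverable password storage and is worth confirming. The Else branch no longer sets `regexval_txt_Email.IsValid`, so on a mismatch the validator state appears to be whatever the page left it at (inferred from the single-printed lines). The enclosing Sub starts before this hunk.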
@@ -92,42 +93,51 @@ Partial Class login_ForgotPW
End Using End Using
con.Close() con.Close()
End Using End Using
If Session.Item("TokenforEmail") = Nothing Then
tokenname = genToken(username, password, email)
Session.Add("TokenforEmail", tokenname)
Else
tokenname = Session.Item("TokenforEmail").ToString()
End If
tokenname = genToken(username, password, email)
Session.Add("TokenforEmail", tokenname)
If SendEmail(username, password, email, tokenname) = True Then If SendEmail(username, password, email, tokenname) = True Then
'password = RandomString(New Random, 10) 'password = RandomString(New Random, 10)
If (getDateoftoken(tokenname) = True) Then If (getDateoftoken(tokenname) = True) Then
'Dim msgboxstyle = vbDefaultButton1 + vbOK 'Dim msgboxstyle = vbDefaultButton1 + vbOK
'MsgBox(tokenname, msgboxstyle) 'MsgBox(tokenname, msgboxstyle)
lblMessage.ForeColor = Color.Green lblMessage.ForeColor = Color.Green
lblMessage.Text = "Token generated successfully." lblMessage.Text = "Token generated successfully."
'MsgBox("Token generated successfully.") 'MsgBox("Token generated successfully.")
Else Else
lblMessage.ForeColor = Color.Red lblMessage.ForeColor = Color.Red
lblMessage.Text = "Token is not valid anymore. Please generate a new one by sending a new e-mail!" lblMessage.Text = "Token is not valid anymore. Please generate a new one by sending a new e-mail!"
'MsgBox("Token is not valid anymore. Please generate a new one by sending a new e-mail!") 'MsgBox("Token is not valid anymore. Please generate a new one by sending a new e-mail!")
tokenname = genToken(username, password, email) If Session.Item("TokenforEmail") = Nothing Then
tokenname = genToken(username, password, email)
Session.Add("TokenforEmail", tokenname)
Else
tokenname = Session.Item("TokenforEmail").ToString()
End If
End If End If
'SendEmail(username, password, email) 'SendEmail(username, password, email)
'MsgBox("Mail would be sent successfully!") 'MsgBox("Mail would be sent successfully!")
lblMessage.ForeColor = Color.Green lblMessage.ForeColor = Color.Green
lblMessage.Text = "The password has been sent sucessfully on the given valid e-mail address." lblMessage.Text = "The password has been sent sucessfully on the given valid e-mail address."
ElseIf SendEmail(username, password, email, tokenname) = False Then ElseIf SendEmail(username, password, email, tokenname) = False Then
'MsgBox("Mail would not be sent successfully!") 'MsgBox("Mail would not be sent successfully!")
lblMessage.ForeColor = Color.Red
If String.IsNullOrWhiteSpace(username) = True Then
lblMessage.Text = "Error10: Username not recognized Error!"
ElseIf String.IsNullOrWhiteSpace(email) = True Then
lblMessage.Text = "Error11: Email not recognized Error!"
ElseIf String.IsNullOrWhiteSpace(password) = True Then
lblMessage.Text = "An internal password searching error occured in our systems ."
End If
End If
Else
'MsgBox("The form has not been filled completeley.", MsgBoxStyle.Critical, "Error08")
lblMessage.ForeColor = Color.Red lblMessage.ForeColor = Color.Red
If String.IsNullOrWhiteSpace(username) = True Then
lblMessage.Text = "Error10: Username not recognized Error!"
ElseIf String.IsNullOrWhiteSpace(email) = True Then
lblMessage.Text = "Error11: Email not recognized Error!"
ElseIf String.IsNullOrWhiteSpace(password) = True Then
lblMessage.Text = "An internal password searching error occured in our systems ."
End If
End If
Else
'MsgBox("The form has not been filled completeley.", MsgBoxStyle.Critical, "Error08")
lblMessage.ForeColor = Color.Red
lblMessage.Text = "The form has not been filled completeley." lblMessage.Text = "The form has not been filled completeley."
End If End If
End Sub End Sub
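Review bot: `ElseIf SendEmail(username, password, email, tokenname) = False Then` invokes SendEmail a second time on the failure path, so one failed delivery triggers another full send (on top of the retry SendEmail performs in its own error path), and because SendEmail overwrites tokenname from the session the two attempts can disagree on the token; a plain `Else` keeps the intent without the extra call. Separately, the invalid-token branch writes the red "Token is not valid anymore" text, but control then reaches `lblMessage.Text = "The password has been sent sucessfully on the given valid e-mail address."` after the inner `End If`, so the user always sees success; either exit the Sub from that branch or move the success lines into the `getDateoftoken(tokenname) = True` branch. Whether `Session.Add` replaces an existing "TokenforEmail" entry or keeps the old one should be confirmed, since the unconditional `Session.Add("TokenforEmail", tokenname)` now runs on every submit. The enclosing Sub starts before this hunk.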
@@ -174,9 +184,14 @@ Partial Class login_ForgotPW
'MsgBox("/" + ServPort + Request.ServerVariables("URL")) 'MsgBox("/" + ServPort + Request.ServerVariables("URL"))
Try Try
Dim tokennametemp = genToken(username, password, email) If Session.Item("TokenforEmail") = Nothing Then
tokenname = genToken(username, password, email)
Session.Add("TokenforEmail", tokenname)
Else
tokenname = Session.Item("TokenforEmail").ToString()
End If
'Dim Strtemp = Session.Keys.Item("urltochangepw") 'Dim Strtemp = Session.Keys.Item("urltochangepw")
If getDateoftoken(tokennametemp) = True Then If getDateoftoken(tokenname) = True Then
' Dim attachment As Attachment = New Attachment(File.OpenRead(excel), "Kundenliste.xlsx") ' Dim attachment As Attachment = New Attachment(File.OpenRead(excel), "Kundenliste.xlsx")
' Msg.Attachments.Add(attachment) ' Msg.Attachments.Add(attachment)
If String.IsNullOrEmpty(mailto) = False AndAlso String.IsNullOrEmpty(Betreff) = False AndAlso String.IsNullOrEmpty(htmlbody) = False Then If String.IsNullOrEmpty(mailto) = False AndAlso String.IsNullOrEmpty(Betreff) = False AndAlso String.IsNullOrEmpty(htmlbody) = False Then
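Review bot: The six-line get-or-create block beginning at `If Session.Item("TokenforEmail") = Nothing Then` is repeated verbatim here, in the error path of the same function further down, and twice in the calling Sub; one private helper, e.g. `Private Function getOrCreateToken(username As String, password As String, email As String) As String`, would keep the session key and the generation rule in a single place. The `= Nothing` test on an Object value relies on late-bound comparison (Option Strict Off), whereas `If Session("TokenforEmail") Is Nothing Then` states the intent directly. Note that `tokenname` here is SendEmail's own parameter, so the assignment silently discards the value the caller passed in; it is harmless today only because the caller stored the same value in the session immediately before. SendEmail's signature and the remainder of the Try lie outside the hunk.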
@@ -186,7 +201,7 @@ Partial Class login_ForgotPW
lblMessage.ForeColor = Color.OrangeRed lblMessage.ForeColor = Color.OrangeRed
lblMessage.Text = "Error07: Die Paramter wurden nicht alle gesetzt. Bitte Felder überprüfen!" lblMessage.Text = "Error07: Die Paramter wurden nicht alle gesetzt. Bitte Felder überprüfen!"
End If End If
lblMessage.ForeColor = Color.OrangeRed lblMessage.ForeColor = Color.Green
lblMessage.Text = "Success" + Environment.NewLine + " Mail sent. Please check your inbox." lblMessage.Text = "Success" + Environment.NewLine + " Mail sent. Please check your inbox."
'MsgBox("SENT") 'MsgBox("SENT")
Return True Return True
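Review bot: After the `End If` the success label and `Return True` run unconditionally, so the Error07 branch directly above (missing parameters, nothing sent) still ends with green "Success … Mail sent." text and reports True to the caller. Add `Return False` at the end of the Error07 branch, or move the two success lines and `Return True` inside the branch that actually sent the mail. The enclosing Try in SendEmail begins before this hunk.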
@@ -194,7 +209,12 @@ Partial Class login_ForgotPW
lblMessage.ForeColor = Color.Red lblMessage.ForeColor = Color.Red
lblMessage.Text = "Error02: Mail not delivered!" lblMessage.Text = "Error02: Mail not delivered!"
'MsgBox("Error02: Mail not delivered!" & vbCrLf & "New Token has been generated.") 'MsgBox("Error02: Mail not delivered!" & vbCrLf & "New Token has been generated.")
tokennametemp = genToken(username, password, email) If Session.Item("TokenforEmail") = Nothing Then
tokenname = genToken(username, password, email)
Session.Add("TokenforEmail", tokenname)
Else
tokenname = Session.Item("TokenforEmail").ToString()
End If
VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody, tokenname) VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody, tokenname)
Return False Return False
End If End If
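Review bot: The retry `VERAG_PROG_ALLGEMEIN.cProgramFunctions.sendMail(mailto, Betreff, htmlbody, tokenname)` discards its result and the function returns False regardless, so a retry that succeeds is still reported as "Error02: Mail not delivered!"; either return the outcome of the retry or drop it. The commented text "New Token has been generated" above no longer describes the new side: the caller populated "TokenforEmail" just before, so the Else branch reuses the existing token rather than generating one, which is consistent with the commit's intent but makes the comment misleading. The enclosing Catch block starts before this hunk.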
@@ -243,7 +263,7 @@ Partial Class login_ForgotPW
Function getDateoftoken(tokenname As String) As Boolean Function getDateoftoken(tokenname As String) As Boolean
Dim data() As Byte = Convert.FromBase64String(tokenname) Dim data() As Byte = Convert.FromBase64String(tokenname)
Dim wenn As DateTime = DateTime.FromBinary(BitConverter.ToInt64(data, 0)) Dim wenn As DateTime = DateTime.FromBinary(BitConverter.ToInt64(data, 0))
If wenn > DateTime.UtcNow.AddMinutes(-30) Then If wenn < DateTime.UtcNow.AddMinutes(-30) Then
tokenname = String.Empty tokenname = String.Empty
'MsgBox("Token has not been found or is too old!" + Environment.NewLine + "Please send a new E-mail!") 'MsgBox("Token has not been found or is too old!" + Environment.NewLine + "Please send a new E-mail!")
Session.Remove("TokenforEmail") Session.Remove("TokenforEmail")
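Review bot: With the comparison now corrected to `If wenn < DateTime.UtcNow.AddMinutes(-30) Then`, getDateoftoken still throws instead of returning False when the token is not well-formed: `Convert.FromBase64String(tokenname)` raises FormatException on non-Base64 input, and `BitConverter.ToInt64(data, 0)` / `DateTime.FromBinary` raise on fewer than eight bytes or an out-of-range value. Wrap the three decoding lines in a Try block whose Catch clears the session entry and returns False, so a bad token from any caller is treated as expired rather than as an unhandled error. `tokenname = String.Empty` assigns to a ByVal parameter and has no effect outside the function, so it can be removed. The expiry is read from the token's own bytes; unless genToken (not visible here) integrity-protects the token, recording the issue time server-side alongside the session entry is the more robust check. The function's remaining lines lie outside the hunk.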