Sicherheitslücke geschlossen, bei der man ohne Angabe von E-Mail und/oder Benutzername ein Token generieren lassen konnte. If-Abfrage wurde vor der Generierung des Tokens hinzugefügt.
@@ -148,38 +148,42 @@ Partial Class login_ForgotPW
|
||||
Dim time() As Byte = BitConverter.GetBytes(DateTime.UtcNow.ToBinary())
|
||||
Dim Key() As Byte = Guid.NewGuid().ToByteArray()
|
||||
Dim token As String
|
||||
If username = Not Nothing And email = Not Nothing Then
|
||||
Try
|
||||
token = Convert.ToBase64String(time.Concat(Key).ToArray())
|
||||
Return token
|
||||
Catch Ex As Exception
|
||||
Dim Msg, Style, Title As String
|
||||
Msg = "Tokengenerierung fehlgeschlagen!" & vbCrLf & "Eine E-Mail wurde erneut an " + email + " zugesedet."
|
||||
Style = vbRetry + vbExclamation + vbDefaultButton1
|
||||
Title = "Fehler bei Token-Generierung"
|
||||
MsgBox(Msg, Style, Title)
|
||||
|
||||
Try
|
||||
token = Convert.ToBase64String(time.Concat(Key).ToArray())
|
||||
Return token
|
||||
Catch Ex As Exception
|
||||
Dim Msg, Style, Title As String
|
||||
Msg = "Tokengenerierung fehlgeschlagen!" & vbCrLf & "Eine E-Mail wurde erneut an " + email + " zugesedet."
|
||||
Style = vbRetry + vbExclamation + vbDefaultButton1
|
||||
Title = "Fehler bei Token-Generierung"
|
||||
MsgBox(Msg, Style, Title)
|
||||
|
||||
If MsgBox(Msg, Style, Title).Retry Then
|
||||
genToken(username, password, email)
|
||||
If SendEmail(username, password, email, token) = False Then
|
||||
MsgBox("Email konnte wegen eines internen Verschlüsselungsfehlers nicht gesendet werden.", vbOK + vbInformation + vbDefaultButton1, "TokengenerierungsFehler")
|
||||
If MsgBox(Msg, Style, Title).Retry Then
|
||||
genToken(username, password, email)
|
||||
If SendEmail(username, password, email, token) = False Then
|
||||
MsgBox("Email konnte wegen eines internen Verschlüsselungsfehlers nicht gesendet werden.", vbOK + vbInformation + vbDefaultButton1, "TokengenerierungsFehler")
|
||||
Else
|
||||
MsgBox("Email wurde erfolgreich gesendet." & vbCr & "Bitte Postfach überprüfen!", vbOK + vbInformation + vbDefaultButton1, "Tokengenerierungs erfolgreich!")
|
||||
End If
|
||||
Else
|
||||
MsgBox("Email wurde erfolgreich gesendet." & vbCr & "Bitte Postfach überprüfen!", vbOK + vbInformation + vbDefaultButton1, "Tokengenerierungs erfolgreich!")
|
||||
End If
|
||||
Else
|
||||
MsgBox("Tokengenerierung nicht erfolgreich." & vbCrLf & "In 5 Sekunden nochmal versuchen!")
|
||||
Dim jetzt As DateTime = DateTime.UtcNow
|
||||
Dim wenn As DateTime = DateTime.UtcNow.AddSeconds(-5)
|
||||
Dim jetzt As DateTime = DateTime.UtcNow
|
||||
Dim wenn As DateTime = DateTime.UtcNow.AddSeconds(-5)
|
||||
|
||||
|
||||
If jetzt < wenn Then
|
||||
Return "NotYet"
|
||||
Else
|
||||
token = Convert.ToBase64String(time.Concat(Key).ToArray())
|
||||
Return token
|
||||
If jetzt < wenn Then
|
||||
Return "NotYet"
|
||||
Else
|
||||
token = Convert.ToBase64String(time.Concat(Key).ToArray())
|
||||
Return token
|
||||
End If
|
||||
End If
|
||||
End If
|
||||
End Try
|
||||
End Try
|
||||
Else
|
||||
MsgBox("Bitte alle Fleder ausfüllen!")
|
||||
Return "Error04"
|
||||
End If
|
||||
End Function
|
||||
|
||||
|
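Review bot: The added guard `If username = Not Nothing And email = Not Nothing Then` does not test for a missing value: `Not Nothing` negates a default value rather than meaning "non-null", so the string is compared against that result, and form fields usually arrive as empty strings rather than Nothing, which this condition would not reject either — the empty-input path the commit intends to close still appears reachable. Write the check as `If Not String.IsNullOrWhiteSpace(username) AndAlso Not String.IsNullOrWhiteSpace(email) Then` (`AndAlso` also short-circuits, unlike `And`). The token itself is a timestamp concatenated with a GUID; GUIDs are not specified to be unpredictable, so a reset token should be generated from System.Security.Cryptography.RandomNumberGenerator instead. The enclosing function (apparently genToken, which the hunk calls recursively) begins before the hunk.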
||||
@@ -193,6 +197,8 @@ Partial Class login_ForgotPW
|
||||
Return False
|
||||
ElseIf tokenname = "NotYet" Then
|
||||
Return False
|
||||
ElseIf tokenname = "Error04" Then
|
||||
Return False
|
||||
Else
|
||||
Return True
|
||||
End If
|
||||
|
||||
@@ -79,7 +79,7 @@
|
||||
<asp:Login ID = "Login1" runat = "server" OnAuthenticate= "ValidateUser" DestinationPageUrl="../Customers/CustomsAviso.aspx" >
|
||||
<LayoutTemplate>
|
||||
<center>
|
||||
<table cellpadding="0">
|
||||
<table cellpadding="0" style="margin: 6px 0px 6px 6px;">
|
||||
<tr style="color:#003680; height:30px;">
|
||||
<td align="left" style="color:#fff;font-kerning:auto;">
|
||||
<asp:Label ID="lbl_login" runat="server" style="color:#003680; font-size:20px;font-weight:700;" Text="Login"></asp:Label>
|
||||
@@ -87,7 +87,7 @@
|
||||
</tr>
|
||||
<tr style="color:#003680; height:46px;">
|
||||
<td align="left">
|
||||
<asp:Label ID="CustomerIDLabel" runat="server" AssociatedControlID="CustomerID" CssClass="txt_design2">Kundennummer:</asp:Label>
|
||||
<asp:Label ID="CustomerIDLabel" runat="server" AssociatedControlID="CustomerID" CssClass="txt_design2">Kundennummer</asp:Label>
|
||||
<asp:TextBox ID="CustomerID" runat="server" required="true" Width = "220" ValidationGroup="txt_checkUID" OnTextChanged="CustomerID_TextChanged1" Font-Size="1.125em"></asp:TextBox>
|
||||
</td>
|
||||
</tr>
|
||||
@@ -102,22 +102,22 @@
|
||||
</tr>
|
||||
<tr style="color:#003680; height:46px;">
|
||||
<td align="left" colspan="2">
|
||||
<asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName" CssClass="txt_design2">Benutzername:</asp:Label>
|
||||
<asp:Label ID="UserNameLabel" runat="server" AssociatedControlID="UserName" CssClass="txt_design2">Benutzername</asp:Label>
|
||||
<asp:TextBox ID="UserName" runat="server" TextMode="SingleLine" Width = "220" ValidationGroup="txt_Username" required="true" Font-Size="1.125em"></asp:TextBox>
|
||||
</td>
|
||||
</tr>
|
||||
<tr style="color:#003680; height:46px;">
|
||||
<tr style="color:#003680; height:15px;">
|
||||
<td align="left" colspan="4">
|
||||
<asp:RequiredFieldValidator ID="UserNamerequired" runat="server" ControlToValidate="UserName" ErrorMessage="Der Benutzername ist erforderlich." ToolTip="Der Benutzername ist erforderlich." ValidationGroup="txt_Username">Der Benutzername ist erforderlich.</asp:RequiredFieldValidator>
|
||||
</td>
|
||||
</tr>
|
||||
<tr style="color:#003680; height:46px;">
|
||||
<td align="left" colspan="2">
|
||||
<asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password" CssClass="txt_design2">Kennwort:</asp:Label>
|
||||
<tr style="color:#003680; height:46px;">
|
||||
<td align="left" colspan="2">
|
||||
<asp:Label ID="PasswordLabel" runat="server" AssociatedControlID="Password" CssClass="txt_design2">Kennwort</asp:Label>
|
||||
<asp:TextBox ID="Password" runat="server" TextMode="Password" required="true" Width = "220" Font-Size="1.125em" ValidationGroup="chk_PWField" MaxLength="30"></asp:TextBox>
|
||||
</td>
|
||||
</tr>
|
||||
<tr style="color:#003680; height:46px;">
|
||||
<tr style="color:#003680; height:15px;">
|
||||
<td align="left" colspan="2">
|
||||
<asp:RequiredFieldValidator ID="Passwordrequired" runat="server" ControlToValidate="Password" ErrorMessage="Das Kennwort ist erforderlich." ToolTip="Das Kennwort ist erforderlich." ValidationGroup="chk_PWField">Bitte Passwort angeben.</asp:RequiredFieldValidator>
|
||||
<asp:RegularExpressionValidator ID="checkpwdREGEX" ControlToValidate="Password" ValidationGroup="chk_PWField" runat="server" Display="Dynamic" SetFocusOnError="true" ValidationExpression="<%=regexPWVal %>"></asp:RegularExpressionValidator>
|
||||
|
||||