Fix MFA Enforcement

agent/user/mfa_enforcement.php

@@ -1,8 +1,8 @@
 <?php
-require_once "../config.php";
-require_once "../functions.php";
-require_once "../includes/check_login.php";
-require_once '../plugins/totp/totp.php'; //TOTP MFA Lib
+require_once "../../config.php";
+require_once "../../functions.php";
+require_once "../../includes/check_login.php";
+require_once '../../plugins/totp/totp.php'; //TOTP MFA Lib
 
 // Get Company Logo
 $sql = mysqli_query($mysqli, "SELECT company_logo FROM companies");
@@ -36,28 +36,28 @@ $data = "otpauth://totp/ITFlow:$session_email?secret=$token";
     Favicon
     If Fav Icon exists else use the default one 
     -->
-    <?php if(file_exists('../uploads/favicon.ico')) { ?>
-        <link rel="icon" type="image/x-icon" href="/uploads/favicon.ico">
+    <?php if(file_exists('../../uploads/favicon.ico')) { ?>
+        <link rel="icon" type="image/x-icon" href="../../uploads/favicon.ico">
     <?php } ?>
     
     <!-- Font Awesome Icons -->
-    <link rel="stylesheet" href="../plugins/fontawesome-free/css/all.min.css">
+    <link rel="stylesheet" href="../../plugins/fontawesome-free/css/all.min.css">
 
     <!-- Theme style -->
-    <link rel="stylesheet" href="../plugins/adminlte/css/adminlte.min.css">
-    <link href="../plugins/toastr/toastr.min.css" rel="stylesheet">
+    <link rel="stylesheet" href="../../plugins/adminlte/css/adminlte.min.css">
+    <link href="../../plugins/toastr/toastr.min.css" rel="stylesheet">
 
     <!-- jQuery -->
-    <script src="../plugins/jquery/jquery.min.js"></script>
-    <script src="../plugins/toastr/toastr.min.js"></script>
+    <script src="../../plugins/jquery/jquery.min.js"></script>
+    <script src="../../plugins/toastr/toastr.min.js"></script>
 
 </head>
 <body class="hold-transition login-page">
-    <?php require_once "../includes/inc_alert_feedback.php"; ?>
+    <?php require_once "../../includes/inc_alert_feedback.php"; ?>
     <div class="login-box">
         <div class="login-logo">
             <?php if (!empty($company_logo)) { ?>
-                <img alt="<?= nullable_htmlentities($company_name)?> logo" height="110" width="380" class="img-fluid" src="<?php echo "../uploads/settings/$company_logo"; ?>">
+                <img alt="<?= nullable_htmlentities($company_name)?> logo" height="110" width="380" class="img-fluid" src="<?php echo "../../uploads/settings/$company_logo"; ?>">
             <?php } else { ?>
                 <span class="text-primary text-bold"><i class="fas fa-paper-plane mr-2"></i>IT</span>Flow
             <?php } ?>
@@ -72,7 +72,7 @@ $data = "otpauth://totp/ITFlow:$session_email?secret=$token";
                 <form action="post.php" method="post" autocomplete="off">
                     <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
                     
-                    <img src='../plugins/barcode/barcode.php?f=png&s=qr&d=<?php echo $data; ?>' data-toggle="tooltip" title="Scan QR code into your MFA App">
+                    <img src='../../plugins/barcode/barcode.php?f=png&s=qr&d=<?php echo $data; ?>' data-toggle="tooltip" title="Scan QR code into your MFA App">
                    
                     <p>
                         <small data-toggle="tooltip" title="Can't Scan? Copy and paste this code into your app"><?php echo $token; ?></small>
@@ -100,10 +100,10 @@ $data = "otpauth://totp/ITFlow:$session_email?secret=$token";
     <!-- REQUIRED SCRIPTS -->
 
     <!-- Bootstrap 4 -->
-    <script src="../plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
+    <script src="../../plugins/bootstrap/js/bootstrap.bundle.min.js"></script>
 
     <!-- Custom js-->
-    <script src="../plugins/clipboardjs/clipboard.min.js"></script>
+    <script src="../../plugins/clipboardjs/clipboard.min.js"></script>
 
     <script>
 

agent/user/post/profile.php

@@ -60,7 +60,7 @@ if (isset($_POST['edit_your_user_details'])) {
             move_uploaded_file($file_tmp_path, $dest_path);
 
             // Delete old file
-            unlink("../uploads/users/$session_user_id/$existing_file_name");
+            unlink("../../uploads/users/$session_user_id/$existing_file_name");
 
             // Set Avatar
             mysqli_query($mysqli,"UPDATE users SET user_avatar = '$new_file_name' WHERE user_id = $session_user_id");
@@ -193,7 +193,7 @@ if (isset($_POST['enable_mfa'])) {
 
     validateCSRFToken($_POST['csrf_token']);
 
-    require_once "../plugins/totp/totp.php";
+    require_once "../../plugins/totp/totp.php";
 
     // Grab the code from the user
     $verify_code = trim($_POST['verify_code']); 
@@ -226,7 +226,7 @@ if (isset($_POST['enable_mfa'])) {
             $previousPage = basename(parse_url($_SERVER['HTTP_REFERER'], PHP_URL_PATH));
             if ($previousPage === 'mfa_enforcement.php') {
                 // Redirect back to mfa_enforcement.php
-                redirect("$config_start_page");
+                redirect("../$config_start_page");
                 
             }
         }    

login.php

@@ -195,7 +195,7 @@ if (isset($_POST['login'])) {
 
             // Forcing MFA
             if ($force_mfa == 1 && $token == NULL) {
-                $config_start_page = "mfa_enforcement.php";
+                $config_start_page = "user/mfa_enforcement.php";
             }
 
             // Setup encryption session key

post/logout.php

@@ -24,9 +24,9 @@ if (isset($_GET['logout'])) {
     session_destroy();
 
     if ($config_login_key_required == 1) {
-        header('Location: ../login.php?key=' . $config_login_key_secret);
+        header('Location: ../../login.php?key=' . $config_login_key_secret);
     } else {
-        header('Location: ../login.php');
+        header('Location: ../../login.php');
     }
 }