Merge pull request #736 from wrongecho/ir-agent-force-pw-reset

Add function to reset all user/agent passwords in case of IR
2023-10-08 19:55:30 -04:00 · 2023-10-08 19:55:30 -04:00 · fac9f9502a
parent dcd17c7556 45b3311f54
commit fac9f9502a
3 changed files with 80 additions and 0 deletions
--- a/post/user.php
+++ b/post/user.php
@ -280,3 +280,47 @@ if (isset($_POST['export_users_csv'])) {
    exit;

 }
+
+if (isset($_POST['ir_reset_user_password'])) {
+
+    // Incident response: allow mass reset of agent passwords
+
+    validateAdminRole();
+
+    validateCSRFToken($_POST['csrf_token']);
+
+    // Confirm logged-in user password, for security
+    $admin_password = $_POST['admin_password'];
+    $sql = mysqli_query($mysqli, "SELECT * FROM users WHERE user_id = $session_user_id");
+    $userRow = mysqli_fetch_array($sql);
+    if (!password_verify($admin_password, $userRow['user_password'])) {
+        $_SESSION['alert_type'] = "error";
+        $_SESSION['alert_message'] = "Incorrect password.";
+        header("Location: " . $_SERVER["HTTP_REFERER"]);
+        exit;
+    }
+
+    // Get agents/users, other than the current user
+    $sql_users = mysqli_query($mysqli, "SELECT * FROM users WHERE (user_archived_at IS NULL AND user_id != $session_user_id)");
+
+    // Reset passwords
+    while ($row = mysqli_fetch_array($sql_users)) {
+        $user_id = intval($row['user_id']);
+        $user_email = sanitizeInput($row['user_email']);
+        $new_password = randomString();
+        $user_specific_encryption_ciphertext = encryptUserSpecificKey(trim($new_password));
+
+        echo $user_email . " -- " . $new_password; // Show
+        $new_password = password_hash($new_password, PASSWORD_DEFAULT);
+
+        mysqli_query($mysqli, "UPDATE users SET user_password = '$new_password', user_specific_encryption_ciphertext = '$user_specific_encryption_ciphertext' WHERE user_id = $user_id");
+
+        echo "<br><br>";
+    }
+
+    // Logging
+    mysqli_query($mysqli, "INSERT INTO logs SET log_type = 'User', log_action = 'Modify', log_description = '$session_name reset ALL user passwords', log_ip = '$session_ip', log_user_agent = '$session_user_agent',  log_user_id = $session_user_id");
+
+    exit; // Stay on the plain text password page
+
+}
--- a/user_all_reset_password_modal.php
+++ b/user_all_reset_password_modal.php
@ -0,0 +1,31 @@
+<div class="modal" id="resetAllUserPassModal" tabindex="-1">
+    <div class="modal-dialog modal-lg">
+        <div class="modal-content">
+            <div class="modal-body">
+                <div class="mb-4" style="text-align: center;">
+                    <i class="far fas fa-10x fa-skull-crossbones text-danger mb-3 mt-3"></i>
+                    <h2>Incident Response: Agent Password Reset</h2>
+                    <br>
+                    <div class="alert alert-danger" role="alert">
+                        <b>This is a potentially destructive function.<br>It is intended to be used as part of a potential security incident.</b>
+                    </div>
+                    <h6 class="mb-4 text-secondary"><b>All ITFlow agent passwords will be reset and shown to you </b><i>(except yours - change yours first!)</i>.<br/><br/>You should communicate temporary passwords to agents out of band (e.g. via a phone call) and require they are changed ASAP.</h6>
+                    <form action="post.php" method="POST">
+                        <input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token'] ?>">
+                        <div class="row col-7 offset-4">
+                            <div class="input-group">
+                                <div class="input-group-prepend">
+                                    <input type="password" class="form-control" placeholder="Enter your account password to continue" name="admin_password" autocomplete="new-password" required>
+                                </div>
+                            </div>
+                        </div>
+                        <br>
+                        <button class="btn btn-danger" type="submit" name="ir_reset_user_password"><i class="fas fa-fw fa-key mr-2"></i>Reset passwords</button>
+                    </form>
+                </div>
+                <button type="button" class="btn btn-outline-secondary btn-lg px-5 mr-4" data-dismiss="modal">Cancel</button>
+
+            </div>
+        </div>
+    </div>
+</div>
--- a/users.php
+++ b/users.php
@ -33,6 +33,10 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                <button type="button" class="btn btn-primary dropdown-toggle dropdown-toggle-split" data-toggle="dropdown"></button>
                <div class="dropdown-menu">
                    <!--<a class="dropdown-item text-dark" href="#" data-toggle="modal" data-target="#userInviteModal"><i class="fas fa-paper-plane mr-2"></i>Invite User</a>-->
+                    <?php if ($num_rows[0] > 1) { ?>
+                        <div class="dropdown-divider"></div>
+                        <a class="dropdown-item text-danger" href="#" data-toggle="modal" data-target="#resetAllUserPassModal"><i class="fas fa-skull-crossbones mr-2"></i>IR</a>
+                    <?php } ?>
                </div>
            </div>
        </div>
@ -197,4 +201,5 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
 require_once("user_add_modal.php");
 require_once("user_invite_modal.php");
 require_once("user_export_modal.php");
+require_once("user_all_reset_password_modal.php");
 require_once("footer.php");