From 760e9d4323dce69901ea8b8dbd96ef5172734614 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Tue, 2 May 2017 19:19:27 -0600
Subject: [PATCH] Improve logging, fix bug allowing login with only username and 2fa code
---
 index.php | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/index.php b/index.php
index 1d9d55a..57a752c 100644
--- a/index.php
+++ b/index.php
@@ -27,6 +27,7 @@ if ($VARS['progress'] == "1") {
 break;
 }
 if ($userpass_ok) {
+ $_SESSION['passok'] = true; // stop logins using only username and authcode
 if (userHasTOTP($VARS['username'])) {
 $multiauth = true;
 } else {
@@ -38,13 +39,17 @@ if ($VARS['progress'] == "1") {
 }
 } else {
 $alert = lang("login incorrect", false);
- insertAuthLog(2, null, "Username: ".$VARS['username']);
+ insertAuthLog(2, null, "Username: " . $VARS['username']);
 }
 } else {
 $alert = lang("captcha error", false);
- insertAuthLog(8, null, "Username: ".$VARS['username']);
+ insertAuthLog(8, null, "Username: " . $VARS['username']);
 }
 } else if ($VARS['progress'] == "2") {
+ if ($_SESSION['passok'] !== true) {
+ // stop logins using only username and authcode
+ sendError("Password integrity check failed!");
+ }
 if (verifyTOTP($VARS['username'], $VARS['authcode'])) {
 doLoginUser($VARS['username'], $VARS['password']);
 insertAuthLog(1, $_SESSION['uid']);
@@ -52,7 +57,7 @@ if ($VARS['progress'] == "1") {
 die("Logged in, go to home.php");
 } else {
 $alert = lang("2fa incorrect", false);
- insertAuthLog(6, null, "Username: ".$VARS['username']);
+ insertAuthLog(6, null, "Username: " . $VARS['username']);
 }
 }
 ?>
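Review bot: The `$_SESSION['passok'] = true;` flag added after the password check records that some password was accepted in this session, but not for which username, and nothing in this patch ever clears it; the progress-2 branch in the second hunk only tests the boolean, so the flag outlives the attempt and is not tied to the account whose TOTP code is then verified with `verifyTOTP($VARS['username'], ...)`. Record the verified identity next to the flag, `$_SESSION['passok_user'] = $VARS['username'];`, reset both at the top of the progress-1 branch and after `doLoginUser()` in progress 2, and in progress 2 compare the posted username against the stored one before calling `verifyTOTP()`. If the session is regenerated or cleared elsewhere in this login flow, part of the lifetime concern may already be handled — that is not visible from this hunk. The enclosing `if ($VARS['progress'] == "1")` block starts before this hunk.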
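Review bot: `if ($_SESSION['passok'] !== true)` in the progress-2 branch reads the key without an existence check, so a progress-2 request that arrives before any progress-1 step (or after the session expired) raises an undefined-index notice; the comparison still fails closed because null !== true, but it should be written explicitly, `if (!isset($_SESSION['passok']) || $_SESSION['passok'] !== true) {`. Whether `sendError()` terminates the request is not visible here; if it only renders a message, execution continues into `verifyTOTP()` and `doLoginUser()` and the guard does nothing, so either confirm it never returns or add an `exit;` after it. The message `"Password integrity check failed!"` also describes the condition inaccurately — the password was never checked in this request — and a wording such as "Login step out of order" would help whoever reads the auth log later. The if/else-if chain continues past the end of this hunk.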