postcheck_functions.php
1 <?php
2 
{
    // Body of Protector's "postcommon" hook (presumably protector_postcommon();
    // the signature line is not part of this listing). It runs once the core has
    // loaded $xoopsUser / $xoopsModule and applies the checks that need them:
    // admin-group IP pinning, reliable-IP bypass, brute-force / DoS / SQL-injection
    // detection, session IP-move detection, and the spam / registration filters.
    // Returns true early when the module is not installed, globally disabled, or
    // the client matches a reliable IP; otherwise the checks themselves decide
    // whether to log, ban, purge the session or terminate the request.
    // NOTE(review): the lines that initialise $db and $protector are also missing
    // from this listing — confirm against the source file before relying on it.
    global $xoopsUser , $xoopsModule ;

    // patch for 2.2.x from xoops.org (I know this is not so beautiful...)
    // Loose numeric comparison on a three-character slice of the version
    // constant; the REQUEST_URI test is a case-insensitive substring match on a
    // request-controlled value, not a route check.
    if( substr( @XOOPS_VERSION , 6 , 3 ) > 2.0 && stristr( @$_SERVER['REQUEST_URI'] , 'modules/system/admin.php?fct=preferences' ) ) {
        $module_handler =& xoops_gethandler( 'module' ) ;
        // intval() bounds the request-supplied module id to an integer before the lookup
        $module =& $module_handler->get( intval( @$_GET['mod'] ) ) ;
        if( is_object( $module ) ) {
            $module->getInfo() ;
        }
    }

    // configs writable check
    // Only fires for a REQUEST_URI of exactly '/admin.php'. The warning text
    // embeds the absolute filesystem path; whether that reaches the browser
    // depends on the error-display configuration.
    if( @$_SERVER['REQUEST_URI'] == '/admin.php' && ! is_writable( dirname(dirname(__FILE__)).'/configs' ) ) {
        trigger_error( 'You should turn the directory ' . dirname(dirname(__FILE__)).'/configs writable' , E_USER_WARNING ) ;
    }

    // Protector object
    require_once dirname(dirname(__FILE__)).'/class/protector.php' ;
    // NOTE(review): $db and $protector are expected to be assigned between the
    // require_once above and the setConn() call, by lines absent from this
    // listing — TODO confirm.
    $protector->setConn( $db->conn ) ;
    $protector->updateConfFromDb() ;
    $conf = $protector->getConf() ;
    if( empty( $conf ) ) return true ; // not installed yet

    // phpmailer vulnerability
    // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
    // Only the three listed core versions are examined; the md5 pins the known
    // vulnerable class.phpmailer.php and the notice is echoed straight into the
    // response body. This is informational only — nothing is blocked.
    if( in_array( substr( XOOPS_VERSION , 0 , 12 ) , array( 'XOOPS 2.0.16' , 'XOOPS 2.0.13' , 'XOOPS 2.2.4' ) ) ) {
        $config_handler =& xoops_gethandler('config');
        $xoopsMailerConfig =& $config_handler->getConfigsByCat(XOOPS_CONF_MAILER);
        if( $xoopsMailerConfig['mailmethod'] == 'sendmail' && md5_file( XOOPS_ROOT_PATH.'/class/mail/phpmailer/class.phpmailer.php' ) == 'ee1c09a8e579631f0511972f929fe36a' ) {
            echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>' ;
        }
    }

    // global enabled or disabled: every check below is skipped when the
    // module is globally disabled in its configuration
    if( ! empty( $conf['global_disabled'] ) ) return true ;

    // group1_ips (groupid=1)
    // Members of group 1 (the admin group) can be pinned to a list of allowed
    // IPs; a client outside that list is refused outright with die().
    if( is_object( $xoopsUser ) && in_array( 1 , $xoopsUser->getGroups() ) ) {
        $group1_ips = $protector->get_group1_ips( true ) ;
        // enforced only when the list has at least one key (truthiness of the joined keys)
        if( implode( '' , array_keys( $group1_ips ) ) ) {
            $group1_allow = $protector->ip_match( $group1_ips ) ;
            if( empty( $group1_allow ) ) die( 'This account is disabled for your IP by Protector.<br />Clear cookie if you want to access this site as a guest.' ) ;
        }
    }

    // reliable ips
    // A match returns immediately and exempts the client from everything that
    // follows (brute force, DoS, SQL-injection and spam checks), so the list
    // should be as narrow as possible. The list is the admin-written DB config
    // value run through unserialize().
    // NOTE(review): each entry is interpolated unescaped and unanchored into a
    // PCRE pattern: '.' matches any character and '192.168.1.1' also matches
    // '192.168.1.10'. An entry containing '/' or invalid regex syntax makes
    // preg_match() return false, i.e. that entry simply grants no bypass.
    $reliable_ips = @unserialize( @$conf['reliable_ips'] ) ;
    if( is_array( $reliable_ips ) ) foreach( $reliable_ips as $reliable_ip ) {
        if( ! empty( $reliable_ip ) && preg_match( '/'.$reliable_ip.'/' , $_SERVER['REMOTE_ADDR'] ) ) {
            return true ;
        }
    }

    // user information (uid and can be banned)
    if( is_object( @$xoopsUser ) ) {
        $uid = $xoopsUser->getVar('uid') ;
        // $can_ban is false when the user belongs to any group listed in bip_except.
        // NOTE(review): a bip_except value that does not unserialize to an array
        // reaches array_intersect() as false; on PHP 8 that is a TypeError which
        // the @ does not suppress — confirm the stored format.
        $can_ban = count( @array_intersect( $xoopsUser->getGroups() , @unserialize( @$conf['bip_except'] ) ) ) ? false : true ;
    } else {
        // login failed check
        // Guests presenting credentials — a login form POST or the autologin
        // cookie pair — are run through the brute-force counter.
        if( ( ! empty( $_POST['uname'] ) && ! empty( $_POST['pass'] ) ) || ( ! empty( $_COOKIE['autologin_uname'] ) && ! empty( $_COOKIE['autologin_pass'] ) ) ) {
            $protector->check_brute_force() ;
        }
        $uid = 0 ;
        $can_ban = true ;
    }
    // CHECK for spammers IPS/EMAILS during POST Actions
    // (non-strict comparison; an unset action is also != 'none' and runs the check)
    if(@$conf['stopforumspam_action'] != 'none') {
        $protector->stopforumspam($uid);
    }

    // If precheck has already judged that he should be banned
    // _should_be_banned registers the IP without an expiry; _should_be_banned_time0
    // registers it with an expiry of banip_time0 seconds. Both respect $can_ban.
    if( $can_ban && $protector->_should_be_banned ) {
        $protector->register_bad_ips() ;
    } else if( $can_ban && $protector->_should_be_banned_time0 ) {
        $protector->register_bad_ips( time() + $protector->_conf['banip_time0'] ) ;
    }

    // DOS/CRAWLER skipping based on 'dirname' or getcwd()
    // explode() always yields an array, so the is_array() guard never triggers.
    $dos_skipping = false ;
    $skip_dirnames = explode( '|' , @$conf['dos_skipmodules'] ) ;
    if( ! is_array( $skip_dirnames ) ) $skip_dirnames = array() ;
    if( is_object( @$xoopsModule ) ) {
        // inside a module: whole-value (non-strict) match on the module dirname
        if( in_array( $xoopsModule->getVar('dirname') , $skip_dirnames ) ) {
            $dos_skipping = true ;
        }
    } else {
        // outside a module: substring match against the working directory, so a
        // short entry such as 'a' exempts far more paths than intended
        foreach( $skip_dirnames as $skip_dirname ) {
            if( $skip_dirname && strstr( getcwd() , $skip_dirname ) ) {
                $dos_skipping = true ;
                break ;
            }
        }
    }

    // module can control DoS skipping by defining this constant before the hook runs
    if( defined( 'PROTECTOR_SKIP_DOS_CHECK' ) ) $dos_skipping = true ;

    // DoS Attack
    // check_dos_attack() receives $can_ban so it can decide whether to ban; a
    // failed check is logged with the type the check left in last_error_type.
    if( empty( $dos_skipping ) && ! $protector->check_dos_attack( $uid , $can_ban ) ) {
        $protector->output_log( $protector->last_error_type , $uid , true , 16 ) ;
    }


    // check session hi-jacking
    // Compares the top session_fixed_topbit bits of the IP stored in the session
    // with the current REMOTE_ADDR; an unset or out-of-range topbit leaves $shift
    // outside 0..31 and disables the check. Only members of groups_denyipmove
    // whose IP moved get their session purged.
    // NOTE(review): the dotted-quad arithmetic is IPv4-only. An IPv6 REMOTE_ADDR
    // does not map to a 32-bit value, and on PHP 8 its non-numeric pieces are a
    // TypeError that @ does not suppress — confirm the target runtime.
    $ips = explode( '.' , @$_SESSION['protector_last_ip'] ) ;
    $protector_last_numip = @$ips[0] * 0x1000000 + @$ips[1] * 0x10000 + @$ips[2] * 0x100 + @$ips[3] ;
    $ips = explode( '.' , $_SERVER['REMOTE_ADDR'] ) ;
    $remote_numip = @$ips[0] * 0x1000000 + @$ips[1] * 0x10000 + @$ips[2] * 0x100 + @$ips[3] ;
    $shift = 32 - @$conf['session_fixed_topbit'] ;
    // '>>' binds tighter than '!=', so both sides are shifted before comparison
    if( $shift < 32 && $shift >= 0 && ! empty( $_SESSION['protector_last_ip'] ) && $protector_last_numip >> $shift != $remote_numip >> $shift ) {
        // NOTE(review): unserialize() here has no @ and no is_array() guard — a
        // malformed groups_denyipmove value reaches array_intersect() as false.
        if( is_object( $xoopsUser ) && count( array_intersect( $xoopsUser->getGroups() , unserialize( $conf['groups_denyipmove'] ) ) ) ) {
            $protector->purge( true ) ;
        }
    }
    $_SESSION['protector_last_ip'] = $_SERVER['REMOTE_ADDR'] ;

    // SQL Injection "Isolated /*"
    // isocom_action is a bitmask: bit 1 is forwarded as the check's argument
    // (its effect is defined inside the Protector class, not here), 8 bans
    // without expiry, 4 bans with expiry banip_time0 (both only when $can_ban),
    // 2 purges the session. union_action below uses the same layout.
    if( ! $protector->check_sql_isolatedcommentin( @$conf['isocom_action'] & 1 ) ) {
        if( ( $conf['isocom_action'] & 8 ) && $can_ban ) $protector->register_bad_ips() ;
        else if( ( $conf['isocom_action'] & 4 ) && $can_ban ) $protector->register_bad_ips( time() + $protector->_conf['banip_time0'] ) ;
        $protector->output_log( 'ISOCOM' , $uid , true , 32 ) ;
        if( $conf['isocom_action'] & 2 ) $protector->purge() ;
    }

    // SQL Injection "UNION"
    if( ! $protector->check_sql_union( @$conf['union_action'] & 1 ) ) {
        if( ( $conf['union_action'] & 8 ) && $can_ban ) $protector->register_bad_ips() ;
        else if( ( $conf['union_action'] & 4 ) && $can_ban ) $protector->register_bad_ips( time() + $protector->_conf['banip_time0'] ) ;
        $protector->output_log( 'UNION' , $uid , true , 32 ) ;
        if( $conf['union_action'] & 2 ) $protector->purge() ;
    }

    if( ! empty( $_POST ) ) {
        // SPAM Check
        // Admin users are exempt; a threshold that is empty/zero disables the
        // check for that audience.
        if( is_object( $xoopsUser ) ) {
            if( ! $xoopsUser->isAdmin() && $conf['spamcount_uri4user'] ) {
                $protector->spam_check( intval( $conf['spamcount_uri4user'] ) , $xoopsUser->getVar('uid') ) ;
            }
        } else if( $conf['spamcount_uri4guest'] ) {

            $protector->spam_check( intval( $conf['spamcount_uri4guest'] ) , 0 ) ;
        }

        // filter plugins for POST on postcommon stage
        $protector->call_filter( 'postcommon_post' ) ;
    }

    // register.php Protection
    // Exact string comparison against the script path; a symlinked or
    // differently normalised path would not be recognised as register.php.
    if( $_SERVER['SCRIPT_FILENAME'] == XOOPS_ROOT_PATH.'/register.php' ) {
        $protector->call_filter( 'postcommon_register' ) ;
    }

}
160 
161 ?>