1: <?php
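/**
 * Protector "postcheck" preload hook, run once the XOOPS core has loaded its
 * configuration and resolved the current user and module.
 *
 * In order it: refreshes the module info on the system preferences page,
 * warns when the configs directory is not writable, prints the legacy
 * phpmailer warning, enforces the group-1 IP restriction, lets "reliable"
 * IPs bypass everything that follows, then runs the brute-force,
 * stopforumspam, DoS, session-IP-move and SQL-injection checks and finally
 * the spam and register filters. Several of these checks end the request
 * themselves (die() / purge()); the hook itself always returns true.
 *
 * @return bool always true (the return value is a preload-hook convention)
 */
function protector_postcheck()
{
    $xoops = Xoops::getInstance();
    $xoops->db();
    global $xoopsDB;

    // Request facts used in several places below, normalised to strings so
    // missing keys neither warn nor (on PHP 8) throw on string operations.
    $request_uri     = isset($_SERVER['REQUEST_URI']) ? (string)$_SERVER['REQUEST_URI'] : '';
    $remote_addr     = isset($_SERVER['REMOTE_ADDR']) ? (string)$_SERVER['REMOTE_ADDR'] : '';
    $script_filename = isset($_SERVER['SCRIPT_FILENAME']) ? (string)$_SERVER['SCRIPT_FILENAME'] : '';
    // XOOPS_VERSION has the shape "XOOPS x.y.z" (cf. the list below), so
    // offset 6 is the start of the numeric part.
    $xoops_version   = defined('XOOPS_VERSION') ? (string)XOOPS_VERSION : '';

    // On cores newer than 2.0 the module info is re-read while on the
    // preferences page so the preference form reflects the current xoops_version.
    if (substr($xoops_version, 6, 3) > 2.0 && stristr($request_uri, 'modules/system/admin.php?fct=preferences')) {
        $module_handler = $xoops->getHandlerModule();
        $mod_id = isset($_GET['mod']) ? (int)$_GET['mod'] : 0;
        $module = $module_handler->get($mod_id);
        if (is_object($module)) {
            $module->getInfo();
        }
    }

    // Protector stores its own files under <module>/configs; warn the admin
    // (only on the admin front page) when that directory cannot be written.
    $configs_dir = dirname(__DIR__) . '/configs';
    if ($request_uri === '/admin.php' && !is_writable($configs_dir)) {
        trigger_error('You should turn the directory ' . $configs_dir . ' writable', E_USER_WARNING);
    }

    require_once dirname(__DIR__) . '/class/protector.php';
    $protector = Protector::getInstance();
    $protector->setConn($xoopsDB->conn);
    $protector->updateConfFromDb();
    $conf = $protector->getConf();
    if (empty($conf)) {
        return true;
    }

    // Legacy warning: on these exact core releases, the shipped phpmailer
    // (identified by its md5) combined with the "sendmail" mail method is
    // reported as a security hole. is_file() avoids an md5_file() warning
    // when the file is absent.
    if (in_array(substr($xoops_version, 0, 12), array('XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'), true)) {
        $xoopsMailerConfig = $xoops->getConfigs();
        $mailer_file = \XoopsBaseConfig::get('root-path') . '/class/mail/phpmailer/class.phpmailer.php';
        if (isset($xoopsMailerConfig['mailmethod'])
            && $xoopsMailerConfig['mailmethod'] === 'sendmail'
            && is_file($mailer_file)
            && md5_file($mailer_file) === 'ee1c09a8e579631f0511972f929fe36a') {
            echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>';
        }
    }

    if (!empty($conf['global_disabled'])) {
        return true;
    }

    // Group 1 (the admin group) may be restricted to a set of IPs; a session
    // for such a user coming from another address is terminated outright.
    // in_array() is kept non-strict on purpose: the group ids returned by
    // getGroups() are not guaranteed to be ints here.
    if ($xoops->isUser() && in_array(1, $xoops->user->getGroups())) {
        $group1_ips = $protector->get_group1_ips(true);
        // Any configured entry at all (the keys carry the IP patterns) enables the check.
        if (implode('', array_keys($group1_ips))) {
            $group1_allow = $protector->ip_match($group1_ips);
            if (empty($group1_allow)) {
                die('This account is disabled for your IP by Protector.<br />Clear cookie if you want to access this site as a guest.');
            }
        }
    }

    // "Reliable" IPs skip every check below. Each entry is used verbatim as a
    // regex body against REMOTE_ADDR: it is neither anchored nor preg_quote'd,
    // so a plain "10.0.0.1" also matches e.g. "110.0.0.12" — entries should be
    // written as anchored regexes. The value is admin-set config, not user
    // input. NOTE(review): unserialize() of DB-stored config; consider the
    // allowed_classes => false option where the PHP baseline permits it.
    $reliable_ips = isset($conf['reliable_ips']) ? @unserialize($conf['reliable_ips']) : false;
    if (is_array($reliable_ips)) {
        foreach ($reliable_ips as $reliable_ip) {
            if (empty($reliable_ip)) {
                continue;
            }
            if (preg_match('/' . $reliable_ip . '/', $remote_addr)) {
                return true;
            }
        }
    }

    // Identify the requester and decide whether it may be auto-banned at all:
    // members of any "bip_except" group are exempt. is_array() guards the
    // unserialize() result — array_intersect() on false is a TypeError on PHP 8.
    if ($xoops->isUser()) {
        $uid = $xoops->user->getVar('uid');
        $bip_except = isset($conf['bip_except']) ? @unserialize($conf['bip_except']) : false;
        $can_ban = !(is_array($bip_except) && count(array_intersect($xoops->user->getGroups(), $bip_except)));
    } else {
        // A guest presenting credentials (login form or autologin cookie) is
        // counted by the brute-force detector before anything else.
        if ((!empty($_POST['uname']) && !empty($_POST['pass']))
            || (!empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass']))) {
            $protector->check_brute_force();
        }
        $uid = 0;
        $can_ban = true;
    }

    // A missing setting is treated as "not none", i.e. the check runs.
    $sfs_action = isset($conf['stopforumspam_action']) ? $conf['stopforumspam_action'] : null;
    if ($sfs_action !== 'none') {
        $protector->stopforumspam($uid);
    }

    // Apply a ban flagged by the checks above: without expiry, or with the
    // configured "time0" expiry for the softer flag.
    if ($can_ban && $protector->_should_be_banned) {
        $protector->register_bad_ips();
    } elseif ($can_ban && $protector->_should_be_banned_time0) {
        $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
    }

    // DoS check, unless disabled by constant, by the current module's dirname
    // being listed in dos_skipmodules, or (outside a module) by the working
    // directory containing one of the listed names.
    $dos_skipping = defined('PROTECTOR_SKIP_DOS_CHECK');
    if (!$dos_skipping) {
        $skip_modules  = isset($conf['dos_skipmodules']) ? (string)$conf['dos_skipmodules'] : '';
        $skip_dirnames = explode('|', $skip_modules);
        if ($xoops->isModule()) {
            if (in_array($xoops->module->getVar('dirname'), $skip_dirnames, true)) {
                $dos_skipping = true;
            }
        } else {
            foreach ($skip_dirnames as $skip_dirname) {
                if ($skip_dirname && strstr(getcwd(), $skip_dirname)) {
                    $dos_skipping = true;
                    break;
                }
            }
        }
    }

    if (!$dos_skipping && !$protector->check_dos_attack($uid, $can_ban)) {
        $protector->output_log($protector->last_error_type, $uid, true, 16);
    }

    // Session-fixation / hijack guard: when the top `session_fixed_topbit`
    // bits of the client's IPv4 address differ from the previous request's,
    // sessions of users in the configured groups are purged. Only dotted-quad
    // IPv4 is meaningful here: an IPv6 address does not split on '.' and
    // collapses to a single (int)-cast term, so such clients are not really
    // compared. Octets are (int)-cast rather than multiplied as strings, which
    // keeps the PHP 7 result and avoids a TypeError on non-numeric parts in PHP 8.
    $ipv4_to_int = function ($ip) {
        $o = explode('.', (string)$ip);
        return (isset($o[0]) ? (int)$o[0] : 0) * 0x1000000
             + (isset($o[1]) ? (int)$o[1] : 0) * 0x10000
             + (isset($o[2]) ? (int)$o[2] : 0) * 0x100
             + (isset($o[3]) ? (int)$o[3] : 0);
    };
    $last_ip = isset($_SESSION['protector_last_ip']) ? (string)$_SESSION['protector_last_ip'] : '';
    $protector_last_numip = $ipv4_to_int($last_ip);
    $remote_numip = $ipv4_to_int($remote_addr);
    $top_bits = isset($conf['session_fixed_topbit']) ? (int)$conf['session_fixed_topbit'] : 0;
    $shift = 32 - $top_bits;
    // shift == 32 (topbit 0) disables the check; negative shifts are rejected too.
    if ($shift < 32 && $shift >= 0 && !empty($last_ip)
        && ($protector_last_numip >> $shift) !== ($remote_numip >> $shift)) {
        $deny_groups = isset($conf['groups_denyipmove']) ? @unserialize($conf['groups_denyipmove']) : false;
        if ($xoops->isUser() && is_array($deny_groups)
            && count(array_intersect($xoops->user->getGroups(), $deny_groups))) {
            $protector->purge(true);
        }
    }
    $_SESSION['protector_last_ip'] = $remote_addr;

    // Shared reaction to a detected SQL-injection signature. The action value
    // is a bit mask: bit 1 is handed to the checker itself, bit 8 registers
    // the IP without expiry, bit 4 with the "time0" expiry (both only when this
    // requester may be banned), and bit 2 purges the session after logging.
    $react_to_sql_hit = function ($action_mask, $log_type) use ($protector, $uid, $can_ban) {
        if (($action_mask & 8) && $can_ban) {
            $protector->register_bad_ips();
        } elseif (($action_mask & 4) && $can_ban) {
            $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
        }
        $protector->output_log($log_type, $uid, true, 32);
        if ($action_mask & 2) {
            $protector->purge();
        }
    };

    $isocom_action = isset($conf['isocom_action']) ? (int)$conf['isocom_action'] : 0;
    if (!$protector->check_sql_isolatedcommentin($isocom_action & 1)) {
        $react_to_sql_hit($isocom_action, 'ISOCOM');
    }

    $union_action = isset($conf['union_action']) ? (int)$conf['union_action'] : 0;
    if (!$protector->check_sql_union($union_action & 1)) {
        $react_to_sql_hit($union_action, 'UNION');
    }

    // POST requests: URI-based spam counting (non-admin users and guests have
    // separate thresholds; 0/empty disables), then the post filter chain.
    if (!empty($_POST)) {
        if ($xoops->isUser()) {
            if (!$xoops->user->isAdmin() && !empty($conf['spamcount_uri4user'])) {
                $protector->spam_check((int)$conf['spamcount_uri4user'], $xoops->user->getVar('uid'));
            }
        } elseif (!empty($conf['spamcount_uri4guest'])) {
            $protector->spam_check((int)$conf['spamcount_uri4guest'], 0);
        }

        $protector->call_filter('postcommon_post');
    }

    // Registration page gets its own filter chain (strict path comparison;
    // the original loose == behaved identically for these non-numeric strings).
    if ($script_filename === \XoopsBaseConfig::get('root-path') . '/register.php') {
        $protector->call_filter('postcommon_register');
    }

    return true;
}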