Namespaces

Classes

Interfaces

Exceptions

Functions

1: <?php
2:
3: use Xmf\Request;
4:
5: /**
6: * @return bool
7: */
8: function protector_postcommon()
9: {
10: global $xoopsUser, $xoopsModule;
11:
12: $uname = Request::getString('uname', '', 'POST');
13: $pass = Request::getString('pass', '', 'POST');
14: $autologin_uname = Request::getString('autologin_uname', '', 'COOKIE');
15: $autologin_pass = Request::getString('autologin_pass', '', 'COOKIE');
16:
17: // patch for 2.2.x from xoops.org (I know this is not so beautiful...)
18: if (defined('XOOPS_VERSION') && substr(XOOPS_VERSION, 6, 3) > 2.0) {
19: $requestUri = Request::getString('REQUEST_URI', '', 'SERVER'); // Fetch the REQUEST_URI from the server superglobal
20: if (false !== stripos($requestUri, 'modules/system/admin.php?fct=preferences')) {
21: /** @var XoopsModuleHandler $module_handler */
22: $module_handler = xoops_getHandler('module');
23:
24: // Fetch the 'mod' parameter from the GET request and cast it to an integer
25: $mod = Request::getInt('mod', 0, 'GET');
26:
27: /** @var XoopsModule $module */
28: $module = 0 !== $mod ? $module_handler->get($mod) : null;
29:
30: if (is_object($module)) {
31: $module->getInfo();
32: }
33: }
34: }
35:
36: // configs writable check
37: $requestUriForWritableCheck = Request::getString('REQUEST_URI', '', 'SERVER');
38: if ($requestUriForWritableCheck === '/admin.php' && !is_writable(dirname(__DIR__) . '/configs')) {
39: trigger_error('You should turn the directory ' . dirname(__DIR__) . '/configs writable', E_USER_WARNING);
40: }
41:
42: // Protector object
43: require_once dirname(__DIR__) . '/class/protector.php';
44: $db = XoopsDatabaseFactory::getDatabaseConnection();
45: $protector = Protector::getInstance();
46: $protector->setConn($db->conn);
47: $protector->updateConfFromDb();
48: $conf = $protector->getConf();
49: if (empty($conf)) {
50: return true;
51: } // not installed yet
52:
53: // phpmailer vulnerability
54: // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
55: if (in_array(substr(XOOPS_VERSION, 0, 12), array('XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'))) {
56: /** @var XoopsConfigHandler $config_handler */
57: $config_handler = xoops_getHandler('config');
58: $xoopsMailerConfig = $config_handler->getConfigsByCat(XOOPS_CONF_MAILER);
59: if ($xoopsMailerConfig['mailmethod'] === 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') === 'ee1c09a8e579631f0511972f929fe36a') {
60: echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>';
61: }
62: }
63:
64: // global enabled or disabled
65: if (!empty($conf['global_disabled'])) {
66: return true;
67: }
68:
69: // group1_ips (groupid=1)
70: if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) {
71: $group1_ips = $protector->get_group1_ips(true);
72: if (implode('', array_keys($group1_ips))) {
73: $group1_allow = $protector->ip_match($group1_ips);
74: if (empty($group1_allow)) {
75: die('This account is disabled for your IP by Protector.<br>Clear cookie if you want to access this site as a guest.');
76: }
77: }
78: }
79:
80: // reliable ips
81: $remoteAddr = Request::getString('REMOTE_ADDR', '', 'SERVER');
82: $reliable_ips = isset($conf['reliable_ips']) ? unserialize($conf['reliable_ips'], array('allowed_classes' => false)) : null;
83:
84: if (is_array($reliable_ips)) {
85: foreach ($reliable_ips as $reliable_ip) {
86: if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $remoteAddr)) {
87: return true;
88: }
89: }
90: }
91:
92: // user information (uid and can be banned)
93: $can_ban = true;
94: $uid = 0;
95:
96: if (isset($xoopsUser) && is_object($xoopsUser)) {
97: $uid = $xoopsUser->getVar('uid');
98: $userGroups = $xoopsUser->getGroups();
99: $bip_except = isset($conf['bip_except']) ? unserialize($conf['bip_except'], array('allowed_classes' => false)) : [];
100:
101: $can_ban = (!empty($userGroups) && !empty($bip_except)) ? (count(array_intersect($userGroups, $bip_except)) ? false : true) : true;
102: } else {
103: // login failed check
104: if ((!empty($uname) && !empty($pass)) || (!empty($autologin_uname) && !empty($autologin_pass))) {
105: $protector->check_brute_force();
106: }
107: }
108:
109: // CHECK for spammers IPS/EMAILS during POST Actions
110: if (isset($conf['stopforumspam_action']) && $conf['stopforumspam_action'] !== 'none') {
111: $protector->stopforumspam($uid);
112: }
113:
114: // If precheck has already judged that they should be banned
115: if ($can_ban && $protector->_should_be_banned) {
116: $protector->register_bad_ips();
117: } elseif ($can_ban && $protector->_should_be_banned_time0) {
118: $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
119: }
120:
121: // DOS/CRAWLER skipping based on 'dirname' or getcwd()
122: $dos_skipping = false;
123: $skip_dirnames = isset($conf['dos_skipmodules']) ? explode('|', $conf['dos_skipmodules']) : array();
124: if (!is_array($skip_dirnames)) {
125: $skip_dirnames = array();
126: }
127: if (isset($xoopsModule) && is_object($xoopsModule)) {
128: if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) {
129: $dos_skipping = true;
130: }
131: } else {
132: foreach ($skip_dirnames as $skip_dirname) {
133: if ($skip_dirname && false !== strpos(getcwd(), $skip_dirname)) {
134: $dos_skipping = true;
135: break;
136: }
137: }
138: }
139:
140: // module can control DoS skipping
141: if (defined('PROTECTOR_SKIP_DOS_CHECK')) {
142: $dos_skipping = true;
143: }
144:
145: // DoS Attack
146: if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) {
147: $protector->output_log($protector->last_error_type, $uid, true, 16);
148: }
149:
150: // check session hi-jacking
151: $masks = isset($conf['session_fixed_topbit']) ? $conf['session_fixed_topbit'] : null;
152: if (is_string($masks)) {
153: $maskArray = explode('/', $masks);
154: } else {
155: $maskArray = array(); // Or some default value that makes sense for your application
156: }
157: $ipv4Mask = empty($maskArray[0]) ? 24 : $maskArray[0];
158: $ipv6Mask = (!isset($maskArray[1])) ? 56 : $maskArray[1];
159: $ip = \Xmf\IPAddress::fromRequest();
160: $maskCheck = true;
161: if (isset($_SESSION['protector_last_ip'])) {
162: $maskCheck = $ip->sameSubnet($_SESSION['protector_last_ip'], $ipv4Mask, $ipv6Mask);
163: }
164: if (!$maskCheck) {
165: if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'], array('allowed_classes' => false))))) {
166: $protector->purge(true);
167: }
168: }
169: $_SESSION['protector_last_ip'] = $ip->asReadable();
170:
171: // SQL Injection "Isolated /*"
172: if (!$protector->check_sql_isolatedcommentin((bool)(isset($conf['isocom_action']) ? $conf['isocom_action'] & 1 : 0))) {
173: if (($conf['isocom_action'] & 8) && $can_ban) {
174: $protector->register_bad_ips();
175: } elseif (($conf['isocom_action'] & 4) && $can_ban) {
176: $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
177: }
178: $protector->output_log('ISOCOM', $uid, true, 32);
179: if ($conf['isocom_action'] & 2) {
180: $protector->purge();
181: }
182: }
183:
184: // SQL Injection "UNION"
185: if (!$protector->check_sql_union((bool)(isset($conf['union_action']) ? $conf['union_action'] & 1 : 0))) {
186: if (($conf['union_action'] & 8) && $can_ban) {
187: $protector->register_bad_ips();
188: } elseif (($conf['union_action'] & 4) && $can_ban) {
189: $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
190: }
191: $protector->output_log('UNION', $uid, true, 32);
192: if ($conf['union_action'] & 2) {
193: $protector->purge();
194: }
195: }
196:
197: if (!empty($_POST)) {
198: // SPAM Check
199: if (is_object($xoopsUser)) {
200: if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) {
201: $protector->spam_check((int)$conf['spamcount_uri4user'], $xoopsUser->getVar('uid'));
202: }
203: } elseif ($conf['spamcount_uri4guest']) {
204: $protector->spam_check((int)$conf['spamcount_uri4guest'], 0);
205: }
206:
207: // filter plugins for POST on postcommon stage
208: $protector->call_filter('postcommon_post');
209: }
210:
211: // register.php Protection - both core and profile module have a register.php
212: // There should be an event to trigger this check instead of filename sniffing.
213: $scriptFilename = Request::getString('SCRIPT_FILENAME', '', 'SERVER');
214: if (basename($scriptFilename) == 'register.php') {
215: $protector->call_filter('postcommon_register');
216: }
217:
218: return null;
219: }
220:
API documentation generated by ApiGen v7.0.0-alpha.6