X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=inc%2Fmodules%2Fadmin.php;h=1017c5b164705944c20cd1611f67304cbe962214;hb=497d9d8fcda61391c149af3747118bb2772c7c26;hp=5219de274b1d2cf4119e17aceca4bb63da30c592;hpb=61bddb167e29e7275f5a1c9fa8cb80431fa5ee6f;p=mailer.git diff --git a/inc/modules/admin.php b/inc/modules/admin.php index 5219de274b..1017c5b164 100644 --- a/inc/modules/admin.php +++ b/inc/modules/admin.php @@ -32,7 +32,7 @@ ************************************************************************/ // Some security stuff... -if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) { +if (!defined('__SECURITY')) { $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php"; require($INC); } @@ -41,7 +41,7 @@ if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) { if ((empty($GLOBALS['action'])) && ($check == "admin_only")) { // Redirect to right URL LOAD_URL("modules.php?module=admin&action=login"); -} +} // END - if // Load include file require_once(PATH."inc/modules/admin/admin-inc.php"); @@ -150,7 +150,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { LOAD_TEMPLATE("admin_settings_saved", false, $OUT); } elseif (!empty($_GET['hash'])) { // Output form for hash validation - LOAD_TEMPLATE("admin_validate_reset_hash_form", false, SQL_ESCAPE($_GET['hash'])); + LOAD_TEMPLATE("admin_validate_reset_hash_form", false, $_GET['hash']); } elseif ((isset($_POST['validate_hash'])) && (!empty($_POST['login'])) && (!empty($_POST['hash']))) { // Validate the login data and hash $valid = ADMIN_VALIDATE_RESET_LINK_HASH_LOGIN($_POST['hash'], $_POST['login']); @@ -203,6 +203,8 @@ if (!isBooleanConstantAndTrue('admin_registered')) { if ((isset($_POST['ok'])) && ($_POST['ok'] != "***")) { // All required data was entered so we check his account $ret = CHECK_ADMIN_LOGIN($_POST['login'], $_POST['pass']); + + // Which status do we have? switch ($ret) { case "done": // Admin and password are okay, so we log in now @@ -226,11 +228,13 @@ if (!isBooleanConstantAndTrue('admin_registered')) { case "404": // Administrator login not found $_POST['ok'] = $ret; $ret = ADMIN_NOT_FOUND; + DESTROY_ADMIN_SESSION(); break; case "pass": // Wrong password $_POST['ok'] = $ret; $ret = WRONG_PASS." [".ADMIN_RESET_PASS."]\n"; + DESTROY_ADMIN_SESSION(); break; } } @@ -297,26 +301,17 @@ if (!isBooleanConstantAndTrue('admin_registered')) { } } elseif (isset($_GET['logout'])) { // Only try to remove cookies - if (set_session("admin_login", "") && set_session("admin_md5", "") && set_session("admin_last", "") && set_session("admin_to", "")) { - // Also remove array elements - set_session('admin_login', ""); - set_session('admin_md5' , ""); - set_session('admin_last' , ""); - set_session('admin_to' , ""); - - // Destroy session - @session_destroy(); - + if (DESTROY_ADMIN_SESSION()) { // Load logout template - if (isset($_GET['install'])) { + if (isset($_GET['register'])) { // Secure input - $install = secureString(SQL_ESCAPE($_GET['install'])); + $register = SQL_ESCAPE($_GET['register']); // Special logout redirect for installation of given extension - LOAD_TEMPLATE(sprintf("admin_logout_%s_install", $install)); + LOAD_TEMPLATE(sprintf("admin_logout_%s_install", $register)); } elseif (isset($_GET['remove'])) { // Secure input - $remove = secureString(SQL_ESCAPE($_GET['remove'])); + $remove = SQL_ESCAPE($_GET['remove']); // Special logout redirect for removal of given extension LOAD_TEMPLATE(sprintf("admin_logout_%s_remove", $remove)); @@ -333,12 +328,12 @@ if (!isBooleanConstantAndTrue('admin_registered')) { } } else { // Maybe an Admin want's to login? - $ret = CHECK_ADMIN_COOKIES(SQL_ESCAPE(get_session('admin_login')), SQL_ESCAPE(get_session('admin_md5'))); + $ret = CHECK_ADMIN_COOKIES(get_session('admin_login'), get_session('admin_md5')); switch ($ret) { case "done": // Cookie-Data accepted - if ((set_session("admin_md5", SQL_ESCAPE(get_session('admin_md5')))) && (set_session("admin_login", SQL_ESCAPE(get_session('admin_login')))) && (set_session("admin_last", time())) && (set_session("admin_to", bigintval(get_session('admin_to'))))) { + if ((set_session("admin_md5", get_session('admin_md5'))) && (set_session("admin_login", get_session('admin_login'))) && (set_session("admin_last", time())) && (set_session("admin_to", bigintval(get_session('admin_to'))))) { // Ok, Cookie-Update done if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) { // Check if action GET variable was set @@ -359,15 +354,15 @@ if (!isBooleanConstantAndTrue('admin_registered')) { if (empty($_CONFIG['admin_menu'])) $_CONFIG['admin_menu'] = "OLD"; // Check for version and switch between old menu system and new "intelligent menu system" - if ((ADMIN_CHECK_MENU_MODE() == "NEW") && (file_exists(PATH."inc/modules/admin/la_sys-inc.php"))) { + if ((ADMIN_CHECK_MENU_MODE() == "NEW") && (FILE_READABLE(PATH."inc/modules/admin/lasys-inc.php"))) { // Default area is the entrance, of course $area = "entrance"; // Check for similar URL variable - if (!empty($_GET['area'])) $area = $_GET['area']; + if (!empty($_GET['area'])) $area = SQL_ESCAPE($_GET['area']); // Load "logical-area menu-system" file - require_once(PATH."inc/modules/admin/la_sys-inc.php"); + require_once(PATH."inc/modules/admin/lasys-inc.php"); // Create new-style menu system will "logical areas" ADMIN_LOGICAL_AREA_SYSTEM($area, $act, $GLOBALS['what']); @@ -385,21 +380,17 @@ if (!isBooleanConstantAndTrue('admin_registered')) { case "404": // Administrator login not found $_POST['ok'] = $ret; + DESTROY_ADMIN_SESSION(); ADD_FATAL(ADMIN_NOT_FOUND); break; case "pass": // Wrong password $_POST['ok'] = $ret; + DESTROY_ADMIN_SESSION(); ADD_FATAL(WRONG_PASS); break; } } -if (isBooleanConstantAndTrue('admin_registered')) -{ - // Check config.php and inc directory for right access rights - if (is_INCWritable("config")) ADD_FATAL(FATAL_CONFIG_WRITABLE); - if (is_INCWritable("dummy")) ADD_FATAL(FATAL_INC_WRITABLE); -} // ?>