X-Git-Url: https://git.mxchange.org/?p=mailer.git;a=blobdiff_plain;f=inc%2Fmodules%2Fadmin.php;h=367a96cbe9fb14fc0f3d641005974a85ecdab340;hp=ed6f004ddf4a0686d74f1f198e6699be1270491d;hb=e521a48cf5d2a3090bd8d7a9cb21dfbc2dfda257;hpb=307a4e11763f0914e73dc756b219356e1c29ab25 diff --git a/inc/modules/admin.php b/inc/modules/admin.php index ed6f004ddf..367a96cbe9 100644 --- a/inc/modules/admin.php +++ b/inc/modules/admin.php @@ -32,7 +32,7 @@ ************************************************************************/ // Some security stuff... -if (ereg(basename(__FILE__), $_SERVER['PHP_SELF'])) { +if (!defined('__SECURITY')) { $INC = substr(dirname(__FILE__), 0, strpos(dirname(__FILE__), "/inc") + 4) . "/security.php"; require($INC); } @@ -150,7 +150,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { LOAD_TEMPLATE("admin_settings_saved", false, $OUT); } elseif (!empty($_GET['hash'])) { // Output form for hash validation - LOAD_TEMPLATE("admin_validate_reset_hash_form", false, SQL_ESCAPE($_GET['hash'])); + LOAD_TEMPLATE("admin_validate_reset_hash_form", false, $_GET['hash']); } elseif ((isset($_POST['validate_hash'])) && (!empty($_POST['login'])) && (!empty($_POST['hash']))) { // Validate the login data and hash $valid = ADMIN_VALIDATE_RESET_LINK_HASH_LOGIN($_POST['hash'], $_POST['login']); @@ -299,18 +299,27 @@ if (!isBooleanConstantAndTrue('admin_registered')) { // Only try to remove cookies if (set_session("admin_login", "") && set_session("admin_md5", "") && set_session("admin_last", "") && set_session("admin_to", "")) { // Also remove array elements - set_session('admin_login' , ""); - set_session('admin_md5' , ""); - set_session('admin_last' , ""); - set_session('admin_to' , ""); + set_session('admin_login', ""); + set_session('admin_md5' , ""); + set_session('admin_last' , ""); + set_session('admin_to' , ""); // Destroy session @session_destroy(); // Load logout template - if (isset($_GET['sql_patches'])) { - // Special logout redirect for sql_patchrs - LOAD_TEMPLATE("admin_logout_sql_patches"); + if (isset($_GET['register'])) { + // Secure input + $register = SQL_ESCAPE($_GET['register']); + + // Special logout redirect for installation of given extension + LOAD_TEMPLATE(sprintf("admin_logout_%s_install", $register)); + } elseif (isset($_GET['remove'])) { + // Secure input + $remove = SQL_ESCAPE($_GET['remove']); + + // Special logout redirect for removal of given extension + LOAD_TEMPLATE(sprintf("admin_logout_%s_remove", $remove)); } else { // Logged out normally LOAD_TEMPLATE("admin_logout"); @@ -324,12 +333,12 @@ if (!isBooleanConstantAndTrue('admin_registered')) { } } else { // Maybe an Admin want's to login? - $ret = CHECK_ADMIN_COOKIES(SQL_ESCAPE(get_session('admin_login')), SQL_ESCAPE(get_session('admin_md5'))); + $ret = CHECK_ADMIN_COOKIES(get_session('admin_login'), get_session('admin_md5')); switch ($ret) { case "done": // Cookie-Data accepted - if ((set_session("admin_md5", SQL_ESCAPE(get_session('admin_md5')))) && (set_session("admin_login", SQL_ESCAPE(get_session('admin_login')))) && (set_session("admin_last", time())) && (set_session("admin_to", bigintval(get_session('admin_to'))))) { + if ((set_session("admin_md5", get_session('admin_md5'))) && (set_session("admin_login", get_session('admin_login'))) && (set_session("admin_last", time())) && (set_session("admin_to", bigintval(get_session('admin_to'))))) { // Ok, Cookie-Update done if ((EXT_IS_ACTIVE("admins")) && (GET_EXT_VERSION("admins") > "0.2")) { // Check if action GET variable was set @@ -350,7 +359,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { if (empty($_CONFIG['admin_menu'])) $_CONFIG['admin_menu'] = "OLD"; // Check for version and switch between old menu system and new "intelligent menu system" - if ((ADMIN_CHECK_MENU_MODE() == "NEW") && (file_exists(PATH."inc/modules/admin/la_sys-inc.php"))) { + if ((ADMIN_CHECK_MENU_MODE() == "NEW") && (FILE_READABLE(PATH."inc/modules/admin/la_sys-inc.php"))) { // Default area is the entrance, of course $area = "entrance"; @@ -386,8 +395,7 @@ if (!isBooleanConstantAndTrue('admin_registered')) { } } -if (isBooleanConstantAndTrue('admin_registered')) -{ +if (isBooleanConstantAndTrue('admin_registered')) { // Check config.php and inc directory for right access rights if (is_INCWritable("config")) ADD_FATAL(FATAL_CONFIG_WRITABLE); if (is_INCWritable("dummy")) ADD_FATAL(FATAL_INC_WRITABLE);