| | |
| | | $salt.="$"; |
| | | return crypt($cleartext_password, $salt); |
| | | } |
| | | |
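/**
 * Issue a fresh one-time CSRF token for the form $form_name and register it in
 * the session.
 *
 * The id is a unique handle prefixed with the form name; the key is a 40-hex-char
 * secret that csrf_token_check() later compares with the submitted value. Both
 * are stored under $_SESSION['_csrf'] and $_SESSION['_csrf_timeout'] (created on
 * first use); the token expires one hour after issue.
 *
 * @param string $form_name  identifier of the form the token belongs to
 * @return array  array('csrf_id' => string, 'csrf_key' => string)
 */
public function csrf_token_get($form_name) {
    /* CSRF PROTECTION */
    // generate csrf protection id and key
    $_csrf_id = uniqid($form_name . '_'); // form id

    // The key must be unguessable: uniqid()/microtime() are clock-derived, so
    // sha1() over them is only kept as a fallback for runtimes without a CSPRNG.
    // bin2hex(random_bytes(20)) yields the same 40-hex-char shape as sha1().
    if(function_exists('random_bytes')) {
        $_csrf_key = bin2hex(random_bytes(20)); // the key
    } else {
        $_csrf_key = sha1(uniqid(microtime(true), true)); // the key (fallback)
    }

    if(!isset($_SESSION['_csrf'])) $_SESSION['_csrf'] = array();
    if(!isset($_SESSION['_csrf_timeout'])) $_SESSION['_csrf_timeout'] = array();
    $_SESSION['_csrf'][$_csrf_id] = $_csrf_key;
    $_SESSION['_csrf_timeout'][$_csrf_id] = time() + 3600; // timeout hash in 1 hour

    return array('csrf_id' => $_csrf_id, 'csrf_key' => $_csrf_key);
}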
| | | |
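/**
 * Validate the one-time CSRF token submitted with the current request.
 *
 * Reads $_POST['_csrf_id'] / $_POST['_csrf_key'] as issued by csrf_token_get(),
 * looks the id up in $_SESSION['_csrf'] and $_SESSION['_csrf_timeout'], and
 * accepts the request only if the key matches and the token has not expired.
 * On failure the attempt is logged with the referer and $app->error() is raised
 * with the 'err_csrf_attempt_blocked' message. The submitted token is removed
 * from the session either way (single use), and all expired tokens are pruned.
 *
 * @return void
 */
public function csrf_token_check() {
    global $app;

    if(isset($_POST) && is_array($_POST)) {
        $_csrf_valid = false;
        $_csrf_id = null;
        // Both fields must be plain strings: a request carrying _csrf_id[]=x
        // would otherwise hand an array to trim().
        if(isset($_POST['_csrf_id'], $_POST['_csrf_key']) && is_string($_POST['_csrf_id']) && is_string($_POST['_csrf_key'])) {
            $_csrf_id = trim($_POST['_csrf_id']);
            $_csrf_key = trim($_POST['_csrf_key']);
            if(isset($_SESSION['_csrf'][$_csrf_id]) && isset($_SESSION['_csrf_timeout'][$_csrf_id])) {
                // Check the expiry of *this* token. Comparing the whole
                // $_SESSION['_csrf_timeout'] array with time() (as the code
                // previously did) is always true in PHP, so expired tokens
                // were never rejected.
                if($_SESSION['_csrf'][$_csrf_id] === $_csrf_key && $_SESSION['_csrf_timeout'][$_csrf_id] >= time()) {
                    $_csrf_valid = true;
                }
            }
        }
        if($_csrf_valid !== true) {
            $app->log('CSRF attempt blocked. Referer: ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : 'unknown'), LOGLEVEL_WARN);
            $app->error($app->lng('err_csrf_attempt_blocked'));
        }

        // Single use: drop the submitted token whether or not it validated.
        // Guarded so a request without token fields does not touch the ''
        // key (an undefined $_csrf_id used to do exactly that).
        if($_csrf_id !== null) {
            unset($_SESSION['_csrf'][$_csrf_id]);
            unset($_SESSION['_csrf_timeout'][$_csrf_id]);
        }

        // Garbage-collect every token whose timeout has already passed.
        if(isset($_SESSION['_csrf_timeout']) && is_array($_SESSION['_csrf_timeout'])) {
            $now = time();
            foreach(array_keys($_SESSION['_csrf_timeout']) as $stale_id) {
                if($_SESSION['_csrf_timeout'][$stale_id] < $now) {
                    unset($_SESSION['_csrf'][$stale_id]);
                    unset($_SESSION['_csrf_timeout'][$stale_id]);
                }
            }
        }
    }
}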
| | | |
| | | } |
| | | |
| | |
| | | |
| | | /* CSRF PROTECTION */ |
| | | // generate csrf protection id and key |
| | | $_csrf_id = uniqid($this->formDef['name'] . '_'); |
| | | /*$_csrf_id = uniqid($this->formDef['name'] . '_'); |
| | | $_csrf_value = sha1(uniqid(microtime(true), true)); |
| | | if(!isset($_SESSION['_csrf'])) $_SESSION['_csrf'] = array(); |
| | | if(!isset($_SESSION['_csrf_timeout'])) $_SESSION['_csrf_timeout'] = array(); |
| | | $_SESSION['_csrf'][$_csrf_id] = $_csrf_value; |
| | | $_SESSION['_csrf_timeout'][$_csrf_id] = time() + 3600; // timeout hash in 1 hour |
| | | */ |
| | | $csrf_token = $app->auth->csrf_token_get($this->formDef['name']); |
| | | $_csrf_id = $csrf_token['csrf_id']; |
| | | $_csrf_value = $csrf_token['csrf_key']; |
| | | |
| | | $this->formDef['tabs'][$tab]['fields']['_csrf_id'] = array( |
| | | 'datatype' => 'VARCHAR', |
| | | 'formtype' => 'TEXT', |
| | |
| | | //$this->errorMessage = ''; |
| | | |
| | | /* CSRF PROTECTION */ |
| | | |
| | | if(isset($_POST) && is_array($_POST)) { |
| | | $_csrf_valid = false; |
| | | if(isset($_POST['_csrf_id']) && isset($_POST['_csrf_key'])) { |
| | |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | if(isset($_POST['lng_new']) && strlen($_POST['lng_new']) == 2 && $error == '') { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $lng_new = $_POST['lng_new']; |
| | | if(!preg_match("/^[a-z]{2}$/i", $lng_new)) die('unallowed characters in language name.'); |
| | | |
| | |
| | | |
| | | $app->tpl->setVar('msg', $msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('language_add'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | //* load language file |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_add.lng'; |
| | | include $lng_file; |
| | |
| | | // Export the language file |
| | | if(isset($_POST['lng_select']) && $error == '') { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | // complete the global langauge file |
| | | merge_langfile(ISPC_LIB_PATH."/lang/".$selected_language.".lng", ISPC_LIB_PATH."/lang/en.lng"); |
| | | |
| | |
| | | |
| | | $app->tpl->setVar('msg', $msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('language_merge'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | //* load language file |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_complete.lng'; |
| | | include $lng_file; |
| | |
| | | |
| | | //* Save data |
| | | if(isset($_POST['records']) && is_array($_POST['records'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $file_content = "<?php\n"; |
| | | foreach($_POST['records'] as $key => $val) { |
| | | $val = stripslashes($val); |
| | |
| | | unset($wb); |
| | | } |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('language_edit'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | |
| | | //* load language file |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_edit.lng'; |
| | |
| | | |
| | | // Export the language file |
| | | if(isset($_FILES['file']['name']) && is_uploaded_file($_FILES['file']['tmp_name'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $lines = file($_FILES['file']['tmp_name']); |
| | | // initial check |
| | | $parts = explode('|', $lines[0]); |
| | |
| | | $app->tpl->setVar('msg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('language_import'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | //* load language file |
| | | $lng_file = 'lib/lang/'.$_SESSION['s']['language'].'_language_import.lng'; |
| | | include $lng_file; |
| | |
| | | |
| | | //* Note: Disabled post action |
| | | if (1 == 0 && isset($_POST['server_select'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $server = $_POST['server_select']; |
| | | $servers = array(); |
| | | if ($server == '*') { |
| | |
| | | |
| | | $app->tpl->setVar('msg', $msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('ispupdate'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl->setVar($wb); |
| | | |
| | | $app->tpl_defaults(); |
| | |
| | | * If the user wants to do the action, write this to our db |
| | | */ |
| | | if (isset($_POST['server_select'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $server = $_POST['server_select']; |
| | | $servers = array(); |
| | | if ($server == '*') { |
| | |
| | | |
| | | $app->tpl->setVar('msg', $msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('osupdate'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl->setVar($wb); |
| | | |
| | | $app->tpl_defaults(); |
| | |
| | | //* Save data |
| | | if(isset($_POST) && count($_POST) > 1) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | //* Check values |
| | | if(!preg_match("/^\w+[\w\.\-\+]*\w{0,}@\w+[\w.-]*\w+\.[a-zA-Z0-9\-]{2,30}$/i", $_POST['sender'])) $error .= $wb['sender_invalid_error'].'<br />'; |
| | | if(empty($_POST['subject'])) $error .= $wb['subject_invalid_error'].'<br />'; |
| | |
| | | } |
| | | $app->tpl->setVar('message_variables', trim($message_variables)); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('client_message'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl->setVar('okmsg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | |
| | | <tmpl_dyninclude name="content_tpl"> |
| | | <input type="hidden" name="_csrf_id" value="{tmpl_var name='_csrf_id'}" /> |
| | | <input type="hidden" name="_csrf_key" value="{tmpl_var name='_csrf_key'}" /> |
| | |
| | | // Resyncing dns zones |
| | | if(isset($_POST['start']) && $_POST['start'] == 1) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | //* Set variable sin template |
| | | $app->tpl->setVar('dbhost', $_POST['dbhost']); |
| | | $app->tpl->setVar('dbname', $_POST['dbname']); |
| | |
| | | $app->tpl->setVar('msg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('dns_import'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl_defaults(); |
| | | $app->tpl->pparse(); |
| | |
| | | $app->tpl->setVar($wb); |
| | | |
| | | if(isset($_POST['connected'])) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | $connected = $app->functions->intval($_POST['connected']); |
| | | if($connected == 0) { |
| | | |
| | |
| | | $app->tpl->setVar('msg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('ispconfig_import'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl_defaults(); |
| | | $app->tpl->pparse(); |
| | | |
| | |
| | | // Start migrating plesk data |
| | | if(isset($_POST['start']) && $_POST['start'] == 1) { |
| | | |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | |
| | | //* Set variable sin template |
| | | $app->tpl->setVar('dbhost', $_POST['dbhost']); |
| | | $app->tpl->setVar('dbname', $_POST['dbname']); |
| | |
| | | $app->tpl->setVar('msg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('plesk_import'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl_defaults(); |
| | | $app->tpl->pparse(); |
| | |
| | | include $lng_file; |
| | | $app->tpl->setVar($wb); |
| | | |
| | | if(isset($_POST) && count($_POST) > 1) { |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | } |
| | | |
| | | //* Resyncing websites |
| | | if(isset($_POST['resync_sites']) && $_POST['resync_sites'] == 1) { |
| | | $db_table = 'web_domain'; |
| | |
| | | $app->tpl->setVar('msg', $msg); |
| | | $app->tpl->setVar('error', $error); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('tools_resync'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl_defaults(); |
| | | $app->tpl->pparse(); |
| | | |
| | |
| | | |
| | | if($vm_id == 0) die('Invalid VM ID'); |
| | | |
| | | if(isset($_POST) && count($_POST) > 1) { |
| | | //* CSRF Check |
| | | $app->auth->csrf_token_check(); |
| | | } |
| | | |
| | | $vm = $app->db->queryOneRecord("SELECT server_id, veid FROM openvz_vm WHERE vm_id = $vm_id"); |
| | | $veid = $app->functions->intval($vm['veid']); |
| | | $server_id = $app->functions->intval($vm['server_id']); |
| | |
| | | $app->tpl->setVar($options); |
| | | $app->tpl->setVar('error', $error_msg); |
| | | |
| | | //* SET csrf token |
| | | $csrf_token = $app->auth->csrf_token_get('openvz_action'); |
| | | $app->tpl->setVar('_csrf_id',$csrf_token['csrf_id']); |
| | | $app->tpl->setVar('_csrf_key',$csrf_token['csrf_key']); |
| | | |
| | | $app->tpl_defaults(); |
| | | $app->tpl->pparse(); |
| | | |