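function mystery_process_authentication() {
    // Processes a user's authentication: when the session is already
    // authenticated it does nothing; when no credentials were sent it renders
    // the login form; otherwise it tries to authenticate and, on failure,
    // renders a generic error followed by the form again. Returns nothing.

    // Already logged in: nothing to do. Strict comparison replaces the
    // original `@$_SESSION[...] == 'yes'`, which both silenced the
    // undefined-index notice and compared loosely.
    if ((isset($_SESSION['is_logged_in']) ? $_SESSION['is_logged_in'] : null) === 'yes') {
        return;
    }

    mystery_setup_default_session();

    // NOTE(review): credentials are read from $_REQUEST, i.e. GET, POST and
    // cookies (per request_order). A GET login therefore works and leaves the
    // password in server logs, browser history and Referer headers. If
    // mystery_display_authentication_form() (not visible here) submits via
    // POST, this should read $_POST only -- confirm before narrowing it.
    $username = isset($_REQUEST['username']) ? $_REQUEST['username'] : '';
    $password = isset($_REQUEST['password']) ? $_REQUEST['password'] : '';

    // A field submitted as an array (`username[]=x`) is not a credential;
    // treat it as missing instead of handing an array to mystery_auth().
    if (!is_string($username) || !is_string($password)) {
        $username = '';
        $password = '';
    }

    if ($username === '' || $password === '') {
        // No username / password supplied: just display the form.
        mystery_header();
        mystery_display_authentication_form();
        mystery_footer();
        return;
    }

    if (!mystery_auth($username, $password)) {
        // Authentication failed. The message is deliberately generic (it does
        // not say whether the username or the password was wrong).
        mystery_header();
        mystery_display_user_error('You entered an invalid username or password, or cannot login from your current location. Please try again.');
        mystery_display_authentication_form();
        mystery_footer();
    }
}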
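function mystery_log_violation_redact($vars) {
    // Returns a copy of $vars in which the values of well-known secret-bearing
    // keys (password fields, the session cookie header, HTTP Basic / bearer
    // credentials) are replaced by a placeholder, so a request snapshot can be
    // written to the security log without persisting secrets. Key matching is
    // case-insensitive; everything else is passed through unchanged.
    $secret_keys = array(
        'password',
        'passwd',
        'http_cookie',
        'php_auth_pw',
        'http_authorization',
        'redirect_http_authorization',
    );
    foreach ($vars as $key => $value) {
        if (in_array(strtolower((string) $key), $secret_keys, true)) {
            $vars[$key] = '[REDACTED]';
        }
    }
    return $vars;
}

function mystery_log_violation($code, $message = '') {
    // Records a serious security violation to the security_log table and the
    // security_log file, then renders an "Access Denied" page.
    //
    // $code     colour code identifying the violation class (see $types);
    //           an unknown code is stored as-is with an empty type label
    // $message  free-text detail appended to the exception type
    //
    // This function does NOT exit; the caller must stop further processing.
    global $_MYSTERY;

    $types = array(
        'Red'    => 'Spoofed User',
        'Orange' => 'Spoofed File',
        'Yellow' => 'Spoofed Action',
        'Green'  => 'Illegal Query',
        'Blue'   => 'Virus Upload',
        'Purple' => 'Spoofed Table',
        'Brown'  => 'Illegal Many To Many Addition',
    );

    // Forensic snapshot of the request. Secrets are redacted first: dumping
    // $_SERVER verbatim would write the session cookie and any HTTP
    // credentials into the log, and dumping $_REQUEST would write the
    // password field of a failed login attempt.
    $context = 'SERVER: ' . print_r(mystery_log_violation_redact($_SERVER), true)
             . 'SESSION: ' . print_r($_SESSION, true)
             . 'REQUEST: ' . print_r(mystery_log_violation_redact($_REQUEST), true);

    $table = $_MYSTERY['table_prefix'] . 'security_log';

    $data = array(
        'exception_type'  => (isset($types[$code]) ? $types[$code] : '') . ' - ' . $message,
        'exception_code'  => $code,
        'user_id'         => isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null,
        'user_ip_address' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null,
        'user_action'     => isset($_REQUEST['action']) ? $_REQUEST['action'] : null,
        // 24-hour clock ('H'). The original used 'h' (12-hour, no am/pm),
        // which made every timestamp in the security log ambiguous.
        'user_time'       => date('Y-m-d H:i:s'),
        'user_request'    => isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : null,
        'user_variables'  => $context,
    );
    mystery_insert_query($table, $data, 'record_id');

    // Mirror the record to the flat file log. foreach replaces each(), which
    // was removed in PHP 8.
    $error_parts = array();
    foreach ($data as $key => $value) {
        $error_parts[] = ucwords(str_replace('_', ' ', $key)) . ': ' . $value;
    }
    mystery_log_error_to_file('security_log', implode("\n", $error_parts) . "\n\n");

    // Crude slow-down of the offending client before responding.
    // NOTE(review): this delays only a sequential client, costs a PHP worker
    // for 2 s per request, and does nothing against parallel requests; real
    // throttling/lockout belongs in mystery_auth() or the web tier.
    sleep(2);

    mystery_header();
    // $code is caller-supplied, but escape it anyway so a future caller
    // cannot turn this page into an HTML injection point.
    echo '
        <h1>Access Denied</h1>
        <p>Sorry, but the account you are logged in as cannot perform the requested action. (<em>Code: ', htmlspecialchars((string) $code, ENT_QUOTES, 'UTF-8'), '</em>)</p>
    ';
    mystery_display_admin_contact_info();

    if ($code === 'Blue') {
        // Scanner output is shown to the user; escape it, since it may echo
        // back the attacker-chosen upload file name.
        $feedback = isset($_MYSTERY['virus_feedback']) ? $_MYSTERY['virus_feedback'] : '';
        echo '<p>The file you tried to upload is infected with a <strong>virus</strong>. Please <strong>disinfect the file</strong> and try again.</p>
            <p><code>', htmlspecialchars((string) $feedback, ENT_QUOTES, 'UTF-8'), '</code></p>';
    }
    mystery_footer();
}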
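// Use our custom session handlers instead of the PHP defaults.
session_set_save_handler('mystery_session_open', 'mystery_session_close', 'mystery_session_read', 'mystery_session_write', 'mystery_session_destroy', 'mystery_session_gc');

// Session cookie hardening; these must be set before session_start():
//  - use_only_cookies: never accept a session id from the URL (fixation via a
//    crafted link, id leakage through Referer headers and server logs)
//  - cookie_httponly: keep the id out of reach of page script (XSS)
//  - cookie_secure: only when this request actually arrived over HTTPS, so a
//    plain-HTTP install does not silently lose its session cookie.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
    ini_set('session.cookie_secure', '1');
}
// NOTE(review): session.use_strict_mode is not enabled here because the
// handler registered above has no validate_sid callback, so PHP could not
// reject an uninitialised id anyway. Adding one, and regenerating the id on
// successful login, is what closes session fixation -- confirm against the
// handler implementation and mystery_auth().

// Start the session.
session_name($portal_config['session_name']);
session_start();

// Allow the users to use the back button.
header('Cache-control: private');

// Use our custom error handler instead of the PHP default, and report all
// error classes to it.
set_error_handler('mystery_error_handler');
ini_set('error_reporting', E_ALL);

// Start the timer.
mystery_time_results('start');

// Configure the application.
if (!mystery_configure()) {
    if (mystery_check_installation_status()) {
        mystery_header();
        mystery_display_user_error('Configuration Problem');
        echo '
            <p>Could not load the main system configuration. The system Administrator should verify that the system is correctly installed and configured.</p>
        ';
        mystery_footer();
    } else {
        mystery_header();
        mystery_display_installation_options();
        mystery_footer();
    }
    // NOTE(review): execution continues past this point with no configuration
    // loaded. If the rest of the bootstrap (not visible here) does not stop on
    // its own, an `exit;` after the error page is probably wanted -- confirm.
}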