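// Tail of the POST-sanitising block of the "add user" form handler: each remaining
// field is copied into a local only when it was posted, after a pass through HTMLPurifier.
// NOTE(review): purify() is an HTML sanitiser, not a format check. In the visible code
// only $naissance and $userpwd get a format check (verifDateNaissance, verifPwd).
if ( isset($_POST['prenom'])) $prenom=$purifier->purify($_POST['prenom']);
if ( isset($_POST['naissance'])) $naissance=$purifier->purify($_POST['naissance']);
if ( isset($_POST['sexe'])) $sexe=$purifier->purify($_POST['sexe']);
if ( isset($_POST['categorie'])) $categorie=$purifier->purify($_POST['categorie']);
if ( isset($_POST['add_user'])) $add_user=$purifier->purify($_POST['add_user']);
$string_auth=( isset($_POST['string_auth'])) ? $purifier->purify($_POST['string_auth']) :"";
$string_auth1=( isset($_POST['string_auth1'])) ? $purifier->purify($_POST['string_auth1']) :"";
if ( isset($_POST['dummy'])) $dummy=$purifier->purify($_POST['dummy']);
if ( isset($_POST['dummy1'])) $dummy1=$purifier->purify($_POST['dummy1']);
}
if (is_admin("Annu_is_admin",$login)=="Y") {
    // Decrypt the encrypted fields.
    // $string_auth and $string_auth1 are always set above (default ""), so the
    // inner isset() pair is always true and this test reduces to isset($add_user).
    if ( isset($add_user) && (isset($string_auth) || isset($string_auth1)) ) {
        if ($string_auth !="") $naissance = decodekey($string_auth);
        if ($string_auth1!="") $userpwd = decodekey($string_auth1);
    }
    // Add a user: the form is (re)served whenever the submission is incomplete or invalid.
    if ( ( !$nom || !$prenom ) // last name or first name missing
        || ( !$naissance && ( !$userpwd || ( $userpwd && !verifPwd($userpwd) ) ) ) // no birth date, and password missing or invalid
        || ( $naissance && !verifDateNaissance($naissance) ) // invalid birth date
        || ( ($naissance && verifDateNaissance($naissance)) && ($userpwd && !verifPwd($userpwd)) ) // valid birth date but invalid password
    ) {
        // The submitted value is echoed back into an HTML attribute below, so it is
        // attribute-escaped (quotes included). double_encode is off because purify()
        // may already have produced entities. The full "<?php" tag is used so the
        // statement is still executed when short_open_tag is disabled.
?>
<form name="auth" action="add_user.php" method="post" onSubmit="encrypt(document.auth)">
<table border="0">
<tbody>
<tr>
<td>Nom :</td>
<td colspan="2" valign="top"><input type="sn" name="nom" value="<?php echo htmlspecialchars(isset($nom) ? (string) $nom : '', ENT_QUOTES, 'UTF-8', false); ?>" size="20"></td>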
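// Link form account ENT LCS: emit a script that opens the '#dialog-form' dialog
// 1000 ms after load. The CDATA guards are JavaScript line comments, so each one
// has to stay on its own line inside the string.
echo "<script type='text/javascript'>
// <![CDATA[
setTimeout(function(){ $( '#dialog-form' ).dialog('open' ); },1000);
//]]>
</script>\n";
} elseif (mysqli_num_rows($result)==1) {
    // Open LCS session: exactly one row matched, its first column is the login.
    $retour= mysqli_fetch_array($result);
    $login=$retour[0];
    // NOTE(review): the value is escaped against $GLOBALS["___mysqli_ston"], while the
    // queries below run on $authlink. Confirm both handles use the same connection
    // charset, or bind the value with a prepared statement on $authlink instead.
    $login_escp=((isset($GLOBALS["___mysqli_ston"]) && is_object($GLOBALS["___mysqli_ston"]))
        ? mysqli_real_escape_string($GLOBALS["___mysqli_ston"], $login)
        : ((trigger_error("[MySQLConverterToo] Fix the mysql_escape_string() call! This code does not work.", E_USER_ERROR)) ? "" : ""));
    // NOTE(review): $_POST['string_new_mdp'] is read without an isset() check.
    $new_password = decodekey($_POST['string_new_mdp']);
    // Open session and write in sessions table of lcs_db
    // NOTE(review): the login literal in this query is masked in the listing; it is
    // reproduced as shown. Whatever value belongs there should be a bound parameter.
    $query="SELECT id, stat FROM personne WHERE login='******'";
    $result=@mysqli_query($authlink, $query);
    if ($result && mysqli_num_rows($result)) {
        // mysql_result() belongs to the removed ext/mysql API and cannot read a
        // mysqli_result; fetch the first row through mysqli instead.
        $row=mysqli_fetch_row($result);
        $idpers=$row[0];
        $stat=$row[1]+1;
        mysqli_free_result($result);
    } else {
        // The login is not in the base... Create entry
        $query="INSERT INTO personne VALUES ('', '', '', '$login_escp', '')";
        $result=@mysqli_query($authlink, $query);
        $query="SELECT id, stat FROM personne WHERE login='******'";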
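// Page that saves a new authentication key set: prints the page header, then, for an
// LCS administrator, decodes the posted key string and writes the public part to disk.
echo "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">\n";
echo "<html>\n";
?>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title>...::: Sauvegarde du nouveau jeu de clés d'authentification :::...</title>
<link href='../Annu/style.css' rel='StyleSheet' type='text/css'>
</head>
<body>
<div align="center">
<h2>Sauvegarde du nouveau jeu de clés d'authentification</h2>
</div>
<?php
if ( is_admin("Lcs_is_admin",$login) == "Y" ) {
    // Server-side decoding of the authentication string with a private key.
    // The decoded string is split on "|" into at most five fields. It is padded to
    // five entries so that a short or undecodable string leaves the missing fields
    // empty (and fails the test below) instead of reading undefined offsets.
    $parts = preg_split ("/[\|]/",decodekey($keys),5);
    $tmp = array_pad(is_array($parts) ? $parts : array(), 5, '');
    $p = $tmp[0];
    $q = $tmp[1];
    $pq = $tmp[2];
    $d = $tmp[3];
    $e = $tmp[4];
    if ( $p && $q && $pq && $d && $e ) {
        // Save the public key
        // open acces for keys
        exec ("/usr/bin/sudo /usr/share/lcs/scripts/gestkeys.sh 'open'", $AllOutput, $ReturnValue);
        // put keys
        // NOTE(review): $e and $pq are concatenated verbatim into a JavaScript file.
        // Check that they hold only the expected key-list characters before writing;
        // anything else would become script in public_key.js.
        $public_key="var public_key_e=[".$e."];\n";
        $public_key.="var public_key_pq=[".$pq."];\n";
        $fp=@fopen("/usr/share/lcs/privatekey/public_key.js","w");
        if($fp) {
            fputs($fp,$public_key."\n");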
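// Password-change handler: purifies the posted fields, decrypts the three password
// strings and decides whether the entry form has to be served again.
$purifier = new HTMLPurifier($config);
// Purify the posted variables
// NOTE(review): these $_POST keys are read without isset() checks.
$string_auth=$purifier->purify($_POST['string_auth']);
$dummy=$purifier->purify($_POST['dummy']);
$string_auth1=$purifier->purify($_POST['string_auth1']);
$dummy1=$purifier->purify($_POST['dummy1']);
$string_auth2=$purifier->purify($_POST['string_auth2']);
$dummy2=$purifier->purify($_POST['dummy2']);
$mod_pwd=$purifier->purify($_POST['mod_pwd']);
}
if ($mod_pwd) {
    // Decrypt the passwords
    $old_password = decodekey($string_auth);
    $new_password = decodekey($string_auth1);
    $verif_password = decodekey($string_auth2);
    #DEBUG
    if ($DEBUG) {
        // Debug output goes into the HTML response: the posted ciphertext is escaped,
        // and the decoded passwords are reported by length only, so that no
        // clear-text secret is written into the page.
        echo "crypto old pass : " . htmlspecialchars((string) $string_auth, ENT_QUOTES, 'UTF-8')
            . "<br />crypto new pass : " . htmlspecialchars((string) $string_auth1, ENT_QUOTES, 'UTF-8')
            . "<br />crypto verif pass : " . htmlspecialchars((string) $string_auth2, ENT_QUOTES, 'UTF-8')
            . "<br />";
        echo "old_mdp length : " . strlen((string) $old_password)
            . " new mdp length : " . strlen((string) $new_password)
            . " verif mdp length : " . strlen((string) $verif_password)
            . "<br/>";
    }
}
// Decide whether the entry form must be served again: nothing submitted, new password
// rejected by verifPwd(), confirmation mismatch, wrong current password, or new
// password identical to the current one.
// The password comparisons are strict string comparisons: with == / !=, two different
// numeric-looking strings (for example "1e3" and "1000") compare as equal.
if ( (!$mod_pwd)
    || (($mod_pwd)&&(!verifPwd($new_password)))
    || (($mod_pwd)&&((string) $new_password !== (string) $verif_password))
    || (($mod_pwd)&&(!user_valid_passwd ( $login, $old_password )))
    || (($mod_pwd)&&((string) $new_password === (string) $old_password))
) {
    header_crypto_html("Modification mot de passe");
?>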
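// Tail of the POST-sanitising block of the "modify user entry" page, followed by the
// authorisation test and the start of the edit form.
// NOTE(review): $userpwd and $password are passed through HTMLPurifier, which can
// rewrite characters that are legitimate in a password; the @ operator also hides
// the notice raised when the field was not posted.
$description=$purifier->purify($_POST['description']);
$userpwd=@$purifier->purify($_POST['userpwd']);
$shell=$purifier->purify($_POST['shell']);
$password=@$purifier->purify($_POST['password']);
$string_auth=$purifier->purify($_POST['string_auth']);
$pseudo=$purifier->purify($_POST['pseudo']);
}
}
$isadmin=is_admin("Annu_is_admin",$login);
// Allowed for directory administrators, or for a caller for whom tstclass($login,$uid)
// returns 1 and who holds the "sovajon_is_admin" right.
if (($isadmin=="Y") or ((tstclass($login,$uid)==1) and (ldap_get_right("sovajon_is_admin",$login)=="Y"))) {
    // Fetch the entries of the user to modify
    $user=people_get_variables ($uid, false);
    // Decrypt the password
    if ( $user_entry && $string_auth) $userpwd = decodekey($string_auth);
    // Modify the entries: the form is served when nothing was submitted yet or when
    // one of the submitted fields fails its check.
    if ( !$user_entry
        || ($user_entry
            && (!verifPseudo($pseudo)
                || !verifTel($telephone)
                || !verifEntree($nom)
                || !verifEntree($prenom)
                || !verifDescription($description)
                || ($userpwd && !verifPwd($userpwd))
            )
        )
    ) {
        header_crypto_html("Modification fiche utilisateur");
        aff_trailer ("4");
        // The values printed below come from people_get_variables() and are not
        // purified in the visible code, so they are HTML-escaped (quotes included)
        // where they are written into the page.
        // NOTE(review): assumes this page and the stored values are UTF-8; confirm.
?>
<form name = "auth" action="mod_user_entry.php" onSubmit = "encrypt(document.auth)" method="post">
<table align="center" border="0" width="90%">
<tbody>
<tr>
<td width="27%">Login : </td>
<td width="73%" colspan="2"><tt><strong><?php echo htmlspecialchars((string) $user[0]["uid"], ENT_QUOTES, 'UTF-8')?></strong></tt></td>
</tr>
<tr>
<td width="27%">Prénom : </td>
<td width="73%" colspan="2"><input type="text" name="prenom" value="<?php echo htmlspecialchars((string) $user[0]['prenom'], ENT_QUOTES, 'UTF-8');?>" size="20"></td>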
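// Login handler: purifies the posted fields, decodes the authentication string and
// checks source IP and lifetime before opening the session.
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
// Purify the posted variables
if (isset($_POST['login'])) $login=$purifier->purify(trim($_POST['login'])); else $login="" ;
if (isset($_POST['dummy'])) $dummy=$purifier->purify($_POST['dummy']); else $dummy="" ;
if (isset($_POST['string_auth'])) $string_auth=$purifier->purify($_POST['string_auth']); else $string_auth="" ;
if (isset($_POST['time'])) $time=$purifier->purify($_POST['time']); else $time="" ;
if (isset($_POST['client_ip'])) $client_ip=$purifier->purify($_POST['client_ip']); else $client_ip="" ;
if (isset($_POST['timestamp'])) $timestamp=$purifier->purify($_POST['timestamp']); else $timestamp="" ;
if (isset($_GET['error'])) $error=$purifier->purify($_GET['error']);
}
if ($login) {
    // Server-side decoding of the authentication string with a private key, then
    // extraction of the parameters: password | source IP | timestamp | wait time.
    // The result is padded to four fields so a short or undecodable string yields
    // empty fields instead of undefined offsets.
    // NOTE(review): the split is on the first three "|", so a password containing
    // "|" would shift the remaining fields; confirm how the client encodes it.
    // NOTE(review): timestamp and wait time are taken from the client-built string;
    // confirm the server can tell them apart from values it issued itself.
    $parts = preg_split ("/[\|]/",decodekey($string_auth),4);
    $tmp = array_pad(is_array($parts) ? $parts : array(), 4, '');
    $pass = $tmp[0];
    $ip_src = $tmp[1];
    $timestamp = $tmp[2];
    $timewait = $tmp[3];
    // Cast before adding: a non-numeric field would otherwise raise an error in the sum.
    $timetotal= (int) $timewait + (int) $timestamp + $MaxLifeTime;
    // Check the source IP and the timestamp.
    // Both conditions are evaluated once and the clock is read once. The original
    // chain tested "<" and ">" separately, so a source-IP mismatch at exactly
    // time() == $timetotal matched none of the first three branches and reached
    // open_session(); it is now reported as error 1.
    $now = time();
    $ip_mismatch = ( $ip_src != remote_ip() );
    $expired = ( $now > $timetotal );
    if ( $ip_mismatch && !$expired ) {
        $error = 1; // wrong source IP, lifetime still valid
    } elseif ( $expired && !$ip_mismatch ) {
        $error = 2; // lifetime exceeded, source IP correct
    } elseif ( $ip_mismatch && $expired ) {
        $error = 3; // wrong source IP and lifetime exceeded
    } elseif ( !open_session( mb_strtolower($login), $pass, $string_auth) ) {
        $error = 4; // open_session() refused the login
    }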
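// End of the previous request branch: report its result code and stop.
} else $cr='NOK';
// Post CR report
echo $cr;
exit;
}
// Check password account: runs when the three encrypted password fields were posted
// and $string_login is set.
if ( isset($_POST['string_old_mdp']) && (isset($_POST['string_new_mdp'])) && (isset($_POST['string_renew_mdp'])) && (isset($string_login)) ) {
    // Must return "OK" if succes, "NOK" if unsucces and "ERROR" if system error
    $login = $string_login;
    // Decode crypt string
    $old_password = decodekey($string_old_mdp);
    $new_password = decodekey($string_new_mdp);
    $verif_password = decodekey($string_renew_mdp);
    // The new password must pass verifPwd(), match its confirmation, differ from the
    // current one, and the current one must be valid for the account.
    // The comparisons are strict string comparisons: with == / !=, two different
    // numeric-looking strings (for example "1e3" and "1000") compare as equal.
    if ( verifPwd($new_password)
        && ((string) $new_password === (string) $verif_password)
        && (user_valid_passwd ( $string_login, $old_password ))
        && ((string) $new_password !== (string) $old_password)
    ) {
        if ( userChangedPwd($string_login, $new_password, $old_password ) ) {
            $cr1='OK';
            // Verify if the database password of the user must change: close the
            // current handle, try to connect as the user with the new password, and
            // run the reset script when that connection reports an error.
            @((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
            @($GLOBALS["___mysqli_ston"] = mysqli_connect("localhost", $login, $new_password ));
            // NOTE(review): $passwd is not assigned anywhere in the visible code, while
            // the new password is held in $new_password; confirm which one is meant.
            // NOTE(review): a password passed as a command-line argument is visible
            // in the process list while the script runs.
            if ( ((is_object($GLOBALS["___mysqli_ston"])) ? mysqli_error($GLOBALS["___mysqli_ston"]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : false)) )
                exec ( escapeshellarg("$scriptsbinpath/mysqlPasswInit.pl")." ". escapeshellarg($login) ." ". escapeshellarg($passwd) );
            @((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
        } else $cr1='NOK';
    } else $cr1='NOK';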