         // getting converted (e.g. \r\n to \n).
         $val = base64_encode(serialize($message[$var]));
         if ($spec[pf_SIGNED]) {
             $signval = $val;
         }
     } else {
         $val = htmlspecialchars($message[$var], ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]);
         if ($spec[pf_SIGNED]) {
             $signval = $message[$var];
         }
     }
     if ($spec[pf_READONLY] || $spec[pf_HIDDEN]) {
         $hidden .= '<input type="hidden" name="' . $var . '" ' . 'value="' . $val . "\" />\n";
     }
     if ($signval !== NULL) {
         $signature = phorum_generate_data_signature($signval);
         $hidden .= '<input type="hidden" name="' . $var . ':signature" ' . 'value="' . htmlspecialchars($signature, ENT_COMPAT, $PHORUM["DATA"]["HCHARSET"]) . "\" />\n";
     }
 }
 // Hand the hidden input fields collected above to the template via POST_VARS.
 $PHORUM['DATA']['POST_VARS'] = $PHORUM['DATA']['POST_VARS'] . $hidden;
 // Process data for XSS prevention.
 foreach ($message as $var => $val) {
     // The meta information should not be used in templates, because
     // nothing is escaped here. But we might want to use the data in
     // mods which are run after this code. We continue here, so the
     // data won't be stripped from the message data later on.
     if ($var == "meta") {
         continue;
     }
     // This one is filled from the language file, so there's no need
     // to run htmlspecialchars on this one.
            phorum_redirect_by_url($PHORUM['http_path']);
        } elseif (!empty($_POST['continue'])) {
            if (!empty($_POST['target'])) {
                $url = phorum_admin_build_url($_POST['target']);
            } else {
                $url = phorum_admin_build_url('');
            }
            phorum_redirect_by_url($url);
        }
        exit;
    }
}
// No token present, or the one we had has expired: mint a fresh one.
$admin_token_time = time();
// NOTE(review): the inputs mixed in here (user id, microtime(), username,
// session id) are not secret by themselves; the token's unpredictability
// rests on phorum_generate_data_signature() keying them with a secret —
// confirm that is what it does.
$admin_token = phorum_generate_data_signature(implode('', array(
    $PHORUM['user']['user_id'],
    microtime(),
    $PHORUM['user']['username'],
    $PHORUM['user']['sessid_st'],
)));
phorum_api_user_save_settings(array(
    'admin_token_time' => $admin_token_time,
    'admin_token'      => $admin_token,
));
$PHORUM['admin_token'] = $admin_token;

// Copies of the request data with the routing keys ("module" and
// "phorum_admin_token") stripped. When nothing else was submitted, the
// requested admin page can be loaded without bothering the admin about
// the token timeout.
$post = array_diff_key($_POST, array('module' => 1, 'phorum_admin_token' => 1));
$get  = array_diff_key($_GET, array('module' => 1, 'phorum_admin_token' => 1));
if (empty($post) && empty($get)) {
    $module = '';
    if (isset($_POST['module'])) {
//   You should have received a copy of the Phorum License                    //
//   along with this program.                                                 //
////////////////////////////////////////////////////////////////////////////////
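// don't allow this page to be loaded directly
if (!defined("PHORUM_ADMIN")) {
    exit;
}
include_once "./include/api/base.php";
include_once "./include/api/user.php";

// Handle an admin login attempt. Both credentials must be plain strings:
// a request such as "username[]=x" would otherwise reach trim() as an
// array (a TypeError on PHP 8). Such a request is treated as no login
// attempt at all.
if (isset($_POST["username"], $_POST["password"])
    && is_string($_POST["username"]) && is_string($_POST["password"])) {
    $user_id = phorum_api_user_authenticate(
        PHORUM_ADMIN_SESSION,
        trim($_POST["username"]),
        trim($_POST["password"])
    );
    if ($user_id
        && phorum_api_user_set_active_user(PHORUM_ADMIN_SESSION, $user_id)
        && phorum_api_user_session_create(PHORUM_ADMIN_SESSION)) {
        // Login succeeded: issue a fresh admin token for this user and
        // persist it together with the user's settings.
        $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token_time'] = time();
        // NOTE(review): user id, time() and username are all guessable; the
        // token's unpredictability rests on phorum_generate_data_signature()
        // keying this input with a secret — confirm.
        $sig_data = $GLOBALS["PHORUM"]["user"]['user_id'] . time() . $GLOBALS["PHORUM"]["user"]['username'];
        $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token'] = phorum_generate_data_signature($sig_data);
        $GLOBALS["PHORUM"]['admin_token'] = $GLOBALS["PHORUM"]["user"]['settings_data']['admin_token'];
        $tmp_user = array(
            'user_id'       => $GLOBALS["PHORUM"]["user"]['user_id'],
            'settings_data' => $GLOBALS["PHORUM"]["user"]['settings_data'],
        );
        phorum_api_user_save($tmp_user);

        // Send the admin on to the page originally requested, or to the
        // admin front page. "target" comes straight from the request, so
        // phorum_admin_build_url() is relied on to keep the redirect inside
        // the admin area (TODO confirm against that function).
        $target = empty($_POST["target"]) ? '' : $_POST["target"];
        phorum_redirect_by_url(phorum_admin_build_url($target));
        exit;
    } else {
        // Give modules listening on the failed_login hook a chance to act
        // on the failed attempt.
        phorum_hook("failed_login", array(
            "username" => $_POST["username"],
            "password" => $_POST["password"],
            "location" => "admin",
        ));
    }
}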