</td> </tr> <?php $configuration = $db->Execute("select configuration_id, configuration_title, configuration_value, configuration_key,\r\n use_function from " . TABLE_CONFIGURATION . "\r\n where configuration_group_id = '" . (int) $gID . "'\r\n order by sort_order"); while (!$configuration->EOF) { if (zen_not_null($configuration->fields['use_function'])) { $use_function = $configuration->fields['use_function']; if (ereg('->', $use_function)) { $class_method = explode('->', $use_function); if (!is_object(${$class_method[0]})) { include DIR_WS_CLASSES . $class_method[0] . '.php'; ${$class_method[0]} = new $class_method[0](); } $cfgValue = zen_call_function($class_method[1], $configuration->fields['configuration_value'], ${$class_method[0]}); } else { $cfgValue = zen_call_function($use_function, $configuration->fields['configuration_value']); } } else { $cfgValue = $configuration->fields['configuration_value']; } if ((!isset($_GET['cID']) || isset($_GET['cID']) && $_GET['cID'] == $configuration->fields['configuration_id']) && !isset($cInfo) && substr($action, 0, 3) != 'new') { $cfg_extra = $db->Execute("select configuration_key, configuration_description, date_added,\r\n last_modified, use_function, set_function\r\n from " . TABLE_CONFIGURATION . "\r\n where configuration_id = '" . (int) $configuration->fields['configuration_id'] . "'"); $cInfo_array = array_merge($configuration->fields, $cfg_extra->fields); $cInfo = new objectInfo($cInfo_array); } if (isset($cInfo) && is_object($cInfo) && $configuration->fields['configuration_id'] == $cInfo->configuration_id) { echo ' <tr id="defaultSelected" class="dataTableRowSelected" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href=\'' . zen_href_link(FILENAME_CONFIGURATION, 'gID=' . $_GET['gID'] . '&cID=' . $cInfo->configuration_id . '&action=edit') . '\'">' . "\n"; } else { echo ' <tr class="dataTableRow" onmouseover="rowOverEffect(this)" onmouseout="rowOutEffect(this)" onclick="document.location.href=\'' . zen_href_link(FILENAME_CONFIGURATION, 'gID=' . $_GET['gID'] . '&cID=' . $configuration->fields['configuration_id'] . '&action=edit') . '\'">' . "\n"; } ?>
if ($mInfo->status == '1') { $keys = ''; reset($mInfo->keys); while (list(, $value) = each($mInfo->keys)) { $keys .= '<b>' . $value['title'] . '</b><br>'; if ($value['use_function']) { $use_function = $value['use_function']; if (preg_match('/->/', $use_function)) { $class_method = explode('->', $use_function); if (!is_object(${$class_method[0]})) { include DIR_WS_CLASSES . $class_method[0] . '.php'; ${$class_method[0]} = new $class_method[0](); } $keys .= zen_call_function($class_method[1], $value['value'], ${$class_method[0]}); } else { $keys .= zen_call_function($use_function, $value['value']); } } else { $keys .= $value['value']; } $keys .= '<br><br>'; } if (ADMIN_CONFIGURATION_KEY_ON == 1) { $contents[] = array('text' => '<strong>Key: ' . $mInfo->code . '</strong><br />'); } $keys = substr($keys, 0, strrpos($keys, '<br><br>')); if (!(!$is_ssl_protected && in_array($mInfo->code, array('paypaldp', 'linkpoint_api', 'authorizenet_aim', 'authorizenet_echeck')))) { $contents[] = array('align' => 'center', 'text' => '<a href="' . zen_href_link(FILENAME_MODULES, 'set=' . $set . (isset($_GET['module']) ? '&module=' . $_GET['module'] : '') . '&action=edit', 'NONSSL') . '">' . zen_image_button('button_edit.gif', IMAGE_EDIT, 'name="editButton"') . '</a>'); } else { $contents[] = array('align' => 'center', 'text' => TEXT_WARNING_SSL_EDIT); }
/** * Verify login according to security requirements * @param $admin_name * @param $admin_pass */ function zen_validate_user_login($admin_name, $admin_pass) { global $db; $camefrom = isset($_GET['camefrom']) ? $_GET['camefrom'] : FILENAME_DEFAULT; $error = $expired = false; $message = $redirect = ''; $expired_token = 0; $result = zen_read_user($admin_name); if (!isset($result) || $result == FALSE || $admin_name != $result['admin_name']) { // invalid login $error = true; $message = ERROR_WRONG_LOGIN; zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning'); } else { if ($result['lockout_expires'] > time()) { // account locked $error = true; $message = ERROR_SECURITY_ERROR; // account locked. Simply give generic error, since otherwise we alert that the account name is correct zen_record_admin_activity(TEXT_ERROR_ATTEMPTED_TO_LOG_IN_TO_LOCKED_ACCOUNT . ' ' . $admin_name, 'warning'); } if ($result['reset_token'] != '') { list($expired_token, $token) = explode('}', $result['reset_token']); if ($expired_token > 0) { if ($expired_token <= time() && $result['admin_pass'] != '') { // reset the reset_token field to blank, since token has expired $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: "; $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string'); $db->Execute($sql); $expired = false; } else { if (!zen_validate_password($admin_pass, $token)) { $error = true; $message = ERROR_WRONG_LOGIN; zen_record_admin_activity(sprintf(TEXT_ERROR_INCORRECT_PASSWORD_DURING_RESET_FOR_USER) . ' ' . $admin_name, 'warning'); } else { $error = true; $expired = true; $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED; } } } } if ($result['admin_pass'] == '') { $error = true; $expired = true; $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED; } else { $token = $result['admin_pass']; if (!zen_validate_password($admin_pass, $token)) { $error = true; if (!$expired) { $message = ERROR_WRONG_LOGIN; zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning'); } } } if (password_needs_rehash($token, PASSWORD_DEFAULT)) { $token = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInAdminPassword($admin_pass, $admin_name); } // BEGIN 2-factor authentication if ($error == FALSE && defined('ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE') && ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE != '') { if (function_exists(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE)) { $response = zen_call_function(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE, array($result['admin_id'], $result['admin_email'], $result['admin_name'])); if ($response !== TRUE) { $error = TRUE; $message = ERROR_WRONG_LOGIN; zen_record_admin_activity('TFA Failure - Two-factor authentication failed', 'warning'); } elseif ($response === TRUE) { zen_record_admin_activity('TFA Passed - Two-factor authentication passed', 'warning'); } } } } // BEGIN LOGIN SLAM PREVENTION if ($error == TRUE) { if (!isset($_SESSION['login_attempt'])) { $_SESSION['login_attempt'] = 0; } $_SESSION['login_attempt']++; $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = failed_logins + 1, last_failed_attempt = now(), last_failed_ip = :ip: WHERE admin_name = :adminname: "; $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string'); $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string'); $db->Execute($sql); if (($_SESSION['login_attempt'] > 3 || $result['failed_logins'] > 3) && isset($result['admin_email']) && $result['admin_email'] != '' && ADMIN_SWITCH_SEND_LOGIN_FAILURE_EMAILS == 'Yes') { $html_msg['EMAIL_CUSTOMERS_NAME'] = $result['admin_name']; $html_msg['EMAIL_MESSAGE_HTML'] = sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']); zen_record_admin_activity(sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), 'warning'); zen_mail($result['admin_name'], $result['admin_email'], TEXT_EMAIL_SUBJECT_LOGIN_FAILURES, sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), STORE_NAME, EMAIL_FROM, $html_msg, 'no_archive'); } if ($expired_token < 10000) { if ($_SESSION['login_attempt'] > 6 || $result['failed_logins'] > 6) { $sql = "UPDATE " . TABLE_ADMIN . " SET lockout_expires = " . (time() + ADMIN_LOGIN_LOCKOUT_TIMER) . " WHERE admin_name = :adminname: "; $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string'); $db->Execute($sql); zen_session_destroy(); zen_record_admin_activity('Too many login failures. Account locked for ' . ADMIN_LOGIN_LOCKOUT_TIMER / 60 . ' minutes', 'warning'); sleep(15); $redirect = zen_href_link(FILENAME_DEFAULT, '', 'SSL'); return array($error, $expired, $message, $redirect); } else { sleep(4); } } } // END LOGIN SLAM PREVENTION // deal with expireds for SSL change if ($error == FALSE && $result['pwd_last_change_date'] == '1990-01-01 14:02:22') { $expired = true; $error = true; $message = ($message == '' ? '' : $message . '<br /><br />') . EXPIRED_DUE_TO_SSL; } // deal with expireds for PA-DSS if ($error == FALSE && PADSS_PWD_EXPIRY_ENFORCED == 1 && $result['pwd_last_change_date'] < date('Y-m-d H:i:s', ADMIN_PASSWORD_EXPIRES_INTERVAL)) { $expired = true; $error = true; } if ($error == false) { unset($_SESSION['login_attempt']); $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = 0, lockout_expires = 0, last_login_date = now(), last_login_ip = :ip: WHERE admin_name = :adminname: "; $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string'); $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string'); $db->Execute($sql); $_SESSION['admin_id'] = $result['admin_id']; if (SESSION_RECREATE == 'True') { zen_session_recreate(); } $redirect = zen_href_link($camefrom, zen_get_all_get_params(array('camefrom')), 'SSL'); } return array($error, $expired, $message, $redirect); }