/** * Grab post data, but only if the CSRF token is valid * * @param InputFilterContainer $filterContainer - Type filter for POST data * @param bool $ignoreCSRFToken - Don't validate CSRF tokens * * @return array|bool * @throws SecurityAlert */ protected function post(InputFilterContainer $filterContainer = null, bool $ignoreCSRFToken = false) { if ($this->airship_http_method !== 'POST' || empty($_POST)) { return false; } if ($ignoreCSRFToken) { if ($filterContainer) { try { return $filterContainer($_POST); } catch (\TypeError $ex) { $this->log('Input validation threw a TypeError', LogLevel::ALERT, \Airship\throwableToArray($ex)); return false; } } return $_POST; } if ($this->airship_csrf->check()) { if ($filterContainer) { try { return $filterContainer($_POST); } catch (\TypeError $ex) { $this->log('Input validation threw a TypeError', LogLevel::ALERT, \Airship\throwableToArray($ex)); return false; } } return $_POST; } $state = State::instance(); if ($state->universal['debug']) { // This is only thrown during development, to be noisy. throw new SecurityAlert(\__('CSRF validation failed')); } $this->log('CSRF validation failed', LogLevel::ALERT); return false; }
public function before() { parent::before(); if (!CSRF::check()) { throw new ApplicationException("Cross site request forgery.", 403); } // Set base title $this->template->title = array('Hacker Tees'); $this->template->section = NULL; }
<div class="contents"> <h1>Indi</h1> <p>Make a standalone Lobby app.</p> <h2>Config</h2> <?php $appID = Request::postParam("appID"); if ($appID !== null && CSRF::check()) { if ($appID === "") { $this->removeData("appID"); } else { $this->saveData("appID", $appID); } echo sss("Saved", "Settings has been saved."); } $appID = $this->getData("appID"); ?> <form action="<?php echo Lobby::u("/admin/app/indi"); ?> " method="POST"> <label> <span>App ID</span> <select name="appID"> <option value="">Choose App:</option> <?php foreach (Lobby\Apps::getEnabledApps() as $app) { echo "<option value='{$app}' " . ($appID === $app ? "selected='selected'" : "") . ">{$app}</option>"; } ?> </select> </label>
$some_name = session_name("JBIMSAdmission"); session_start(); } include dirname(__FILE__) . '/config/config.php'; include dirname(__FILE__) . '/config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include dirname(__FILE__) . '/language/' . $language[$_GET['lang']] . '.php'; } else { include dirname(__FILE__) . '/language/en.php'; } $useremail = strip_tags(trim($_POST["useremail"])); $verification = strip_tags(trim($_POST["captcha"])); $finaluseremail = htmlspecialchars($useremail, ENT_QUOTES, 'UTF-8'); $finalverification = htmlspecialchars($verification, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('resend-form')) { echo $lang['resend_activation_token_wrong_security_token']; } else { $datetime = date("Y-m-d H:i:s"); $searchblock = mysql_query("SELECT login_system_email_activation_status, login_system_email_activation_attempts, login_system_email_activation_blocked_time FROM " . $mysqltable_name_4 . " WHERE login_system_email_activation_useremail = '" . mysql_real_escape_string($finaluseremail) . "'"); $resultblock = mysql_num_rows($searchblock); $blockResult = mysql_fetch_array($searchblock); if ($SMTP == true) { if ($mysql == true) { if ($blockResult['login_system_email_activation_status'] == 0) { if ($datetime > $blockResult['login_system_email_activation_blocked_time']) { $search = mysql_query("SELECT * FROM " . $mysqltable_name_4 . " WHERE login_system_email_activation_useremail = '" . mysql_real_escape_string($finaluseremail) . "'"); $result = mysql_num_rows($search); $searchuser = mysql_query("SELECT f_name, l_name, application_id FROM " . $mysqltable_name_1 . " WHERE email_id = '" . mysql_real_escape_string($finaluseremail) . "'"); $resultusercount = mysql_num_rows($searchuser); $resultuser = mysql_fetch_array($searchuser);
<?php require "../../../../load.php"; $file = \Request::postParam('cx74e9c6a45', ''); $appID = \Request::postParam('s7c8csw91', ''); if ($file != "" && CSRF::check()) { if ($appID !== "") { $App = new \Lobby\Apps($appID); if ($App->exists && $App->enabled) { $AppClass = $App->run(); $html = $AppClass->page("/ajax/{$file}"); if ($html === "auto") { $html = $AppClass->inc("/src/ajax/{$file}"); } echo $html; } } else { if (\Lobby\FS::exists($file)) { require_once \Lobby\FS::loc($file); } else { echo "fileNotFound"; } } }
include '../csrf_protection/csrf-class.php'; if (!isset($_SESSION)) { $some_name = session_name("VedicaAdmission"); session_start(); } include '../config/config.php'; include '../config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include '../language/' . $language[$_GET['lang']] . '.php'; } else { include '../language/en.php'; } $update_username = strip_tags(trim_awesome($_POST["update_username"])); $update_finalusername = htmlspecialchars($update_username, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('update-username-form')) { echo $lang['update_username_wrong_security_token']; } else { $usersearch = mysql_query("SELECT * FROM " . $admission_users . " WHERE application_id = " . mysql_real_escape_string_awesome($update_finalusername) . ""); $userresult = mysql_num_rows($usersearch); $userquery = mysql_fetch_array($usersearch); if ($userquery && $userquery['login_system_registrations_user_id'] != $_SESSION['userLogin']) { echo $lang['update_username_already_taken']; } else { $update1 = "UPDATE " . $admission_users . " SET application_id = " . mysql_real_escape_string_awesome($update_finalusername) . " WHERE login_system_registrations_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . ""; $updatequery1 = mysql_query($update1); $update2 = "UPDATE " . $mysqltable_name_2 . " SET login_system_login_attempts_username = "******" WHERE login_system_login_attempts_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . ""; $updatequery2 = mysql_query($update2); $update3 = "UPDATE " . $mysqltable_name_3 . " SET login_system_forgot_password_username = "******" WHERE login_system_forgot_password_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . ""; $updatequery3 = mysql_query($update3); $update4 = "UPDATE " . $mysqltable_name_4 . " SET login_system_email_activation_username = "******" WHERE login_system_email_activation_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . "";
<?php $this->setTitle("New App"); ?> <div class="contents"> <h1>Add App</h1> <?php $app_info = array("id" => \Request::get("app_id"), "name" => \Request::get("app_name"), "git_url" => \Request::get("app_download"), "requires" => \Request::get("app_requires"), "short_description" => \Request::get("app_short_description"), "description" => \Request::get("app_description"), "category" => \Request::get("app_category"), "sub_category" => \Request::get("app_sub_category"), "version" => \Request::get("app_version"), "page" => \Request::get("app_page"), "author_id" => \Request::get("author_id")); if (isset($_POST['app_id']) && array_search(null, $app_info) === false && CSRF::check()) { $apps_sql = \Lobby\DB::getDBH()->prepare("SELECT COUNT(1) FROM `apps` WHERE `id` = ?"); $apps_sql->execute(array($app_info['id'])); if ($apps_sql->fetchColumn() != 0) { ser("App Exists", "Hmmm... Looks like the App ID you submitted already exists either on App Center Or in the App Queue. " . \Lobby::l("/apps/{$app_info['id']}", "See Existing App")); } else { $app_info["logo"] = isset($_POST["app_logo"]) ? "1" : "0"; $lobby_web = isset($_POST['app_lobby_web']) ? 1 : 0; $sql = \Lobby\DB::getDBH()->prepare("INSERT INTO `apps` (`id`, `name`, `version`, `logo`, `requires`, `git_url`, `description`, `short_description`, `category`, `sub_category`, `app_page`, `author`, `lobby_web`, `updated`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW());"); $sql->execute(array($app_info['id'], $app_info['name'], $app_info['version'], $app_info['logo'], $app_info['requires'], $app_info['git_url'], $app_info['description'], $app_info['short_description'], $app_info['category'], $app_info['sub_category'], $app_info['page'], $app_info['author_id'], $lobby_web)); require_once __DIR__ . "/../../inc/LobbyGit.php"; $LG = new LobbyGit($app_info["id"], $app_info["git_url"]); $LG->register(); sss("App Added", "App was added to the repository"); } } ?> <form action="<?php echo \Lobby::u(); ?> " method="POST"> <label> <span>App ID</span>
} include dirname(__FILE__) . '/config/config.php'; include dirname(__FILE__) . '/config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include dirname(__FILE__) . '/language/' . $language[$_GET['lang']] . '.php'; } else { include dirname(__FILE__) . '/language/en.php'; } $user_name = strip_tags(trim_awesome($_POST["username"])); $password = strip_tags(trim_awesome($_POST["password"])); $verification = strip_tags(trim_awesome($_POST["captcha"])); $finalusername = htmlspecialchars($user_name, ENT_QUOTES, 'UTF-8'); $finalpassword = htmlspecialchars($password, ENT_QUOTES, 'UTF-8'); $finalverification = htmlspecialchars($verification, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('login-form')) { echo $lang['login_wrong_security_token']; } else { $datetime = date("Y-m-d H:i:s"); $userInfo = mysql_query("SELECT login_system_registrations_user_id, application_id, password, salt FROM " . $admission_users . " WHERE application_id = " . mysql_real_escape_string_awesome($finalusername) . ""); $userQuery = mysql_num_rows($userInfo); $userSql = mysql_fetch_array($userInfo); $userstatus = mysql_query("SELECT login_system_email_activation_status FROM " . $mysqltable_name_4 . " WHERE login_system_email_activation_username = "******""); $userselect = mysql_num_rows($userstatus); $userresult = mysql_fetch_array($userstatus); $infoUser = mysql_query("SELECT login_system_login_attempts_attempts, login_system_login_attempts_blocked_time FROM " . $mysqltable_name_2 . " WHERE login_system_login_attempts_username = "******""); $queryUser = mysql_num_rows($infoUser); $sqlUser = mysql_fetch_array($infoUser); if ($userQuery == 1) { if ($userresult['login_system_email_activation_status'] == 1) { if ($datetime > $sqlUser['login_system_login_attempts_blocked_time']) {
include '../csrf_protection/csrf-class.php'; if (!isset($_SESSION)) { $some_name = session_name("VedicaAdmission"); session_start(); } include '../config/config.php'; include '../config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include '../language/' . $language[$_GET['lang']] . '.php'; } else { include '../language/en.php'; } $update_email = strip_tags(trim_awesome($_POST["update_email"])); $update_finalemail = htmlspecialchars($update_email, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('update-email-form')) { echo $lang['update_email_wrong_security_token']; } else { $emailsearch = mysql_query("SELECT * FROM " . $admission_users . " WHERE email_id = " . mysql_real_escape_string_awesome($update_finalemail) . ""); $emailresult = mysql_num_rows($emailsearch); $emailquery = mysql_fetch_array($emailsearch); if ($emailquery && $emailquery['login_system_registrations_user_id'] != $_SESSION['userLogin']) { echo $lang['update_email_already_taken']; } else { $update1 = "UPDATE " . $admission_users . " SET email_id = " . mysql_real_escape_string_awesome($update_finalemail) . " WHERE login_system_registrations_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . ""; $updatequery1 = mysql_query($update1); $update2 = "UPDATE " . $mysqltable_name_3 . " SET login_system_forgot_password_useremail = " . mysql_real_escape_string_awesome($update_finalemail) . " WHERE login_system_forgot_password_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . ""; $updatequery2 = mysql_query($update2); $update3 = "UPDATE " . $mysqltable_name_4 . " SET login_system_email_activation_useremail = " . mysql_real_escape_string_awesome($update_finalemail) . " WHERE login_system_email_activation_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . ""; $updatequery3 = mysql_query($update3); if ($updatequery1 && $updatequery2 && $updatequery3) {
echo sss("Removed", "The App <b>{$displayID}</b> was successfully removed."); } else { if ($action === "clear-data" && CSRF::check()) { if ($App->clearData()) { echo sss("Cleared Data", "The data of <b>{$displayID}</b> was successfully cleared from the database."); } } else { if ($appID != null && $action == null && CSRF::check()) { ?> <h1>Install App</h1> <p>The install progress will be displayed below. If this doesn't work, try the <?php echo \Lobby::l("/admin/install-app.php?app={$appID}&do=alternate-install" . CSRF::getParam(), "alternate install"); ?> .</p> <?php if (isset($_GET["do"]) && $_GET["do"] === "alternate-install" && CSRF::check()) { ?> <iframe src="<?php echo L_URL . "/admin/download.php?type=app&app={$appID}" . CSRF::getParam(); ?> " style="border: 0;width: 100%;height: 300px;"></iframe> <?php } else { ?> <ul id="appInstallationProgress" class="collection"></ul> <script> lobby.load(function(){ lobby.installApp("<?php echo $appID; ?> ", $("#appInstallationProgress"));
<?php require "../../../../load.php"; if (isset($_POST['key']) && isset($_POST['value']) && CSRF::check()) { $key = urldecode($_POST['key']); $val = urldecode($_POST['value']); if (!saveOption($key, $val)) { echo "bad"; } else { echo "good"; } } else { echo "fieldsMissing"; }
header('Cache-Control: no-cache'); $appID = Request::get("app"); $type = Request::get("type"); $isUpdate = Request::get("isUpdate") !== null; // Turn off output buffering ini_set('output_buffering', 'off'); // Turn off PHP output compression ini_set('zlib.output_compression', false); //Flush (send) the output buffer and turn off output buffering //ob_end_flush(); while (@ob_end_flush()) { } // Implicitly flush the buffer(s) ini_set('implicit_flush', true); ob_implicit_flush(true); if (CSRF::check() === false) { exit; } if ($type == "app") { $app = \Lobby\Server::store(array("get" => "app", "id" => $appID)); if ($app == "false") { echo "Error - App '<b>{$appID}</b>' does not exist in Lobby."; exit; } $name = $app['name']; } else { $name = "Lobby {$appID}"; } $GLOBALS['name'] = $name; ?> <p>
<?php \Hooks::doAction("admin.head.begin"); \Response::head("Change Settings"); ?> </head> <body> <?php \Hooks::doAction("admin.body.begin"); ?> <div id="workspace"> <div class="contents"> <?php if (isset($_GET['updated']) && CSRF::check()) { echo sss("Updated", "Lobby was successfully updated to Version <b>" . \Lobby::$version . "</b> from the old " . htmlspecialchars($_GET['oldver']) . " version."); } if (isset($_POST['update_settings']) && \CSRF::check()) { /** * Sadly, PHP supports GMT+ and not UTC+ */ $time_zone = $_POST['timezone']; if ($time_zone === "") { Lobby\DB::saveOption("lobby_timezone", "UTC"); \Lobby\Time::loadConfig(); } else { if (@date_default_timezone_set($time_zone)) { Lobby\DB::saveOption("lobby_timezone", $time_zone); \Lobby\Time::loadConfig(); } else { echo ser("Invalid Timezone", "Your PHP server doesn't support the timezone " . htmlspecialchars($time_zone)); } }
<?php include '../csrf_protection/csrf-token.php'; include '../csrf_protection/csrf-class.php'; if (!isset($_SESSION)) { $some_name = session_name("VedicaAdmission"); session_start(); } include '../config/config.php'; include '../config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include '../language/' . $language[$_GET['lang']] . '.php'; } else { include '../language/en.php'; } $update_firstname = strip_tags(trim_awesome($_POST["update_firstname"])); $update_lastname = strip_tags(trim_awesome($_POST["update_lastname"])); $update_finalfirstname = htmlspecialchars($update_firstname, ENT_QUOTES, 'UTF-8'); $update_finallastname = htmlspecialchars($update_lastname, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('update-account-form')) { echo $lang['update_account_wrong_security_token']; } else { $update1 = "UPDATE " . $admission_users . " SET f_name = " . mysql_real_escape_string_awesome($update_finalfirstname) . ", l_name = " . mysql_real_escape_string_awesome($update_finallastname) . " WHERE login_system_registrations_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . ""; $updatequery1 = mysql_query($update1); if ($updatequery1) { echo $lang['update_account_successful']; } else { echo $lang['update_account_unsuccessful']; } }
/** * Give warning when using SQLite on a web server */ echo "<a class='btn red' href='?step=3&db_type=sqlite" . CSRF::getParam() . "'>SQLite</a><p style='color:red;'>WARNING<br/>It is very unsafe to use SQLite on a non localhost server</p>"; } } else { echo "<a class='btn disabled'>SQLite Not Available</a><p>Lobby Requires SQLite version atleast 3.8</p>"; } ?> </td> </tr> </tbody> </table> <?php } else { if ($install_step === "3" && CSRF::check()) { $db_type = Request::get("db_type"); /** * We call it again, so that the user had already went through the First Step */ if (\Lobby\Install::step1() === false) { // The stuff mentioned in step 1 hasn't been done } else { if (isset($_POST['submit'])) { if ($db_type === "mysql") { $dbhost = \Request::postParam('dbhost', ""); $dbport = \Request::postParam('dbport', ""); $dbname = \Request::postParam('dbname', ""); $username = \Request::postParam('dbusername', ""); $password = \Request::postParam('dbpassword', ""); $prefix = \Request::postParam('prefix', "");
?> <div class="contents"> <?php if ($app_edit && isset($_GET['update']) && !isset($_GET['app-updated'])) { require_once $this->dir . "/src/inc/LobbyGit.php"; $lg = new \LobbyGit($AppID, $app_info['git_url']); $lg->update(); Response::redirect("/me/app/{$AppID}?app-updated"); } if (isset($_POST['app_name'])) { $app_info_required = array("id" => $app_edit ? $path[3] : \Request::get("app_id"), "name" => \Request::get("app_name"), "git_url" => \Request::get("app_src"), "description" => \Request::get("app_description"), "category" => \Request::get("app_category"), "sub_category" => \Request::get("app_sub_category"), "app_page" => \Request::get("app_page")); $app_info = array_merge($app_info, $app_info_required); $app_info["lobby_web"] = isset($_POST["app_lobby_web"]) ? "1" : "0"; $app_info["logo"] = isset($_POST["app_logo"]) ? "1" : "0"; } if (isset($_POST['app_name']) && CSRF::check() && array_search(null, $app_info_required) === false) { $apps_sql = \Lobby\DB::getDBH()->prepare("SELECT COUNT(1) FROM `apps` WHERE `id` = ?"); $apps_sql->execute(array($app_info['id'])); $queue_sql = \Lobby\DB::getDBH()->prepare("SELECT COUNT(1) FROM `apps_queue` WHERE `id` = ?"); $queue_sql->execute(array($app_info['id'])); if ($app_edit != true && ($queue_sql->fetchColumn() != 0 || $apps_sql->fetchColumn() != 0)) { ser("App Exists", "Hmmm... Looks like the App ID you submitted already exists either on App Center Or in the App Queue. " . \Lobby::l("/apps/{$app_info['id']}", "See Existing App")); } else { if ($app_edit != true && preg_match("/\\b(?:(?:https?|ftp):\\/\\/|www\\.)[-a-z0-9+&@#\\/%?=~_|!:,.;]*[-a-z0-9+&@#\\/%=~_|]/i", $app_info['git_url']) == 0) { ser("Invalid URL", "The app's source code URL you provided was invalid."); } else { if ($app_edit != true) { $sql = \Lobby\DB::getDBH()->prepare("INSERT INTO `apps_queue` (`id`, `name`, `src`, `description`, `category`, `sub_category`, `app_page`, `author`, `updated`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, NOW());"); $sql->execute(array($app_info['id'], $app_info['name'], $app_info['git_url'], $app_info['description'], $app_info['category'], $app_info['sub_category'], $app_info['app_page'], \Fr\LS2::$user)); $admin_access_token = \Fr\LS2::getUser("username", 1); require_once $this->dir . "/src/inc/open.auth.php";
switch ($action) { case "disable": echo sss("Disabled", "The App <strong>{$appIDEscaped}</strong> has been disabled."); break; case "disable-fail": echo ser("Error", "The App <strong>{$appIDEscaped}</strong> couldn't be disabled. Try again."); break; case "enable": echo sss("Enabled", "The App <strong>{$appIDEscaped}</strong> has been enabled."); break; case "enable-fail": echo ser("Error", "The App couldn't be enabled. Try again.", false); break; } } else { if ($action !== null && CSRF::check()) { if ($action === "remove") { /** * Do not show app info during confirmation */ $showAppInfo = false; echo sme("Confirm", "<p>Are you sure you want to remove the app <b>{$appIDEscaped}</b> ? This cannot be undone.</p>" . Lobby::l("/admin/install-app.php?action=remove&app={$appID}" . CSRF::getParam(), "Yes, I'm sure", "class='btn red'") . Lobby::l("/admin/apps.php?app={$appID}" . CSRF::getParam(), "No, I'm not", "class='btn blue' id='cancel'")); } else { if ($action === "clear-data") { $showAppInfo = false; echo sme("Confirm", "<p>Are you sure you want to clear the data of app <b>{$appIDEscaped}</b> ? This cannot be undone.</p>" . Lobby::l("/admin/install-app.php?action=clear-data&app={$appID}" . CSRF::getParam(), "Yes, I'm sure", "class='btn red'") . Lobby::l("/admin/apps.php?app={$appID}" . CSRF::getParam(), "No, I'm not", "class='btn blue' id='cancel'")); } } } } if ($showAppInfo) {
include dirname(__FILE__) . '/csrf_protection/csrf-class.php'; if (!isset($_SESSION)) { $some_name = session_name("VedicaAdmission"); session_start(); } include dirname(__FILE__) . '/config/config.php'; include dirname(__FILE__) . '/config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include dirname(__FILE__) . '/language/' . $language[$_GET['lang']] . '.php'; } else { include dirname(__FILE__) . '/language/en.php'; } $useremail = strip_tags(trim_awesome($_POST["useremail"])); $finaluseremail = htmlspecialchars($useremail, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('complete-social-register-form')) { echo $lang['complete_registration_wrong_security_token']; } else { if ($_SESSION['loginProviderID'] && $_SESSION['loginProviderDisplayName']) { $config = dirname(__FILE__) . '/hybridauth/config.php'; include dirname(__FILE__) . '/hybridauth/Hybrid/Auth.php'; try { $hybridauth = new Hybrid_Auth($config); $provider = @trim(strip_tags($_GET["provider"])); $adapter = $hybridauth->getAdapter($provider); $finalemailtoken = md5(uniqid(rand(), true)); $datetime = date("Y-m-d H:i:s"); $expiretokenemail = date("Y-m-d H:i:s", strtotime('+1 hour')); $duplicate = mysql_query("SELECT * FROM " . $mysqltable_name_5 . " WHERE login_system_register_social_networks_email = " . mysql_real_escape_string_awesome($finaluseremail) . ""); $result = mysql_num_rows($duplicate); if ($result == 0) {
$some_name = session_name("VedicaAdmission"); session_start(); } include dirname(__FILE__) . '/config/config.php'; include dirname(__FILE__) . '/config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include dirname(__FILE__) . '/language/' . $language[$_GET['lang']] . '.php'; } else { include dirname(__FILE__) . '/language/en.php'; } $useremail = strip_tags(trim_awesome($_POST["useremail"])); $verification = strip_tags(trim_awesome($_POST["captcha"])); $finaluseremail = htmlspecialchars($useremail, ENT_QUOTES, 'UTF-8'); $finalverification = htmlspecialchars($verification, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('forgot-form')) { echo $lang['forgot_wrong_security_token']; } else { $datetime = date("Y-m-d H:i:s"); $searchblock = mysql_query("SELECT login_system_forgot_password_attempts, login_system_forgot_password_blocked_time FROM " . $mysqltable_name_3 . " WHERE login_system_forgot_password_useremail = " . mysql_real_escape_string_awesome($finaluseremail) . ""); $resultblock = mysql_num_rows($searchblock); $blockResult = mysql_fetch_array($searchblock); $searchid = mysql_query("SELECT login_system_registrations_user_id FROM " . $admission_users . " WHERE email_id = " . mysql_real_escape_string_awesome($finaluseremail) . ""); $resultid = mysql_num_rows($searchid); $queryid = mysql_fetch_array($searchid); if ($SMTP == true) { if ($mysql == true) { if ($datetime > $blockResult['login_system_forgot_password_blocked_time']) { $search = mysql_query("SELECT application_id, f_name, l_name FROM " . $admission_users . " WHERE email_id = " . mysql_real_escape_string_awesome($finaluseremail) . ""); $result = mysql_num_rows($search); $resultInfo = mysql_fetch_array($search);
$useremail = strip_tags(trim($_GET["email"])); $passtoken = strip_tags(trim($_GET["token"])); $finaluseremail = htmlspecialchars($useremail, ENT_QUOTES, 'UTF-8'); $finalpasstoken = htmlspecialchars($passtoken, ENT_QUOTES, 'UTF-8'); $passtime = date("Y-m-d H:i:s"); $selectexpire = mysql_query("SELECT * FROM " . $mysqltable_name_3 . " WHERE login_system_forgot_password_token = '" . mysql_real_escape_string($finalpasstoken) . "' AND login_system_forgot_password_expire > '" . mysql_real_escape_string($passtime) . "'"); $resultexpire = mysql_num_rows($selectexpire); if ($resultexpire == 1) { $search = mysql_query("SELECT login_system_forgot_password_useremail, login_system_forgot_password_token FROM " . $mysqltable_name_3 . " WHERE login_system_forgot_password_useremail = '" . mysql_real_escape_string($finaluseremail) . "' AND login_system_forgot_password_token = '" . mysql_real_escape_string($finalpasstoken) . "'"); $result = mysql_num_rows($search); if ($result == 1) { $newpassword = strip_tags(trim($_POST["password"])); $newretypepassword = strip_tags(trim($_POST["retypepassword"])); $newfinalpass = htmlspecialchars($newpassword, ENT_QUOTES, 'UTF-8'); $newfinalretypepass = htmlspecialchars($newretypepassword, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('newpassword-form')) { echo $lang['new_password_wrong_security_token']; } else { include dirname(__FILE__) . '/php-pass-framework/PasswordHash.php'; $hasher = new PasswordHash(8, false); $finalsalt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); $newpassword = $hasher->HashPassword($newfinalpass . $finalsalt . $passwordsalt); $update = "UPDATE " . $mysqltable_name_1 . " SET password = '******', salt = '" . mysql_real_escape_string($finalsalt) . "' WHERE email_id = '" . mysql_real_escape_string($finaluseremail) . "'"; $updatequery = mysql_query($update); if ($updatequery) { echo $lang['new_password_successful']; } else { echo $lang['new_password_unsuccessful']; } } } else {
<?php $this->setTitle("Admin"); ?> <div class="contents"> <h1>Lobby Admin</h1> <?php echo \Lobby::l("/admin/app/lobby-server/new-app", "New App", "class='btn green' clear"); echo \Lobby::l("/admin/app/lobby-server/downloads", "Download Stats", "class='btn' clear"); echo \Lobby::l("https://lobby-subins.rhcloud.com/phpmyadmin", "Database", "class='btn red' clear target='_blank'"); echo \Lobby::l("/admin/app/lobby-server?clear-git-cache" . \CSRF::getParam(), "Clear Git Cache", "class='btn orange' clear"); if (isset($_GET["clear-git-cache"]) && \CSRF::check()) { \Lobby\DB::getDBH()->exec("TRUNCATE TABLE `git_cache`"); echo "<h2>cleared</h2>"; } ?> </div>
require_once __DIR__ . '/../includes/helpers.php'; require_once __DIR__ . '/../loader.php'; if (empty($_GET['id']) and empty($_GET['slug'])) { redirect_to("index.php"); } if (isset($_GET['id'])) { $p = Pics::getPic($_GET['id']); } else { $p = Pics::getBySlug($_GET['slug']); } $c = Comment::findComments($p->id); if (!$p) { redirect_to("index.php"); } if (isset($_POST['submit'])) { if (CSRF::check($_POST['token'])) { $author = htmlspecialchars($_POST['author']); $body = htmlspecialchars($_POST['body']); $comment = Comment::make($p->id, $author, $body); if ($comment) { $comment->create(); $msg = opmsg("Comment posted successfully and awaiting moderation!", "success"); } else { $msg = opmsg("Failed", "danger"); } } else { $msg = opmsg("Failed", "danger"); } } else { $author = ""; $body = "";
<?php use Fr\Process; $appID = \Request::postParam("id"); if (!CSRF::check()) { echo json_encode(array("statusID" => "error", "status" => "CSRF Token didn't match")); } else { if ($appID === null) { echo json_encode(array("statusID" => "error", "status" => "Invalid App ID")); } else { /** * A queue of App downloads */ $appInstallQueue = Lobby\DB::getJSONOption("lobby_app_downloads"); /** * If the $appID is in the queue, then give the download status of it * If the updated value is less than 20 seconds ago, then restart the download */ if (isset($appInstallQueue[$appID]) && $appInstallQueue[$appID]["updated"] > strtotime("-20 seconds")) { echo json_encode(array("statusID" => $appInstallQueue[$appID]["statusID"], "status" => $appInstallQueue[$appID]["status"])); } else { $appInfo = \Lobby\Server::store(array("get" => "app", "id" => $appID)); /** * App doesn't exist on Lobby Store */ if ($appInfo === "false") { echo json_encode(array("status" => "error", "error" => "App Doesn't Exist")); } else { $appName = $appInfo["name"]; $Process = new Process(Process::getPHPExecutable(), array("arguments" => array(L_DIR . "/admin/ajax/install-app-bg.php", \Lobby::getLID(), base64_encode(serialize($_SERVER)), $appID))); /**
include '../csrf_protection/csrf-class.php'; if (!isset($_SESSION)) { $some_name = session_name("VedicaAdmission"); session_start(); } include '../config/config.php'; include '../config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include '../language/' . $language[$_GET['lang']] . '.php'; } else { include '../language/en.php'; } $update_social_email = strip_tags(trim_awesome($_POST["update_social_useremail"])); $update_final_social_email = htmlspecialchars($update_social_email, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('update-social-account')) { echo $lang['update_social_account_wrong_security_token']; } else { $emailsearch = mysql_query("SELECT * FROM " . $mysqltable_name_5 . " WHERE login_system_register_social_networks_email = " . mysql_real_escape_string_awesome($update_final_social_email) . ""); $emailresult = mysql_num_rows($emailsearch); $emailquery = mysql_fetch_array($emailsearch); if ($emailquery && $emailquery['login_system_register_social_networks_provider_user_id'] != $_SESSION['loginProviderID']) { echo $lang['update_social_account_already_taken']; } else { $update1 = "UPDATE " . $mysqltable_name_5 . " SET login_system_register_social_networks_email = " . mysql_real_escape_string_awesome($update_final_social_email) . " WHERE login_system_register_social_networks_provider_user_id = " . mysql_real_escape_string_awesome($_SESSION['loginProviderID']) . ""; $updatequery1 = mysql_query($update1); if ($updatequery1) { echo $lang['update_social_account_successful']; } else { echo $lang['update_social_account_unsuccessful']; }
<?php if (isset($_POST['diary']) && CSRF::check()) { // Set name $this->saveData("name", $_POST['diary']); } ?> <div class="contents"> <h1>Diary</h1> <p style="font-style: italic;margin-bottom: 20px;">Saving memories of your life</p> <h2>Entries</h2> <p>Choose a date to view it's entry or <?php echo $this->l("/entry", "write today's", "class='btn'"); ?> </p> <div class="datepicker" style="margin: 10px auto;"></div> <?php if (isset($_POST['diary'])) { echo sss("Name Set", "Your diary's name has been set."); } ?> <h2>Name</h2> <form action="<?php echo \Lobby::u(); ?> " method="POST"> <p>Want to name your diary ?</p> <?php CSRF::getInput(); ?> <input type="text" name="diary" placeholder="Type name here... (Kitty, John)" value="<?php
if (!isset($_SESSION)) { $some_name = session_name("VedicaAdmission"); session_start(); } include '../config/config.php'; include '../config/functions.php'; $language = array('en' => 'en', 'pt' => 'pt'); if (isset($_GET['lang']) and array_key_exists($_GET['lang'], $language)) { include '../language/' . $language[$_GET['lang']] . '.php'; } else { include '../language/en.php'; } $update_password = strip_tags(trim_awesome($_POST["update_password"])); $update_retypepassword = strip_tags(trim_awesome($_POST["update_retypepassword"])); $update_finalpass = htmlspecialchars($update_password, ENT_QUOTES, 'UTF-8'); $update_finalretypepass = htmlspecialchars($update_retypepassword, ENT_QUOTES, 'UTF-8'); if (!CSRF::check('update-password-form')) { echo $lang['update_password_wrong_security_token']; } else { include '../php-pass-framework/PasswordHash.php'; $hasher = new PasswordHash(8, false); $finalsalt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); $newpassword = $hasher->HashPassword($update_finalpass . $finalsalt . $passwordsalt); $update = "UPDATE " . $admission_users . " SET password = "******", salt = " . mysql_real_escape_string_awesome($finalsalt) . " WHERE login_system_registrations_user_id = " . mysql_real_escape_string_awesome($_SESSION['userLogin']) . ""; $updatequery = mysql_query($update); if ($updatequery) { echo $lang['update_password_successful']; } else { echo $lang['update_password_unsuccessful']; } }
<?php require "../../../../load.php"; $app = Request::postParam('appID'); $key = Request::postParam('key'); $val = Request::postParam('value'); if ($app !== null && $key !== null && $val !== null && CSRF::check()) { $App = new Lobby\Apps($app); if (!$App->exists) { die("bad"); } var_dump($key); if (!$App->getInstance()->saveData($key, $val)) { die("bad"); } } else { echo "fieldsMissing"; }
Singleton::getInstance('Clockwork')->init(); // --- error handling if (!Config::getSetting('debug')) { error_reporting(0); ini_set('display_errors', false); } // --- sanitize if (Clockwork::isLibraryLoaded('sanitize') && Config::getSetting('sanitize_request')) { $_REQUEST = array(); $_GET = sanitize($_GET); $_POST = sanitize($_POST); } // --- CSRF if (Clockwork::isModuleLoaded('CSRF') && $_POST) { try { CSRF::check($_POST['CSRF-key']); } catch (Exception $e) { unset($_POST); $_POST = []; } } // --- locale if (Config::getSetting('locale', false)) { setlocale(LC_ALL, Config::getSetting('locale')); } // --- Login if (Clockwork::isModuleLoaded('Login') && !defined('CW_CRON') && !defined('CW_SKIP_LOGIN')) { new Login(); $_loginpage = Config::getSetting('login_loginpage', false, false) ? Config::getSetting('login_loginpage') : 'login/'; $_allowed = Config::getSetting('login_no_login', false, false) ? Config::getSetting('login_no_login') : []; $_allowed[] = $_loginpage;
} ?> <p> Looks like everything is ok. Hope you backed up Lobby installation & Database. <div clear></div> You can update now. </p> <?php echo \Lobby::l("/admin/update.php?step=2" . CSRF::getParam(), "Start Update", "clear class='btn green'"); } elseif ($step == 2) { $version = Lobby\DB::getOption("lobby_latest_version"); echo '<iframe src="' . L_URL . "/admin/download.php?type=lobby" . CSRF::getParam() . '" style="border: 0;width: 100%;height: 200px;"></iframe>'; } } $shouldUpdate = Request::postParam("updateApp"); if ($action === "updateApps" && is_array($shouldUpdate) && CSRF::check()) { foreach ($shouldUpdate as $appID) { echo '<iframe src="' . L_URL . "/admin/download.php?type=app&app={$appID}&isUpdate=1" . CSRF::getParam() . '" style="border: 0;width: 100%;height: 200px;"></iframe>'; } } if ($step === null) { echo "<h2>Apps</h2>"; } $appUpdates = Update::getApps(); if ($step === null && empty($appUpdates)) { echo "<p>All apps are up to date.</p>"; } else { if ($step === null && isset($appUpdates) && count($appUpdates)) { ?> <p>New versions of apps are available. Choose which apps to update from the following :</p> <form method="POST" clear>