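// Refuse to continue over plain HTTP when the SSO configuration requires TLS.
if (SSO_USE_HTTPS && !BB_IsSSLRequest()) {
    SSO_DisplayError("SSL expected.  Most likely cause:  Bad server configuration.");
}

// Fall back to the session cookie when the request itself carries no 'sso_id'.
if (!isset($_REQUEST["sso_id"]) && isset($_COOKIE["sso_server_id"])) {
    $_REQUEST["sso_id"] = $_COOKIE["sso_server_id"];
}

// The session ID is split with explode() further on, so anything that is not a plain
// string (e.g. a 'sso_id[]=' array parameter) is rejected here together with a missing ID.
if (!isset($_REQUEST["sso_id"]) || !is_string($_REQUEST["sso_id"])) {
    SSO_DisplayError("Session ID expected.  Most likely causes:  Pressing the back button, clicking a URL that launched a new web browser, using a non-offical client, or a bad or incorrectly configured web proxy.  If you clicked a URL in an e-mail, it opened a new web browser, and you got this error, then try this solution:  Copy the URL and paste it into the address bar of the other web browser.  Sorry for the inconvenience, but this behavior helps keep your account secure from hackers.");
}

// Migrate 'sso_id' to a cookie.  Strict comparison on purpose:  a loose '!=' between two
// strings applies numeric rules, so IDs such as "1e3" and "1000" would compare equal and the
// cookie would silently keep the stale value.
if (!isset($_COOKIE["sso_server_id"]) || $_COOKIE["sso_server_id"] !== $_REQUEST["sso_id"]) {
    SetCookieFixDomain("sso_server_id", $_REQUEST["sso_id"], 0, "", "", SSO_IsSSLRequest(), true);
}

// Remove 'sso_id' from browser URL to reduce URL sharing vulnerabilities.
if (isset($_GET["sso_id"]) && isset($_SERVER["QUERY_STRING"])) {
    $url = BB_GetFullRequestURLBase();
    $qstr = explode("&", $_SERVER["QUERY_STRING"]);
    foreach ($qstr as $num => $opt) {
        // Drop every 'sso_id=...' item; the remaining parameters keep their original order.
        if (substr($opt, 0, 7) === "sso_id=") {
            unset($qstr[$num]);
        }
    }
    $qstr = implode("&", $qstr);
    if ($qstr !== "") {
        $url .= "?" . $qstr;
    }
    header("Location: " . $url);
    exit;
}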
$sso_session_id = explode("-", $_REQUEST["sso_id"]);
if (count($sso_session_id) != 2) {
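/**
 * Builds the "back" URL for the current request.
 *
 * When the request carries 'bb_back' (a URL-safe base64 blob holding a serialized array),
 * its key/value pairs are appended to $query as 'key=value' items; array values become one
 * 'key[]=value' item per element.
 *
 * @param array  $query        Pre-encoded 'key=value' items to put in the query string.
 * @param bool   $fullrequest  True to emit an absolute URL via BB_GetFullRequestURLBase().
 * @param string $protocol     Scheme handed to BB_GetFullRequestURLBase() when $fullrequest is set.
 * @return string              The base URL plus, when any items exist, '?' and the joined query.
 */
function BB_GetBackURL($query = array(), $fullrequest = false, $protocol = "")
{
    if (isset($_REQUEST["bb_back"]) && is_string($_REQUEST["bb_back"])) {
        $raw = base64_decode(str_replace(array("-", "_"), array("+", "/"), $_REQUEST["bb_back"]));

        // 'bb_back' is client-controlled input.  Only plain arrays/scalars are expected, so
        // unserialize() must never be allowed to instantiate classes from it (PHP object
        // injection).  The 'allowed_classes' option exists from PHP 7.0; older releases accept
        // a single argument only, hence the version switch.
        if (PHP_VERSION_ID >= 70000) {
            $items = unserialize($raw, array("allowed_classes" => false));
        } else {
            $items = unserialize($raw);
        }

        if (is_array($items)) {
            foreach ($items as $key => $val) {
                if (is_array($val)) {
                    foreach ($val as $val2) {
                        // Nested arrays/objects cannot be URL-encoded; skip them instead of
                        // emitting an "Array" placeholder.
                        if (!is_array($val2) && !is_object($val2)) {
                            $query[] = urlencode($key) . "[]=" . urlencode($val2);
                        }
                    }
                } elseif (!is_object($val)) {
                    $query[] = urlencode($key) . "=" . urlencode($val);
                }
            }
        }
    }

    $base = ($fullrequest ? BB_GetFullRequestURLBase($protocol) : BB_GetRequestURLBase());

    return $base . (count($query) ? "?" . implode("&", $query) : "");
}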
<?php

// Barebones CMS
// (C) 2015 CubicleSoft.  All Rights Reserved.
// Bootstrap:  site configuration first, then the shared support libraries it points at.
require_once "config.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/str_basics.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/utf8.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/bb_functions.php";

Str::ProcessAllInput();

// Refuse to run when this file was accidentally re-uploaded into the site root.
if (defined("STO_LOGIN") && STO_LOGIN && ROOT_PATH == str_replace("\\", "/", dirname(__FILE__))) {
    exit;
}

// Bounce plain-HTTP requests to the HTTPS variant of the same URL when the configuration demands TLS.
if (USE_HTTPS && !BB_IsSSLRequest()) {
    header("Location: " . BB_GetFullRequestURLBase("https"));
    exit;
}

// Developer hook (for example IP address restrictions or a SSO bypass):  a 'login_hook.php'
// next to this file takes precedence; otherwise the copy in the root path is used, but only
// when STO_LOGIN is enabled.
if (file_exists("login_hook.php")) {
    require_once "login_hook.php";
} elseif (defined("STO_LOGIN") && STO_LOGIN && file_exists(ROOT_PATH . "/login_hook.php")) {
    require_once ROOT_PATH . "/login_hook.php";
}
if (isset($_REQUEST["action"]) && $_REQUEST["action"] == "login") {
    require_once ROOT_PATH . "/accounts.php";
    $user = trim($_REQUEST["login_user"]);
    $pass = trim($_REQUEST["login_pass"]);
    if (!isset($bb_accounts["users"][$user]) || $bb_accounts["users"][$user]["pass"] != sha1($user . ":" . $pass)) {
        echo "<span class=\"error\">Incorrect username or password.</span>";
     BB_LoadExtensionsCache();
     BB_UpdateExtensionsCache();
     if (count($bb_extensions_info["vulnerabilities"])) {
         echo "<div id=\"mainviewinfo_vulnerabilities\">" . BB_HTMLPurify(implode("<br /><br />", $bb_extensions_info["vulnerabilities"])) . "</div>";
     }
     if (count($bb_extensions_info["updates"])) {
         echo "<div id=\"mainviewinfo_updates\">" . BB_HTMLPurify(implode("<br /><br />", $bb_extensions_info["updates"])) . "</div>";
     }
     echo $bb_revision_writeable ? "" : BB_Translate("<b>[Read Only]</b> ");
     echo htmlspecialchars(BB_Translate(BB_GetIANADesc($bb_pref_lang)));
     echo $bb_pref_lang == $bb_page["defaultlang"] ? BB_Translate(" [default]") : "";
     echo $bb_profile != "" ? htmlspecialchars(BB_Translate(", " . $bb_profiles[$bb_profile])) : "";
     if ($bb_revision_num < 0) {
         echo ", <a href=\"" . htmlspecialchars(BB_GetFullRequestURLBase("http") . "?lang=" . urlencode($bb_pref_lang)) . "\">" . BB_Translate("Live Page") . "</a>";
     } else {
         echo BB_Translate(", Revision #%d, %s, Reason: %s | %s", $bb_revision_num, $bb_revision[0] == "" ? BB_Translate("<i>[Root]</i>") : htmlspecialchars($bb_revision[0]), htmlspecialchars($bb_revision[4]), "<a href=\"" . htmlspecialchars(BB_GetFullRequestURLBase("http") . "?lang=" . urlencode($bb_pref_lang)) . "\">" . BB_Translate("Live Page") . "</a>");
     }
     if (isset($_REQUEST["notify"])) {
         require_once "translate.php";
         if (isset($bb_translate_notify[(int) $_REQUEST["notify"]])) {
             $entry = $bb_translate_notify[(int) $_REQUEST["notify"]];
             echo BB_Translate("<br />%s, %s, %s =&gt; %s, %s", htmlspecialchars($entry[0]), BB_FormatTimestamp($entry[1]), htmlspecialchars(BB_Translate(BB_GetIANADesc($entry[4], true, true))), htmlspecialchars(BB_Translate(BB_GetIANADesc($entry[5], true, true))), htmlspecialchars($entry[6]));
         }
     }
     BB_RunPluginAction("post_bb_main_edit_mainviewinfo");
 } else {
     if ($_REQUEST["bb_action"] == "bb_main_edit_view") {
         BB_RunPluginAction("pre_bb_main_edit_view");
         if ($bb_page["redirect"] != "") {
             header("Location: " . $bb_page["redirect"]);
         } else {
     $destfile = SSO_ROOT_PATH . "/" . $admindir;
     if (!@mkdir($destfile, 0755)) {
         InstallError("Unable to create endpoint directory.");
     }
     $destfile .= "/admin.php";
     if (!@rename($srcfile, $destfile)) {
         InstallError("Unable to move 'admin.php' to admin directory.");
     }
     $adminurl = dirname(BB_GetFullRequestURLBase());
     if (substr($adminurl, -1) != "/") {
         $adminurl .= "/";
     }
     $adminurl .= $admindir . "/admin.php";
     InstallSuccess("Successfully created a randomly named directory and moved 'admin.php' into it.");
 } else {
     $adminurl = dirname(BB_GetFullRequestURLBase());
     if (substr($adminurl, -1) != "/") {
         $adminurl .= "/";
     }
     $adminurl .= "admin.php";
 }
 // Set up the main configuration file.
 $data = "<" . "?php\n";
 $data .= "\tdefine(\"SSO_HTTP_SERVER\", \"\");\n";
 $data .= "\tdefine(\"SSO_HTTPS_SERVER\", \"\");\n";
 $data .= "\tdefine(\"SSO_USE_HTTPS\", " . var_export(BB_IsSSLRequest(), true) . ");\n";
 $data .= "\tdefine(\"SSO_ROOT_PATH\", " . var_export(SSO_ROOT_PATH, true) . ");\n";
 $data .= "\tdefine(\"SSO_ROOT_URL\", " . var_export(SSO_ROOT_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_LOGIN_URL\", " . var_export(SSO_LOGIN_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_ENDPOINT_URL\", " . var_export(SSO_ENDPOINT_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_SUPPORT_PATH\", " . var_export(SSO_SUPPORT_PATH, true) . ");\n";
        echo htmlspecialchars($opts[0]);
        ?>
</changefreq>
		<priority><?php 
        echo htmlspecialchars($priority);
        ?>
</priority>
	</url>
<?php 
    }
    ?>
</urlset>
<?php 
} else {
    ?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<?php 
    foreach ($langs as $lang => $val) {
        ?>
	<sitemap>
		<loc><?php 
        echo htmlspecialchars(BB_GetFullRequestURLBase() . "?lang=" . $lang);
        ?>
</loc>
	</sitemap>
<?php 
    }
    ?>
</sitemapindex>
<?php 
}
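/**
 * Emits the <script> block that seeds the browser-side Gx__* globals.
 *
 * Every string value is passed through BB_JSSafe() before being placed inside a
 * single-quoted JS string literal.  Reads the globals $bb_pref_lang, $bb_revision_num
 * (optional, only emitted when set) and $bb_paths (optional, falls back to the ROOT_URL /
 * SUPPORT_PATH constants).  Writes straight to the response and returns nothing.
 */
function BB_PreMainJS()
{
    global $bb_pref_lang, $bb_revision_num, $bb_paths;
    ?>
<script type="text/javascript">
var Gx__RootURL = '<?php 
    echo BB_JSSafe(isset($bb_paths) ? $bb_paths["ROOT_URL"] : ROOT_URL);
    ?>
';
var Gx__SupportDebug = <?php 
    echo defined("DEBUG_JS") ? "true" : "false";
    ?>
;
var Gx__SupportPath = '<?php 
    echo BB_JSSafe(isset($bb_paths) ? $bb_paths["SUPPORT_PATH"] : SUPPORT_PATH);
    ?>
';
var Gx__URLBase = '<?php 
    echo BB_JSSafe(BB_GetRequestURLBase());
    ?>
';
var Gx__PrefLang = '<?php 
    echo BB_JSSafe($bb_pref_lang);
    ?>
';
var Gx__FullRootURL = '<?php 
    echo BB_JSSafe(BB_GetFullRootURLBase());
    ?>
';
var Gx__FullRootURLHTTP = '<?php 
    echo BB_JSSafe(BB_GetFullRootURLBase("http"));
    ?>
';
var Gx__FullRootURLHTTPS = '<?php 
    echo BB_JSSafe(BB_GetFullRootURLBase("https"));
    ?>
';
var Gx__FullURLBase = '<?php 
    echo BB_JSSafe(BB_GetFullRequestURLBase());
    ?>
';
var Gx__FullURLBaseHTTP = '<?php 
    echo BB_JSSafe(BB_GetFullRequestURLBase("http"));
    ?>
';
var Gx__FullURLBaseHTTPS = '<?php 
    echo BB_JSSafe(BB_GetFullRequestURLBase("https"));
    ?>
';
<?php 
    if (isset($bb_revision_num)) {
        // Emitted as a bare JS numeric literal (no quoting, no BB_JSSafe), so force an integer:
        // the variable's origin is not visible here and anything else would land in the
        // script unescaped.
        echo "var Gx__RevisionNum = " . (int) $bb_revision_num . ";\n";
    }
    ?>
var Gx__MaxSendSize = <?php 
    // The smaller of the two PHP upload limits, in bytes, so the client can refuse oversized sends early.
    echo min(BB_PHPShorthandToBytes(ini_get("post_max_size")), BB_PHPShorthandToBytes(ini_get("upload_max_filesize")));
    ?>
;
<?php 
    BB_RunPluginAction("bb_premainjs");
    ?>
</script>
<?php 
}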