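function mystery_log_violation($code, $message = '')
{
    // Records a serious security violation to the security_log table and the
    // security_log file, then renders an "Access Denied" page to the user.
    //
    // $code    one of the colour codes listed in $types below; an unknown
    //          code is logged as "Unknown Violation" rather than raising a
    //          notice on an undefined array key
    // $message free-text detail appended to the logged exception type
    //
    // The $_SERVER/$_SESSION/$_REQUEST dumps captured below are stored
    // verbatim in the database and the log file, so anything sensitive the
    // request carried (form passwords, session identifiers) ends up in the
    // log as well; the log table and file must only be readable by
    // administrators.
    global $_MYSTERY;
    $types = array(
        'Red' => 'Spoofed User',
        'Orange' => 'Spoofed File',
        'Yellow' => 'Spoofed Action',
        'Green' => 'Illegal Query',
        'Blue' => 'Virus Upload',
        'Purple' => 'Spoofed Table',
        'Brown' => 'Illegal Many To Many Addition',
    );
    $type_name = isset($types[$code]) ? $types[$code] : 'Unknown Violation';
    // Capture the complete request context as text for the log record.
    ob_start();
    echo "SERVER: ";
    print_r($_SERVER);
    echo "SESSION: ";
    print_r(isset($_SESSION) ? $_SESSION : array());
    echo "REQUEST: ";
    print_r($_REQUEST);
    $context = ob_get_clean();
    $table = $_MYSTERY['table_prefix'] . 'security_log';
    $data = array();
    $data['exception_type'] = $type_name . ' - ' . $message;
    $data['exception_code'] = $code;
    $data['user_id'] = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : '';
    $data['user_ip_address'] = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $data['user_action'] = isset($_REQUEST['action']) ? $_REQUEST['action'] : '';
    // 24-hour clock ('H'); the 12-hour 'h' without an am/pm marker made the
    // logged time ambiguous.
    $data['user_time'] = date('Y-m-d H:i:s');
    $data['user_request'] = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '';
    $data['user_variables'] = $context;
    mystery_insert_query($table, $data, 'record_id');
    // Prepare the same record as a readable "Key: value" block for the file log.
    $error_parts = array();
    foreach ($data as $key => $value) {
        $error_parts[] = ucwords(str_replace('_', ' ', $key)) . ': ' . $value;
    }
    $error_string = implode("\n", $error_parts) . "\n\n";
    mystery_log_error_to_file('security_log', $error_string);
    // make them wait a couple seconds so they won't automate the attack
    sleep(2);
    mystery_header();
    echo '
	<h1>Access Denied</h1>

	<p>Sorry, but the account you are logged in as cannot perform the requested action. (<em>Code: ', htmlspecialchars($code, ENT_QUOTES, 'UTF-8'), '</em>)</p>
	';
    mystery_display_admin_contact_info();
    if ($code == 'Blue') {
        // The scanner output is escaped: it is external text being placed
        // inside an HTML element.
        echo '<p>The file you tried to upload is infected with a <strong>virus</strong>.
		Please <strong>disinfect the file</strong> and try again.</p>
		<p><code>', htmlspecialchars(isset($_MYSTERY['virus_feedback']) ? $_MYSTERY['virus_feedback'] : '', ENT_QUOTES, 'UTF-8'), '</code></p>';
    }
    mystery_footer();
}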
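function mystery_simple_error_handler($type, $message, $file, $line, $context = null)
{
    // Replaces the built-in PHP error handler: every reported error is written
    // to the error_log file; administrators additionally see the details inline,
    // while other users only get a generic page for application fatal errors.
    //
    // $context defaults to null because PHP 8 no longer passes a fifth
    // argument to error handlers; a required parameter would make the handler
    // fail with an ArgumentCountError there.  It is not read here.
    global $_MYSTERY;
    // Honour @-suppression and the configured error_reporting level.  On PHP 8
    // the @ operator no longer sets error_reporting() to 0, so the bitmask
    // test is the portable check.
    if (!(error_reporting() & $type)) {
        return;
    }
    $nice_types = array(
        E_NOTICE => 'PHP Notice',
        E_USER_NOTICE => 'Application Notice',
        E_WARNING => 'PHP Warning',
        E_USER_WARNING => 'Application Warning',
        E_USER_ERROR => 'Application Fatal Error',
    );
    if (defined('E_STRICT')) {
        $nice_types[E_STRICT] = 'PHP Code Needs Update';
    }
    if (defined('E_RECOVERABLE_ERROR')) {
        $nice_types[E_RECOVERABLE_ERROR] = 'Recoverable Application Error';
    }
    if (defined('E_DEPRECATED')) {
        $nice_types[E_DEPRECATED] = 'PHP Deprecated';
    }
    if (defined('E_USER_DEPRECATED')) {
        $nice_types[E_USER_DEPRECATED] = 'Application Deprecated';
    }
    // Any level not listed above still gets a readable label instead of a
    // notice on an undefined array key inside the error handler itself.
    $type_name = isset($nice_types[$type]) ? $nice_types[$type] : 'PHP Error (type ' . $type . ')';
    // 24-hour clock ('H'); the 12-hour 'h' without an am/pm marker made the
    // logged time ambiguous.
    $now = date('Y-m-d H:i:s');
    $error_parts = array();
    $error_parts[] = 'Date: ' . $now;
    $error_parts[] = 'Type: ' . $type_name;
    $error_parts[] = 'Message: ' . $message;
    $error_parts[] = 'File: ' . $file;
    $error_parts[] = 'Line: ' . $line;
    $error_string = implode("\n", $error_parts) . "\n\n";
    if (!defined('E_STRICT') || $type != E_STRICT) {
        mystery_log_error_to_file('error_log', $error_string);
    }
    $is_admin = isset($_SESSION['is_administrator']) && $_SESSION['is_administrator'] == 'yes';
    // The message and file path may contain request-derived text, so they are
    // escaped before being placed in the administrator's HTML.
    $html_error = nl2br(htmlspecialchars($error_string, ENT_QUOTES, 'UTF-8'));
    switch ($type) {
        case E_NOTICE:
        case E_USER_NOTICE:
            if ($is_admin) {
                echo '<p style="background-color: #CEFFB5;">Notice: ', $html_error, '</p>';
            }
            break;
        case E_WARNING:
        case E_USER_WARNING:
            if ($is_admin) {
                echo '<p style="background-color: #FCFFB5;">Warning: ', $html_error, '</p>';
            }
            break;
        case E_USER_ERROR:
            if ($is_admin) {
                echo '<p style="background-color: #FFB5B5;">Fatal Error: ', $html_error, '</p>';
            } else {
                echo '
				<h1>An Unexpected Error Occurred</h1>
				<p>We regret that an unexpected error has occurred.  The error has been logged
				and the administrator of the system will look into it as soon as possible.</p>
				';
                mystery_display_admin_contact_info();
            }
            // An application fatal error ends the request here.
            exit;
    }
}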
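function mystery_get_table_configuration($table_id)
{
    // Loads the configuration row for $table_id into
    // $_MYSTERY['table_info'][$table_id] (names, display defaults, access
    // rights) and then the related item lists (owners, menu items, foreign
    // keys, ...).  Returns at once if that table has already been loaded.
    //
    // Access is checked by the query itself: administrators may load any
    // table, everyone else only tables linked to one of their groups.  A
    // request for a table the user cannot see is logged as a 'Purple'
    // violation and nothing is loaded.
    global $_MYSTERY;
    if (isset($_MYSTERY['table_info'][$table_id])) {
        return;
    }
    $is_admin = isset($_SESSION['is_administrator']) && $_SESSION['is_administrator'] == 'yes';
    $prefix = $_MYSTERY['table_prefix'];
    if ($is_admin) {
        $query = 'SELECT * FROM ' . $prefix . 'tables WHERE table_id = ?';
        $params = array($table_id);
    } else {
        // Bind every group id as a placeholder instead of splicing the list
        // into the SQL text.  An empty group list binds a single '' so the
        // IN (...) clause stays valid SQL and matches nothing.
        $groups = isset($_SESSION['user_groups']) ? array_values((array) $_SESSION['user_groups']) : array();
        if (count($groups) == 0) {
            $groups = array('');
        }
        $placeholders = implode(',', array_fill(0, count($groups), '?'));
        $query = 'SELECT * FROM ' . $prefix . 'groups_tables AS gtt LEFT JOIN ' . $prefix . 'tables AS tt ON gtt.table_id=tt.table_id WHERE gtt.table_id = ? AND group_id IN (' . $placeholders . ') ORDER BY access_type DESC';
        $params = array_merge(array($table_id), $groups);
    }
    $table_info = mystery_select_query($query, $params);
    if (count($table_info) == 0) {
        // user has selected a table that he doesn't have access to.  Bad user...
        mystery_log_violation('Purple', 'User entered a table_id they did not have access to');
        // Nothing to load; stop rather than index an empty result set.
        return;
    }
    // We only get the first row.  If a user is in more than one group that has access to
    // this table, results will be unpredictable.  The results are sorted by type, so if a
    // user has table access in one of the groups, it should show up above the row level access.
    $row = $table_info[0];
    // table_info key => column name in the tables table
    $column_map = array(
        'database' => 'table_database',
        'real_name' => 'table_real_name',
        'display_name' => 'table_display_name',
        'display_comment' => 'table_display_comment',
        'display_data_word' => 'table_display_data_word',
        'display_field_type' => 'table_display_field_type',
        'display_functions' => 'table_display_functions',
        'default_action' => 'table_default_action',
        'default_query' => 'table_default_query',
        'default_order_field' => 'table_default_order_field',
        'default_reverse_sort' => 'table_default_reverse_sort',
        'default_display' => 'table_default_display',
        'default_display_fields' => 'table_default_display_fields',
        'default_display_rows' => 'table_default_display_rows',
        'default_display_width' => 'table_default_display_width',
        'primary_key' => 'table_primary_key',
        'owner_key' => 'table_owner_key',
        'owner_type' => 'table_owner_type',
        'is_many_to_many' => 'table_is_many_to_many',
    );
    $info = array();
    foreach ($column_map as $key => $column) {
        $info[$key] = isset($row[$column]) ? $row[$column] : null;
    }
    $access_keys = array('select_access', 'insert_access', 'update_access', 'delete_access');
    if ($is_admin) {
        // allow administrator all access
        $info['access_type'] = 'table';
        foreach ($access_keys as $key) {
            $info[$key] = 'yes';
        }
        $info['effective_group_id'] = '1';
    } else {
        // set access depending on the user's group's permissions
        $info['access_type'] = isset($row['access_type']) ? $row['access_type'] : null;
        foreach ($access_keys as $key) {
            $info[$key] = isset($row[$key]) ? $row[$key] : null;
        }
        $info['effective_group_id'] = isset($row['group_id']) ? $row['group_id'] : null;
    }
    $_MYSTERY['table_info'][$table_id] = $info;
    $has_any_access = false;
    foreach ($access_keys as $key) {
        if ($info[$key] == 'yes') {
            $has_any_access = true;
            break;
        }
    }
    if (!$has_any_access) {
        mystery_display_user_error('Cannot access ' . $_MYSTERY['word_that_means_table']);
        echo '
		<p>The groups that you are a member of do not have any access to 
		the ' . $_MYSTERY['word_that_means_table'] . ': 
		' . $info['display_name'] . '</p>
		';
        mystery_display_admin_contact_info();
        mystery_footer();
    }
    // Get all of the related items for this table
    mystery_get_table_owners_list($table_id);
    mystery_get_table_custom_menu_items($table_id);
    mystery_get_table_custom_actions($table_id);
    mystery_get_table_foreign_keys($table_id);
    mystery_get_table_hidden_fields($table_id);
    mystery_get_table_view_only_fields($table_id);
    mystery_get_table_binary_fields($table_id);
    mystery_get_table_custom_triggers($table_id);
    mystery_get_table_related_tables($table_id);
    mystery_get_table_portal_relation_1($table_id);
    mystery_get_table_portal_relation_2($table_id);
}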
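function mystery_process_user_info_form()
{
    // Processes the "update my personal information" form: validates the
    // optional password change, writes the submitted values to the users
    // table and, only once that update succeeded, copies them into the
    // session.  (Previously the session was updated before the query ran, so
    // a failed update or a password mismatch left the session and the
    // database disagreeing.)
    global $_MYSTERY;
    $data = array();
    $data['user_first_name'] = isset($_REQUEST['user_first_name']) ? $_REQUEST['user_first_name'] : '';
    $data['user_last_name'] = isset($_REQUEST['user_last_name']) ? $_REQUEST['user_last_name'] : '';
    $data['user_email'] = isset($_REQUEST['user_email']) ? $_REQUEST['user_email'] : '';
    if (isset($_MYSTERY['allow_username_changes']) && $_MYSTERY['allow_username_changes'] == 'yes') {
        $data['user_username'] = isset($_REQUEST['user_username']) ? $_REQUEST['user_username'] : '';
    }
    // check to see if the passwords match and are set.  If not, display error and the form again
    $password_one = isset($_REQUEST['password_one']) ? $_REQUEST['password_one'] : '';
    $password_two = isset($_REQUEST['password_two']) ? $_REQUEST['password_two'] : '';
    if ($password_one !== '') {
        // user wants to change password
        if ($password_one !== $password_two) {
            mystery_display_user_error('Your passwords do not match. Please try again.');
            mystery_display_user_info_form();
            return;
        }
        // NOTE(review): unsalted md5 is not a suitable password hash.  The
        // login code that verifies user_password is outside this file, so the
        // storage format can only be migrated (password_hash()/password_verify())
        // together with it; it is left as-is here to keep logins working.
        $data['user_password'] = md5($password_one);
    }
    // prepare the rest of the items for the update query
    $table = $_MYSTERY['table_prefix'] . 'users';
    $key = 'user_id';
    $key_value = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
    // perform the update query
    if (mystery_update_query($table, $data, $key, $key_value)) {
        // The database now holds the new values; mirror them into the session.
        $_SESSION['user_first_name'] = $data['user_first_name'];
        $_SESSION['user_last_name'] = $data['user_last_name'];
        $_SESSION['user_email'] = $data['user_email'];
        if (isset($data['user_username'])) {
            $_SESSION['user_username'] = $data['user_username'];
        }
        mystery_display_user_feedback('Update Successful!');
        $script_name = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : '';
        echo '
		<p>Your personal information was updated successfully.  Any username/password change
		will take effect at your next login.</p>
		
		<p><a href="', htmlspecialchars($script_name, ENT_QUOTES, 'UTF-8'), '">Return to the Main Menu</a></p>
		';
    } else {
        mystery_display_user_error('Could not update Personal Information.');
        mystery_display_admin_contact_info();
    }
}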