$homepage = $tmp[0] . '?' . implode('&', $tmp3);
// and redirect.
$homepage = html_entity_decode($homepage);
redirect($homepage);
}
}
return;
#redirect("index.php");
} else {
if (isset($_POST['loginsubmit'])) {
//No error if changing languages
$error .= lang('usernameincorrect');
debug_buffer("Login failed. Error is: " . $error);
Events::SendEvent('Core', 'LoginFailed', array('user' => $_POST['username']));
// put mention into the admin log
$ip_login_failed = cms_utils::get_real_ip();
if ($ip_login_failed) {
// <- Silently ignore audit if return values is not ture, had admin XSS vulne.
audit('', '(IP: ' . $ip_login_failed . ') ' . "Admin Username: "******"loginsubmit"]);
}
}
}
// Language shizzle
cms_admin_sendheaders();
header("Content-Language: " . CmsNlsOperations::get_current_language());
//CHANGED
/**
* Put an event into the audit (admin) log. This should be
* done on most admin events for consistency.
*
* @since 0.3
* @param integer The item id (perhaps a content id, or a record id from a module)
* @param string The item name (perhaps Content, or the module name)
* @param string The action that needs to be audited
* @return void
*/
function audit($itemid, $itemname, $action)
{
$db = cmsms()->GetDb();
$userid = 0;
$username = '';
$ip_addr = '';
if ($itemid == '') {
$itemid = -1;
}
if (isset($_SESSION["cms_admin_user_id"])) {
$userid = $_SESSION["cms_admin_user_id"];
$ip_addr = cms_utils::get_real_ip();
} else {
if (isset($_SESSION['login_user_id'])) {
$userid = $_SESSION['login_user_id'];
$username = $_SESSION['login_user_username'];
}
}
if (isset($_SESSION["cms_admin_username"])) {
$username = $_SESSION["cms_admin_username"];
}
if (!isset($userid) || $userid == "") {
$userid = 0;
}
$query = "INSERT INTO " . cms_db_prefix() . "adminlog (timestamp, user_id, username, item_id, item_name, action, ip_addr) VALUES (?,?,?,?,?,?,?)";
$db->Execute($query, array(time(), $userid, $username, $itemid, $itemname, $action, $ip_addr));
}
