Example #1
                $homepage = $tmp[0] . '?' . implode('&', $tmp3);
                // and redirect.
                $homepage = html_entity_decode($homepage);
                redirect($homepage);
            }
        }
        return;
        #redirect("index.php");
    } else {
        if (isset($_POST['loginsubmit'])) {
            //No error if changing languages
            $error .= lang('usernameincorrect');
            debug_buffer("Login failed.  Error is: " . $error);
            Events::SendEvent('Core', 'LoginFailed', array('user' => $_POST['username']));
            // put mention into the admin log
            $ip_login_failed = cms_utils::get_real_ip();
            if ($ip_login_failed) {
                // <- Silently ignore audit if return values is not ture, had admin XSS vulne.
                audit('', '(IP: ' . $ip_login_failed . ') ' . "Admin Username: "******"loginsubmit"]);
        }
    }
}
// Emit the standard admin response headers, then advertise the language the
// admin UI is currently rendered in.
cms_admin_sendheaders();
$currentLanguage = CmsNlsOperations::get_current_language();
header(sprintf('Content-Language: %s', $currentLanguage));
//CHANGED
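/**
 * Put an event into the audit (admin) log.  This should be
 * done on most admin events for consistency.
 *
 * The acting user is resolved from the session: an established admin session
 * (cms_admin_user_id / cms_admin_username) takes precedence over a pending
 * login session (login_user_id / login_user_username). The client IP is
 * recorded only for an established admin session; for other callers it is
 * stored as an empty string.
 *
 * Every value is bound as a query parameter, so it is stored verbatim (no SQL
 * injection through $action or $itemname). Callers may still pass
 * user-supplied text in $action - the login-failure path in this file appears
 * to include a submitted username - so any code that renders the admin log
 * must escape each column for its output context.
 *
 * @since 0.3
 * @param int|string|null $itemid   The item id (perhaps a content id, or a record id from a module); '' or null is stored as -1
 * @param string          $itemname The item name (perhaps Content, or the module name)
 * @param string          $action   The action that needs to be audited
 * @return void
 */
function audit($itemid, $itemname, $action)
{
    $db = cmsms()->GetDb();
    $userid = 0;
    $username = '';
    $ip_addr = '';

    // Strict check: only a blank or missing id becomes -1; a numeric 0 is kept
    // (the loose `== ''` comparison would also have matched 0 on older PHP).
    if ($itemid === '' || $itemid === null) {
        $itemid = -1;
    }

    if (isset($_SESSION['cms_admin_user_id'])) {
        $userid = $_SESSION['cms_admin_user_id'];
        $ip_addr = cms_utils::get_real_ip();
    } elseif (isset($_SESSION['login_user_id'])) {
        $userid = $_SESSION['login_user_id'];
        // Guard the username read so a partial login session does not raise a notice.
        $username = isset($_SESSION['login_user_username']) ? $_SESSION['login_user_username'] : '';
    }

    // An admin username, when present, overrides the login-session name.
    if (isset($_SESSION['cms_admin_username'])) {
        $username = $_SESSION['cms_admin_username'];
    }

    // Normalise a blank/null session user id to 0 so user_id never receives ''.
    if ($userid === '' || $userid === null) {
        $userid = 0;
    }

    $query = "INSERT INTO " . cms_db_prefix() . "adminlog (timestamp, user_id, username, item_id, item_name, action, ip_addr) VALUES (?,?,?,?,?,?,?)";
    $db->Execute($query, array(time(), $userid, $username, $itemid, $itemname, $action, $ip_addr));
}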