Exemple #1
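 /**
  * Front controller for everything login related. Dispatches on the request:
  *  - GET module=lang: store the UI language cookie (allow-listed against
  *    $this->arc_langs) and redirect to `origin` or to the login page;
  *  - GET module=status: emit the content of a status file inside tmppath
  *    (polled by the client while an upload/job is running);
  *  - POST username+password: perform the login, the optional pattern-lock
  *    check, housekeeping, and answer with a JSON {code,msg} document;
  *  - existing session (arc_id + logintime): re-validate the session against
  *    the users table, apply the user's settings, and either return or log
  *    the user out on a security mismatch;
  *  - register / forgot / inv_hash_check modules: handle their AJAX actions.
  *
  * Most branches terminate the request themselves (exitnow/die/redirect/exit).
  *
  * @return bool|mixed FALSE for modules that need no authentication (MENUAUTH is
  *                    defined instead), otherwise the result of session_check()
  * @throws arcException on a tmppath escape attempt (666), a failed session
  *                      security check (408), or session data without a DB user
  */
 public function authenticate()
 {
     // $_GET['module'] is optional on most requests; normalise it to '' so the
     // comparisons below do not raise undefined-index notices.
     $module = isset($_GET['module']) ? $_GET['module'] : '';
     // $_GET['action'] is read by several branches below; same normalisation.
     $get_action = isset($_GET['action']) ? $_GET['action'] : NULL;
     if ($module == 'lang') {
         // strict in_array: the cookie value is caller controlled, so only an
         // exact allow-listed language code may be stored
         if (isset($_GET['code']) && in_array($_GET['code'], $this->arc_langs, TRUE)) {
             setcookie($this->lang_cookiename, $_GET['code'], TIME + 60 * 60 * 24 * 365, substr($this->relpath, 0, -1), $_SERVER['HTTP_HOST'], $this->https, TRUE);
         }
         if (isset($_GET['origin'])) {
             // NOTE(review): `origin` is a caller-supplied base64 value used verbatim as
             // the redirect target (open redirect). Restrict it to relative paths or
             // the own host before relying on it.
             header("Location: " . base64_decode($_GET['origin']), TRUE, 301);
             exit;
         } else {
             redirect('login');
         }
     }
     if ($module == 'status') {
         $sem = isset($_GET['sem']) ? $_GET['sem'] : '';
         $file = $this->tmppath . $sem;
         if (is_file($file)) {
             // The dirname() comparison only passes when `sem` carries no directory
             // component, which keeps the read inside tmppath.
             if (dirname($file) . DS == $this->tmppath) {
                 $this->exitnow(file_get_contents($file));
             } else {
                 throw new arcException('someone tried to get which is not in tmppath: [' . realpath($file) . ']', 666);
             }
         } else {
             $ret = isset($_GET['upload']) ? e('uploading') : e('working');
             $this->exitnow($ret);
         }
     }
     //New User to login
     if (isset($_POST['username']) && isset($_POST['password'])) {
         $username = $this->request['username'] = $_POST['username'];
         $password = $this->request['password'] = urldecode($_POST['password']);
         if ($username != "" && $password != "") {
             if ($this->arc_check_login($username, $password, TRUE) == TRUE) {
                 sleep(1);
                 ##TMP Folder clean
                 $this->clean_tmp();
                 ##Check for settings
                 $settings = DB_DataObject::factory('settings');
                 $settings->id_users = $this->id;
                 if ($settings->find(TRUE)) {
                     ######################  Startmodule  ############################
                     $start_module = $this->arc_decrypt_output($settings->start_module);
                     if (in_array($start_module, $this->registered_start_modules)) {
                         $this->startmodule = $start_module;
                     }
                     #####################################################################
                     ######################  Check PATTERNLOCK  ############################
                     $patternlock_user = $this->arc_decrypt_output($settings->patternlock);
                     //HOWTO: Reset Patternlock
                     //if ($username == 'emanuel')
                     //	$patternlock_user = '';
                     if ($patternlock_user != '') {
                         // A missing POST field behaves like a wrong pattern (as before),
                         // just without an undefined-index notice.
                         $patternlock_post = isset($_POST['patternlock']) ? $_POST['patternlock'] : NULL;
                         if ($patternlock_post != '0') {
                             // Constant-time comparison of the submitted pattern against the
                             // stored one; a non-string (array) submission never matches.
                             if (!is_string($patternlock_post) || !hash_equals((string) $patternlock_user, $patternlock_post)) {
                                 $tries_left = $this->jail('jail');
                                 $this->kill();
                                 $this->exitnow(json_encode(array('code' => '1', 'msg' => e('login_fail') . e('tries_left', array($tries_left), array(1)))));
                             }
                         } else {
                             //REQUEST PATTERNLOCK
                             $this->kill();
                             $this->exitnow(json_encode(array('code' => '2')));
                         }
                     }
                     #####################################################################
                 }
                 ##De-Jail if IP was nominated to block
                 $this->jail('dejail');
                 ##Cleanup Users log and invs
                 $this->user_log_cleanup();
                 if ($this->inv_mode == TRUE) {
                     $this->user_invitations_cleanup();
                 }
                 ##
                 ##Check if Users passwordhint was decrypted since last login
                 if ($this->forgot_active === TRUE && $this->session_exists('lastlogin')) {
                     $forgot = DB_DataObject::factory('forgot');
                     $forgot->active = 'yes';
                     $forgot->id_users = $this->id;
                     if ($forgot->find(TRUE)) {
                         // lastreq is stored encrypted with the username as key (see the
                         // forgot branch below); a non-numeric value counts as "never".
                         $forgot_last_req = $forgot->lastreq != '' ? $this->arc_decrypt($forgot->lastreq, $username) : '';
                         $forgot_last_req = is_numeric($forgot_last_req) ? $forgot_last_req : 0;
                         if ($forgot_last_req >= $this->session_get('lastlogin')) {
                             // Somebody answered the secret question since the last login:
                             // record it in the user log and force the dashboard so it is seen.
                             $lastreq_ip = $this->arc_decrypt($forgot->lastreq_ip, $username);
                             $this->user_log(e('question_was_answered'), $this->systemlogger, FALSE, $forgot_last_req, $lastreq_ip);
                             $this->session_set('forgot_displayed_since_last_login', $forgot_last_req);
                             if ($this->startmodule != 'dashboard') {
                                 $this->startmodule = 'dashboard';
                             }
                         }
                     }
                 }
                 ###### Do the the login now
                 if ($this->startmodule == 'dashboard') {
                     $this->session_set('logged_in_and_default_site_shown', TRUE);
                 }
                 $this->log_login();
                 $this->exitnow(json_encode(array('code' => '0', 'msg' => link_for($this->startmodule))));
                 #########################################################################################
             } else {
                 $tries_left = $this->jail('jail');
                 $this->exitnow(json_encode(array('code' => '1', 'msg' => e('login_fail') . e('tries_left', array($tries_left), array(1)))));
             }
         }
         //ALREADY LOGGED IN
     } elseif ($this->session_get('arc_id') != "" && $this->session_exists('logintime')) {
         $sessionlifetime = ini_get('session.gc_maxlifetime');
         $this->remaining_time = $sessionlifetime - (TIME - $this->session_get('logintime'));
         // The session master key becomes $this->masterkey below; it must never be
         // written to the log (a debug logit() of the raw key used to sit here).
         $arc_key = $this->session_masterkey_get();
         $arc_id = $this->session_get('arc_id');
         $login_check = DB_DataObject::factory('users');
         $login_check->find();
         // arc_id is a hash of the user id, so the user row is located by hashing
         // every id and comparing (no plain id is kept in the session).
         while ($login_check->fetch()) {
             if ($this->arc_hash($login_check->id) == $arc_id) {
                 //SET CRYPTV
                 $this->cryptv = $login_check->cryptv;
                 //SET COLOUR
                 $this->colour = $this->arc_decrypt($login_check->colour, $arc_key);
                 //SET ID
                 $this->id = $login_check->id;
                 //SET MASTERKEY
                 $this->masterkey = $arc_key;
                 $sec_problem = FALSE;
                 // Initialised here: the colour check below sets no text, and the
                 // text is logged and thrown for every kind of problem.
                 $sec_problem_text = '';
                 ##Added securtiy checks
                 if (!$this->validate_colour($this->colour)) {
                     $sec_problem = 'Colour validate';
                 }
                 ##Added securtiy checks
                 if ($this->ip_sec_check === TRUE) {
                     if (!($login_check->lastip == $this->arc_encrypt(UIP, $arc_key))) {
                         logit("IP Changed. Last recognized IP: " . $this->arc_decrypt($login_check->lastip, $arc_key) . "  ---> new IP: " . UIP);
                         $sec_problem = 'IP Missmatch';
                         $sec_problem_text = e('logged_out_ip_changed');
                         ##IPv6 Switch Checker
                         // With the grace option a client may flip between one IPv4 and one
                         // IPv6 address: the first address of each family is remembered in
                         // the session, a later change within the same family is a problem.
                         if ($this->ipv6switchgraceactive == TRUE) {
                             logit("IP Grace Active, Browser: " . UAGENT);
                             $update_login_ip = $sec_problem = FALSE;
                             if (filter_var(UIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
                                 if ($this->session_exists('lastip6')) {
                                     if ($this->session_get('lastip6') != UIP) {
                                         // report the remembered IPv6 address (was lastip4 by mistake)
                                         $sec_problem_text .= ' ' . $this->session_get('lastip6') . '->' . UIP;
                                         $sec_problem = TRUE;
                                     }
                                 } else {
                                     logit("OK, IP4/IP6 Switch, storing new IP");
                                     $this->session_set('lastip6', UIP);
                                     $update_login_ip = TRUE;
                                 }
                             } elseif (filter_var(UIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
                                 if ($this->session_exists('lastip4')) {
                                     if ($this->session_get('lastip4') != UIP) {
                                         $sec_problem_text .= ' ' . $this->session_get('lastip4') . '->' . UIP;
                                         $sec_problem = TRUE;
                                     }
                                 } else {
                                     logit("OK, IP4/IP6 Switch, storing new IP");
                                     $this->session_set('lastip4', UIP);
                                     $update_login_ip = TRUE;
                                 }
                             }
                             if ($update_login_ip === TRUE) {
                                 $login_check->lastip = $this->arc_encrypt(UIP, $this->masterkey);
                                 $login_check->update();
                             }
                         }
                         ##IPv6 Switch Checker
                     }
                 }
                 ##Added securtiy checks
                 if (!($login_check->lastbrowser == $this->arc_encrypt(UAGENT, $arc_key))) {
                     $sec_problem = 'Browser Missmatch';
                     $sec_problem_text = e('logged_out_browser_changed');
                 }
                 if ($sec_problem != FALSE) {
                     $this->user_log($sec_problem_text);
                     sleep(1);
                     $this->kill();
                     throw new arcException("Sec_logout [{$sec_problem}] {$sec_problem_text}", 408);
                 }
                 //CHECK SESSION TIMEOUT TTL
                 $request_action = isset($this->request['action']) ? $this->request['action'] : NULL;
                 if ($this->modulename != "login" && $request_action != "logout") {
                     if ($this->remaining_time <= 0) {
                         define('SESSION_TIMEOUT_LOGOUT', TRUE);
                         //if true, user will be JS - logged out in menu.php
                     }
                 }
                 if ($this->modulename == "login" && $get_action != "logout") {
                     //BUGFIX, after browserrestart
                     $this->check_cookies();
                     //FIX.
                     redirect("dashboard");
                     exit;
                 }
                 ###############
                 // Per-user display settings are exported as constants for the views.
                 $settings = DB_DataObject::factory('settings');
                 $settings->id_users = $this->id;
                 if ($settings->find(TRUE)) {
                     if ($this->arc_decrypt_output($settings->expand_memos) == "yes") {
                         define('EXPAND_MEMOS', TRUE);
                     }
                     if ($this->arc_decrypt_output($settings->hide_desc) == 'yes') {
                         define('HIDE_DESC', TRUE);
                     }
                     if ($this->arc_decrypt_output($settings->hide_comment) == 'yes') {
                         define('HIDE_COMMENT', TRUE);
                     }
                     if (in_array($this->arc_decrypt_output($settings->lang), $this->arc_langs)) {
                         define('LANG', $this->arc_decrypt_output($settings->lang));
                     }
                 }
                 ###############
                 if (in_array($this->modulename, $this->registered_modules_no_auth) && $this->modulename != 'login') {
                     define('MENUAUTH', 'TRUE');
                     return FALSE;
                 }
                 return $this->session_check();
             }
         }
         //IF User not found in DB
         debug('$this->session_get(ALL);', $this->session_get('ALL'));
         throw new arcException("ID: [" . $this->id . "] Session Data present, but no user found in DB!");
         //New User tp register
     } elseif ($this->modulename == 'register' && $get_action == 'doit') {
         $this->useview = FALSE;
         $this->request = array_merge($_POST, $_GET);
         if ($this->inv_mode == TRUE) {
             $inv = DB_DataObject::factory('invitations');
             $inv->id_invhash = $this->request['inv_hash'];
             if ($inv->find(TRUE) != TRUE) {
                 die(e('inv_id_not_valid'));
             } else {
                 if ($inv->id_active != 0) {
                     die(e('inv_id_already_used'));
                 }
             }
         }
         if (isset($this->request['username']) && isset($this->request['colour']) && isset($this->request['captcha']) && isset($this->request['password_1']) && isset($this->request['password_2']) && isset($this->request['captchacount'])) {
             // In invitation mode the invitation replaces the captcha; otherwise the
             // captcha answer must match the value generated for `captchacount`.
             if ($this->inv_mode === TRUE || (strtolower(trim(trim($this->request['captcha']), "\r\n")) == strtolower(captchavalue($this->request['captchacount'])) && $this->inv_mode === FALSE)) {
                 if ($this->request['password_1'] == $this->request['password_2']) {
                     if ($this->request['username'] != "" && $this->request['colour'] != "") {
                         if ($this->validate_colour($this->request['colour'])) {
                             $username = $this->request['username'];
                             $password = $this->request['password_1'];
                             $colour = $this->request['colour'];
                             // login and password are stored as hashes encrypted with each
                             // other; the colour is encrypted with the master key derived
                             // from the password
                             $login = $this->arc_encrypt($this->arc_hash($username), $this->arc_hash($password));
                             $password = $this->arc_encrypt($this->arc_hash($password), $this->arc_hash($username));
                             $colour = $this->arc_encrypt($colour, $this->arc_gen_master($this->request['password_1']));
                             $new = DB_DataObject::factory('users');
                             $new->login = $login;
                             $new->password = $password;
                             // find() === 0: no row with this login/password pair exists yet
                             if ($new->find() === 0) {
                                 $new->colour = $colour;
                                 $new->lastupdated = $this->arc_encrypt(TIME, $this->arc_gen_master($this->request['password_1']));
                                 $new->cryptv = $this->arcanum_cryptv;
                                 $id = $new->insert();
                                 logit("User " . $id . " successfully registered from " . UIP);
                                 $this->jail('dejail');
                                 if ($this->inv_mode == TRUE) {
                                     $inv->id_active = $id;
                                     $inv->update();
                                 }
                                 die('1');
                             } else {
                                 logit("Register: User [" . $this->request['username'] . "] and PW already in Database! ");
                                 die(e('account_already_present'));
                             }
                         } else {
                             die(e('colour_incorrect'));
                         }
                     } else {
                         die(e('fields_missing'));
                     }
                 } else {
                     die(e('passwords_not_match'));
                 }
             } else {
                 $ret = '2';
                 $tries_left = $this->jail('jail');
                 if ($tries_left < 5) {
                     $ret = e('retry_it') . ' ' . e('tries_left', array($tries_left), array(1));
                 }
                 die($ret);
             }
         } else {
             die(e('fields_missing'));
         }
         //FORGOT
     } elseif ($this->modulename == 'forgot' && isset($_GET['action']) && isset($_POST['username']) && $_POST['username'] != '') {
         if ($this->forgot_active != TRUE) {
             die(e('forgot_is_inactive'));
         }
         $this->useview = $this->setlayout = FALSE;
         $username = $_POST['username'];
         $answer = isset($_POST['answer']) ? $_POST['answer'] : '';
         $forgot = DB_DataObject::factory('forgot');
         $forgot->active = 'yes';
         $forgot->username = $this->arc_encrypt($username, $username);
         $ret = e('retry_it');
         if (!$forgot->find(TRUE)) {
             $tries_left = $this->jail('jail');
             if ($tries_left <= 5) {
                 $ret .= ' ' . e('tries_left', array($tries_left), array(1));
             }
             // NOTE(review): a "Status:" header only sets the HTTP status under CGI-style
             // SAPIs; elsewhere http_response_code(403) is needed for a real 403.
             header('Status: 403 Forbidden');
             die(e('forgot_std_no_user_msg') . $ret);
         }
         if ($answer == '' && $username != '') {
             // First step: no answer yet, hand out the secret question.
             if ($this->arc_decrypt($forgot->username, $username) == $username) {
                 die($this->arc_decrypt($forgot->question, $username));
             } else {
                 header('Status: 403 Forbidden');
                 die(e('forgot_std_no_user_msg'));
             }
         } else {
             // Second step: constant-time check of the answer, then the hint
             // (encrypted with the answer itself) is returned.
             $stored_answer = $this->arc_decrypt($forgot->answer, $username);
             if (is_string($answer) && is_string($stored_answer) && hash_equals($stored_answer, $answer)) {
                 $hint = $forgot->hint;
                 $forgot->lastreq = $this->arc_encrypt(TIME, $username);
                 $forgot->lastreq_ip = $this->arc_encrypt(UIP, $username);
                 $forgot->update();
                 logit('Passwordhint for user ' . $forgot->id_users . ' was successfully decrypted!');
                 die($this->arc_decrypt($hint, $answer));
             } else {
                 $tries_left = $this->jail('jail');
                 if ($tries_left <= 5) {
                     $ret .= ' ' . e('tries_left', array($tries_left), array(1));
                 }
                 header('Status: 403 Forbidden');
                 die(e('forgot_std_wrong_answer') . $ret);
             }
         }
         //INVCHECK
     } elseif ($this->modulename == 'register' && $module == 'inv_hash_check') {
         $inv = DB_DataObject::factory('invitations');
         // NOTE(review): the register branch above sets `id_invhash`; one of the two
         // property names is presumably wrong - confirm against the table.
         $inv->id_inv_hash = $_GET['code'];
         // NOTE(review): find() returns an int; die(int) sets the exit status and
         // prints nothing, so the client receives an empty body here.
         die($inv->find());
     }
 }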
<?php

// Captcha view: choose the captcha text, a random crop window of the background
// and random glyph placement/colour for the image that is assembled further down.
$fontFile = $this->captchattf;
$backGround = $this->captchabg;
if (isset($_GET['action'])) {
    $text = captchavalue($_GET['action']);
} else {
    $text = captchavalue();
}
$backgroundSizeX = 2000;
$backgroundSizeY = 350;
$sizeX = 200;
$sizeY = 50;
$textLength = strlen($text);
// random crop window inside the background image
$maxOffsetX = $backgroundSizeX - $sizeX - 1;
$maxOffsetY = $backgroundSizeY - $sizeY - 1;
$backgroundOffsetX = rand(0, $maxOffsetX);
$backgroundOffsetY = rand(0, $maxOffsetY);
$angle = rand(-5, 5);
// dark font colour: every channel limited to 0..127
$fontColorR = rand(0, 127);
$fontColorG = rand(0, 127);
$fontColorB = rand(0, 127);
$fontSize = rand(30, 40);
// Empiric coefficients for placing the text inside the sizeX x sizeY box.
// NOTE(review): for long captcha texts $maxTextX can become negative - confirm
// the captcha length keeps rand()'s upper bound >= 0.
$maxTextX = (int) ($sizeX - 0.9 * $textLength * ($fontSize - 10));
$textX = rand(0, $maxTextX);
$minTextY = (int) (1.25 * $fontSize);
$maxTextY = (int) ($sizeY - 0.2 * $fontSize);
$textY = rand($minTextY, $maxTextY);
$gdInfoArray = gd_info();
$pngSupported = (bool) $gdInfoArray['PNG Support'];
if (!$pngSupported) {
    return IMAGE_ERROR_GD_TYPE_NOT_SUPPORTED;
}
// load the background PNG the crop window is taken from
$src_im = imagecreatefrompng($backGround);
if (function_exists('imagecreatetruecolor')) {
    // this is more qualitative function, but it doesn't exist in old GD
    $dst_im = imagecreatetruecolor($sizeX, $sizeY);