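/**
 * Early Protector hook for legacy cores: sanitises the request before the
 * core database layer exists.
 *
 * Opens its own MySQL link from the mainfile.php constants, loads the
 * Protector configuration, then runs the request-level checks: forcing
 * "*id" parameters to int, stripping '..' from path-like values, checking
 * uploaded file extensions and detecting system-globals contamination.
 *
 * NOTE(review): the mysql_* functions used here no longer exist as of
 * PHP 7, so this hook only works on a PHP 5 runtime.
 *
 * @return bool true when the module is globally disabled; otherwise no
 *              explicit value (unchanged contract). Blocked requests are
 *              expected to terminate inside purge() — confirm that it exits.
 */
function protector_prepare()
{
    // Preferences (for performance, I dare to use an irregular method):
    // a direct MySQL link instead of the core DB class, which is not loaded yet.
    $conn = @mysql_connect(XOOPS_DB_HOST, XOOPS_DB_USER, XOOPS_DB_PASS);
    mysql_select_db(XOOPS_DB_NAME, $conn);

    // Protector class / object
    require_once XOOPS_ROOT_PATH . '/modules/protector/class/protector.php';
    $protector = Protector::getInstance($conn);
    $conf = $protector->getConf();

    // One-time obfuscation of the "disable bad_ips" password stored in the
    // config table: a value without the '*=*' marker is still clear text.
    // This is an unsalted md5 keyed only by the table prefix, not a real
    // password hash. The SQL below is built by concatenation; the only
    // interpolated value is '*=*' + 32 hex chars passed through addslashes().
    if (substr($conf['passwd_disabling_bip'], 0, 3) !== '*=*') {
        $encrypted_password4sql = addslashes('*=*' . md5($conf['passwd_disabling_bip'] . XOOPS_DB_PREFIX));
        mysql_query("UPDATE " . XOOPS_DB_PREFIX . "_config SET conf_value='{$encrypted_password4sql}' WHERE conf_title='_MI_PROTECTOR_PASSWD_BIP' AND conf_name='passwd_disabling_bip'", $conn);
    }

    // global enabled or disabled
    if (!empty($conf['global_disabled'])) {
        return true;
    }

    // reliable ips: every entry is used as a raw, unanchored regex fragment
    // against REMOTE_ADDR, so '.' matches any character and '10.0.0.1' also
    // matches '110.0.0.10'. Fix: a failed unserialize() previously reached
    // foreach as false (warning, then silently "not reliable"); guard it.
    $reliable_ips = unserialize($conf['reliable_ips']);
    if (!is_array($reliable_ips)) {
        $reliable_ips = array();
    }
    $is_reliable = false;
    foreach ($reliable_ips as $reliable_ip) {
        if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
            $is_reliable = true;
            break;
        }
    }

    // force intval variables whose name is *id (applies to reliable IPs too)
    if (!empty($conf['id_forceintval'])) {
        $protector->intval_allrequestsendid();
    }

    // eliminate '..' from requests that look like file specifications
    if (!$is_reliable && !empty($conf['file_dotdot'])) {
        $protector->eliminate_dotdot();
    }

    // Check uploaded files; a module can opt out via PROTECTOR_SKIP_FILESCHECKER
    if (!$is_reliable && !empty($_FILES) && !empty($conf['die_badext']) && !defined('PROTECTOR_SKIP_FILESCHECKER') && !$protector->check_uploaded_files()) {
        $protector->output_log($protector->last_error_type);
        $protector->purge();
    }

    // Variables contamination: contami_action bit 4 = flag for ban and drop
    // all GET/POST input, bit 2 = purge the request after logging.
    if (!$protector->check_contami_systemglobals()) {
        if ($conf['contami_action'] & 4) {
            $protector->_should_be_banned = true;
            $_GET = $_POST = array();
        }
        $protector->output_log($protector->last_error_type);
        if ($conf['contami_action'] & 2) {
            $protector->purge();
        }
    }

    // DoS preparation (check_dos_attack_prepare) was left disabled in the
    // original source and is not called here.

    if (!empty($conf['patch_2092'])) {
        $protector->patch_2092();
    }
}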
/**
 * Handles a SQL statement the DB-layer trap has classified as an injection.
 *
 * Appends the offending SQL to the Protector message buffer, writes a log
 * entry of type "SQL Injection" and terminates the request.
 *
 * @param string $sql the statement that tripped the trap
 *
 * @return void never returns; the script ends via die()
 */
function injectionFound($sql)
{
    $errorType = 'SQL Injection';
    $protector = Protector::getInstance();
    $protector->message .= $sql;
    $protector->last_error_type = $errorType;
    $protector->output_log($errorType);
    die('SQL Injection found');
}
/**
 * Bad-IP response: prints the "you are a bad IP" message, the jail expiry
 * when the matched entry carries one, and ends the request.
 *
 * @return void never returns; exits
 */
function execute()
{
    echo _MD_PROTECTOR_YOUAREBADIP;
    // ip_matched_info is used as a timestamp for the jail-expiry message.
    $jailedUntil = Protector::getInstance()->ip_matched_info;
    if ($jailedUntil) {
        $formatted = date(_MD_PROTECTOR_FMT_JAILTIME, $jailedUntil);
        printf(_MD_PROTECTOR_FMT_JAILINFO, $formatted);
    }
    exit;
}
/**
 * Bad-IP response: prints the "you are a bad IP" message, the jail expiry
 * when the matched entry carries one, records the blocked address in the
 * server log and ends the request.
 *
 * @return void never returns; exits
 */
function execute()
{
    echo _MD_PROTECTOR_YOUAREBADIP;
    // ip_matched_info is used as a timestamp for the jail-expiry message.
    $jailedUntil = Protector::getInstance()->ip_matched_info;
    if ($jailedUntil) {
        $formatted = date(_MD_PROTECTOR_FMT_JAILTIME, $jailedUntil);
        printf(_MD_PROTECTOR_FMT_JAILINFO, $formatted);
    }
    // message_type 0: route through the SAPI/system logger for an audit trail.
    error_log('Protector: badip ' . @$_SERVER['REMOTE_ADDR'], 0);
    exit;
}
/**
 * Preload handler for the core "database factory connection" event.
 *
 * Turns the DB-layer SQL-injection trap on when the module configuration
 * asks for it, or unconditionally while the admin "advisory" page is being
 * served, and lets an alternative DB class (XOOPS_DB_ALTERNATIVE, presumably
 * registered by dblayertrap_init) replace the class name the factory will use.
 *
 * @param array $args event payload; element 0 is the DB class name.
 *                    NOTE(review): $args arrives by value, so the write to
 *                    $args[0] only reaches the factory if the dispatcher
 *                    placed a reference inside the array — confirm.
 *
 * @return void
 */
static function eventCoreClassDatabaseDatabasefactoryConnection($args)
{
    require_once dirname(__DIR__) . '/class/protector.php';
    $protector = Protector::getInstance();
    $conf = $protector->getConf();

    // "DB Layer Trapper": the advisory admin page always forces it on.
    $requestUri = @$_SERVER['REQUEST_URI'];
    $onAdvisoryPage = (bool) strstr($requestUri, 'protector/admin/index.php?page=advisory');
    if ($onAdvisoryPage || !empty($conf['enable_dblayertrap'])) {
        @define('PROTECTOR_ENABLED_ANTI_SQL_INJECTION', 1);
        $protector->dblayertrap_init($onAdvisoryPage);
    }

    // Swap in the trapping DB class when one has been registered and exists.
    if (defined('XOOPS_DB_ALTERNATIVE') && class_exists(XOOPS_DB_ALTERNATIVE)) {
        $args[0] = XOOPS_DB_ALTERNATIVE;
    }
}
/**
 * Builds the IP maintenance form (bad-IP list and group-id-1 IP list).
 *
 * Initialises the parent form posting to center.php, adds one textarea per
 * list (its description names the file the list is stored in, HTML-escaped),
 * a hidden "action" field, a GTicket anti-CSRF token and the submit button.
 *
 * @param string $bad_ips4disp    initial textarea content for the bad-IP list
 * @param string $group1_ips4disp initial textarea content for the group-1 IP list
 *
 * @return void
 */
public function getPrefIp($bad_ips4disp, $group1_ips4disp)
{
    global $xoopsDB;
    $protector = Protector::getInstance($xoopsDB->conn);
    require_once dirname(__DIR__) . '/gtickets.php';
    parent::__construct('', "form_prefip", "center.php", 'post', true);

    // Bad-IP list; the storage path is escaped before it goes into the description.
    $badIpArea = new Xoops\Form\TextArea(_AM_TH_BADIPS, 'bad_ips', $bad_ips4disp, 3, 90);
    $badIpArea->setClass('span3');
    $badIpArea->setDescription('<br />' . htmlspecialchars($protector->get_filepath4badips()));
    $this->addElement($badIpArea);

    // Group-id-1 IP list, same layout.
    $group1Area = new Xoops\Form\TextArea(_AM_TH_GROUP1IPS, 'group1_ips', $group1_ips4disp, 3, 90);
    $group1Area->setClass('span3');
    $group1Area->setDescription('<br />' . htmlspecialchars($protector->get_filepath4group1ips()));
    $this->addElement($group1Area);

    // Hidden action, CSRF ticket (lifetime argument 1800, area 'protector_admin'), submit.
    $this->addElement(new Xoops\Form\Hidden("action", "update_ips"));
    $gticket = new xoopsGTicket();
    $this->addElement($gticket->getTicketXoopsForm(__LINE__, 1800, 'protector_admin'));
    $this->addElement(new Xoops\Form\Button('', "submit_prefip", XoopsLocale::A_SUBMIT, "submit"));
}
// Admin "center" page, transaction stage (excerpt; the listing is cut off
// inside the update_ips loop below).
require_once dirname(dirname(__FILE__)) . '/class/gtickets.php';
//dirty trick to get navigation working with system menus
// (only rewrites the server-side copy of REQUEST_URI used by the menu code)
if (isset($_GET['num'])) {
    $_SERVER['REQUEST_URI'] = 'admin/center.php?page=center';
}
$myts =& MyTextSanitizer::getInstance();
$db =& XoopsDatabaseFactory::getDatabaseConnection();
// GET vars: paging offset and page size, both forced to int before use
$pos = empty($_GET['pos']) ? 0 : intval($_GET['pos']);
$num = empty($_GET['num']) ? 20 : intval($_GET['num']);
// Table Name ($mydirname is expected from the including script)
$log_table = $db->prefix($mydirname . "_log");
// Protector object ($db is fetched a second time here; same factory call as above)
require_once dirname(dirname(__FILE__)) . '/class/protector.php';
$db =& XoopsDatabaseFactory::getDatabaseConnection();
$protector =& Protector::getInstance($db->conn);
$conf = $protector->getConf();
//
// transaction stage
//
if (!empty($_POST['action'])) {
    // Ticket check (anti-CSRF). NOTE(review): the update below relies on
    // redirect_header() terminating the request on a bad ticket; if it
    // returns, the POST would still be processed — confirm it exits.
    if (!$xoopsGTicket->check(true, 'protector_admin')) {
        redirect_header(XOOPS_URL . '/', 3, $xoopsGTicket->getErrors());
    }
    if ($_POST['action'] == 'update_ips') {
        $error_msg = '';
        // One "ip[:jailed_time]" entry per line from the textarea
        $lines = empty($_POST['bad_ips']) ? array() : explode("\n", trim($_POST['bad_ips']));
        $bad_ips = array();
        foreach ($lines as $line) {
            // '@' hides the notice when a line has no ':' (jailed_time stays unset)
            @(list($bad_ip, $jailed_time) = explode(':', $line, 2));
/**
 * Protector "postcommon" hook: runs on every request after the core has
 * loaded the user and module objects.
 *
 * Order of work: 2.2.x preferences patch, configs-dir writable warning,
 * config reload from DB, vulnerable-phpmailer warning, global on/off,
 * group-id-1 IP restriction, reliable-IP allow-list (returns early),
 * brute-force check for guests, deferred bans from precheck, DoS check,
 * session IP-move check, "isolated comment" and "UNION" SQL-injection
 * checks, spam check and filter plugins for POST, register.php filter.
 *
 * NOTE(review): the session-hijack check splits REMOTE_ADDR on '.' and
 * does integer arithmetic on the pieces; an IPv6 address yields non-numeric
 * pieces, which '@' silences on PHP 5/7 but which raise a TypeError on
 * PHP 8 that '@' does not suppress — confirm on the target PHP version.
 *
 * @return bool true on early return (not installed, globally disabled,
 *              reliable IP); otherwise no explicit value
 */
function protector_postcommon() {
    global $xoopsUser, $xoopsModule;
    // patch for 2.2.x from xoops.org (I know this is not so beautiful...)
    // Forces getInfo() on the module being edited in system preferences.
    if (substr(@XOOPS_VERSION, 6, 3) > 2.0 && stristr(@$_SERVER['REQUEST_URI'], 'modules/system/admin.php?fct=preferences')) {
        $module_handler =& xoops_gethandler('module');
        $module =& $module_handler->get(intval(@$_GET['mod']));
        if (is_object($module)) {
            $module->getInfo();
        }
    }
    // configs writable check (only warned about on the admin front page)
    if (@$_SERVER['REQUEST_URI'] == '/admin.php' && !is_writable(dirname(dirname(__FILE__)) . '/configs')) {
        trigger_error('You should turn the directory ' . dirname(dirname(__FILE__)) . '/configs writable', E_USER_WARNING);
    }
    // Protector object: bind the core DB link and refresh the config from the DB
    require_once dirname(dirname(__FILE__)) . '/class/protector.php';
    $db =& Database::getInstance();
    $protector =& Protector::getInstance();
    $protector->setConn($db->conn);
    $protector->updateConfFromDb();
    $conf = $protector->getConf();
    // not installed yet: no config rows means nothing to enforce
    if (empty($conf)) {
        return true;
    }
    // phpmailer vulnerability
    // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
    // Identifies the vulnerable class.phpmailer.php by its md5 and warns
    // when sendmail is the configured mail method on the affected core versions.
    if (in_array(substr(XOOPS_VERSION, 0, 12), array('XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'))) {
        $config_handler =& xoops_gethandler('config');
        $xoopsMailerConfig =& $config_handler->getConfigsByCat(XOOPS_CONF_MAILER);
        if ($xoopsMailerConfig['mailmethod'] == 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') == 'ee1c09a8e579631f0511972f929fe36a') {
            echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! 
(message by protector)</strong>';
        }
    }
    // global enabled or disabled
    if (!empty($conf['global_disabled'])) {
        return true;
    }
    // group1_ips (groupid=1): members of group 1 may only log in from the
    // configured addresses; an empty list (no keys) disables the check.
    if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) {
        $group1_ips = $protector->get_group1_ips(true);
        if (implode('', array_keys($group1_ips))) {
            $group1_allow = $protector->ip_match($group1_ips);
            if (empty($group1_allow)) {
                die('This account is disabled for your IP by Protector.<br />Clear cookie if you want to access this site as a guest.');
            }
        }
    }
    // reliable ips: each entry is a raw, unanchored regex fragment matched
    // against REMOTE_ADDR; a match skips every remaining check.
    $reliable_ips = @unserialize(@$conf['reliable_ips']);
    if (is_array($reliable_ips)) {
        foreach ($reliable_ips as $reliable_ip) {
            if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
                return true;
            }
        }
    }
    // user information (uid and can be banned): members of a bip_except group are never banned
    if (is_object(@$xoopsUser)) {
        $uid = $xoopsUser->getVar('uid');
        $can_ban = count(@array_intersect($xoopsUser->getGroups(), @unserialize(@$conf['bip_except']))) ? false : true;
    } else {
        // login failed check: a guest request carrying login fields or
        // autologin cookies is counted as a login attempt
        if (!empty($_POST['uname']) && !empty($_POST['pass']) || !empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass'])) {
            $protector->check_brute_force();
        }
        $uid = 0;
        $can_ban = true;
    }
    // If precheck has already judged that he should be banned:
    // _should_be_banned -> ban without expiry argument,
    // _should_be_banned_time0 -> ban until now + banip_time0
    if ($can_ban && $protector->_should_be_banned) {
        $protector->register_bad_ips();
    } else {
        if ($can_ban && $protector->_should_be_banned_time0) {
            $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
        }
    }
    // DOS/CRAWLER skipping based on 'dirname' or getcwd()
    $dos_skipping = false;
    $skip_dirnames = explode('|', @$conf['dos_skipmodules']);
    if (!is_array($skip_dirnames)) {
        $skip_dirnames = array();
    }
    if (is_object(@$xoopsModule)) {
        if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) {
            $dos_skipping = true;
        }
    } else {
        // no module object: fall back to a substring match on the working directory
        foreach ($skip_dirnames as $skip_dirname) {
            if ($skip_dirname && strstr(getcwd(), $skip_dirname)) {
                $dos_skipping = true;
                break;
            }
        }
    }
    // module can control DoS skipping
    if (defined('PROTECTOR_SKIP_DOS_CHECK')) {
        $dos_skipping = true;
    }
    // DoS Attack
    if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) {
        $protector->output_log($protector->last_error_type, $uid, true, 16);
    }
    // check session hi-jacking: compare the top session_fixed_topbit bits of
    // the previous and current IPv4 address (dotted quad packed by hand).
    // A topbit of 0 or unset gives shift 32, which disables the comparison.
    $ips = explode('.', @$_SESSION['protector_last_ip']);
    $protector_last_numip = @$ips[0] * 0x1000000 + @$ips[1] * 0x10000 + @$ips[2] * 0x100 + @$ips[3];
    $ips = explode('.', $_SERVER['REMOTE_ADDR']);
    $remote_numip = @$ips[0] * 0x1000000 + @$ips[1] * 0x10000 + @$ips[2] * 0x100 + @$ips[3];
    $shift = 32 - @$conf['session_fixed_topbit'];
    if ($shift < 32 && $shift >= 0 && !empty($_SESSION['protector_last_ip']) && $protector_last_numip >> $shift != $remote_numip >> $shift) {
        // only members of a groups_denyipmove group get their session purged on an IP move
        if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'])))) {
            $protector->purge(true);
        }
    }
    $_SESSION['protector_last_ip'] = $_SERVER['REMOTE_ADDR'];
    // SQL Injection "Isolated /*"
    // isocom_action bits: 1 passed to the checker, 8 = ban (no expiry argument),
    // 4 = ban until now + banip_time0, 2 = purge the request after logging
    if (!$protector->check_sql_isolatedcommentin(@$conf['isocom_action'] & 1)) {
        if ($conf['isocom_action'] & 8 && $can_ban) {
            $protector->register_bad_ips();
        } else {
            if ($conf['isocom_action'] & 4 && $can_ban) {
                $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
            }
        }
        $protector->output_log('ISOCOM', $uid, true, 32);
        if ($conf['isocom_action'] & 2) {
            $protector->purge();
        }
    }
    // SQL Injection "UNION" (union_action bits have the same meaning as above)
    if (!$protector->check_sql_union(@$conf['union_action'] & 1)) {
        if ($conf['union_action'] & 8 && $can_ban) {
            $protector->register_bad_ips();
        } else {
            if ($conf['union_action'] & 4 && $can_ban) {
                $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
            }
        }
        $protector->output_log('UNION', $uid, true, 32);
        if ($conf['union_action'] & 2) {
            $protector->purge();
        }
    }
    if (!empty($_POST)) {
        // SPAM Check: separate URI-count thresholds for users (admins exempt) and guests
        if (is_object($xoopsUser)) {
            if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) {
                $protector->spam_check(intval($conf['spamcount_uri4user']), $xoopsUser->getVar('uid'));
            }
        } else {
            if ($conf['spamcount_uri4guest']) {
                $protector->spam_check(intval($conf['spamcount_uri4guest']), 0);
            }
        }
        // filter plugins for POST on postcommon stage
        $protector->call_filter('postcommon_post');
    }
    // register.php Protection
    if ($_SERVER['SCRIPT_FILENAME'] == XOOPS_ROOT_PATH . '/register.php') {
        $protector->call_filter('postcommon_register');
    }
}
/**
 * PHP4-style constructor: binds the shared Protector instance and the
 * module-relative directory that holds the enabled filter plugins.
 */
function ProtectorFilterHandler()
{
    $moduleDir = dirname(__DIR__);
    $this->filters_base = $moduleDir . '/filters_enabled';
    $this->protector = Protector::getInstance();
}
/**
 * Protector "precheck" hook: runs before the core finishes bootstrapping.
 *
 * Order of checks: installer guard, bandwidth limit (503 + filter),
 * bad-IP list (filter), global on/off switch, reliable-IP allow-list,
 * Big Umbrella anti-XSS init, "*id" force-intval, '..' elimination,
 * upload extension check, system-globals contamination, feature disabling.
 *
 * NOTE(review): after call_filter('precommon_badip') and
 * call_filter('precommon_bwlimit') execution continues with the remaining
 * checks; blocking relies on the filter ending the request — confirm.
 *
 * @return bool true on every path that returns; blocked requests are
 *              expected to end inside die(), purge() or the called filter
 */
function protector_precheck() {
    // check the access is from install/index.php: refuse to run under the
    // installer while mainfile.php is read-only (the hook lines cannot be removed)
    if (defined('_INSTALL_CHARSET') && !is_writable(\XoopsBaseConfig::get('root-path') . '/mainfile.php')) {
        die('To use installer, remove protector\'s lines from mainfile.php first.');
    }
    // Protector class
    require_once dirname(__DIR__) . '/class/protector.php';
    // Protector object
    $protector = Protector::getInstance();
    $conf = $protector->getConf();
    // bandwidth limitation: engaged only when bwlimit_count is at least 10
    // and the stored limit expiry is still in the future
    if (@$conf['bwlimit_count'] >= 10) {
        $bwexpire = $protector->get_bwlimit();
        if ($bwexpire > time()) {
            header('HTTP/1.0 503 Service unavailable');
            $protector->call_filter('precommon_bwlimit', 'This site is very crowed now. try later.');
        }
    }
    // bad_ips
    $bad_ips = $protector->get_bad_ips(true);
    $bad_ip_match = $protector->ip_match($bad_ips);
    if ($bad_ip_match) {
        $protector->call_filter('precommon_badip', 'You are registered as BAD_IP by Protector.');
    }
    // global enabled or disabled
    if (!empty($conf['global_disabled'])) {
        return true;
    }
    // reliable ips: each entry is a raw, unanchored regex fragment matched
    // against REMOTE_ADDR; a match only relaxes the '..' and upload checks
    $reliable_ips = @unserialize(@$conf['reliable_ips']);
    if (!is_array($reliable_ips)) {
        // for the environment of (buggy core version && magic_quotes_gpc)
        $reliable_ips = @unserialize(stripslashes(@$conf['reliable_ips']));
        if (!is_array($reliable_ips)) {
            $reliable_ips = array();
        }
    }
    $is_reliable = false;
    foreach ($reliable_ips as $reliable_ip) {
        if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
            $is_reliable = true;
        }
    }
    // "Big Umbrella" subset version (anti-XSS output handling)
    if (!empty($conf['enable_bigumbrella'])) {
        @define('PROTECTOR_ENABLED_ANTI_XSS', 1);
        $protector->bigumbrella_init();
    }
    // force intval variables whose name is *id (applies to reliable IPs too)
    if (!empty($conf['id_forceintval'])) {
        $protector->intval_allrequestsendid();
    }
    // eliminate '..' from requests that look like file specifications
    if (!$is_reliable && !empty($conf['file_dotdot'])) {
        $protector->eliminate_dotdot();
    }
    // Check uploaded files; a module can opt out via PROTECTOR_SKIP_FILESCHECKER
    if (!$is_reliable && !empty($_FILES) && !empty($conf['die_badext']) && !defined('PROTECTOR_SKIP_FILESCHECKER') && !$protector->check_uploaded_files()) {
        $protector->output_log($protector->last_error_type);
        $protector->purge();
    }
    // Variables contamination: contami_action bit 4 = drop all GET/POST and
    // flag the client for a ban (bit 8 selects _should_be_banned, otherwise
    // the time-limited _should_be_banned_time0; both are consumed later),
    // bit 2 = purge the request after logging
    if (!$protector->check_contami_systemglobals()) {
        if (@$conf['contami_action'] & 4) {
            if (@$conf['contami_action'] & 8) {
                $protector->_should_be_banned = true;
            } else {
                $protector->_should_be_banned_time0 = true;
            }
            $_GET = $_POST = array();
        }
        $protector->output_log($protector->last_error_type);
        if (@$conf['contami_action'] & 2) {
            $protector->purge();
        }
    }
    // prepare for DoS (left disabled in the original)
    //if( ! $protector->check_dos_attack_prepare() ) {
    //    $protector->output_log( $protector->last_error_type , 0 , true ) ;
    //}
    if (!empty($conf['disable_features'])) {
        $protector->disable_features();
    }
    return true;
}
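/**
 * Protector "postcommon" hook (older variant): runs on every request after
 * the core has loaded the user and module objects.
 *
 * Order of work: global on/off, reliable-IP allow-list (returns early),
 * brute-force check for guests, deferred ban from precheck, DoS check,
 * session IP-move check, "isolated comment" and "UNION" SQL-injection checks.
 *
 * Fix: the three unserialize() calls on config values (reliable_ips,
 * bip_except, groups_denyipmove) are now guarded with is_array(); a
 * malformed value previously reached foreach()/array_intersect() as false
 * (warning, and count(null) is a TypeError on PHP 8). The guarded outcome is
 * the same as the old success path: no reliable match, user bannable, no purge.
 *
 * NOTE(review): output_log('ISOCOM', $uid, 64) passes 64 in the position
 * where the newer variant passes a boolean before the numeric code — verify
 * against output_log's signature.
 *
 * @return bool true on early return (globally disabled, reliable IP);
 *              otherwise no explicit value (unchanged contract)
 */
function protector_postcommon()
{
    global $xoopsUser, $xoopsDB, $xoopsModule;
    // Protector class
    require_once XOOPS_ROOT_PATH . '/modules/protector/class/protector.php';
    $protector = Protector::getInstance($xoopsDB->conn);
    $conf = $protector->getConf();

    // global enabled or disabled
    if (!empty($conf['global_disabled'])) {
        return true;
    }

    // reliable ips: each entry is a raw, unanchored regex fragment matched
    // against REMOTE_ADDR; a match skips every remaining check.
    $reliable_ips = unserialize($conf['reliable_ips']);
    if (!is_array($reliable_ips)) {
        $reliable_ips = array();
    }
    foreach ($reliable_ips as $reliable_ip) {
        if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
            return true;
        }
    }

    // user information (uid and can be banned): members of a bip_except group are never banned
    if (is_object(@$xoopsUser)) {
        $uid = $xoopsUser->getVar('uid');
        $bip_except = unserialize($conf['bip_except']);
        if (!is_array($bip_except)) {
            $bip_except = array();
        }
        $can_ban = count(array_intersect($xoopsUser->getGroups(), $bip_except)) ? false : true;
    } else {
        // login failed check: a guest request carrying login fields or
        // autologin cookies is counted as a login attempt
        if (!empty($_POST['uname']) && !empty($_POST['pass']) || !empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass'])) {
            $protector->check_brute_force();
        }
        $uid = 0;
        $can_ban = true;
    }

    // If precheck has already judged that he should be banned
    if ($can_ban && $protector->_should_be_banned) {
        $protector->register_bad_ips();
    }

    // DOS/CRAWLER skipping based on 'dirname'
    $dos_skipping = false;
    $skip_dirnames = explode('|', $conf['dos_skipmodules']);
    if (!is_array($skip_dirnames)) {
        $skip_dirnames = array();
    }
    if (is_object(@$xoopsModule) && in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) {
        $dos_skipping = true;
    }

    // DoS Attack
    if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) {
        $protector->output_log($protector->last_error_type, $uid, true, 16);
    }

    // check session hi-jacking: exact string comparison with the address
    // stored in the session; only groups_denyipmove members get purged.
    if (!empty($_SESSION['protector_last_ip']) && $_SESSION['protector_last_ip'] != $_SERVER['REMOTE_ADDR']) {
        $groups_denyipmove = unserialize($conf['groups_denyipmove']);
        if (!is_array($groups_denyipmove)) {
            $groups_denyipmove = array();
        }
        if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), $groups_denyipmove))) {
            $protector->purge(true);
        }
    }
    $_SESSION['protector_last_ip'] = $_SERVER['REMOTE_ADDR'];

    // SQL Injection "Isolated /*"
    // isocom_action bits: 1 passed to the checker, 4 = ban, 2 = purge after logging
    if (!$protector->check_sql_isolatedcommentin($conf['isocom_action'] & 1)) {
        if ($conf['isocom_action'] & 4 && $can_ban) {
            $protector->register_bad_ips();
        }
        $protector->output_log('ISOCOM', $uid, 64);
        if ($conf['isocom_action'] & 2) {
            $protector->purge();
        }
    }

    // SQL Injection "UNION" (union_action bits have the same meaning as above)
    if (!$protector->check_sql_union($conf['union_action'] & 1)) {
        if ($conf['union_action'] & 4 && $can_ban) {
            $protector->register_bad_ips();
        }
        $protector->output_log('UNION', $uid, 64);
        if ($conf['union_action'] & 2) {
            $protector->purge();
        }
    }
}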
/**
 * PHP4-style constructor: binds the shared Protector instance and the two
 * module-relative directories that hold filter plugins (always-enabled
 * filters and filters selected by configuration).
 */
function ProtectorFilterHandler()
{
    $moduleDir = dirname(__DIR__);
    $this->protector = Protector::getInstance();
    $this->filters_base = $moduleDir . '/filters_enabled';
    $this->filters_byconfig = $moduleDir . '/filters_byconfig';
}
/**
 * ProtectorFilterHandler constructor (protected: instances come from a
 * factory/singleton accessor elsewhere).
 *
 * Binds the shared Protector instance and the module-relative directory
 * that holds the enabled filter plugins.
 */
protected function __construct()
{
    $this->filters_base = dirname(__DIR__) . '/filters_enabled';
    $this->protector = Protector::getInstance();
}