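include 'includes/validate.php';
// $user_inc selects the user-backend include. It is assumed to come from
// WebCalendar's own configuration, never from request input — TODO confirm
// at the point where $user_inc is assigned.
include 'includes/' . $user_inc; //eom
include 'includes/site_extras.php';
include_once 'includes/xcal.php';

$WebCalendar->initializeSecondPhase();
$appStr = generate_application_name();

// If WebCalendar is using http auth, then $login will be set in validate.php.
// Some front-ends hand the raw "Basic <base64>" Authorization value through
// REMOTE_USER instead of filling PHP_AUTH_USER/PHP_AUTH_PW; unpack it here so
// the rest of the page only has to look at $_SERVER.
if (empty($_SERVER['PHP_AUTH_USER']) && !empty($_ENV['REMOTE_USER'])) {
  $authValue = $_ENV['REMOTE_USER'];
  // Only decode a value that really carries the Basic scheme; anything else
  // (for example a plain username) is left alone and falls through to the
  // 401 below. 6 == strlen('Basic ').
  if (strncasecmp($authValue, 'Basic ', 6) === 0) {
    // Limit of 2: RFC 7617 allows ':' inside the password, so only the first
    // ':' separates user-id from password. A missing ':' yields an empty
    // password instead of an undefined-index notice.
    $credentials = explode(':', base64_decode(substr($authValue, 6)), 2);
    $_SERVER['PHP_AUTH_USER'] = trim($credentials[0]);
    $_SERVER['PHP_AUTH_PW'] = isset($credentials[1]) ? trim($credentials[1]) : '';
  }
}
// Do not leave the raw credential header lying around for later includes.
unset($_ENV['REMOTE_USER']);

if (empty($login) || $login === '__public__') {
  // Read the credentials once, defaulting to '' when the header was absent,
  // so the comparisons below never touch an unset index.
  $authUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
  $authPw = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
  if ($authUser !== '' && user_valid_login($authUser, $authPw, true)) {
    $login = $authUser;
  }
  // Either no credentials were offered or they did not validate: clear them
  // and challenge the client. Nothing after this point runs unauthenticated.
  if (empty($login) || $login !== $authUser) {
    unset($_SERVER['PHP_AUTH_USER']);
    unset($_SERVER['PHP_AUTH_PW']);
    header('WWW-Authenticate: Basic realm="' . $appStr . '"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
  }
}

load_global_settings();
load_user_preferences();
$WebCalendar->setLanguage();
// Load user name, etc.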
$PHP_SELF = $_SERVER["PHP_SELF"];
}
// NOTE(review): the block closed above begins before this excerpt.
// $_SERVER['PHP_SELF'] can carry client-supplied PATH_INFO, so the cookie
// path derived from it is request-influenced — confirm this is acceptable.
$cookie_path = str_replace("login.php", "", $PHP_SELF);
//echo "Cookie path: $cookie_path\n";
// The response is assembled as an XML document in $out; it is presumably
// emitted by code after this excerpt.
$out = "<login>\n";
if ($single_user == "Y") {
  // No login for single-user mode
  $out .= "<error>No login required for single-user mode</error>\n";
} else {
  if ($use_http_auth) {
    // There is no login page when using HTTP authorization
    $out .= "<error>No login required for HTTP authentication</error>\n";
  } else {
    if (!empty($login) && !empty($password)) {
      $login = trim($login);
      if (user_valid_login($login, $password)) {
        user_load_variables($login, "");
        // set login to expire in 365 days
        // NOTE(review): no expiry is applied in this excerpt — the SetCookie
        // call below is commented out and the XML carries no lifetime; confirm
        // where the 365-day limit is actually enforced.
        // NOTE(review): srand(microtime)/rand() is a predictable, non-cryptographic
        // PRNG; salt material should come from random_int()/random_bytes().
        srand((double) microtime() * 1000000);
        // NOTE(review): the 'A'..'z' byte range also covers [ \ ] ^ _ ` which lie
        // outside crypt()'s ./0-9A-Za-z salt alphabet (per the PHP manual such a
        // salt makes crypt() return a failure marker rather than a hash), and a
        // two-character salt selects the traditional DES scheme, which only
        // considers the first eight password characters.
        $salt = chr(rand(ord('A'), ord('z'))) . chr(rand(ord('A'), ord('z')));
        // The session token is "<login>|<crypt(password)>" passed through
        // encode_string(). Whether that encoding is reversible is not visible
        // here; if it is, the token hands the password hash to the client.
        $encoded_login = encode_string($login . "|" . crypt($password, $salt));
        //SetCookie ( "webcalendar_session", $encoded_login, 0, $cookie_path );
        $out .= " <cookieName>webcalendar_session</cookieName>\n";
        $out .= " <cookieValue>{$encoded_login}</cookieValue>\n";
        if ($is_admin) {
          $out .= " <admin>1</admin>\n";
        }
      } else {
        $out .= " <error>Invalid login</error>\n";
      }
    }
    // The two enclosing else-blocks are closed after this excerpt.
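<table id="securityAudit" border="0" cellpadding="4">
<tr><th><?php etranslate('Security Issue'); ?> </th>
<th><?php etranslate('Status'); ?> </th>
<th><?php etranslate('Details'); ?> </th></tr>
<?php
// Make sure they aren't still using the default admin username/password.
// This is a genuine login attempt against the configured user backend.
$isOk = !user_valid_login('admin', 'admin');
$help = translate('You should change the password of the default admin user.');
print_issue(translate('Default admin user password'), $isOk, $help);

// Is the main directory still writable?
// just see if we get an error trying to append to it.
$wcDir = '.';
$wcName = 'WebCalendar toplevel directory';
// Derive the install directory from this file's own path. Either separator
// style is accepted, and the trailing separator is DIRECTORY_SEPARATOR
// rather than a hard-coded backslash: on Unix a backslash-terminated path
// names a directory that does not exist, so the audit would never probe
// the real directory.
if (preg_match('/(.*)[\/\\\\]security_audit\.php$/', __FILE__, $matches)) {
  $wcDir = $matches[1] . DIRECTORY_SEPARATOR;
  $wcName = basename($wcDir);
}
// A writable install directory lets a compromised web process alter the
// application's own code, so "not writable" is the passing state.
$isOk = !is__writable($wcDir);
$help = translate('The following item should not be writable') . ':<br/><tt>' . htmlentities($wcDir) . '</tt>';
print_issue(translate('File permissions') . ': ' . $wcName, $isOk, $help);

// Is the includes directory still writable?
// just see if we get an error trying to append to it.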