Esempio n. 1
0
function zen_session_recreate()
{
    if (PHP_VERSION >= 4.1) {
        $session_backup = $_SESSION;
        unset($_COOKIE[zen_session_name()]);
        zen_session_destroy();
        if (STORE_SESSIONS == 'db') {
            session_set_save_handler('_sess_open', '_sess_close', '_sess_read', '_sess_write', '_sess_destroy', '_sess_gc');
        }
        zen_session_start();
        $_SESSION = $session_backup;
        unset($session_backup);
    }
}
Esempio n. 2
0
    }
}
// confirm where link came from
if (!strstr($_SERVER['HTTP_REFERER'], FILENAME_CHECKOUT_CONFIRMATION)) {
    //    zen_redirect(zen_href_link(FILENAME_CHECKOUT_PAYMENT,'','SSL'));
}
// BEGIN CC SLAM PREVENTION
if (!isset($_SESSION['payment_attempt'])) {
    $_SESSION['payment_attempt'] = 0;
}
$_SESSION['payment_attempt']++;
$zco_notifier->notify('NOTIFY_CHECKOUT_SLAMMING_ALERT');
if ($_SESSION['payment_attempt'] > 3) {
    $zco_notifier->notify('NOTIFY_CHECKOUT_SLAMMING_LOCKOUT');
    $_SESSION['cart']->reset(TRUE);
    zen_session_destroy();
    zen_redirect(zen_href_link(FILENAME_TIME_OUT));
}
// END CC SLAM PREVENTION
if (!isset($credit_covers)) {
    $credit_covers = FALSE;
}
// load selected payment module
require DIR_WS_CLASSES . 'payment.php';
$payment_modules = new payment($_SESSION['payment']);
// load the selected shipping module
require DIR_WS_CLASSES . 'shipping.php';
$shipping_modules = new shipping($_SESSION['shipping']);
require DIR_WS_CLASSES . 'order.php';
$order = new order();
// prevent 0-entry orders from being generated/spoofed
Esempio n. 3
0
/**
 * Verify login according to security requirements
 * @param $admin_name
 * @param $admin_pass
 */
function zen_validate_user_login($admin_name, $admin_pass)
{
    global $db;
    $camefrom = isset($_GET['camefrom']) ? $_GET['camefrom'] : FILENAME_DEFAULT;
    $error = $expired = false;
    $message = $redirect = '';
    $expired_token = 0;
    $result = zen_read_user($admin_name);
    if (!isset($result) || $result == FALSE || $admin_name != $result['admin_name']) {
        // invalid login
        $error = true;
        $message = ERROR_WRONG_LOGIN;
        zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
    } else {
        if ($result['lockout_expires'] > time()) {
            // account locked
            $error = true;
            $message = ERROR_SECURITY_ERROR;
            // account locked. Simply give generic error, since otherwise we alert that the account name is correct
            zen_record_admin_activity(TEXT_ERROR_ATTEMPTED_TO_LOG_IN_TO_LOCKED_ACCOUNT . ' ' . $admin_name, 'warning');
        }
        if ($result['reset_token'] != '') {
            list($expired_token, $token) = explode('}', $result['reset_token']);
            if ($expired_token > 0) {
                if ($expired_token <= time() && $result['admin_pass'] != '') {
                    // reset the reset_token field to blank, since token has expired
                    $sql = "update " . TABLE_ADMIN . " set reset_token = '' where admin_name = :adminname: ";
                    $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                    $db->Execute($sql);
                    $expired = false;
                } else {
                    if (!zen_validate_password($admin_pass, $token)) {
                        $error = true;
                        $message = ERROR_WRONG_LOGIN;
                        zen_record_admin_activity(sprintf(TEXT_ERROR_INCORRECT_PASSWORD_DURING_RESET_FOR_USER) . ' ' . $admin_name, 'warning');
                    } else {
                        $error = true;
                        $expired = true;
                        $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
                    }
                }
            }
        }
        if ($result['admin_pass'] == '') {
            $error = true;
            $expired = true;
            $message = TEXT_TEMPORARY_PASSWORD_MUST_BE_CHANGED;
        } else {
            $token = $result['admin_pass'];
            if (!zen_validate_password($admin_pass, $token)) {
                $error = true;
                if (!$expired) {
                    $message = ERROR_WRONG_LOGIN;
                    zen_record_admin_activity(sprintf(TEXT_ERROR_FAILED_ADMIN_LOGIN_FOR_USER) . ' ' . $admin_name, 'warning');
                }
            }
        }
        if (password_needs_rehash($token, PASSWORD_DEFAULT)) {
            $token = zcPassword::getInstance(PHP_VERSION)->updateNotLoggedInAdminPassword($admin_pass, $admin_name);
        }
        // BEGIN 2-factor authentication
        if ($error == FALSE && defined('ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE') && ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE != '') {
            if (function_exists(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE)) {
                $response = zen_call_function(ZC_ADMIN_TWO_FACTOR_AUTHENTICATION_SERVICE, array($result['admin_id'], $result['admin_email'], $result['admin_name']));
                if ($response !== TRUE) {
                    $error = TRUE;
                    $message = ERROR_WRONG_LOGIN;
                    zen_record_admin_activity('TFA Failure - Two-factor authentication failed', 'warning');
                } elseif ($response === TRUE) {
                    zen_record_admin_activity('TFA Passed - Two-factor authentication passed', 'warning');
                }
            }
        }
    }
    // BEGIN LOGIN SLAM PREVENTION
    if ($error == TRUE) {
        if (!isset($_SESSION['login_attempt'])) {
            $_SESSION['login_attempt'] = 0;
        }
        $_SESSION['login_attempt']++;
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = failed_logins + 1, last_failed_attempt = now(), last_failed_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
        $db->Execute($sql);
        if (($_SESSION['login_attempt'] > 3 || $result['failed_logins'] > 3) && isset($result['admin_email']) && $result['admin_email'] != '' && ADMIN_SWITCH_SEND_LOGIN_FAILURE_EMAILS == 'Yes') {
            $html_msg['EMAIL_CUSTOMERS_NAME'] = $result['admin_name'];
            $html_msg['EMAIL_MESSAGE_HTML'] = sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']);
            zen_record_admin_activity(sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), 'warning');
            zen_mail($result['admin_name'], $result['admin_email'], TEXT_EMAIL_SUBJECT_LOGIN_FAILURES, sprintf(TEXT_EMAIL_MULTIPLE_LOGIN_FAILURES, $_SERVER['REMOTE_ADDR']), STORE_NAME, EMAIL_FROM, $html_msg, 'no_archive');
        }
        if ($expired_token < 10000) {
            if ($_SESSION['login_attempt'] > 6 || $result['failed_logins'] > 6) {
                $sql = "UPDATE " . TABLE_ADMIN . " SET lockout_expires = " . (time() + ADMIN_LOGIN_LOCKOUT_TIMER) . " WHERE admin_name = :adminname: ";
                $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
                $db->Execute($sql);
                zen_session_destroy();
                zen_record_admin_activity('Too many login failures. Account locked for ' . ADMIN_LOGIN_LOCKOUT_TIMER / 60 . ' minutes', 'warning');
                sleep(15);
                $redirect = zen_href_link(FILENAME_DEFAULT, '', 'SSL');
                return array($error, $expired, $message, $redirect);
            } else {
                sleep(4);
            }
        }
    }
    // END LOGIN SLAM PREVENTION
    // deal with expireds for SSL change
    if ($error == FALSE && $result['pwd_last_change_date'] == '1990-01-01 14:02:22') {
        $expired = true;
        $error = true;
        $message = ($message == '' ? '' : $message . '<br /><br />') . EXPIRED_DUE_TO_SSL;
    }
    // deal with expireds for PA-DSS
    if ($error == FALSE && PADSS_PWD_EXPIRY_ENFORCED == 1 && $result['pwd_last_change_date'] < date('Y-m-d H:i:s', ADMIN_PASSWORD_EXPIRES_INTERVAL)) {
        $expired = true;
        $error = true;
    }
    if ($error == false) {
        unset($_SESSION['login_attempt']);
        $sql = "UPDATE " . TABLE_ADMIN . " SET failed_logins = 0, lockout_expires = 0, last_login_date = now(), last_login_ip = :ip: WHERE admin_name = :adminname: ";
        $sql = $db->bindVars($sql, ':adminname:', $admin_name, 'string');
        $sql = $db->bindVars($sql, ':ip:', $_SERVER['REMOTE_ADDR'], 'string');
        $db->Execute($sql);
        $_SESSION['admin_id'] = $result['admin_id'];
        if (SESSION_RECREATE == 'True') {
            zen_session_recreate();
        }
        $redirect = zen_href_link($camefrom, zen_get_all_get_params(array('camefrom')), 'SSL');
    }
    return array($error, $expired, $message, $redirect);
}