$variables = substr($variables, strpos($variables, '?') + 1);
}
// Tail of detect_xss_in_saurus_params(); the function's opening lines precede this excerpt.
// Raw query string: split on '&', then on the first '=' (note: explode() without a limit
// keeps only the part between the first and second '=', so "a=b=c" yields value "b").
$variables = explode('&', $variables);
foreach ($variables as $variable) {
    if (strpos($variable, '=') !== false) {
        $variable = explode('=', $variable);
        $checkable[$variable[0]] = $variable[1];
    } else {
        $checkable[$variable] = null;
    }
}
} else {
// Already-parsed parameter map (e.g. $_GET / $_POST) is inspected as-is.
$checkable = $variables;
}
global $CMS_PARAMS;
// Only keys listed in the global $CMS_PARAMS whitelist are inspected; match is case-insensitive
// and in_array() is non-strict here.
foreach ($checkable as $key => $value) {
    //printr(htmlspecialchars($key.$value));
    if (in_array(strtolower($key), $CMS_PARAMS) && detect_xss_in_string($value)) {
        //printr(urldecode($value));
        //printr(xss_clean(urldecode($value)));
        return true;
    }
}
return false;
}
//echo (detect_xss_in_saurus_params($_SERVER['PHP_SELF']) ? 1 : 0);
// Request-level gate: run the XSS checks on every request except those in the admin area,
// and redirect to the site root when any check fires.
// NOTE(review): the admin exemption is decided by searching REQUEST_URI, i.e. request-supplied
// data, for "<wwwroot>/admin/"; a server-side fact such as the script's working directory is a
// more robust basis for that exemption — confirm which is intended.
if (strstr($_SERVER['REQUEST_URI'], $CMS_SETTINGS['wwwroot'] . '/admin/') === false
    && (detect_xss_in_saurus_params($_SERVER['QUERY_STRING'])
        || detect_xss_in_saurus_params($_SERVER['REQUEST_URI'])
        || detect_xss_in_string($_SERVER['PHP_SELF'])
        || detect_xss_in_saurus_params($_POST)
        || detect_xss_in_saurus_params($_GET))) {
    header('Location: ' . $CMS_SETTINGS['wwwroot'] . '/index.php');
    exit;
}
//printr($_SERVER);
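/**
 * Check whether any CMS-controlled request parameter carries a suspected XSS payload.
 *
 * @param array|string $variables  either an already-parsed parameter map (e.g. $_GET, $_POST)
 *                                 or a raw URL / query string ("a=1&b=2" or "/path?a=1&b=2")
 * @return bool  true as soon as a key listed in the global $CMS_PARAMS whitelist has a value
 *               that detect_xss_in_string() flags; false otherwise
 */
function detect_xss_in_saurus_params($variables)
{
    // Whitelist of parameter names to inspect; expected to be an array set up elsewhere
    // (if it is missing, in_array() fails hard rather than silently skipping the check).
    global $CMS_PARAMS;

    $checkable = array();
    if (is_array($variables)) {
        // Already-parsed map: inspect as-is.
        $checkable = $variables;
    } else {
        // Raw string: drop everything up to and including the first '?' so that a full
        // REQUEST_URI and a bare QUERY_STRING are handled the same way.
        $variables = (string) $variables;
        $queryStart = strpos($variables, '?');
        if ($queryStart !== false) {
            $variables = substr($variables, $queryStart + 1);
        }
        foreach (explode('&', $variables) as $pair) {
            if (strpos($pair, '=') !== false) {
                // Limit 2: split only at the first '=' so a value that itself contains '='
                // (e.g. "a=b=c") is inspected in full instead of being truncated to "b".
                list($name, $value) = explode('=', $pair, 2);
                $checkable[$name] = $value;
            } else {
                $checkable[$pair] = null;
            }
        }
    }

    foreach ($checkable as $key => $value) {
        // Names are matched case-insensitively; in_array() is deliberately left non-strict
        // so matching stays identical to the previous behaviour of this function.
        // NOTE(review): array-valued entries (e.g. foo[]=bar in $_GET/$_POST) are handed to
        // detect_xss_in_string() unchanged — confirm it handles or rejects arrays.
        if (in_array(strtolower($key), $CMS_PARAMS) && detect_xss_in_string($value)) {
            return true;
        }
    }

    return false;
}

// Request-level gate: front-end requests only. The admin area is exempt, and that exemption
// is derived from the script's working directory (a server-side fact), not from anything in
// the request. $absolute_path is expected to be defined earlier in the file and, judging by
// the concatenation below, to end with a directory separator — TODO confirm.
// If getcwd() fails, str_replace() yields '' and strpos() returns false, so the checks still
// run (the failure mode is "check", not "exempt").
if (strpos(str_replace('\\', '/', getcwd()), $absolute_path . 'admin') !== 0
    && (
        detect_xss_in_saurus_params(isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '')
        || detect_xss_in_saurus_params(isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '')
        || detect_xss_in_string(isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '')
        || detect_xss_in_saurus_params($_POST)
        || detect_xss_in_saurus_params($_GET)
    )
) {
    // Suspected payload: bounce to the site root instead of rendering the requested page.
    header('Location: ' . $CMS_SETTINGS['wwwroot'] . '/index.php');
    exit;
}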