コード例 #1
ファイル: api.php プロジェクト: KorayAgaya/malware-repo
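 /**
  * Authenticate the caller by API key and dispatch to the requested API action.
  *
  * The action name is read from the "action" request parameter. The API key is
  * the logged-in user's activation token or, when nobody is logged in, the
  * "token" request parameter. Responds 401 when the key is rejected and 404
  * when no route matches.
  *
  * NOTE(review): dispatch is by method name, so every method of this object is
  * reachable through "action" once the key is accepted, including helpers such
  * as response(), deletefile() and downloadfile(). The guard below only refuses
  * magic methods and this dispatcher itself; an explicit allowlist of API
  * actions would be stricter, but none is visible here.
  */
 public function processApi()
 {
     global $loggedInUser;
     // One normalisation for every source. Non-string values (e.g. action[]=x)
     // are treated as absent instead of being passed to the string functions.
     $clean = function ($value) {
         return is_string($value) ? strtolower(trim(str_replace("/", "", $value))) : null;
     };
     // Extract requested API
     $func = isset($_REQUEST['action']) ? $clean($_REQUEST['action']) : null;
     if (!$func && isset($_POST['action'])) {
         // The POST fallback used to bypass the normalisation applied above.
         $func = $clean($_POST['action']);
     }
     // Extract API key
     if (isUserLoggedIn() && $loggedInUser != NULL) {
         // if logged in, we get it from current cookie
         $key = $loggedInUser->activationtoken();
     } else {
         // A missing "token" yields an empty key rather than an undefined-index notice.
         $key = isset($_REQUEST['token']) ? (string) $clean($_REQUEST['token']) : '';
         if (!$key && isset($_POST['token']) && is_string($_POST['token'])) {
             $key = $_POST['token'];
         }
     }
     // Verify API key/ Save user id in REQUEST array
     $is_api_valid = loggedInUser::checkapikey($key);
     // Handlers receive the authenticated user through $_REQUEST["user"], so a
     // client-supplied "user" parameter must never be left in that slot.
     unset($_REQUEST["user"]);
     $user = loggedInUser::getuserbyapikey($key);
     if ($user != null) {
         $_REQUEST["user"] = $user;
     }
     // Go to selected route
     if (!$is_api_valid) {
         $this->response('', 401);
         return;
     }
     // $func is already lower-cased, so the self-dispatch check compares against
     // the lower-cased name of this method.
     $dispatchable = is_string($func) && $func !== ''
         && strpos($func, '__') !== 0
         && $func !== strtolower(__FUNCTION__)
         && method_exists($this, $func);
     if ($dispatchable) {
         $this->{$func}();
     } elseif ($this->get_request_method() == "DELETE" || (isset($_REQUEST['_method']) && $_REQUEST['_method'] == 'DELETE')) {
         $this->deletefile();
     } elseif (isset($_REQUEST['download'])) {
         $this->downloadfile();
     } else {
         $this->response('', 404);
     }
 }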
コード例 #2
ファイル: login.php プロジェクト: anjisaraeva/StanWebApp
 } else {
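     // Load the account row, then check activation and password before creating the session.
     $userdetails = fetchUserDetails($username);
     // NOTE(review): the activation state is reported before the password is checked, so this
     // branch answers for any existing username; consider verifying the password first.
     if ($userdetails["active"] == 0) {
         $errors[] = lang("ACCOUNT_INACTIVE");
     } else {
         //Hash the password and use the salt from the database to compare the password.
         $stored_hash = (string) $userdetails["password"];
         $entered_pass = (string) generateHash($password, $userdetails["password"]);
         // Compare as strings, in constant time where hash_equals() exists. The loose != used
         // before compares numeric-looking strings as numbers, so two different hashes of the
         // form "0e<digits>" would have counted as a match.
         $password_ok = function_exists('hash_equals')
             ? hash_equals($stored_hash, $entered_pass)
             : $entered_pass === $stored_hash;
         if (!$password_ok) {
             //Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing
             $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
         } else {
             //Passwords match! we're good to go
             //Construct a new logged in user object
             //Transfer some db data to the session object
             $loggedInUser = new loggedInUser();
             $loggedInUser->email = $userdetails["email"];
             $loggedInUser->user_id = $userdetails["id"];
             // NOTE(review): the stored password hash is copied into the session object;
             // confirm something downstream needs it there.
             $loggedInUser->hash_pw = $userdetails["password"];
             $loggedInUser->title = $userdetails["title"];
             $loggedInUser->displayname = $userdetails["display_name"];
             $loggedInUser->username = $userdetails["user_name"];
             //Update last sign in
             $loggedInUser->updateLastSignIn();
             // Issue a fresh session id at the privilege change so an id fixed before
             // login cannot be reused afterwards (session fixation).
             if (session_id() !== '') {
                 session_regenerate_id(true);
             }
             $_SESSION["userCakeUser"] = $loggedInUser;
             //Redirect to user account page
             header("Location: account.php");
             die;
         }
     }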
 }
コード例 #3
ファイル: login.php プロジェクト: vbraguimcanto/UserPie
 } else {
     $userdetails = fetchUserDetails($username);
     //See if the user's account is activation
     if ($userdetails["active"] == 0) {
         $errors[] = lang("ACCOUNT_INACTIVE");
     } else {
         //Hash the password and use the salt from the database to compare the password.
         $entered_pass = generateHash($password, $userdetails["password"]);
         if ($entered_pass != $userdetails["password"]) {
             //Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing
             $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
         } else {
             //passwords match! we're good to go'
             //Construct a new logged in user object
             //Transfer some db data to the session object
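             // Build the logged-in user object from the account row.
             $loggedInUser = new loggedInUser();
             $loggedInUser->email = $userdetails["email"];
             $loggedInUser->user_id = $userdetails["user_id"];
             // NOTE(review): the stored password hash is copied into the user object, which is
             // later serialized; confirm something downstream needs it there.
             $loggedInUser->hash_pw = $userdetails["password"];
             $loggedInUser->display_username = $userdetails["username"];
             $loggedInUser->clean_username = $userdetails["username_clean"];
             $loggedInUser->remember_me = $remember_choice;
             // remember_me_sessid becomes the value of the persistent login cookie, so it has to
             // be unpredictable. uniqid(rand(), true) is derived from the clock and a non-
             // cryptographic generator; seed from the CSPRNG where the runtime provides one and
             // keep the old seed only as a fallback for runtimes without random_bytes().
             $session_seed = function_exists('random_bytes')
                 ? bin2hex(random_bytes(32))
                 : uniqid(rand(), true);
             $loggedInUser->remember_me_sessid = generateHash($session_seed);
             //Update last sign in
             $loggedInUser->updatelast_sign_in();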
             if ($loggedInUser->remember_me == 0) {
                 $_SESSION["userPieUser"] = $loggedInUser;
             } else {
                 if ($loggedInUser->remember_me == 1) {
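                     // Persist the remember-me session row, then hand the token to the browser.
                     // NOTE(review): this INSERT is built by concatenation. serialize() output carries
                     // the account's string fields verbatim, so a quote in any of them ends the SQL
                     // literal; bind or escape the values with whatever the $db layer provides (not
                     // visible here). The row is presumably unserialize()d when the cookie comes
                     // back — confirm, and prefer storing plain columns over a serialized object.
                     $db->sql_query("INSERT INTO " . $db_table_prefix . "sessions VALUES('" . time() . "', '" . serialize($loggedInUser) . "', '" . $loggedInUser->remember_me_sessid . "')");
                     // HttpOnly (last argument) keeps the token out of reach of page scripts. Path,
                     // domain and secure are passed at their defaults; switch secure to true once
                     // the site is served over HTTPS only.
                     setcookie("userPieUser", $loggedInUser->remember_me_sessid, time() + parseLength($remember_me_length), "", "", false, true);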
コード例 #4
 //See if the user's account is activated
 if ($userdetails["active"] == 0) {
     $errors[] = lang("ACCOUNT_INACTIVE");
 } else {
     if ($userdetails["enabled"] == 0) {
         $errors[] = lang("ACCOUNT_DISABLED");
     } else {
         // Validate the password
         if (!passwordVerifyUF($password, $userdetails["password"])) {
             //Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing
             $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
         } else {
             //Passwords match! we're good to go'
             //Construct a new logged in user object
             //Transfer some db data to the session object
             $loggedInUser = new loggedInUser();
             $loggedInUser->email = $userdetails["email"];
             $loggedInUser->user_id = $userdetails["id"];
             $loggedInUser->hash_pw = $userdetails["password"];
             $loggedInUser->title = $userdetails["title"];
             $loggedInUser->displayname = $userdetails["display_name"];
             $loggedInUser->username = $userdetails["user_name"];
             $loggedInUser->alerts = array();
             //Update last sign in
             $loggedInUser->updateLastSignIn();
             // Update password if we had encountered an outdated hash
             if (getPasswordHashTypeUF($userdetails["password"]) != "modern") {
                 // Hash the user's password and update
                 $password_hash = passwordHashUF($password);
                 if ($password_hash === null) {
                     error_log("Notice: outdated password hash could not be updated because new hashing algorithm is not supported.  Are you running PHP >= 5.3.7?");
コード例 #5
ファイル: login.php プロジェクト: khalid-ali/DogePos
 } else {
     $userdetails = fetchUserDetails($username);
     //See if the user's account is activated
     if ($userdetails["active"] == 0) {
         $errors[] = lang("ACCOUNT_INACTIVE");
     } else {
         //Hash the password and use the salt from the database to compare the password.
         $entered_pass = generateHash($password, $userdetails["password"]);
         if ($entered_pass != $userdetails["password"]) {
             //Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing
             $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
         } else {
             //Passwords match! we're good to go'
             //Construct a new logged in user object
             //Transfer some db data to the session object
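             // Build the logged-in user object from the account row.
             $loggedInUser = new loggedInUser();
             $loggedInUser->email = $userdetails["email"];
             $loggedInUser->user_id = $userdetails["id"];
             // NOTE(review): the stored password hash is copied into the user object;
             // confirm something downstream needs it there.
             $loggedInUser->hash_pw = $userdetails["password"];
             $loggedInUser->currency = $userdetails["currency"];
             $loggedInUser->remember_me = $remember_choice;
             // remember_me_sessid is presumably the persistent-login token (its use is not
             // visible here), so it must be unpredictable. uniqid(rand(), true) is derived from
             // the clock and a non-cryptographic generator; seed from the CSPRNG where the
             // runtime provides one and keep the old seed only as a fallback.
             $session_seed = function_exists('random_bytes')
                 ? bin2hex(random_bytes(32))
                 : uniqid(rand(), true);
             $loggedInUser->remember_me_sessid = generateHash($session_seed);
             $loggedInUser->title = $userdetails["title"];
             $loggedInUser->displayname = $userdetails["display_name"];
             $loggedInUser->username = $userdetails["user_name"];
             // Payout settings copied from the account row.
             $loggedInUser->dogeaddress = $userdetails["dogeaddress"];
             $loggedInUser->autodoge = $userdetails["autodoge"];
             $loggedInUser->btcaddress = $userdetails["btcaddress"];
             $loggedInUser->autobtc = $userdetails["autobtc"];
             //Update last sign in
             $loggedInUser->updateLastSignIn();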
コード例 #6
ファイル: header.php プロジェクト: CWGran/hutwatch
 } else {
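     // Load the account row, then check activation and password before creating the session.
     $userdetails = fetchUserDetails($username);
     // NOTE(review): the activation state is reported before the password is checked, so this
     // branch answers for any existing username; consider verifying the password first.
     if ($userdetails["active"] == 0) {
         $loginErrors[] = lang("ACCOUNT_INACTIVE");
     } else {
         //Hash the password and use the salt from the database to compare the password.
         $stored_hash = (string) $userdetails["password"];
         $entered_pass = (string) generateHash($pass, $userdetails["password"]);
         // Compare as strings, in constant time where hash_equals() exists. The loose != used
         // before compares numeric-looking strings as numbers, so two different hashes of the
         // form "0e<digits>" would have counted as a match.
         $password_ok = function_exists('hash_equals')
             ? hash_equals($stored_hash, $entered_pass)
             : $entered_pass === $stored_hash;
         if (!$password_ok) {
             //Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing
             $loginErrors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
         } else {
             //Passwords match! we're good to go
             //Construct a new logged in user object
             //Transfer some db data to the session object
             $loggedInUser = new loggedInUser();
             $loggedInUser->email = $userdetails["email"];
             $loggedInUser->user_id = $userdetails["id"];
             // NOTE(review): the stored password hash is copied into the session object;
             // confirm something downstream needs it there.
             $loggedInUser->hash_pw = $userdetails["password"];
             $loggedInUser->title = $userdetails["title"];
             $loggedInUser->displayname = $userdetails["display_name"];
             $loggedInUser->username = $userdetails["user_name"];
             //Update last sign in
             $loggedInUser->updateLastSignIn();
             // Issue a fresh session id at the privilege change so an id fixed before
             // login cannot be reused afterwards (session fixation).
             if (session_id() !== '') {
                 session_regenerate_id(true);
             }
             $_SESSION["userCakeUser"] = $loggedInUser;
             //Redirect to  homepage
             header("Location: ../../#/index");
             die;
         }
     }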
 }
コード例 #7
ファイル: login.php プロジェクト: AdwayLele/CupCake
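 /**
  * Show the login form and, when it was posted, authenticate the user.
  *
  * On success the logged-in user object is stored in the session under
  * 'userCakeUser' and the browser is redirected to the account page. On
  * failure the messages are collected in the global $errors and the login
  * view is rendered again.
  */
 public function index()
 {
     /*
     UserCake (Via CupCake) Version: 2.0.2
     http://usercake.com
     */
     global $baseURL;
     require_once "{$baseURL}/application/third_party/user_cake/models/config.php";
     if (!securePage($_SERVER['PHP_SELF'])) {
         die;
     }
     //Prevent the user visiting the logged in page if he/she is already logged in
     if (isUserLoggedIn()) {
         header("Location: " . str_replace('index.php/', '', site_url('account')));
         die;
     }
     //Forms posted
     if (!empty($_POST)) {
         global $errors;
         $errors = array();
         // A missing or non-string field (e.g. username[]=x) is treated as empty, so it is
         // rejected by the checks below instead of reaching trim() and the lookups.
         $username = isset($_POST["username"]) && is_string($_POST["username"])
             ? sanitize(trim($_POST["username"]))
             : "";
         $password = isset($_POST["password"]) && is_string($_POST["password"])
             ? trim($_POST["password"])
             : "";
         //Perform some validation
         //Feel free to edit / change as required
         if ($username == "") {
             $errors[] = lang("ACCOUNT_SPECIFY_USERNAME");
         }
         if ($password == "") {
             $errors[] = lang("ACCOUNT_SPECIFY_PASSWORD");
         }
         if (count($errors) == 0) {
             //A security note here, never tell the user which credential was incorrect
             if (!usernameExists($username)) {
                 $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
             } else {
                 $userdetails = fetchUserDetails($username);
                 // NOTE(review): the activation state is reported before the password is
                 // checked, which works against the note above for existing usernames;
                 // consider verifying the password first.
                 if ($userdetails["active"] == 0) {
                     $errors[] = lang("ACCOUNT_INACTIVE");
                 } else {
                     //Hash the password and use the salt from the database to compare the password.
                     $stored_hash = (string) $userdetails["password"];
                     $entered_pass = (string) generateHash($password, $userdetails["password"]);
                     // Compare as strings, in constant time where hash_equals() exists. The
                     // loose != used before compares numeric-looking strings as numbers, so two
                     // different hashes of the form "0e<digits>" would have counted as a match.
                     $password_ok = function_exists('hash_equals')
                         ? hash_equals($stored_hash, $entered_pass)
                         : $entered_pass === $stored_hash;
                     if (!$password_ok) {
                         //Again, we know the password is at fault here, but lets not give away the combination incase of someone bruteforcing
                         $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
                     } else {
                         //Passwords match! we're good to go
                         //Construct a new logged in user object
                         //Transfer some db data to the session object
                         $loggedInUser = new loggedInUser();
                         $loggedInUser->email = $userdetails["email"];
                         $loggedInUser->user_id = $userdetails["id"];
                         // NOTE(review): the stored password hash is copied into the session
                         // object; confirm something downstream needs it there.
                         $loggedInUser->hash_pw = $userdetails["password"];
                         $loggedInUser->title = $userdetails["title"];
                         $loggedInUser->displayname = $userdetails["display_name"];
                         $loggedInUser->username = $userdetails["user_name"];
                         //Update last sign in
                         $loggedInUser->updateLastSignIn();
                         $this->session->set_userdata('userCakeUser', $loggedInUser);
                         //Redirect to user account page
                         header("Location: " . str_replace('index.php/', '', site_url('account')));
                         die;
                     }
                 }
             }
         }
     }
     $this->load->view('login');
 }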
コード例 #8
ファイル: index.php プロジェクト: Johnnymack/aswwu.com
<?php

// Report all PHP errors and pin the timezone before any project code is loaded.
error_reporting(E_ALL);
$root = "../";
ini_set("date.timezone", "America/Los_Angeles");
require_once "classes.php";
require_once "search.php";

// One DataBase handle per data file, keyed by what it holds.
$db = [
    "people" => new DataBase($root . "data/people.db"),
    "archives" => new DataBase($root . "data/archives.db"),
];
$current_year = 1516;

// Optional login: both wwuid and token must be present and non-empty.
// $errors is only ever created on a failed verify, so isset($errors) doubles as the failure flag.
// NOTE(review): the token arrives in the URL query string, where it ends up in access logs and
// Referer headers; confirm that is acceptable for this token.
if (isset($_GET["wwuid"], $_GET["token"])) {
    if ($_GET["wwuid"] != "" && $_GET["token"] != "") {
        // The JSON round trip turns the credential array into an object for the constructor.
        $user = new loggedInUser(json_decode(json_encode([
            "wwuid" => $_GET["wwuid"],
            "token" => $_GET["token"],
        ])));
        if (!$user->verify()) {
            $errors[] = "invalid login";
        }
        // "verify" requests only want the login outcome: the user as JSON, or an empty object.
        if (isset($_GET["verify"])) {
            if (isset($errors)) {
                echo "{}";
            } else {
                echo json_encode($user);
            }
            die;
        }
    }
}
if (isset($_GET["q"])) {
    if (isset($_GET["limits"])) {
        $limits = explode(",", $_GET["limits"]);
    } else {
        $limits = [];
    }
    $s = new Search($_GET["q"], $limits);
    $data["results"] = $s->fetch();
    unset($s);
} else {
    if (isset($_GET['cmd']) && !isset($errors)) {
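        // The file name comes straight from the query string, so only plain path segments
        // (letters, digits, "_" and "-", separated by "/") are accepted. That rules out "..",
        // absolute paths, stream wrappers and NUL bytes before the value reaches include_once.
        // NOTE(review): a fixed list of known commands would be stricter; none is visible here.
        // NOTE(review): !isset($errors) is also true when no wwuid/token was sent at all, so
        // this include is reachable without a verified login; confirm the included files
        // enforce their own checks.
        if (is_string($_GET['cmd']) && preg_match('/\A[A-Za-z0-9_-]+(?:\/[A-Za-z0-9_-]+)*\z/', $_GET['cmd']) === 1) {
            include_once $_GET['cmd'] . ".php";
        } else {
            $errors[] = "invalid command";
        }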
コード例 #9
ファイル: login.php プロジェクト: sangikumar/IP
         $loggedInUser->candidateid = $userdetails["candidateid"];
         $_SESSION["userCakeUser"] = serialize($loggedInUser);
         session_write_close();
         header("Location:account.php");
         exit;
     }
 }
 if (employeeExists($username)) {
     $userdetails = fetchEmployeeDetails($username);
     $entered_pass = generateHash($password, $userdetails["password"]);
     if (!isset($userdetails["empid"])) {
         $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
     } elseif ($entered_pass != $userdetails["password"]) {
         $errors[] = lang("ACCOUNT_USER_OR_PASS_INVALID");
     } else {
         $loggedInUser = new loggedInUser();
         $loggedInUser->email = $userdetails["email"];
         $loggedInUser->user_id = $userdetails["id"];
         $loggedInUser->displayname = $userdetails["display_name"];
         $loggedInUser->username = $userdetails["user_name"];
         $loggedInUser->candidate = "N";
         $loggedInUser->employee = "Y";
         $loggedInUser->candidateid = 0;
         $loggedInUser->employeeid = $userdetails["empid"];
         $loggedInUser->managerid = $userdetails["mgrid"];
         $loggedInUser->hash_pw = $userdetails["password"];
         $loggedInUser->permissionid = $userdetails["permissionid"];
         $loggedInUser->permissionname = $userdetails["permissionname"];
         $loggedInUser->updateLastSignIn();
         $_SESSION["userCakeUser"] = serialize($loggedInUser);
         session_write_close();
コード例 #10
ファイル: functions.php プロジェクト: KorayAgaya/malware-repo
/**
 * Copy the list filters present in the query string onto $filters, run the
 * file query, and return the md5 value of each result row.
 *
 * NOTE(review): the values are copied from $_GET without validation, and
 * GetFilesFromDatabase() is not visible here; confirm it binds them as query
 * parameters rather than concatenating them.
 * NOTE(review): $_GET["user"] is a name filter while $_REQUEST["user"] is
 * passed on as the requesting user. $_REQUEST normally includes $_GET, so
 * confirm every caller overwrites $_REQUEST["user"] with the authenticated
 * user before this runs.
 *
 * @param object $filters Filter object whose properties are set in place.
 * @return array List of md5 values, in result order.
 */
function IterateFiles($filters)
{
    // Query-string parameter => property on $filters, in the original order.
    // "user" maps to null because it is resolved through a lookup first.
    $param_to_property = array(
        "date" => "timestamp",
        "hash" => "md5",
        "vendor" => "vendor",
        "name" => "filename",
        "page" => "page",
        "size" => "size",
        "virustotal" => "virustotal",
        "cuckoo" => "cuckoo",
        "user" => null,
        "comment" => "comment",
        "favorite" => "favorite",
        "tags" => "tags",
    );
    foreach ($param_to_property as $param => $property) {
        if (!isset($_GET[$param])) {
            continue;
        }
        if ($property === null) {
            $filters->user = loggedInUser::getusersbyname($_GET[$param]);
        } else {
            $filters->{$property} = $_GET[$param];
        }
    }

    $current_user = isset($_REQUEST["user"]) ? $_REQUEST["user"] : null;
    $results = GetFilesFromDatabase($filters, $current_user);

    // Rows are read by numeric index, as the query result is expected to be a list.
    $files = array();
    $total = count($results);
    for ($index = 0; $index < $total; $index++) {
        $files[] = $results[$index]['md5'];
    }
    return $files;
}