echo $return_values; break; /** * EDIT user */ /** * EDIT user */ case "store_user_changes": // Check KEY if ($_POST['key'] != $_SESSION['key']) { // error exit; } // decrypt and retreive data in JSON format $dataReceived = prepareExchangedData($_POST['data'], "decode"); // Empty user if (mysqli_escape_string($link, htmlspecialchars_decode($dataReceived['login'])) == "") { echo '[ { "error" : "' . addslashes($LANG['error_empty_data']) . '" } ]'; break; } $account_status_action = mysqli_escape_string($link, htmlspecialchars_decode($dataReceived['action_on_user'])); // delete account // delete user in database if ($account_status_action == "delete") { DB::delete(prefix_table("users"), "id = %i", $_POST['id']); // delete personal folder and subfolders $data = DB::queryfirstrow("SELECT id FROM " . prefix_table("nested_tree") . "\n WHERE title = %s AND personal_folder = %i", $_POST['id'], "1"); // Get through each subfolder if (!empty($data['id'])) { $folders = $tree->getDescendants($data['id'], true);
/**
 * Authenticates a login request and, on success, fills $_SESSION with the user's
 * profile, roles and rights.
 *
 * $sentData is the encoded client payload; prepareExchangedData() turns it into
 * $dataReceived, from which this function reads 'login', 'pw', 'psk',
 * 'psk_confirm', 'GACode', 'TimezoneOffset', 'duree_session', 'screenHeight'
 * and 'randomstring'.
 *
 * Flow, as written below: connect to the DB, optionally authenticate against
 * LDAP (ldap_mode 1, non-admin users only), check the personal salt key (PSK)
 * when enabled, create the local account for a new LDAP user, check the
 * Google-Authenticator code when enabled, verify the local password hash
 * (migrating legacy hashes on the way), then either populate the session or
 * bump the bad-attempt counter and possibly lock the account.
 *
 * Output: echoes a one-element JSON array with 'value', 'user_admin',
 * 'initial_url' and 'error'. Several early paths echo a different
 * '[{"value" : "..."}]' and exit() instead (psk_required, bad_psk_confirmation,
 * bad_psk, user_not_exists). Nothing is returned.
 *
 * Globals: $debugLdap / $debugDuo switch on plain-text debug files under
 * path_to_files_folder; $k receives the language code. $server, $user, $pass,
 * $database, $port, $encoding and $LANG are expected from the included
 * settings.php and language file.
 *
 * @param string $sentData encoded login payload (format handled by prepareExchangedData)
 * @return void
 */
function identifyUser($sentData) {
    global $debugLdap, $debugDuo, $k;
    include $_SESSION['settings']['cpassman_dir'] . '/includes/settings.php';
    header("Content-type: text/html; charset=utf-8");
    // Only fatal errors are reported from here on; notices for undefined
    // variables/indexes further down (e.g. $ldap_suffix, $psk) are silenced by this.
    error_reporting(E_ERROR);
    require_once $_SESSION['settings']['cpassman_dir'] . '/sources/main.functions.php';
    require_once $_SESSION['settings']['cpassman_dir'] . '/sources/SplClassLoader.php';
    if ($debugDuo == 1) {
        // NOTE(review): this debug file receives the raw payload, the user name and,
        // later, the freshly generated session key in clear text. Keep $debugDuo off
        // outside of troubleshooting and remove the file afterwards.
        $dbgDuo = fopen($_SESSION['settings']['path_to_files_folder'] . "/duo.debug.txt", "a");
    }
    /* if (empty($sentData) && isset($_COOKIE['TeamPassC'])) { $sentData = prepareExchangedData($_COOKIE['TeamPassC'], "encode"); setcookie('TeamPassC', "", time()-3600); } */
    if ($debugDuo == 1) {
        fputs($dbgDuo, "Content of data sent '" . $sentData . "'\n");
    }
    // Connect to the database server (MeekroDB static config + a raw mysqli link).
    require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Database/Meekrodb/db.class.php';
    DB::$host = $server;
    DB::$user = $user;
    DB::$password = $pass;
    DB::$dbName = $database;
    DB::$port = $port;
    DB::$encoding = $encoding;
    DB::$error_handler = 'db_error_handler';
    $link = mysqli_connect($server, $user, $pass, $database, $port);
    $link->set_charset($encoding);
    // Load AES
    $aes = new SplClassLoader('Encryption\\Crypt', '../includes/libraries');
    $aes->register();
    // Load the PasswordLib library (used for hashing/verifying pw and psk below)
    $pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
    $pwdlib->register();
    $pwdlib = new PasswordLib\PasswordLib();
    // User's language loading
    $k['langage'] = @$_SESSION['user_language'];
    // NOTE(review): the language file name is built from a session value; it is
    // presumably validated where user_language is set — confirm, since an
    // arbitrary value here would select an arbitrary .php file to include.
    require_once $_SESSION['settings']['cpassman_dir'] . '/includes/language/' . $_SESSION['user_language'] . '.php';
    // Decrypt and retrieve the data in JSON format
    $dataReceived = prepareExchangedData($sentData, "decode");
    // Prepare variables
    $passwordClear = htmlspecialchars_decode($dataReceived['pw']);
    // Legacy-scheme digest of the same password, used below to migrate old accounts
    $passwordOldEncryption = encryptOld(htmlspecialchars_decode($dataReceived['pw']));
    $username = htmlspecialchars_decode($dataReceived['login']);
    $logError = "";
    if ($debugDuo == 1) {
        fputs($dbgDuo, "Starting authentication of '" . $username . "'\n");
    }
    // Flag an over-long SALT for the UI; authentication continues regardless
    if (strlen(SALT) > 32) {
        $_SESSION['error']['salt'] = true;
    }
    $_SESSION['user_language'] = $k['langage'];
    $ldapConnection = false;
    /* LDAP connection */
    if ($debugLdap == 1) {
        // Create the LDAP debug file (truncated on every call).
        // NOTE(review): the dump below writes ldap_bind_passwd in clear text to a file
        // under path_to_files_folder; keep $debugLdap off outside of troubleshooting
        // and delete the file afterwards.
        $dbgLdap = fopen($_SESSION['settings']['path_to_files_folder'] . "/ldap.debug.txt", "w");
        fputs($dbgLdap, "Get all LDAP params : \n" . 'mode : ' . $_SESSION['settings']['ldap_mode'] . "\n" . 'type : ' . $_SESSION['settings']['ldap_type'] . "\n" . 'base_dn : ' . $_SESSION['settings']['ldap_domain_dn'] . "\n" . 'search_base : ' . $_SESSION['settings']['ldap_search_base'] . "\n" . 'bind_dn : ' . $_SESSION['settings']['ldap_bind_dn'] . "\n" . 'bind_passwd : ' . $_SESSION['settings']['ldap_bind_passwd'] . "\n" . 'user_attribute : ' . $_SESSION['settings']['ldap_user_attribute'] . "\n" . 'account_suffix : ' . $_SESSION['settings']['ldap_suffix'] . "\n" . 'domain_controllers : ' . $_SESSION['settings']['ldap_domain_controler'] . "\n" . 'use_ssl : ' . $_SESSION['settings']['ldap_ssl'] . "\n" . 'use_tls : ' . $_SESSION['settings']['ldap_tls'] . "\n*********\n\n");
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "LDAP status: " . $_SESSION['settings']['ldap_mode'] . "\n");
    }
    // LDAP is only consulted in mode 1 and never for the built-in "admin" account
    if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1 && $username != "admin") {
        // Multiple domain names: "DOMAIN\user" is split into a suffix and a bare user name
        // (strpos() == true is a loose comparison: a backslash at offset 0 is treated as "not found")
        if (strpos(html_entity_decode($username), '\\') == true) {
            $ldap_suffix = "@" . substr(html_entity_decode($username), 0, strpos(html_entity_decode($username), '\\'));
            $username = substr(html_entity_decode($username), strpos(html_entity_decode($username), '\\') + 1);
        }
        if ($_SESSION['settings']['ldap_type'] == 'posix-search') {
            // posix-search: bind with the service account, look the user up, then re-bind as the user
            $ldapconn = ldap_connect($_SESSION['settings']['ldap_domain_controler']);
            if ($debugLdap == 1) {
                fputs($dbgLdap, "LDAP connection : " . ($ldapconn ? "Connected" : "Failed") . "\n");
            }
            ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
            if ($ldapconn) {
                $ldapbind = ldap_bind($ldapconn, $_SESSION['settings']['ldap_bind_dn'], $_SESSION['settings']['ldap_bind_passwd']);
                if ($debugLdap == 1) {
                    fputs($dbgLdap, "LDAP bind : " . ($ldapbind ? "Bound" : "Failed") . "\n");
                }
                if ($ldapbind) {
                    // NOTE(review): $username is interpolated into the search filter without
                    // escaping; ldap_escape($username, '', LDAP_ESCAPE_FILTER) would keep a
                    // login containing filter metacharacters from changing the query.
                    $filter = "(&(" . $_SESSION['settings']['ldap_user_attribute'] . "={$username})(objectClass=posixAccount))";
                    $result = ldap_search($ldapconn, $_SESSION['settings']['ldap_search_base'], $filter, array('dn'));
                    if ($debugLdap == 1) {
                        fputs($dbgLdap, 'Search filter : ' . $filter . "\n" . 'Results : ' . print_r(ldap_get_entries($ldapconn, $result), true) . "\n");
                    }
                    if (ldap_count_entries($ldapconn, $result)) {
                        // Try to authenticate as the first matching entry.
                        // NOTE(review): nothing here rejects an empty $passwordClear before the
                        // bind; directories that allow unauthenticated binds would accept it —
                        // confirm the empty-password check happens upstream.
                        $result = ldap_get_entries($ldapconn, $result);
                        $user_dn = $result[0]['dn'];
                        $ldapbind = ldap_bind($ldapconn, $user_dn, $passwordClear);
                        if ($ldapbind) {
                            $ldapConnection = true;
                        } else {
                            $ldapConnection = false;
                        }
                    }
                } else {
                    $ldapConnection = false;
                }
            } else {
                $ldapConnection = false;
            }
        } else {
            // 'posix' and 'windows' types go through the adLDAP library
            if ($debugLdap == 1) {
                fputs($dbgLdap, "Get all ldap params : \n" . 'base_dn : ' . $_SESSION['settings']['ldap_domain_dn'] . "\n" . 'account_suffix : ' . $_SESSION['settings']['ldap_suffix'] . "\n" . 'domain_controllers : ' . $_SESSION['settings']['ldap_domain_controler'] . "\n" . 'use_ssl : ' . $_SESSION['settings']['ldap_ssl'] . "\n" . 'use_tls : ' . $_SESSION['settings']['ldap_tls'] . "\n*********\n\n");
            }
            $adldap = new SplClassLoader('LDAP\\adLDAP', '../includes/libraries');
            $adldap->register();
            // Posix style LDAP handles user searches a bit differently.
            // $ldap_suffix is only defined above when the login contained a backslash;
            // otherwise it is unset here (the notice is hidden by error_reporting(E_ERROR)).
            if ($_SESSION['settings']['ldap_type'] == 'posix') {
                $ldap_suffix = ',' . $_SESSION['settings']['ldap_suffix'] . ',' . $_SESSION['settings']['ldap_domain_dn'];
            } elseif ($_SESSION['settings']['ldap_type'] == 'windows' and $ldap_suffix == '') {
                // Multiple Domain Names
                $ldap_suffix = $_SESSION['settings']['ldap_suffix'];
            }
            $adldap = new LDAP\adLDAP\adLDAP(array('base_dn' => $_SESSION['settings']['ldap_domain_dn'], 'account_suffix' => $ldap_suffix, 'domain_controllers' => explode(",", $_SESSION['settings']['ldap_domain_controler']), 'use_ssl' => $_SESSION['settings']['ldap_ssl'], 'use_tls' => $_SESSION['settings']['ldap_tls']));
            if ($debugLdap == 1) {
                fputs($dbgLdap, "Create new adldap object : " . $adldap->get_last_error() . "\n\n\n"); // Debug
            }
            // openLDAP expects an attribute=value pair
            if ($_SESSION['settings']['ldap_type'] == 'posix') {
                $auth_username = $_SESSION['settings']['ldap_user_attribute'] . '=' . $username;
            } else {
                $auth_username = $username;
            }
            // Authenticate the user against the directory
            if ($adldap->authenticate($auth_username, html_entity_decode($passwordClear))) {
                $ldapConnection = true;
                // Keep the local hash in sync with the directory password
                $data['pw'] = $pwdlib->createPasswordHash($passwordClear);
                DB::update(prefix_table('users'), array('pw' => $data['pw']), "login=%s", $username);
            } else {
                $ldapConnection = false;
            }
            if ($debugLdap == 1) {
                fputs($dbgLdap, "After authenticate : " . $adldap->get_last_error() . "\n\n\n" . "ldap status : " . $ldapConnection . "\n\n\n"); // Debug
            }
        }
    } else {
        // ldap_mode 2 performs no directory check here, so $ldapConnection stays false
        // (the success condition further down still requires it to be true for non-admins)
        if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 2) {
            // nothing
        }
    }
    // Check if the user exists
    $data = DB::queryFirstRow("SELECT * FROM " . prefix_table("users") . " WHERE login=%s_login", array('login' => $username));
    $counter = DB::count();
    if ($debugDuo == 1) {
        fputs($dbgDuo, "USer exists: " . $counter . "\n");
    }
    // Check the personal salt key (PSK) for non-admin users, before the password is verified
    if (isset($_SESSION['settings']['psk_authentication']) && $_SESSION['settings']['psk_authentication'] == 1 && $data['admin'] != 1) {
        $psk = htmlspecialchars_decode($dataReceived['psk']);
        $pskConfirm = htmlspecialchars_decode($dataReceived['psk_confirm']);
        if (empty($psk)) {
            echo '[{"value" : "psk_required"}]';
            exit;
        } elseif (empty($data['psk'])) {
            // First PSK for this account: only the presence of a confirmation is checked.
            // NOTE(review): $pskConfirm is never compared with $psk, so a mismatching
            // confirmation is accepted.
            if (empty($pskConfirm)) {
                echo '[{"value" : "bad_psk_confirmation"}]';
                exit;
            } else {
                $_SESSION['my_sk'] = $psk;
            }
        } elseif ($pwdlib->verifyPasswordHash($psk, $data['psk']) === true) {
            // BUG(review): verifyPasswordHash() === true means the supplied PSK matches the
            // stored hash (the password check below treats === true as success), yet this
            // branch rejects it. The intended test is presumably === false; as written a
            // correct PSK is refused, a wrong one proceeds, and the matching case never sets
            // $_SESSION['my_sk'].
            echo '[{"value" : "bad_psk"}]';
            exit;
        }
    }
    $proceedIdentification = false;
    if ($counter > 0) {
        $proceedIdentification = true;
    } elseif ($counter == 0 && $ldapConnection == true && isset($_SESSION['settings']['ldap_elusers']) && $_SESSION['settings']['ldap_elusers'] == 0) {
        // If LDAP is enabled, create the user in CPM when it does not exist yet
        $data['pw'] = $pwdlib->createPasswordHash($passwordClear); // create passwordhash
        DB::insert(prefix_table('users'), array('login' => $username, 'pw' => $data['pw'], 'email' => "", 'admin' => '0', 'gestionnaire' => '0', 'personal_folder' => $_SESSION['settings']['enable_pf_feature'] == "1" ? '1' : '0', 'fonction_id' => '0', 'groupes_interdits' => '0', 'groupes_visibles' => '0', 'last_pw_change' => time(), 'user_language' => $_SESSION['settings']['default_language']));
        $newUserId = DB::insertId();
        // Create the personal folder
        if ($_SESSION['settings']['enable_pf_feature'] == "1") {
            DB::insert(prefix_table("nested_tree"), array('parent_id' => '0', 'title' => $newUserId, 'bloquer_creation' => '0', 'bloquer_modification' => '0', 'personal_folder' => '1'));
        }
        // Get info for user
        //$sql = "SELECT * FROM ".prefix_table("users")." WHERE login = '******'";
        //$row = $db->query($sql);
        $proceedIdentification = true;
    }
    // Re-read the user row (it has just been created in the new-LDAP-user case)
    $data = DB::queryFirstRow("SELECT * FROM " . prefix_table("users") . " WHERE login=%s_login", array('login' => $username));
    $counter = DB::count();
    if ($counter == 0) {
        // NOTE(review): this reply tells an unauthenticated caller whether a login exists;
        // a generic failure response would not.
        echo '[{"value" : "user_not_exists", "text":""}]';
        exit;
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "USer exists (confirm): " . $counter . "\n");
    }
    // Check the Google Authenticator code (not for "admin").
    // NOTE(review): a wrong or missing code is answered before the password is checked and
    // does not touch no_bad_attempts, so code guesses are not covered by the lockout below.
    if (isset($_SESSION['settings']['2factors_authentication']) && $_SESSION['settings']['2factors_authentication'] == 1 && $username != "admin") {
        if (isset($dataReceived['GACode']) && !empty($dataReceived['GACode'])) {
            include_once $_SESSION['settings']['cpassman_dir'] . "/includes/libraries/Authentication/GoogleAuthenticator/FixedBitNotation.php";
            include_once $_SESSION['settings']['cpassman_dir'] . "/includes/libraries/Authentication/GoogleAuthenticator/GoogleAuthenticator.php";
            $g = new Authentication\GoogleAuthenticator\GoogleAuthenticator();
            if ($g->checkCode($data['ga'], $dataReceived['GACode'])) {
                $proceedIdentification = true;
            } else {
                $proceedIdentification = false;
                $logError = "ga_code_wrong";
            }
        } else {
            $proceedIdentification = false;
            $logError = "ga_code_wrong";
        }
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "Proceed with Ident: " . $proceedIdentification . "\n");
    }
    if ($proceedIdentification === true) {
        // User exists in the DB
        //$data = $db->fetchArray($row);
        // v2.1.17 -> migrate the legacy password scheme to bcrypt.
        // NOTE(review): both migration checks use a loose, non-constant-time "==" on hash
        // strings; hash_equals() would avoid type juggling and timing differences.
        if ($passwordOldEncryption == $data['pw'] && !empty($data['pw'])) {
            // update user's password
            $data['pw'] = bCrypt($passwordClear, COST);
            DB::update(prefix_table('users'), array('pw' => $data['pw']), "id=%i", $data['id']);
        }
        // Migrate crypt()-style hashes to the PasswordLib format
        if (crypt($passwordClear, $data['pw']) == $data['pw'] && !empty($data['pw'])) {
            // update user's password
            $data['pw'] = $pwdlib->createPasswordHash($passwordClear);
            DB::update(prefix_table('users'), array('pw' => $data['pw']), "id=%i", $data['id']);
        }
        // Check the given password against the (possibly just migrated) hash
        if ($pwdlib->verifyPasswordHash($passwordClear, $data['pw']) === true) {
            $userPasswordVerified = true;
        } else {
            $userPasswordVerified = false;
        }
        if ($debugDuo == 1) {
            fputs($dbgDuo, "User's password verified: " . $userPasswordVerified . "\n");
        }
        // Can connect if
        // 1- no LDAP mode + user enabled + pw ok
        // 2- LDAP mode + user enabled + ldap connection ok + user is not admin
        // 3- LDAP mode + user enabled + pw ok + user is admin
        // This in order to allow admin by default to connect even if LDAP is activated
        // (&& binds tighter than ||, so each line below is one alternative)
        if (isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 0 && $userPasswordVerified == true && $data['disabled'] == 0
            || isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1 && $ldapConnection == true && $data['disabled'] == 0 && $username != "admin"
            || isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 2 && $ldapConnection == true && $data['disabled'] == 0 && $username != "admin"
            || isset($_SESSION['settings']['ldap_mode']) && $_SESSION['settings']['ldap_mode'] == 1 && $username == "admin" && $userPasswordVerified == true && $data['disabled'] == 0) {
            $_SESSION['autoriser'] = true;
            // Generate a random per-session key (also stored as key_tempo and checked by the AJAX endpoints)
            $key = $pwdlib->getRandomToken(50);
            if ($debugDuo == 1) {
                fputs($dbgDuo, "User's token: " . $key . "\n");
            }
            // Log the user's connection into the DB
            if (isset($_SESSION['settings']['log_connections']) && $_SESSION['settings']['log_connections'] == 1) {
                logEvents('user_connection', 'connection', $data['id']);
            }
            // Save the account in SESSION.
            // NOTE(review): no session_regenerate_id() is visible in this function; if the
            // PHP session id is not rotated elsewhere at login, a pre-login id survives
            // authentication (session fixation).
            $_SESSION['login'] = stripslashes($username);
            $_SESSION['name'] = stripslashes($data['name']);
            $_SESSION['lastname'] = stripslashes($data['lastname']);
            $_SESSION['user_id'] = $data['id'];
            $_SESSION['user_admin'] = $data['admin'];
            $_SESSION['user_manager'] = $data['gestionnaire'];
            $_SESSION['user_read_only'] = $data['read_only'];
            $_SESSION['last_pw_change'] = $data['last_pw_change'];
            $_SESSION['last_pw'] = $data['last_pw'];
            $_SESSION['can_create_root_folder'] = $data['can_create_root_folder'];
            $_SESSION['key'] = $key;
            $_SESSION['personal_folder'] = $data['personal_folder'];
            $_SESSION['user_language'] = $data['user_language'];
            $_SESSION['user_email'] = $data['email'];
            $_SESSION['user_ga'] = $data['ga'];
            $_SESSION['user_avatar'] = $data['avatar'];
            $_SESSION['user_avatar_thumb'] = $data['avatar_thumb'];
            $_SESSION['user_upgrade_needed'] = $data['upgrade_needed'];
            // Manage session expiration.
            // NOTE(review): both the offset and the duration come from the client payload, so
            // the caller chooses its own session lifetime; a server-side maximum would bound it.
            $serverTime = time();
            if ($dataReceived['TimezoneOffset'] > 0) {
                $userTime = $serverTime + $dataReceived['TimezoneOffset'];
            } else {
                $userTime = $serverTime;
            }
            $_SESSION['fin_session'] = $userTime + $dataReceived['duree_session'] * 60;
            /* If this option is set user password MD5 is used as personal SALTKey */
            if (isset($_SESSION['settings']['use_md5_password_as_salt']) && $_SESSION['settings']['use_md5_password_as_salt'] == 1) {
                $_SESSION['my_sk'] = md5($passwordClear);
                // NOTE(review): the cookie is set without the secure/httponly flags; it carries
                // the (encrypted) personal salt key, so both flags would be appropriate.
                setcookie("TeamPass_PFSK_" . md5($_SESSION['user_id']), encrypt($_SESSION['my_sk'], ""), time() + 60 * 60 * 24 * $_SESSION['settings']['personal_saltkey_cookie_duration'], '/');
            }
            // NOTE(review): HTTP_USER_AGENT is attacker-controlled and written verbatim; a
            // value with line breaks can forge extra syslog lines.
            @syslog(LOG_WARNING, "User logged in - " . $_SESSION['user_id'] . " - " . date("Y/m/d H:i:s") . " {$_SERVER['REMOTE_ADDR']} ({$_SERVER['HTTP_USER_AGENT']})");
            if (empty($data['last_connexion'])) {
                $_SESSION['derniere_connexion'] = time();
            } else {
                $_SESSION['derniere_connexion'] = $data['last_connexion'];
            }
            if (!empty($data['latest_items'])) {
                $_SESSION['latest_items'] = explode(';', $data['latest_items']);
            } else {
                $_SESSION['latest_items'] = array();
            }
            if (!empty($data['favourites'])) {
                $_SESSION['favourites'] = explode(';', $data['favourites']);
            } else {
                $_SESSION['favourites'] = array();
            }
            // NOTE(review): the two blocks below call implode() on a column value that the
            // other branches treat as a ';'-separated string; on a scalar, implode() fails
            // (the warning is hidden by "@"), so these session entries presumably end up
            // empty rather than holding the group list — explode() looks intended.
            if (!empty($data['groupes_visibles'])) {
                $_SESSION['groupes_visibles'] = @implode(';', $data['groupes_visibles']);
            } else {
                $_SESSION['groupes_visibles'] = array();
            }
            if (!empty($data['groupes_interdits'])) {
                $_SESSION['groupes_interdits'] = @implode(';', $data['groupes_interdits']);
            } else {
                $_SESSION['groupes_interdits'] = array();
            }
            // User's roles
            $_SESSION['fonction_id'] = $data['fonction_id'];
            $_SESSION['user_roles'] = explode(";", $data['fonction_id']);
            // Build the array of roles and pick the highest password complexity among them
            $_SESSION['user_pw_complexity'] = 0;
            $_SESSION['arr_roles'] = array();
            foreach (array_filter(explode(';', $_SESSION['fonction_id'])) as $role) {
                $resRoles = DB::queryFirstRow("SELECT title, complexity FROM " . prefix_table("roles_title") . " WHERE id=%i", $role);
                $_SESSION['arr_roles'][$role] = array('id' => $role, 'title' => $resRoles['title']);
                // get highest complexity
                if ($_SESSION['user_pw_complexity'] < $resRoles['complexity']) {
                    $_SESSION['user_pw_complexity'] = $resRoles['complexity'];
                }
            }
            // Build the complete array of roles
            $_SESSION['arr_roles_full'] = array();
            $rows = DB::query("SELECT id, title FROM " . prefix_table("roles_title") . " ORDER BY title ASC");
            foreach ($rows as $record) {
                $_SESSION['arr_roles_full'][$record['id']] = array('id' => $record['id'], 'title' => $record['title']);
            }
            // Set some settings
            $_SESSION['user']['find_cookie'] = false;
            $_SESSION['settings']['update_needed'] = "";
            // Update the user row: new session key, reset the lockout counters, store the PSK hash.
            // NOTE(review): $psk is only assigned inside the PSK block above; when PSK
            // authentication is off or the user is an admin it is undefined here, so the
            // hash of an empty string is written to 'psk' — confirm that is intended.
            DB::update(prefix_table('users'), array('key_tempo' => $_SESSION['key'], 'last_connexion' => time(), 'timestamp' => time(), 'disabled' => 0, 'no_bad_attempts' => 0, 'session_end' => $_SESSION['fin_session'], 'psk' => $pwdlib->createPasswordHash(htmlspecialchars_decode($psk))), "id=%i", $data['id']);
            if ($debugDuo == 1) {
                fputs($dbgDuo, "Preparing to identify the user rights\n");
            }
            // Get the user's rights
            identifyUserRights($data['groupes_visibles'], $_SESSION['groupes_interdits'], $data['admin'], $data['fonction_id'], false);
            // Get some more elements
            $_SESSION['screenHeight'] = $dataReceived['screenHeight'];
            // Get last seen items (note: $data is overwritten with item rows from here on)
            $_SESSION['latest_items_tab'][] = "";
            foreach ($_SESSION['latest_items'] as $item) {
                if (!empty($item)) {
                    $data = DB::queryFirstRow("SELECT id,label,id_tree FROM " . prefix_table("items") . " WHERE id=%i", $item);
                    $_SESSION['latest_items_tab'][$item] = array('id' => $item, 'label' => $data['label'], 'url' => 'index.php?page=items&group=' . $data['id_tree'] . '&id=' . $item);
                }
            }
            // Send back the random string supplied by the client
            $return = $dataReceived['randomstring'];
            // Send email
            if (isset($_SESSION['settings']['enable_send_email_on_user_login']) && $_SESSION['settings']['enable_send_email_on_user_login'] == 1 && $_SESSION['user_admin'] != 1) {
                // Get all admin users.
                // BUG(review): the else branch assigns "," . email instead of appending, so
                // only the last admin address survives; `$receivers .= "," . $record['email'];`
                // looks intended.
                $receivers = "";
                $rows = DB::query("SELECT email FROM " . prefix_table("users") . " WHERE admin = %i", 1);
                foreach ($rows as $record) {
                    if (empty($receivers)) {
                        $receivers = $record['email'];
                    } else {
                        $receivers = "," . $record['email'];
                    }
                }
                // Add email to table
                DB::insert(prefix_table("emails"), array('timestamp' => time(), 'subject' => $LANG['email_subject_on_user_login'], 'body' => str_replace(array('#tp_user#', '#tp_date#', '#tp_time#'), array(" " . $_SESSION['login'], date($_SESSION['settings']['date_format'], $_SESSION['derniere_connexion']), date($_SESSION['settings']['time_format'], $_SESSION['derniere_connexion'])), $LANG['email_body_on_user_login']), 'receivers' => $receivers, 'status' => "not sent"));
            }
        } elseif ($data['disabled'] == 1) {
            // Account is locked (reached whether or not the password was correct)
            $return = "user_is_locked";
        } else {
            // User exists in the DB but the password is wrong: count the attempt and lock if over the limit
            $userIsLocked = 0;
            $nbAttempts = intval($data['no_bad_attempts'] + 1);
            if ($_SESSION['settings']['nb_bad_authentication'] > 0 && intval($_SESSION['settings']['nb_bad_authentication']) < $nbAttempts) {
                $userIsLocked = 1;
                // log it
                if (isset($_SESSION['settings']['log_connections']) && $_SESSION['settings']['log_connections'] == 1) {
                    logEvents('user_locked', 'connection', $data['id']);
                }
            }
            DB::update(prefix_table('users'), array('key_tempo' => $_SESSION['key'], 'last_connexion' => time(), 'disabled' => $userIsLocked, 'no_bad_attempts' => $nbAttempts), "id=%i", $data['id']);
            // What should we return
            if ($userIsLocked == 1) {
                $return = "user_is_locked";
            } elseif ($_SESSION['settings']['nb_bad_authentication'] == 0) {
                $return = "false";
            } else {
                // The attempt count is sent back to the client
                $return = $nbAttempts;
            }
        }
    } else {
        $return = "false";
    }
    if ($debugDuo == 1) {
        fputs($dbgDuo, "\n\n----\n" . "Identified : " . $return . "\n");
    }
    // NOTE(review): $return (the client's own 'randomstring' on success) and initial_url are
    // concatenated into the JSON without escaping; a double quote in either breaks the reply.
    echo '[{"value" : "' . $return . '", "user_admin":"', isset($_SESSION['user_admin']) ? $_SESSION['user_admin'] : "", '", "initial_url" : "' . @$_SESSION['initial_url'] . '", "error" : "' . $logError . '"}]';
    $_SESSION['initial_url'] = "";
    if ($_SESSION['settings']['cpassman_dir'] == "..") {
        $_SESSION['settings']['cpassman_dir'] = ".";
    }
}
$findPfGroup = ""; $init_personal_folder = true; } } // prepare new line $sOutput .= '<li ondblclick="' . $action_dbl . '" class="item" id="' . $record['id'] . '" style="margin-left:-30px;"><a id="fileclass' . $record['id'] . '" class="file_search" onclick="' . $action . '"><i class="fa fa-key mi-yellow"></i> ' . substr(stripslashes($record['label']), 0, 65); if (!empty($record['description']) && isset($_SESSION['settings']['show_description']) && $_SESSION['settings']['show_description'] == 1) { $tempo = explode("<br />", $record['description']); if (count($tempo) == 1) { $sOutput .= ' <font size="2px">[' . strip_tags(stripslashes(substr(cleanString($record['description']), 0, 30))) . ']</font>'; } else { $sOutput .= ' <font size="2px">[' . strip_tags(stripslashes(substr(cleanString($tempo[0]), 0, 30))) . ']</font>'; } } // set folder $sOutput .= ' <span style="font-size:11px;font-style:italic;"><i class="fa fa-folder-o"></i> ' . strip_tags(stripslashes(substr(cleanString($record['folder']), 0, 30))) . '</span>'; $sOutput .= '<span style="float:right;margin:2px 10px 0px 0px;">'; // Prepare make Favorite small icon $sOutput .= ' <span id="quick_icon_fav_' . $record['id'] . '" title="Manage Favorite" class="cursor tip">'; if (in_array($record['id'], $_SESSION['favourites'])) { $sOutput .= '<i class="fa fa-star mi-yellow fa-lg" onclick="ActionOnQuickIcon(' . $record['id'] . ',0)" class="tip"></i> '; } else { $sOutput .= '<i class="fa fa-star-o fa-lg" onclick="ActionOnQuickIcon(' . $record['id'] . ',1)" class="tip"></i> '; } $sOutput .= "</span>"; $sOutput .= '</li>'; } $returnValues = array("items_html" => $sOutput, "message" => str_replace("%X%", $iFilteredTotal, $LANG['find_message'])); echo prepareExchangedData($returnValues, "encode"); } }
if ($dataReceived['field'] == "restricted_to_input" && $dataReceived['value'] == "0") { DB::update(prefix_table("misc"), array('valeur' => 0), "type = %s AND intitule = %s", $type, 'restricted_to_roles'); } } /* else if ($dataReceived['field'] == "use_md5_password_as_salt" && $dataReceived['value'] == "0") { // in case this option is changed, we need to warn the users to adapt $rows = DB::query( "SELECT id FROM ".prefix_table("users")." WHERE admin != %i", "", "1" ); foreach ($rows as $record) { DB::update( prefix_table("users"), array( 'upgrade_needed' => "1" ), "id = %i" ); } }*/ // store in SESSION $_SESSION['settings'][$dataReceived['field']] = $dataReceived['value']; // save change in config file handleConfigFile("update", $dataReceived['field'], $dataReceived['value']); // Encrypt data to return echo prepareExchangedData(array("error" => "", "misc" => $counter . " ; " . $_SESSION['settings'][$dataReceived['field']]), "encode"); break; }
$pwgen = new SplClassLoader('Encryption\\PwGen', '../includes/libraries'); $pwgen->register(); $pwgen = new Encryption\PwGen\pwgen(); $pwgen->setLength($_POST['size']); if (isset($_POST['secure']) && $_POST['secure'] == "true") { $pwgen->setSecure(true); $pwgen->setSymbols(true); $pwgen->setCapitalize(true); $pwgen->setNumerals(true); } else { $pwgen->setSecure($_POST['secure'] == "true" ? true : false); $pwgen->setNumerals($_POST['numerals'] == "true" ? true : false); $pwgen->setCapitalize($_POST['capitalize'] == "true" ? true : false); $pwgen->setSymbols($_POST['symbols'] == "true" ? true : false); } echo prepareExchangedData(array("key" => $pwgen->generate(), "error" => ""), "encode"); break; /** * Check if user exists and send back if psk is set */ /** * Check if user exists and send back if psk is set */ case "check_login_exists": $data = DB::query("SELECT login, psk FROM " . prefix_table("users") . "\n WHERE login = %i", mysqli_escape_string($link, stripslashes($_POST['userId']))); if (empty($data['login'])) { $userOk = false; } else { $userOk = true; } if (isset($_SESSION['settings']['psk_authentication']) && $_SESSION['settings']['psk_authentication'] == 1 && !empty($data['psk'])) {
//Class loader require_once $_SESSION['settings']['cpassman_dir'] . '/sources/SplClassLoader.php'; // Connect to mysql server require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Database/Meekrodb/db.class.php'; DB::$host = $server; DB::$user = $user; DB::$password = $pass; DB::$dbName = $database; DB::$port = $port; DB::$encoding = $encoding; DB::$error_handler = 'db_error_handler'; $link = mysqli_connect($server, $user, $pass, $database, $port); $link->set_charset($encoding); // Check KEY and rights if (!isset($_POST['key']) || $_POST['key'] != $_SESSION['key']) { echo prepareExchangedData(array("error" => "ERR_KEY_NOT_CORRECT"), "encode"); break; } // Do asked action if (isset($_POST['type'])) { switch ($_POST['type']) { /* * CASE * log if item's password is shown */ case "item_password_shown": if (isset($_SESSION['settings']['log_accessed']) && $_SESSION['settings']['log_accessed'] == 1) { DB::insert(prefix_table("log_items"), array('id_item' => $_POST['id_item'], 'date' => time(), 'id_user' => $_SESSION['user_id'], 'action' => 'at_password_shown')); } break; /*
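/**
 * MeekroDB error callback: reports a failed query to the client and stops the script.
 *
 * MeekroDB hands over an associative array; only its 'error' entry is used here.
 * The message is passed through json_encode() so that a quote or backslash in the
 * driver text cannot break the '[{"error": ...}]' envelope (plain concatenation could).
 *
 * NOTE(review): the raw driver message (which may contain table names or fragments
 * of the failing query) is sent to the browser; logging it server-side and returning
 * a generic text would disclose less.
 *
 * @param array $params error details from MeekroDB; 'error' holds the message
 * @return void never returns normally — ends with die
 */
function meekrodb_error_handler($params) {
    $message = isset($params['error']) ? (string) $params['error'] : '';
    // Same envelope as before: a one-element list holding an object with an "error" key
    $payload = json_encode(array(array('error' => $message)));
    echo prepareExchangedData($payload, "encode");
    die;
}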
// end $html .= ' </tr>'; $x++; } } // check if end $next_start = intval($_POST['from']) + intval($_POST['nb']); DB::query("SELECT * FROM " . prefix_table("users")); if ($next_start > DB::count()) { $end_is_reached = 1; } else { $end_is_reached = 0; } //echo $html; echo prepareExchangedData(array("html" => $html, "error" => "", "from" => $next_start, "end_reached" => $end_is_reached), "encode"); break; /** * UPDATE CAN CREATE ROOT FOLDER RIGHT */ /** * UPDATE CAN CREATE ROOT FOLDER RIGHT */ case "user_edit_login": // Check KEY if ($_POST['key'] != $_SESSION['key']) { // error exit; } DB::update(prefix_table("users"), array('login' => $_POST['login'], 'name' => $_POST['name'], 'lastname' => $_POST['lastname']), "id = %i", $_POST['id']); break;
if ($_POST['key'] != $_SESSION['key']) { echo '[{"error" : "something_wrong"}]'; break; } if (empty($_POST['currentId'])) { echo '[{"error" : "No ID provided"}]'; break; } if (empty($_SESSION['my_sk'])) { echo '[{"error" : "No personnal saltkey provided"}]'; break; } if (isset($_POST['data_to_share'])) { // ON DEMAND //decrypt and retreive data in JSON format $dataReceived = prepareExchangedData(str_replace("'", '"', $_POST['data_to_share']), "decode"); //Prepare variables $personal_sk = htmlspecialchars_decode($dataReceived['sk']); $oldPersonalSaltkey = htmlspecialchars_decode($dataReceived['old_sk']); if (empty($oldPersonalSaltkey)) { $oldPersonalSaltkey = $_SESSION['my_sk']; } if (empty($personal_sk)) { echo '[{"error" : "No personal saltkey provided"}]'; break; } // get data about pw $data = DB::queryfirstrow("SELECT id, pw, pw_iv\n FROM " . prefix_table("items") . "\n WHERE id = %i", $_POST['currentId']); // check if current encryption protocol #3 if (!empty($data['pw_iv']) && !empty($data['pw'])) { // decrypt it
$ret_server = $ssh->exec('echo -e "' . $dataReceived['new_pwd'] . '\\n' . $dataReceived['new_pwd'] . '" | passwd ' . $dataItem['login']); if (strpos($ret_server, "updated successfully") !== false) { $err = false; } else { $err = true; } $ret .= $ret_server . "</div>"; } } if ($err == false) { // store new password DB::update(prefix_table("items"), array('pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv']), "id = %i", $dataReceived['currentId']); // update log logItems($dataReceived['currentId'], $dataItem['label'], $_SESSION['user_id'], 'at_modification', $_SESSION['login'], 'at_pw :' . $oldPw, $oldPwIV); $ret .= "<br />" . $LANG['ssh_action_performed']; } else { $ret .= "<br /><i class='fa fa-warning'></i> " . $LANG['ssh_action_performed_with_error'] . "<br />"; } // finished echo prepareExchangedData(array("error" => "", "text" => str_replace(array("\n"), array("<br />"), $ret)), "encode"); break; case "server_auto_update_password_frequency": if ($_POST['key'] != $_SESSION['key'] || !isset($_POST['id']) || !isset($_POST['freq'])) { echo '[{"error" : "something_wrong"}]'; break; } // store new frequency DB::update(prefix_table("items"), array('auto_update_pwd_frequency' => $_POST['freq'], 'auto_update_pwd_next_date' => time() + 2592000 * intval($_POST['freq'])), "id = %i", $_POST['id']); echo '[{"error" : ""}]'; break; }
$reason[1] = ""; } } // imported via API if ($record['login'] == "") { $record['login'] = $LANG['imported_via_api']; } if (!empty($reason[1]) || $record['action'] == "at_copy" || $record['action'] == "at_creation" || $record['action'] == "at_manual" || $record['action'] == "at_modification" || $record['action'] == "at_delete" || $record['action'] == "at_restored") { $avatar = isset($record['avatar_thumb']) && !empty($record['avatar_thumb']) ? $_SESSION['settings']['cpassman_url'] . '/includes/avatars/' . $record['avatar_thumb'] : $_SESSION['settings']['cpassman_url'] . '/includes/images/photo.jpg'; $history .= '<tr style="">' . '<td rowspan="2" style="width:40px;"><img src="' . $avatar . '" style="border-radius:20px; height:35px;"></td>' . '<td colspan="2" style="font-size:11px;"><i>' . $LANG['by'] . ' ' . $record['login'] . ' ' . $LANG['at'] . ' ' . date($_SESSION['settings']['date_format'] . ' ' . $_SESSION['settings']['time_format'], $record['date']) . '</i></td></tr>' . '<tr style="border-bottom:3px solid #C9C9C9;"><td style="width:100px;"><b>' . $LANG[$record['action']] . '</b></td>' . '<td style="">' . (!empty($record['raison']) ? count($reason) > 1 ? $LANG[trim($reason[0])] . ' : ' . handleBackslash($reason[1]) : ($record['action'] == "at_manual" ? $reason[0] : $LANG[trim($reason[0])]) : '') . '</td>' . '</tr>' . '<tr></tr>'; } } $history .= "</table>"; $data = array('error' => "", 'new_html' => $history); // send data echo prepareExchangedData($data, "encode"); break; } } // Build the QUERY in case of GET if (isset($_GET['type'])) { switch ($_GET['type']) { /* * CASE * Autocomplet for TAGS */ case "autocomplete_tags": // Get a list off all existing TAGS $listOfTags = ""; $rows = DB::query("SELECT tag FROM " . prefix_table("tags") . " WHERE tag LIKE %ss GROUP BY tag", $_GET['term']); foreach ($rows as $record) {