예제 #1
// Bootstrap includes. Per the comment further down, validate.php is where
// $login gets set when HTTP authentication is in use.
include 'includes/validate.php';
// NOTE(review): this include path is built from $user_inc, which is assigned
// outside this excerpt. Confirm it only ever comes from a fixed, server-side
// list of module names and can never carry request data; a variable include
// path is a file-inclusion risk otherwise.
include 'includes/' . $user_inc;
//eom
include 'includes/site_extras.php';
include_once 'includes/xcal.php';
$WebCalendar->initializeSecondPhase();
// Application name; it is reused below as the HTTP Basic realm string.
$appStr = generate_application_name();
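// HTTP Basic authentication gate.
// If WebCalendar is using http auth, then $login will be set in validate.php.
//
// Fallback: when PHP did not populate PHP_AUTH_USER but REMOTE_USER is present
// in the environment, rebuild the user/password pair from it.
if (empty($_SERVER['PHP_AUTH_USER']) && !empty($_ENV['REMOTE_USER'])) {
    // The first 6 bytes are skipped, presumably a "Basic " scheme prefix;
    // NOTE(review): the prefix itself is never verified here.
    $decodedCredentials = (string) base64_decode((string) substr($_ENV['REMOTE_USER'], 6));
    // Split on the FIRST colon only. A Basic-auth password may itself contain
    // ':'; an unlimited explode() would silently cut it short. array_pad()
    // covers a value with no colon at all (empty password, no undefined offset).
    list($basicUser, $basicPassword) = array_pad(explode(':', $decodedCredentials, 2), 2, '');
    $_SERVER['PHP_AUTH_USER'] = trim($basicUser);
    $_SERVER['PHP_AUTH_PW'] = trim($basicPassword);
}
// The raw credential blob is dropped from the environment once it is parsed.
unset($_ENV['REMOTE_USER']);
if (empty($login) || $login == '__public__') {
    // Read both values through isset() so an absent header is a plain null
    // instead of an undefined-index notice.
    $authUser = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
    $authPassword = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
    if ($authUser !== null && user_valid_login($authUser, $authPassword, true)) {
        $login = $authUser;
    }
    // Anything other than a login that matches the validated Basic user is
    // rejected: wipe the credentials, challenge the client and stop.
    if (empty($login) || $login !== $authUser) {
        $_SERVER['PHP_AUTH_PW'] = $_SERVER['PHP_AUTH_USER'] = '';
        unset($_SERVER['PHP_AUTH_USER']);
        unset($_SERVER['PHP_AUTH_PW']);
        // Escape '"' and '\' so the realm stays a well-formed quoted-string
        // even if the application name contains them.
        header('WWW-Authenticate: Basic realm="' . addcslashes($appStr, '"\\') . '"');
        header('HTTP/1.0 401 Unauthorized');
        exit;
    }
}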
// Settings and per-user preferences are loaded only after the HTTP-auth gate
// above has either let the request through or ended it with a 401.
load_global_settings();
load_user_preferences();
$WebCalendar->setLanguage();
// Load user name, etc.
예제 #2
파일: login.php 프로젝트: noikiy/owaspbwa
    $PHP_SELF = $_SERVER["PHP_SELF"];
}
// Cookie path = request path with the script name removed.
// NOTE(review): $PHP_SELF is taken from $_SERVER["PHP_SELF"] just above, and
// that value can include client-supplied path info; confirm nothing unescaped
// is built from $cookie_path.
$cookie_path = str_replace('login.php', '', $PHP_SELF);
//echo "Cookie path: $cookie_path\n";
// Start of the XML response document.
$out = '<login>' . "\n";
if ($single_user == "Y") {
    // No login for single-user mode
    $out .= "<error>No login required for single-user mode</error>\n";
} else {
    if ($use_http_auth) {
        // There is no login page when using HTTP authorization
        $out .= "<error>No login required for HTTP authentication</error>\n";
    } else {
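        // Interactive login: runs only when both a login name and a password
        // were supplied. On success the session cookie name/value are written
        // into the XML response in $out; on failure an <error> element is.
        if (!empty($login) && !empty($password)) {
            $login = trim($login);
            if (user_valid_login($login, $password)) {
                user_load_variables($login, "");
                // Two-character salt for the traditional DES form of crypt().
                // It is drawn from the alphabet "./0-9A-Za-z" that DES salts
                // allow: the previous chr(rand(ord('A'), ord('z'))) range also
                // produced [ \ ] ^ _ `, and crypt() fails on an invalid salt
                // in current PHP releases. The explicit srand(microtime) call
                // is gone as well; re-seeding from the clock only narrows the
                // possible sequences.
                // NOTE(review): rand() is not a cryptographic generator. Where
                // the deployed PHP version provides random_int(), use it here.
                $saltAlphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
                $salt = substr($saltAlphabet, rand(0, 63), 1) . substr($saltAlphabet, rand(0, 63), 1);
                // NOTE(review): the cookie value carries a hash derived from the
                // user's password. DES crypt() only uses the first 8 characters
                // of the password, and if encode_string() is reversible anyone
                // who obtains the cookie gets a hash they can attack offline.
                // A random, server-side session identifier would avoid putting
                // password-derived material in the client's hands.
                $encoded_login = encode_string($login . "|" . crypt($password, $salt));
                // No cookie is sent from this block (the call below is disabled);
                // the name and value are handed back to the caller inside the XML.
                //SetCookie ( "webcalendar_session", $encoded_login, 0, $cookie_path );
                $out .= "  <cookieName>webcalendar_session</cookieName>\n";
                // assumes encode_string() output contains no XML metacharacters — TODO confirm
                $out .= "  <cookieValue>{$encoded_login}</cookieValue>\n";
                if ($is_admin) {
                    $out .= "  <admin>1</admin>\n";
                }
            } else {
                // Same message for an unknown user and a wrong password, so
                // the response does not reveal which one was wrong.
                $out .= "  <error>Invalid login</error>\n";
            }
        }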
예제 #3
<table id="securityAudit" border="0" cellpadding="4">
<tr><th><?php 
// Header row of the audit table: one column each for the issue, its status and
// the explanatory details. Headings go through etranslate(), which presumably
// echoes the translated string — confirm against its definition.
etranslate('Security Issue');
?>
</th>
  <th><?php 
etranslate('Status');
?>
</th>
  <th><?php 
etranslate('Details');
?>
</th></tr>
<?php 
// Audit item: the stock admin/admin credentials must no longer be accepted.
// The check passes ($isOk is true) when that login attempt is rejected.
// NOTE(review): this calls the real login routine with the default pair on
// every audit run; confirm that does not trip lockout or alerting logic.
$isOk = !user_valid_login('admin', 'admin');
$help = translate('You should change the password of the default admin user.');
print_issue(
    translate('Default admin user password'),
    $isOk,
    $help
);
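// Audit item: the application's top-level directory should not be writable.
// Is the main directory still writable?
// just see if we get an error trying to append to it.
$wcDir = '.';
$wcName = 'WebCalendar toplevel directory';
// Derive the install directory from this file's own path. The dot in the file
// name is escaped so it only matches a literal '.'; the single '.' before the
// name consumes the directory separator.
if (preg_match('/(.*).security_audit\.php/', __FILE__, $matches)) {
    // Use the platform's separator. A hard-coded backslash produces a path that
    // does not name the directory on non-Windows hosts, so the writability
    // check below would be testing the wrong thing and the audit result could
    // not be trusted.
    $wcDir = $matches[1] . DIRECTORY_SEPARATOR;
    $wcName = basename($wcDir);
}
// The item passes when the directory is NOT writable.
$isOk = !is__writable($wcDir);
// The path is HTML-escaped before it is placed in the help text.
$help = translate('The following item should not be writable') . ':<br/><tt>' . htmlentities($wcDir) . '</tt>';
// NOTE(review): $wcName is passed on unescaped; confirm print_issue() escapes
// its label, since a directory name is not guaranteed to be HTML-safe.
print_issue(translate('File permissions') . ': ' . $wcName, $isOk, $help);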
// Is the includes directory still writable?
// just see if we get an error trying to append to it.