Exemplo n.º 1
0
if (SSO_USE_HTTPS && !BB_IsSSLRequest()) {
    SSO_DisplayError("SSL expected.  Most likely cause:  Bad server configuration.");
}
if (!isset($_REQUEST["sso_id"]) && isset($_COOKIE["sso_server_id"])) {
    $_REQUEST["sso_id"] = $_COOKIE["sso_server_id"];
}
if (!isset($_REQUEST["sso_id"])) {
    SSO_DisplayError("Session ID expected.  Most likely causes:  Pressing the back button, clicking a URL that launched a new web browser, using a non-offical client, or a bad or incorrectly configured web proxy.  If you clicked a URL in an e-mail, it opened a new web browser, and you got this error, then try this solution:  Copy the URL and paste it into the address bar of the other web browser.  Sorry for the inconvenience, but this behavior helps keep your account secure from hackers.");
}
// Migrate 'sso_id' to a cookie.
if (!isset($_COOKIE["sso_server_id"]) || $_COOKIE["sso_server_id"] != $_REQUEST["sso_id"]) {
    SetCookieFixDomain("sso_server_id", $_REQUEST["sso_id"], 0, "", "", SSO_IsSSLRequest(), true);
}
// Remove 'sso_id' from browser URL to reduce URL sharing vulnerabilities.
if (isset($_GET["sso_id"]) && isset($_SERVER["QUERY_STRING"])) {
    $url = BB_GetFullRequestURLBase();
    $qstr = explode("&", $_SERVER["QUERY_STRING"]);
    foreach ($qstr as $num => $opt) {
        if (substr($opt, 0, 7) == "sso_id=") {
            unset($qstr[$num]);
        }
    }
    $qstr = implode("&", $qstr);
    if ($qstr != "") {
        $url .= "?" . $qstr;
    }
    header("Location: " . $url);
    exit;
}
$sso_session_id = explode("-", $_REQUEST["sso_id"]);
if (count($sso_session_id) != 2) {
Exemplo n.º 2
0
function BB_GetBackURL($query = array(), $fullrequest = false, $protocol = "")
{
    if (isset($_REQUEST["bb_back"])) {
        $items = unserialize(base64_decode(str_replace(array("-", "_"), array("+", "/"), $_REQUEST["bb_back"])));
        if (is_array($items)) {
            foreach ($items as $key => $val) {
                if (!is_array($val)) {
                    $query[] = urlencode($key) . "=" . urlencode($val);
                } else {
                    foreach ($val as $val2) {
                        $query[] = urlencode($key) . "[]=" . urlencode($val2);
                    }
                }
            }
        }
    }
    return ($fullrequest ? BB_GetFullRequestURLBase($protocol) : BB_GetRequestURLBase()) . (count($query) ? "?" . implode("&", $query) : "");
}
Exemplo n.º 3
0
<?php

// Barebones CMS
// (C) 2015 CubicleSoft.  All Rights Reserved.
require_once "config.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/str_basics.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/utf8.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/bb_functions.php";
Str::ProcessAllInput();
// Don't proceed any further if this is an acciental re-upload of this file to the root path.
if (defined("STO_LOGIN") && STO_LOGIN && ROOT_PATH == str_replace("\\", "/", dirname(__FILE__))) {
    exit;
}
if (USE_HTTPS && !BB_IsSSLRequest()) {
    header("Location: " . BB_GetFullRequestURLBase("https"));
    exit;
}
// Allow developers to inject code here.  For example, IP address restriction logic or a SSO bypass.
if (file_exists("login_hook.php")) {
    require_once "login_hook.php";
} else {
    if (defined("STO_LOGIN") && STO_LOGIN && file_exists(ROOT_PATH . "/login_hook.php")) {
        require_once ROOT_PATH . "/login_hook.php";
    }
}
if (isset($_REQUEST["action"]) && $_REQUEST["action"] == "login") {
    require_once ROOT_PATH . "/accounts.php";
    $user = trim($_REQUEST["login_user"]);
    $pass = trim($_REQUEST["login_pass"]);
    if (!isset($bb_accounts["users"][$user]) || $bb_accounts["users"][$user]["pass"] != sha1($user . ":" . $pass)) {
        echo "<span class=\"error\">Incorrect username or password.</span>";
Exemplo n.º 4
0
     BB_LoadExtensionsCache();
     BB_UpdateExtensionsCache();
     if (count($bb_extensions_info["vulnerabilities"])) {
         echo "<div id=\"mainviewinfo_vulnerabilities\">" . BB_HTMLPurify(implode("<br /><br />", $bb_extensions_info["vulnerabilities"])) . "</div>";
     }
     if (count($bb_extensions_info["updates"])) {
         echo "<div id=\"mainviewinfo_updates\">" . BB_HTMLPurify(implode("<br /><br />", $bb_extensions_info["updates"])) . "</div>";
     }
     echo $bb_revision_writeable ? "" : BB_Translate("<b>[Read Only]</b> ");
     echo htmlspecialchars(BB_Translate(BB_GetIANADesc($bb_pref_lang)));
     echo $bb_pref_lang == $bb_page["defaultlang"] ? BB_Translate(" [default]") : "";
     echo $bb_profile != "" ? htmlspecialchars(BB_Translate(", " . $bb_profiles[$bb_profile])) : "";
     if ($bb_revision_num < 0) {
         echo ", <a href=\"" . htmlspecialchars(BB_GetFullRequestURLBase("http") . "?lang=" . urlencode($bb_pref_lang)) . "\">" . BB_Translate("Live Page") . "</a>";
     } else {
         echo BB_Translate(", Revision #%d, %s, Reason: %s | %s", $bb_revision_num, $bb_revision[0] == "" ? BB_Translate("<i>[Root]</i>") : htmlspecialchars($bb_revision[0]), htmlspecialchars($bb_revision[4]), "<a href=\"" . htmlspecialchars(BB_GetFullRequestURLBase("http") . "?lang=" . urlencode($bb_pref_lang)) . "\">" . BB_Translate("Live Page") . "</a>");
     }
     if (isset($_REQUEST["notify"])) {
         require_once "translate.php";
         if (isset($bb_translate_notify[(int) $_REQUEST["notify"]])) {
             $entry = $bb_translate_notify[(int) $_REQUEST["notify"]];
             echo BB_Translate("<br />%s, %s, %s =&gt; %s, %s", htmlspecialchars($entry[0]), BB_FormatTimestamp($entry[1]), htmlspecialchars(BB_Translate(BB_GetIANADesc($entry[4], true, true))), htmlspecialchars(BB_Translate(BB_GetIANADesc($entry[5], true, true))), htmlspecialchars($entry[6]));
         }
     }
     BB_RunPluginAction("post_bb_main_edit_mainviewinfo");
 } else {
     if ($_REQUEST["bb_action"] == "bb_main_edit_view") {
         BB_RunPluginAction("pre_bb_main_edit_view");
         if ($bb_page["redirect"] != "") {
             header("Location: " . $bb_page["redirect"]);
         } else {
Exemplo n.º 5
0
     $destfile = SSO_ROOT_PATH . "/" . $admindir;
     if (!@mkdir($destfile, 0755)) {
         InstallError("Unable to create endpoint directory.");
     }
     $destfile .= "/admin.php";
     if (!@rename($srcfile, $destfile)) {
         InstallError("Unable to move 'admin.php' to admin directory.");
     }
     $adminurl = dirname(BB_GetFullRequestURLBase());
     if (substr($adminurl, -1) != "/") {
         $adminurl .= "/";
     }
     $adminurl .= $admindir . "/admin.php";
     InstallSuccess("Successfully created a randomly named directory and moved 'admin.php' into it.");
 } else {
     $adminurl = dirname(BB_GetFullRequestURLBase());
     if (substr($adminurl, -1) != "/") {
         $adminurl .= "/";
     }
     $adminurl .= "admin.php";
 }
 // Set up the main configuration file.
 $data = "<" . "?php\n";
 $data .= "\tdefine(\"SSO_HTTP_SERVER\", \"\");\n";
 $data .= "\tdefine(\"SSO_HTTPS_SERVER\", \"\");\n";
 $data .= "\tdefine(\"SSO_USE_HTTPS\", " . var_export(BB_IsSSLRequest(), true) . ");\n";
 $data .= "\tdefine(\"SSO_ROOT_PATH\", " . var_export(SSO_ROOT_PATH, true) . ");\n";
 $data .= "\tdefine(\"SSO_ROOT_URL\", " . var_export(SSO_ROOT_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_LOGIN_URL\", " . var_export(SSO_LOGIN_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_ENDPOINT_URL\", " . var_export(SSO_ENDPOINT_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_SUPPORT_PATH\", " . var_export(SSO_SUPPORT_PATH, true) . ");\n";
Exemplo n.º 6
0
        echo htmlspecialchars($opts[0]);
        ?>
</changefreq>
		<priority><?php 
        echo htmlspecialchars($priority);
        ?>
</priority>
	</url>
<?php 
    }
    ?>
</urlset>
<?php 
} else {
    ?>
<sitemapindex xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<?php 
    foreach ($langs as $lang => $val) {
        ?>
	<sitemap>
		<loc><?php 
        echo htmlspecialchars(BB_GetFullRequestURLBase() . "?lang=" . $lang);
        ?>
</loc>
	</sitemap>
<?php 
    }
    ?>
</sitemapindex>
<?php 
}
Exemplo n.º 7
0
function BB_PreMainJS()
{
    global $bb_pref_lang, $bb_revision_num, $bb_paths;
    ?>
<script type="text/javascript">
var Gx__RootURL = '<?php 
    echo BB_JSSafe(isset($bb_paths) ? $bb_paths["ROOT_URL"] : ROOT_URL);
    ?>
';
var Gx__SupportDebug = <?php 
    echo defined("DEBUG_JS") ? "true" : "false";
    ?>
;
var Gx__SupportPath = '<?php 
    echo BB_JSSafe(isset($bb_paths) ? $bb_paths["SUPPORT_PATH"] : SUPPORT_PATH);
    ?>
';
var Gx__URLBase = '<?php 
    echo BB_JSSafe(BB_GetRequestURLBase());
    ?>
';
var Gx__PrefLang = '<?php 
    echo BB_JSSafe($bb_pref_lang);
    ?>
';
var Gx__FullRootURL = '<?php 
    echo BB_JSSafe(BB_GetFullRootURLBase());
    ?>
';
var Gx__FullRootURLHTTP = '<?php 
    echo BB_JSSafe(BB_GetFullRootURLBase("http"));
    ?>
';
var Gx__FullRootURLHTTPS = '<?php 
    echo BB_JSSafe(BB_GetFullRootURLBase("https"));
    ?>
';
var Gx__FullURLBase = '<?php 
    echo BB_JSSafe(BB_GetFullRequestURLBase());
    ?>
';
var Gx__FullURLBaseHTTP = '<?php 
    echo BB_JSSafe(BB_GetFullRequestURLBase("http"));
    ?>
';
var Gx__FullURLBaseHTTPS = '<?php 
    echo BB_JSSafe(BB_GetFullRequestURLBase("https"));
    ?>
';
<?php 
    if (isset($bb_revision_num)) {
        echo "var Gx__RevisionNum = " . $bb_revision_num . ";\n";
    }
    ?>
var Gx__MaxSendSize = <?php 
    echo min(BB_PHPShorthandToBytes(ini_get("post_max_size")), BB_PHPShorthandToBytes(ini_get("upload_max_filesize")));
    ?>
;
<?php 
    BB_RunPluginAction("bb_premainjs");
    ?>
</script>
<?php 
}