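/**
 * Returns the scheme + host (+ non-default port) of the current request,
 * e.g. "https://example.com" or "http://example.com:8080" (no trailing slash).
 *
 * $protocol  "" (default) follows the current request's scheme, as reported by
 *            BB_IsSSLRequest() (defined elsewhere); "http" or "https" forces
 *            that scheme.  Any other value is treated like "http" but never
 *            gets a port appended.
 *
 * Resolution order:  the HTTPS_SERVER / HTTP_SERVER constants when defined and
 * non-empty; otherwise the authority of an absolute-form REQUEST_URI
 * ("http://host/..."); otherwise the Host header; otherwise
 * SERVER_NAME:SERVER_PORT.
 *
 * NOTE:  Only the constants are trustworthy.  REQUEST_URI and HTTP_HOST are
 * client-supplied, so when the constants are empty the returned host is under
 * the client's control (host header injection).  The character filter below
 * limits what can be smuggled in but does not make the value trusted;
 * deployments that use this URL for redirects or links in e-mail should set
 * HTTP_SERVER / HTTPS_SERVER.
 *
 * Results are memoized per scheme choice ("def", "http", "https") in the
 * global $bb_getrequesthost_cache.
 */
function BB_GetRequestHost($protocol = "")
{
    global $bb_getrequesthost_cache;

    $protocol = strtolower($protocol);
    // '&&' binds tighter than '||':  forced "https", or no preference and the
    // current request arrived over SSL.
    $ssl = $protocol == "https" || $protocol == "" && BB_IsSSLRequest();
    if ($protocol == "") {
        $type = "def";
    } else {
        $type = $ssl ? "https" : "http";
    }

    if (!isset($bb_getrequesthost_cache)) {
        $bb_getrequesthost_cache = array();
    }
    if (isset($bb_getrequesthost_cache[$type])) {
        return $bb_getrequesthost_cache[$type];
    }

    $url = "http" . ($ssl ? "s" : "") . "://";
    if ($ssl && defined("HTTPS_SERVER") && HTTPS_SERVER != "") {
        $url .= HTTPS_SERVER;
    } elseif (!$ssl && defined("HTTP_SERVER") && HTTP_SERVER != "") {
        $url .= HTTP_SERVER;
    } else {
        // Some proxies forward absolute-form request targets
        // ("GET http://host/path HTTP/1.1"); pull the authority out of those.
        $str = isset($_SERVER["REQUEST_URI"]) ? str_replace("\\", "/", $_SERVER["REQUEST_URI"]) : "";
        $pos = strpos($str, "?");
        if ($pos !== false) {
            $str = substr($str, 0, $pos);
        }
        $str2 = strtolower($str);
        if (substr($str2, 0, 7) == "http://") {
            $prefixlen = 7;
        } elseif (substr($str2, 0, 8) == "https://") {
            $prefixlen = 8;
        } else {
            $prefixlen = 0;
        }
        if ($prefixlen > 0) {
            $pos = strpos($str, "/", $prefixlen);
            // BUG FIX:  substr()'s third argument is a length, not an end
            // offset.  The old code passed $pos itself, so the path was pulled
            // into the host ("http://example.com/path" -> "example.com/path",
            // which the filter below then mangled to "example.compath").
            // An authority with no trailing "/" is deliberately ignored here
            // and falls through to the Host header, as before.
            $str = ($pos === false ? "" : substr($str, $prefixlen, $pos - $prefixlen));
        } else {
            $str = "";
        }

        if ($str != "") {
            $host = $str;
        } elseif (isset($_SERVER["HTTP_HOST"])) {
            $host = $_SERVER["HTTP_HOST"];
        } else {
            $host = $_SERVER["SERVER_NAME"] . ":" . (int) $_SERVER["SERVER_PORT"];
        }

        // Split off an explicit port.  (IPv6 literals such as "[::1]:8080" are
        // not handled; the first ':' wins, as in the original.)
        $pos = strpos($host, ":");
        if ($pos === false) {
            $port = 0;
        } else {
            $port = (int) substr($host, $pos + 1);
            $host = substr($host, 0, $pos);
        }
        if ($port < 1 || $port > 65535) {
            $port = $ssl ? 443 : 80;
        }

        // Restrict the host to hostname characters so a hostile Host header
        // cannot inject path, credential, or control characters into the URL.
        $url .= preg_replace('/[^a-z0-9.\\-]/', "", strtolower($host));

        // Append the port only when it differs from the chosen scheme's
        // default; an unrecognized $protocol never gets a port.
        if ($protocol == "" && (!$ssl && $port != 80 || $ssl && $port != 443)) {
            $url .= ":" . $port;
        } elseif ($protocol == "http" && !$ssl && $port != 80) {
            $url .= ":" . $port;
        } elseif ($protocol == "https" && $ssl && $port != 443) {
            $url .= ":" . $port;
        }
    }

    $bb_getrequesthost_cache[$type] = $url;
    return $url;
}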
			<td>PHP 'magic_quotes_sybase' off</td>
			<td align="right">
<?php 
    // ini_get() returns "" or "0" (both falsy) when the directive is off and
    // false when the directive does not exist at all, so PHP builds that no
    // longer ship magic quotes report success here.
    $sybaseQuotes = ini_get('magic_quotes_sybase');
    echo $sybaseQuotes
        ? "<span class=\"error\">No</span><br /><br />PHP is running with 'magic_quotes_sybase' enabled.  This setting is generally accepted as a security risk AND causes all sorts of non-security-related problems.  It is also deprecated.  Please turn it off by editing the php.ini file for your site - you may need to contact your hosting provider to accomplish this task."
        : "<span class=\"success\">Yes</span>";
    ?>
			</td>
		</tr>
		<tr class="row altrow">
			<td>Installation over SSL</td>
			<td align="right">
<?php 
    // BB_IsSSLRequest() is defined elsewhere.  A non-SSL install is permitted
    // but flagged, since tokens would otherwise travel in clear text.
    $overSsl = BB_IsSSLRequest();
    echo $overSsl
        ? "<span class=\"success\">Yes</span>"
        : "<span class=\"error\">No</span><br /><br />While Single Sign-On Client will install and run without using HTTPS/SSL, think about the implications of network sniffing access tokens, who will have access to the system, and what they can do in the system.  SSL certificates can be obtained for free.  Proceed only if this major security risk is acceptable.";
    ?>
			</td>
		</tr>
		<tr class="row altrow">
			<td>Crypto-safe CSPRNG available</td>
			<td align="right">
<?php 
    try {
        $rng = new SSO_CSPRNG(true);
        echo "<span class=\"success\">Yes</span>";
    } catch (Exception $e) {
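// Capture the buffered footer markup (an ob_start() earlier in the file is
// assumed) so the page renderer can emit it later.
if (file_exists(SSO_ROOT_PATH . "/footer.php")) {
    require_once SSO_ROOT_PATH . "/footer.php";
}
$sso_footer = ob_get_contents();
ob_end_clean();

// Connect to the database and generate database globals.
try {
    SSO_DBConnect(false);
} catch (Exception $e) {
    // SSO_DisplayError() presumably terminates the request.  The raw exception
    // message is deliberately not shown to the client.
    SSO_DisplayError("Unable to connect to the database.");
}

// Load in fields without admin select.
SSO_LoadFields(false);

// Load in $sso_settings and initialize it.
SSO_LoadSettings();

// Refuse to serve a HTTPS-only deployment over plain HTTP.
if (SSO_USE_HTTPS && !BB_IsSSLRequest()) {
    SSO_DisplayError("SSL expected.  Most likely cause:  Bad server configuration.");
}

// Fall back to the session ID stored in the cookie when the request carries none.
if (!isset($_REQUEST["sso_id"]) && isset($_COOKIE["sso_server_id"])) {
    $_REQUEST["sso_id"] = $_COOKIE["sso_server_id"];
}
if (!isset($_REQUEST["sso_id"])) {
    SSO_DisplayError("Session ID expected.  Most likely causes:  Pressing the back button, clicking a URL that launched a new web browser, using a non-offical client, or a bad or incorrectly configured web proxy.  If you clicked a URL in an e-mail, it opened a new web browser, and you got this error, then try this solution:  Copy the URL and paste it into the address bar of the other web browser.  Sorry for the inconvenience, but this behavior helps keep your account secure from hackers.");
}

// Migrate 'sso_id' to a cookie.
// Strict comparison:  both values are client-supplied strings, and a loose
// '!=' treats distinct numeric-looking IDs (e.g. "1e3" and "1000") as equal,
// which would skip refreshing the cookie.
if (!isset($_COOKIE["sso_server_id"]) || $_COOKIE["sso_server_id"] !== $_REQUEST["sso_id"]) {
    // The last two arguments look like setcookie()'s secure / httponly flags
    // (secure follows SSO_IsSSLRequest()) -- confirm against SetCookieFixDomain().
    SetCookieFixDomain("sso_server_id", $_REQUEST["sso_id"], 0, "", "", SSO_IsSSLRequest(), true);
}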
// Remove 'sso_id' from browser URL to reduce URL sharing vulnerabilities.
if (isset($_GET["sso_id"]) && isset($_SERVER["QUERY_STRING"])) {
    $url = BB_GetFullRequestURLBase();
<?php

// Barebones CMS
// (C) 2015 CubicleSoft.  All Rights Reserved.
// Bootstrap:  configuration first, then the shared support libraries it points to.
require_once "config.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/str_basics.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/utf8.php";
require_once ROOT_PATH . "/" . SUPPORT_PATH . "/bb_functions.php";
// Normalizes the request input superglobals (Str is presumably from str_basics.php).
Str::ProcessAllInput();
// Don't proceed any further if this is an accidental re-upload of this file to the root path.
// STO_LOGIN appears to mark the copy of this file meant to live outside
// ROOT_PATH; finding that copy at ROOT_PATH means it is the misplaced one.
if (defined("STO_LOGIN") && STO_LOGIN && ROOT_PATH == str_replace("\\", "/", dirname(__FILE__))) {
    exit;
}
// Force HTTPS when the site is configured for it.  The exit after the redirect
// header ensures no page content is emitted over plain HTTP.
if (USE_HTTPS && !BB_IsSSLRequest()) {
    header("Location: " . BB_GetFullRequestURLBase("https"));
    exit;
}
// Allow developers to inject code here.  For example, IP address restriction logic or a SSO bypass.
// NOTE(review):  "login_hook.php" is resolved relative to the current working
// directory / include_path and runs with the page's full privileges, so that
// location must not be writable by the web server user.
if (file_exists("login_hook.php")) {
    require_once "login_hook.php";
} else {
    if (defined("STO_LOGIN") && STO_LOGIN && file_exists(ROOT_PATH . "/login_hook.php")) {
        require_once ROOT_PATH . "/login_hook.php";
    }
}
if (isset($_REQUEST["action"]) && $_REQUEST["action"] == "login") {
    require_once ROOT_PATH . "/accounts.php";
    $user = trim($_REQUEST["login_user"]);
    $pass = trim($_REQUEST["login_pass"]);
    if (!isset($bb_accounts["users"][$user]) || $bb_accounts["users"][$user]["pass"] != sha1($user . ":" . $pass)) {
        echo "<span class=\"error\">Incorrect username or password.</span>";
 public function LoginAddMap(&$mapinfo, $userrow, &$userinfo, $admin)
 {
     // Drops the encrypted anti-phishing cookie ("sso_l_ap") when this
     // provider has all four cookie key/IV values configured and the user
     // record carries an anti-phishing value.  $mapinfo, $userrow and $admin
     // belong to the hook signature but are not used here.
     global $sso_rng;

     $settings = $this->GetInfo();
     foreach (array("cookiekey", "cookieiv", "cookiekey2", "cookieiv2") as $field) {
         if ($settings[$field] == "") {
             return;
         }
     }
     if (!isset($userinfo["sso_antiphish"])) {
         return;
     }

     // Set the anti-phishing cookie here.
     $key = pack("H*", $settings["cookiekey"]);
     $options = array(
         "prefix" => $sso_rng->GenerateString(),
         "mode" => "CBC",
         "iv" => pack("H*", $settings["cookieiv"]),
         "key2" => pack("H*", $settings["cookiekey2"]),
         "iv2" => pack("H*", $settings["cookieiv2"]),
         "lightweight" => true,
     );
     $packet = base64_encode(Blowfish::CreateDataPacket($userinfo["sso_antiphish"], $key, $options));
     $oneyear = 365 * 24 * 60 * 60;
     SetCookieFixDomain("sso_l_ap", $packet, time() + $oneyear, "", "", BB_IsSSLRequest(), true);
 }
         $adminurl .= "/";
     }
     $adminurl .= $admindir . "/admin.php";
     InstallSuccess("Successfully created a randomly named directory and moved 'admin.php' into it.");
 } else {
     $adminurl = dirname(BB_GetFullRequestURLBase());
     if (substr($adminurl, -1) != "/") {
         $adminurl .= "/";
     }
     $adminurl .= "admin.php";
 }
 // Set up the main configuration file.
 // The "<" . "?php" split keeps this file's own parser from seeing an open
 // tag inside the string literal.
 $data = "<" . "?php\n";
 // Server overrides start empty.  Presumably the runtime then derives the
 // host from the request (client-controlled); operators who care about
 // host-header trust should fill these in -- confirm against the runtime.
 $data .= "\tdefine(\"SSO_HTTP_SERVER\", \"\");\n";
 $data .= "\tdefine(\"SSO_HTTPS_SERVER\", \"\");\n";
 // Whether HTTPS is enforced is decided by how the *installer* request arrived.
 // NOTE(review):  behind a TLS-terminating proxy BB_IsSSLRequest() may report
 // false and bake SSO_USE_HTTPS = false into the config -- verify.
 $data .= "\tdefine(\"SSO_USE_HTTPS\", " . var_export(BB_IsSSLRequest(), true) . ");\n";
 $data .= "\tdefine(\"SSO_ROOT_PATH\", " . var_export(SSO_ROOT_PATH, true) . ");\n";
 $data .= "\tdefine(\"SSO_ROOT_URL\", " . var_export(SSO_ROOT_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_LOGIN_URL\", " . var_export(SSO_LOGIN_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_ENDPOINT_URL\", " . var_export(SSO_ENDPOINT_URL, true) . ");\n";
 $data .= "\tdefine(\"SSO_SUPPORT_PATH\", " . var_export(SSO_SUPPORT_PATH, true) . ");\n";
 $data .= "\tdefine(\"SSO_PROVIDER_PATH\", " . var_export(SSO_PROVIDER_PATH, true) . ");\n";
 $data .= "\tdefine(\"SSO_LANG_PATH\", \"lang\");\n";
 // var_export() emits a quoted, escaped PHP literal, so the request values
 // below cannot break out of the string and become code.  NOTE(review):
 // nothing here checks that they are strings -- a parameter submitted as an
 // array exports as array(...).  Confirm the form handler validates them first.
 $data .= "\tdefine(\"SSO_DEFAULT_LANG\", " . var_export($_REQUEST["sso_default_lang"], true) . ");\n";
 $data .= "\tdefine(\"SSO_ADMIN_LANG\", " . var_export($_REQUEST["sso_admin_lang"], true) . ");\n";
 $data .= "\tdefine(\"SSO_PROXY_X_FORWARDED_FOR\", " . var_export($_REQUEST["sso_proxy_x_forwarded_for"], true) . ");\n";
 $data .= "\tdefine(\"SSO_PROXY_CLIENT_IP\", " . var_export($_REQUEST["sso_proxy_client_ip"], true) . ");\n";
 // The seeds are secret material.  The generated file only executes as PHP,
 // but backups and VCS copies of it need the same care as a key file.
 $data .= "\tdefine(\"SSO_BASE_RAND_SEED\", " . var_export(SSO_BASE_RAND_SEED, true) . ");\n";
 $data .= "\tdefine(\"SSO_BASE_RAND_SEED2\", " . var_export(SSO_BASE_RAND_SEED2, true) . ");\n";
 $data .= "\tdefine(\"SSO_BASE_RAND_SEED3\", " . var_export(SSO_BASE_RAND_SEED3, true) . ");\n";
 $data .= "\tdefine(\"SSO_BASE_RAND_SEED4\", " . var_export(SSO_BASE_RAND_SEED4, true) . ");\n";
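 public function LoginAddMap(&$mapinfo, $userrow, &$userinfo, $admin)
 {
     // Issues a "Remember Me" token for a non-admin login when the session
     // requested one:  a fresh token pair is recorded (hashed) in
     // $userinfo["sso_remember_me"], and the user ID plus clear tokens are
     // appended to the encrypted "sso_l_rme" cookie, which is shared across
     // accounts on this browser.
     //
     // $mapinfo is unused here; $userinfo is modified in place; $userrow->id
     // keys the cookie entry.  Requires all four cookie key/IV values from
     // GetInfo() to be configured.
     global $sso_rng, $sso_session_info;

     $info = $this->GetInfo();
     if ($admin || $info["cookiekey"] == "" || $info["cookieiv"] == "" || $info["cookiekey2"] == "" || $info["cookieiv2"] == "" || !isset($sso_session_info["sso_login_remember_me"])) {
         return;
     }

     if (!isset($userinfo["sso_remember_me"]) || $sso_session_info["sso_login_remember_me"]["reset"]) {
         $userinfo["sso_remember_me"] = array();
     }

     // Remove expired tokens.
     foreach ($userinfo["sso_remember_me"] as $token => $tokeninfo) {
         if (CSDB::ConvertFromDBTime($tokeninfo["expires"]) < time()) {
             unset($userinfo["sso_remember_me"][$token]);
         }
     }

     if ($sso_session_info["sso_login_remember_me"]["numdays"] <= 0) {
         return;
     }

     $token = $sso_rng->GenerateString();
     $token2 = $sso_rng->GenerateString();
     $salt = $sso_rng->GenerateString();
     // Only a salted hash of the second token is stored server-side; the clear
     // token lives in the cookie, so the stored record alone does not yield a
     // usable cookie.
     $passwordinfo = sso_login::HashPasswordInfo($salt . ":" . $token2);
     if (!$passwordinfo["success"]) {
         return;
     }

     // Add temporary session data to user information.
     $userinfo["sso_remember_me"][$token] = array(
         "salt" => $salt,
         "rounds" => (int) $passwordinfo["rounds"],
         "hash" => bin2hex($passwordinfo["hash"]),
         "expires" => CSDB::ConvertToDBTime(time() + $sso_session_info["sso_login_remember_me"]["numdays"] * 24 * 60 * 60),
         "bypass" => $sso_session_info["sso_login_remember_me"]["bypass"],
     );

     // Append user ID and token to the cookie.
     $cookiekey = pack("H*", $info["cookiekey"]);
     $cookieiv = pack("H*", $info["cookieiv"]);
     $cookiekey2 = pack("H*", $info["cookiekey2"]);
     $cookieiv2 = pack("H*", $info["cookieiv2"]);
     $cookiedata = false;
     if (isset($_COOKIE["sso_l_rme"])) {
         // Decrypt existing data.
         $cookiedata = @base64_decode($_COOKIE["sso_l_rme"]);
         if ($cookiedata !== false) {
             $cookiedata = Blowfish::ExtractDataPacket($cookiedata, $cookiekey, array("mode" => "CBC", "iv" => $cookieiv, "key2" => $cookiekey2, "iv2" => $cookieiv2, "lightweight" => true));
         }
         if ($cookiedata !== false) {
             // SECURITY(review):  unserialize() on client-supplied data.  It is
             // gated by the packet extraction above, so safety depends on that
             // packet being authenticated, not merely encrypted -- confirm.
             // The payload is only ever a nested array of strings, so passing
             // array("allowed_classes" => false) (PHP 7+) would remove the
             // object-instantiation surface at no cost if PHP 5 support is dropped.
             $cookiedata = @unserialize($cookiedata);
         }
     }
     // A missing, undecryptable, or non-array payload starts a fresh map.  The
     // previous code only tested for false, so a payload that deserialized to
     // a scalar would have reached the array write below and errored.
     if (!is_array($cookiedata)) {
         $cookiedata = array();
     }
     $cookiedata[$userrow->id] = array($token, $token2);

     // Set the Remember Me cookie.
     $data = base64_encode(Blowfish::CreateDataPacket(serialize($cookiedata), $cookiekey, array("prefix" => $sso_rng->GenerateString(), "mode" => "CBC", "iv" => $cookieiv, "key2" => $cookiekey2, "iv2" => $cookieiv2, "lightweight" => true)));
     SetCookieFixDomain("sso_l_rme", $data, time() + $info["maxdays"] * 24 * 60 * 60, "", "", BB_IsSSLRequest(), true);
 }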