** but WITHOUT ANY WARRANTY; without even the implied warranty of      *
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU    *
** Lesser General Public License for more details.                     *
**                                                                     *
** You should have received a copy of the GNU Lesser General Public    *
** License along with this library; if not, write to                   *
** the Free Software Foundation, Inc.,                                 *
** 59 Temple Place, Suite 330,                                         *
** Boston, MA                                                          *
** 02111-1307 USA                                                      *
**---------------------------------------------------------------------*/
// Uber-only page: changes the group id of the given users via
// lib_login_do_group_change() and then bounces back to the referring page
// with the outcome in the ?giderror= query parameter.
ob_start();
session_start();
include dirname(__FILE__) . "/login.inc.php";

// find out where we came from, strip the GET tags off the URL
// lib_login_protect_page_uber() is expected to return the logged-in
// username; $UBER_USER and $FAIL_PAGE are presumably set by login.inc.php.
$user = lib_login_protect_page_uber();
// NOTE(review): $goback is derived from the Referer header, so the redirect
// target below is client-influenced; a fixed return page would be safer.
$goback = GetReferer();
$goback = explode("?", $goback);
$goback = $goback[0];

// don't let non-uber users run this page.
if ($user != $UBER_USER) {
    header("Location: {$FAIL_PAGE}");
    // NOTE(review): $error is never assigned in this file, so the delerror
    // parameter is empty unless login.inc.php defines it — confirm.
    lib_login_no_browser_redirect("{$goback}?delerror={$error}");
    // die keeps the group change below from running for a non-uber user.
    die;
} else {
    // do the update stuff here
    // NOTE(review): $usernames and $newgid are not assigned anywhere in this
    // file; they presumably arrive as request variables via register_globals.
    // They should be read explicitly from the request and validated before
    // being passed on, since register_globals is unavailable on PHP >= 5.4.
    $giderror = urlencode(lib_login_do_group_change($usernames, $newgid));
}
// Redirect via header() for browsers and via the fallback for clients that
// ignore it; $giderror is already urlencoded above.
header("Location: {$goback}?giderror={$giderror}");
lib_login_no_browser_redirect("{$goback}?giderror={$giderror}");
ob_end_flush();
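/**
 * Validates a username/password pair against tbl_users.
 *
 * Returns the stored username on success (or $UBER_USER on the first-run
 * bootstrap path, which creates the uber account when it does not exist yet).
 * On a failed or punished login it redirects the browser back to the
 * referring login page with ?error=invalid or ?error=punished and calls die,
 * so the function only returns to the caller on success.
 *
 * Fixes relative to the previous version:
 *  - $gString was read without being imported with `global`, so the
 *    bootstrap error messages rendered empty; it is now imported.
 *  - The uber-user bootstrap check uses strict comparison so that a
 *    numeric-looking submission cannot compare loosely equal to the
 *    configured values.
 *  - The credential lookup binds $username and $password as query
 *    parameters instead of building the SQL text from them.
 *
 * @param string $username  login name as submitted (untrusted input)
 * @param string $password  plaintext password as submitted (untrusted input)
 * @return string           the authenticated username
 */
function lib_login_check_valid_lp($username, $password)
{
    global $UBER_USER;
    global $UBER_PASS;
    global $ADMIN_EMAIL;
    global $LOG_MESSAGE;
    global $SUB_HEAD_TAG_OPEN;
    global $SUB_HEAD_TAG_CLOSE;
    global $HEADER_TAG_OPEN;
    global $HEADER_TAG_CLOSE;
    global $PUNISH_BAD_ATTEMPTS;
    global $BAD_ATTEMPTS_MAX;
    global $gDB;
    // $gString holds the user-visible message strings used below.
    global $gString;
    $db = $gDB;

    /*----------------------------------*
    ** uberuser account starts with    *
    ** $UBER_PASS as a password. when  *
    ** that combo is called we test to *
    ** see if an account for it already*
    ** exists. if not, we make one.    *
    ** otherwise we pass on to the rest*
    ** of the function...              *
    **----------------------------------*/
    // this is not as insecure as it looks... the bootstrap only fires while
    // no uber account exists yet. Strict comparison is used so that PHP's
    // loose string/number juggling cannot make a different value match.
    if ($username === $UBER_USER
        && $password === $UBER_PASS
        && !lib_login_account_exists($UBER_USER)) {
        $foo = lib_login_create_account($UBER_USER, $UBER_PASS, $UBER_PASS, $ADMIN_EMAIL, "", "");
        if ($foo != "success") {
            // $gString[64] = "a serious error has ocurred in creating the uber user account"
            // $gString[65] = "php_lib_login was unable to create the uber user account with
            //                 the data given. the following exception has been thrown:"
            // $gString[66] = "please consult your configuration and try again. this system
            //                 is completely insecure"
            echo "{$HEADER_TAG_OPEN} {$gString['64']} {$HEADER_TAG_CLOSE}";
            echo "{$HEADER_TAG_OPEN} {$gString['65']}:<p> <b>{$foo}</b><p>";
            echo $gString[66] . $HEADER_TAG_CLOSE;
        }
        // NOTE(review): the uber login is still granted when account creation
        // failed. Failing closed here would be safer, but it changes the
        // first-install behaviour, so it is left as the author wrote it.
        return $UBER_USER;
    }

    $username = trim("{$username}");
    $password = trim("{$password}");
    // NOTE(review): unsalted md5 is a fast hash and is presumably the scheme the
    // stored rows use (confirm against lib_login_create_account). Moving to
    // password_hash()/password_verify() has to be done together with a
    // migration of the stored hashes, so the scheme is kept here.
    $password = md5($password); //store encrypted passwords only

    // this the link back to the login page...
    // strip GET off of URL
    // NOTE(review): the redirect target is taken from the Referer header, so
    // it is client-influenced; a configured login page would be safer.
    $login_page = GetReferer(); // oops... maybe referer not login page...
    $login_page = explode("?", $login_page);
    $login_page = $login_page[0];

    // first we should check to see if the user is on punishment time. if they are, they
    // are not allowed to login and should be bounced. if they aren't we should check and
    // see if they should be put on punishment time because they have exceeded their max
    // failed login attempts and punish them if necessary.
    // ($PUNISH_BAD_ATTEMPTS is compared loosely on purpose: its configured type
    // is not visible from here.)
    if ($PUNISH_BAD_ATTEMPTS == "TRUE" && $username !== $UBER_USER) {
        if (lib_login_test_bad_attempt_punishment($username)) {
            header("Location: {$login_page}?error=punished");
            lib_login_no_browser_redirect("{$login_page}?error=punished");
            die;
        }
        if (lib_login_test_bad_attempts($username)) {
            lib_login_enact_bad_attempt_punishment($username);
        }
    }

    /*----------------------------------*
    ** test for valid l/p              *
    **----------------------------------*/
    // The interpolated values are redacted in this copy of the file; binding
    // them as parameters keeps the submitted username/password out of the SQL
    // text. Assumes the $gDB layer accepts an input array as Execute()'s
    // second argument, as ADOdb does — confirm against the driver in use.
    $sql_valid_lp_test = <<<SQL
        SELECT  *
        FROM    tbl_users
        WHERE   username = ?
        AND     password = ?
SQL;
    $result = $db->Execute($sql_valid_lp_test, array($username, $password));

    // if the recordset is at EOF, no rows were returned and,
    // therefore the l/p is wrong so we redirect to the login page
    if ($result->EOF) {
        if ($username === $UBER_USER) {
            lib_login_write_log($LOG_MESSAGE[2], $username);
        } else {
            lib_login_write_log($LOG_MESSAGE[1], $username);
        }
        // if we have set a max on bad login attempts then we should log
        // this bad attempt!
        if ($PUNISH_BAD_ATTEMPTS == "TRUE" && $username !== $UBER_USER) {
            lib_login_write_bad_attempt($username);
        }
        header("Location: {$login_page}?error=invalid");
        lib_login_no_browser_redirect("{$login_page}?error=invalid");
        die; // don't let the rest of the code run if login fails!!
    }

    // a successful login - clear the bad attempts, write the log, return the username
    if ($PUNISH_BAD_ATTEMPTS == "TRUE") {
        lib_login_clear_bad_attempts($username);
    }
    lib_login_write_log($LOG_MESSAGE[0], $username);
    return $result->Fields["username"];
}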