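/**
 * Entry point of the login / session / registration / password-hint handling.
 *
 * Dispatches on the request and runs the matching flow. Most flows answer the
 * request themselves and terminate it (exitnow(), die(), redirect()):
 *   ?module=lang                       store the UI language cookie, then redirect
 *   ?module=status                     poll a progress file in the tmp directory
 *   POST username + password           log in (JSON answer)
 *   session with arc_id + logintime    re-check the already logged-in user
 *   register / forgot / inv_hash_check the respective form handlers
 *
 * @return bool|null FALSE when the current module needs no authentication
 *                   (MENUAUTH is defined), the result of session_check() for a
 *                   valid session, NULL when no flow matched or the login POST
 *                   had an empty username/password (what the caller makes of
 *                   NULL is not visible here)
 * @throws arcException from the status and session flows, see the helpers
 */
public function authenticate()
{
    $module = isset($_GET['module']) && is_string($_GET['module']) ? $_GET['module'] : '';

    // Both of these normally end the request; if they return, fall through as before.
    if ($module === 'lang') {
        $this->authenticate_lang_switch();
    }
    if ($module === 'status') {
        $this->authenticate_status_poll();
    }

    if (isset($_POST['username'], $_POST['password'])) {
        $this->authenticate_login_post();
        return NULL;
    }

    // Loose "" comparison on purpose: session_get() may hand back NULL/FALSE for a missing key.
    if ($this->session_get('arc_id') != "" && $this->session_exists('logintime')) {
        return $this->authenticate_existing_session();
    }

    $action = isset($_GET['action']) ? $_GET['action'] : NULL;
    if ($this->modulename === 'register' && $action === 'doit') {
        $this->authenticate_register();
        return NULL;
    }
    if ($this->modulename === 'forgot' && $action !== NULL
        && isset($_POST['username']) && is_string($_POST['username']) && $_POST['username'] !== '') {
        $this->authenticate_forgot();
        return NULL;
    }
    if ($this->modulename === 'register' && $module === 'inv_hash_check') {
        $this->authenticate_inv_hash_check();
    }
    return NULL;
}

/**
 * ?module=lang: stores the requested UI language in a cookie (only when it is
 * one of $this->arc_langs) and sends the browser back to where it came from.
 * Normally terminates the request (exit or redirect()).
 */
private function authenticate_lang_switch()
{
    $code = isset($_GET['code']) ? $_GET['code'] : '';
    if (in_array($code, $this->arc_langs, TRUE)) {
        setcookie(
            $this->lang_cookiename,
            $code,
            TIME + 60 * 60 * 24 * 365,
            substr($this->relpath, 0, -1),
            $_SERVER['HTTP_HOST'],
            $this->https,
            TRUE
        );
    }
    if (isset($_GET['origin'])) {
        $target = base64_decode($_GET['origin']);
        // ?origin is client supplied: only follow it when it stays on this site,
        // otherwise the language switch works as an open redirect. 302 instead of
        // the former 301 because browsers cache permanent redirects and would then
        // skip this endpoint (and the cookie update) on the next switch.
        if ($this->authenticate_is_local_target($target)) {
            header('Location: ' . $target, TRUE, 302);
            exit;
        }
    }
    redirect('login');
}

/**
 * Whether a redirect target stays on this site: a relative or site-absolute
 * path, or an absolute URL whose host equals the request host. Protocol-relative
 * targets ("//host/..."), foreign hosts and header-breaking characters are rejected.
 *
 * @param mixed $url decoded ?origin value
 * @return bool
 */
private function authenticate_is_local_target($url)
{
    if (!is_string($url)) {
        return FALSE;
    }
    // Leading whitespace would be dropped by the HTTP layer, so judge the value without it.
    $url = ltrim($url, " \t\r\n\0\x0B");
    if ($url === '' || preg_match('/[\r\n]/', $url)) {
        return FALSE;
    }
    // "//host" and "/\host" are interpreted as protocol-relative by browsers.
    if (preg_match('#^[\\\\/]{2}#', $url)) {
        return FALSE;
    }
    // No scheme at all: a relative or site-absolute path.
    if (!preg_match('#^[a-z][a-z0-9+.\-]*:#i', $url)) {
        return TRUE;
    }
    $host = parse_url($url, PHP_URL_HOST);
    $own  = isset($_SERVER['HTTP_HOST']) ? preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST']) : '';
    return is_string($host) && $own !== '' && strcasecmp($host, $own) === 0;
}

/**
 * ?module=status: answers with the contents of a progress file in the tmp
 * directory, or with an "uploading"/"working" placeholder while the file does
 * not exist yet. Ends the request via exitnow().
 *
 * @throws arcException (code 666) when the requested file lies outside tmppath
 */
private function authenticate_status_poll()
{
    $sem  = isset($_GET['sem']) && is_string($_GET['sem']) ? $_GET['sem'] : '';
    $file = $this->tmppath . $sem;
    if (!is_file($file)) {
        $this->exitnow(isset($_GET['upload']) ? e('uploading') : e('working'));
        return;
    }
    // The file name is client supplied; refuse anything that does not sit directly in tmppath.
    if (dirname($file) . DS !== $this->tmppath) {
        throw new arcException('someone tried to get which is not in tmppath: [' . realpath($file) . ']', 666);
    }
    $this->exitnow(file_get_contents($file));
}

/**
 * POST username + password: verifies the credentials and answers the login
 * call with JSON: code 0 = success plus the link of the start module,
 * code 1 = failed plus the tries left, code 2 = pattern lock requested.
 * Returns silently when either field is empty; otherwise ends in exitnow().
 */
private function authenticate_login_post()
{
    $username = is_string($_POST['username']) ? $_POST['username'] : '';
    // urldecode() mirrors what the client does before posting (existing contract, keep in sync with the client).
    $password = is_string($_POST['password']) ? urldecode($_POST['password']) : '';
    $this->request['username'] = $username;
    $this->request['password'] = $password;
    if ($username === '' || $password === '') {
        return;
    }

    if (!$this->arc_check_login($username, $password, TRUE)) {
        $this->authenticate_login_failed(FALSE);
        return;
    }

    sleep(1); // presumably to slow down guessing; kept from the original
    $this->clean_tmp();

    $settings = DB_DataObject::factory('settings');
    $settings->id_users = $this->id;
    if ($settings->find(TRUE)) {
        $start_module = $this->arc_decrypt_output($settings->start_module);
        if (in_array($start_module, $this->registered_start_modules, TRUE)) {
            $this->startmodule = $start_module;
        }
        $this->authenticate_check_patternlock($this->arc_decrypt_output($settings->patternlock));
    }

    // Successful login: lift an IP block and tidy up this user's data.
    $this->jail('dejail');
    $this->user_log_cleanup();
    if ($this->inv_mode) {
        $this->user_invitations_cleanup();
    }
    if ($this->forgot_active === TRUE && $this->session_exists('lastlogin')) {
        $this->authenticate_notice_answered_hint($username);
    }

    if ($this->startmodule === 'dashboard') {
        $this->session_set('logged_in_and_default_site_shown', TRUE);
    }
    $this->log_login();
    $this->exitnow(json_encode(array('code' => '0', 'msg' => link_for($this->startmodule))));
}

/**
 * Counts a failed attempt against the client (jail) and answers with code 1
 * and the remaining tries. Ends the request via exitnow().
 *
 * @param bool $kill_session TRUE to kill() the session before answering
 */
private function authenticate_login_failed($kill_session)
{
    $tries_left = $this->jail('jail');
    if ($kill_session) {
        $this->kill();
    }
    $this->exitnow(json_encode(array(
        'code' => '1',
        'msg'  => e('login_fail') . e('tries_left', array($tries_left), array(1)),
    )));
}

/**
 * Enforces the user's pattern lock as a second step of the login. No-op when
 * the user has none configured; otherwise the request ends with code 2
 * (pattern requested, client sent "0") or code 1 (wrong pattern).
 *
 * @param mixed $patternlock_user decrypted pattern stored for the user ('' / NULL = none)
 */
private function authenticate_check_patternlock($patternlock_user)
{
    $patternlock_user = (string) $patternlock_user;
    if ($patternlock_user === '') {
        return;
    }
    $submitted = isset($_POST['patternlock']) && is_string($_POST['patternlock']) ? $_POST['patternlock'] : '';
    if ($submitted === '0') {
        // "0" means the client has not asked for the pattern yet: request it.
        $this->kill();
        $this->exitnow(json_encode(array('code' => '2')));
        return;
    }
    // Strict comparison: the former loose != treated numeric-looking patterns
    // such as "1e1" and "10" as equal.
    if ($submitted !== $patternlock_user) {
        $this->authenticate_login_failed(TRUE);
    }
}

/**
 * After a successful login: if the user's password hint was handed out
 * (forgot flow) since the last login, log that event, remember it in the
 * session and force the dashboard as start module so the notice is shown.
 *
 * @param string $username plaintext username, used as key for the forgot row
 */
private function authenticate_notice_answered_hint($username)
{
    $forgot = DB_DataObject::factory('forgot');
    $forgot->active = 'yes';
    $forgot->id_users = $this->id;
    if (!$forgot->find(TRUE)) {
        return;
    }
    $last_req = (string) $forgot->lastreq !== '' ? $this->arc_decrypt($forgot->lastreq, $username) : '';
    if (!is_numeric($last_req)) {
        $last_req = 0;
    }
    if ($last_req < $this->session_get('lastlogin')) {
        return;
    }
    $lastreq_ip = $this->arc_decrypt($forgot->lastreq_ip, $username);
    $this->user_log(e('question_was_answered'), $this->systemlogger, FALSE, $last_req, $lastreq_ip);
    $this->session_set('forgot_displayed_since_last_login', $last_req);
    $this->startmodule = 'dashboard';
}

/**
 * Existing session (arc_id + logintime present): looks the user up again,
 * re-runs the security checks and decides whether the current module may be
 * served.
 *
 * @return bool FALSE for modules that need no authentication (MENUAUTH is
 *              defined), otherwise the result of session_check()
 * @throws arcException code 408 when a security check fails (the session is
 *                      killed first), or without code when no user row hashes
 *                      to the session's arc_id
 */
private function authenticate_existing_session()
{
    $sessionlifetime = ini_get('session.gc_maxlifetime');
    $this->remaining_time = $sessionlifetime - (TIME - $this->session_get('logintime'));
    $arc_key = $this->session_masterkey_get();
    // The former debug logit() of the raw master key was removed: key material
    // must never be written to the log (the line was also a parse error).
    $arc_id = $this->session_get('arc_id');

    $login_check = $this->authenticate_find_session_user($arc_id);
    if ($login_check === NULL) {
        debug('$this->session_get(ALL);', $this->session_get('ALL'));
        throw new arcException("ID: [" . $this->id . "] Session Data present, but no user found in DB!");
    }

    $this->cryptv = $login_check->cryptv;
    $this->colour = $this->arc_decrypt($login_check->colour, $arc_key);
    $this->id = $login_check->id;
    $this->masterkey = $arc_key;

    list($sec_problem, $sec_problem_text) = $this->authenticate_session_problem($login_check, $arc_key);
    if ($sec_problem !== FALSE) {
        $this->user_log($sec_problem_text);
        sleep(1);
        $this->kill();
        throw new arcException("Sec_logout [{$sec_problem}] {$sec_problem_text}", 408);
    }

    $request_action = isset($this->request['action']) ? $this->request['action'] : NULL;
    if ($this->modulename !== "login" && $request_action !== "logout" && $this->remaining_time <= 0) {
        define('SESSION_TIMEOUT_LOGOUT', TRUE); // if set, menu.php logs the user out via JS
    }
    $get_action = isset($_GET['action']) ? $_GET['action'] : NULL;
    if ($this->modulename === "login" && $get_action !== "logout") {
        $this->check_cookies(); // BUGFIX after browser restart (kept from the original)
        redirect("dashboard");
        exit;
    }

    $this->authenticate_define_user_settings();

    if (in_array($this->modulename, $this->registered_modules_no_auth, TRUE) && $this->modulename !== 'login') {
        define('MENUAUTH', 'TRUE');
        return FALSE;
    }
    return $this->session_check();
}

/**
 * Finds the user whose hashed id equals the session's arc_id. The session
 * stores only the hash, so every user row is fetched and hashed in turn.
 *
 * @param mixed $arc_id value stored in the session
 * @return DB_DataObject|null the matching users row, NULL when none matches
 */
private function authenticate_find_session_user($arc_id)
{
    $users = DB_DataObject::factory('users');
    $users->find();
    while ($users->fetch()) {
        // Strict: a loose == would equate numeric-looking hashes ("1e3" == "1000").
        if ($this->arc_hash($users->id) === $arc_id) {
            return $users;
        }
    }
    return NULL;
}

/**
 * Runs the per-request checks on a resumed session: the decrypted colour
 * ($this->colour, set by the caller) must validate and, when enabled, client
 * IP and user agent must match the ones recorded at login.
 *
 * @param DB_DataObject $login_check the user's row
 * @param string        $arc_key     session master key
 * @return array array($sec_problem, $sec_problem_text): FALSE and '' when all
 *               checks pass, otherwise a short tag (or TRUE from the IP grace
 *               check) and the message to log/show
 */
private function authenticate_session_problem($login_check, $arc_key)
{
    $sec_problem = FALSE;
    $sec_problem_text = ''; // was left undefined for a colour problem, which raised a notice in user_log()

    if (!$this->validate_colour($this->colour)) {
        $sec_problem = 'Colour validate';
    }

    if ($this->ip_sec_check === TRUE && $login_check->lastip !== $this->arc_encrypt(UIP, $arc_key)) {
        logit("IP Changed. Last recognized IP: " . $this->arc_decrypt($login_check->lastip, $arc_key) . " ---> new IP: " . UIP);
        $sec_problem = 'IP Missmatch';
        $sec_problem_text = e('logged_out_ip_changed');
        if ($this->ipv6switchgraceactive) {
            list($sec_problem, $sec_problem_text) =
                $this->authenticate_ip_switch_grace($login_check, $arc_key, $sec_problem_text);
        }
    }

    if ($login_check->lastbrowser !== $this->arc_encrypt(UAGENT, $arc_key)) {
        $sec_problem = 'Browser Missmatch';
        $sec_problem_text = e('logged_out_browser_changed');
    }
    return array($sec_problem, $sec_problem_text);
}

/**
 * IPv4/IPv6 switch grace: a changed client IP is tolerated once per address
 * family (the new address is remembered in the session and written back to
 * the user row); a second change within the same family is a problem again.
 * An address that is neither v4 nor v6 clears the problem, as before.
 *
 * @param DB_DataObject $login_check      the user's row (updated when the IP is stored)
 * @param string        $arc_key          session master key
 * @param string        $sec_problem_text message prepared by the caller for the IP change
 * @return array array($sec_problem, $sec_problem_text), see authenticate_session_problem()
 */
private function authenticate_ip_switch_grace($login_check, $arc_key, $sec_problem_text)
{
    logit("IP Grace Active, Browser: " . UAGENT);
    $sec_problem = FALSE;
    $update_login_ip = FALSE;

    if (filter_var(UIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        $slot = 'lastip6';
    } elseif (filter_var(UIP, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $slot = 'lastip4';
    } else {
        $slot = NULL;
    }

    if ($slot !== NULL) {
        if (!$this->session_exists($slot)) {
            logit("OK, IP4/IP6 Switch, storing new IP");
            $this->session_set($slot, UIP);
            $update_login_ip = TRUE;
        } elseif ($this->session_get($slot) !== UIP) {
            // The old code appended lastip4 even in the IPv6 branch; report the address of the family that changed.
            $sec_problem_text .= ' ' . $this->session_get($slot) . '->' . UIP;
            $sec_problem = TRUE;
        }
    }

    if ($update_login_ip) {
        $login_check->lastip = $this->arc_encrypt(UIP, $arc_key);
        $login_check->update();
    }
    return array($sec_problem, $sec_problem_text);
}

/**
 * Publishes the logged-in user's display preferences as constants for the
 * views (EXPAND_MEMOS, HIDE_DESC, HIDE_COMMENT, LANG). No-op without a settings row.
 */
private function authenticate_define_user_settings()
{
    $settings = DB_DataObject::factory('settings');
    $settings->id_users = $this->id;
    if (!$settings->find(TRUE)) {
        return;
    }
    if ($this->arc_decrypt_output($settings->expand_memos) === "yes") {
        define('EXPAND_MEMOS', TRUE);
    }
    if ($this->arc_decrypt_output($settings->hide_desc) === 'yes') {
        define('HIDE_DESC', TRUE);
    }
    if ($this->arc_decrypt_output($settings->hide_comment) === 'yes') {
        define('HIDE_COMMENT', TRUE);
    }
    $lang = $this->arc_decrypt_output($settings->lang);
    if (in_array($lang, $this->arc_langs, TRUE)) {
        define('LANG', $lang);
    }
}

/**
 * register?action=doit: validates the registration form and creates the user.
 * Every outcome ends the request with die(): '1' on success, otherwise the
 * translated error ('2' or a retry message for a wrong captcha).
 */
private function authenticate_register()
{
    $this->useview = FALSE;
    $this->request = array_merge($_POST, $_GET);

    $inv = NULL;
    if ($this->inv_mode) {
        $inv = $this->authenticate_register_invitation();
    }

    $required = array('username', 'colour', 'captcha', 'password_1', 'password_2', 'captchacount');
    foreach ($required as $field) {
        if (!isset($this->request[$field])) {
            die(e('fields_missing'));
        }
    }

    if (!$this->authenticate_register_captcha_ok()) {
        $ret = '2';
        $tries_left = $this->jail('jail');
        if ($tries_left < 5) {
            $ret = e('retry_it') . ' ' . e('tries_left', array($tries_left), array(1));
        }
        die($ret);
    }
    // Strict comparisons: the former == let "1e1" and "10" pass as matching passwords.
    if ($this->request['password_1'] !== $this->request['password_2']) {
        die(e('passwords_not_match'));
    }
    if ($this->request['username'] === '' || $this->request['colour'] === '') {
        die(e('fields_missing'));
    }
    if (!$this->validate_colour($this->request['colour'])) {
        die(e('colour_incorrect'));
    }

    $username = $this->request['username'];
    $password = $this->request['password_1'];

    $new = DB_DataObject::factory('users');
    $new->login    = $this->arc_encrypt($this->arc_hash($username), $this->arc_hash($password));
    $new->password = $this->arc_encrypt($this->arc_hash($password), $this->arc_hash($username));
    if ($new->find() !== 0) {
        logit("Register: User [" . $this->request['username'] . "] and PW already in Database! ");
        die(e('account_already_present'));
    }

    $new->colour      = $this->arc_encrypt($this->request['colour'], $this->arc_gen_master($this->request['password_1']));
    $new->lastupdated = $this->arc_encrypt(TIME, $this->arc_gen_master($this->request['password_1']));
    $new->cryptv      = $this->arcanum_cryptv;
    $id = $new->insert();
    logit("User " . $id . " successfully registered from " . UIP);
    $this->jail('dejail');

    if ($inv !== NULL) {
        $inv->id_active = $id;
        $inv->update();
    }
    die('1');
}

/**
 * Invitation mode: loads the invitation named by inv_hash and refuses the
 * registration (die()) when it is unknown or already used.
 *
 * @return DB_DataObject the unused invitation row
 */
private function authenticate_register_invitation()
{
    $hash = isset($this->request['inv_hash']) && is_string($this->request['inv_hash']) ? $this->request['inv_hash'] : '';
    $inv = DB_DataObject::factory('invitations');
    // An absent hash is kept as '' rather than NULL: a NULL property is not part of
    // DB_DataObject's WHERE clause and the lookup would match an arbitrary row — TODO confirm
    // against the DataObject version in use.
    $inv->id_invhash = $hash;
    if (!$inv->find(TRUE)) {
        die(e('inv_id_not_valid'));
    }
    if ($inv->id_active != 0) {
        die(e('inv_id_already_used'));
    }
    return $inv;
}

/**
 * Captcha rule of the registration form: invitation-only mode needs no
 * captcha; otherwise the typed value must equal captchavalue() for the
 * submitted captchacount (case-insensitive) and inv_mode must be FALSE.
 *
 * @return bool
 */
private function authenticate_register_captcha_ok()
{
    if ($this->inv_mode === TRUE) {
        return TRUE;
    }
    $given    = strtolower(trim(trim($this->request['captcha']), "\r\n"));
    $expected = strtolower(captchavalue($this->request['captchacount']));
    // Strict: a loose == would accept "7" for a captcha of "007".
    return $given === $expected && $this->inv_mode === FALSE;
}

/**
 * forgot?action=...: two-step password hint retrieval. Without an answer the
 * user's security question is returned; with the right answer the hint is
 * decrypted and returned. Every outcome ends the request with die().
 */
private function authenticate_forgot()
{
    if (!$this->forgot_active) {
        die(e('forgot_is_inactive'));
    }
    $this->useview = $this->setlayout = FALSE;

    $username = $_POST['username'];
    $answer   = isset($_POST['answer']) && is_string($_POST['answer']) ? $_POST['answer'] : '';

    $forgot = DB_DataObject::factory('forgot');
    $forgot->active = 'yes';
    $forgot->username = $this->arc_encrypt($username, $username);
    if (!$forgot->find(TRUE)) {
        $this->authenticate_forgot_refuse(e('forgot_std_no_user_msg'));
    }

    if ($answer === '') {
        // Step 1: hand out the question, but only if the stored username decrypts with the given one.
        if ($this->arc_decrypt($forgot->username, $username) !== $username) {
            header('Status: 403 Forbidden');
            die(e('forgot_std_no_user_msg'));
        }
        die($this->arc_decrypt($forgot->question, $username));
    }

    // Step 2: strict comparison of the answer (the former == was loose on numeric strings).
    if ($answer !== $this->arc_decrypt($forgot->answer, $username)) {
        $this->authenticate_forgot_refuse(e('forgot_std_wrong_answer'));
    }
    $hint = $forgot->hint;
    $forgot->lastreq = $this->arc_encrypt(TIME, $username);
    $forgot->lastreq_ip = $this->arc_encrypt(UIP, $username);
    $forgot->update();
    logit('Passwordhint for user ' . $forgot->id_users . ' was successfully decrypted!');
    die($this->arc_decrypt($hint, $answer));
}

/**
 * Refuses a forgot request: counts the attempt (jail), appends the tries left
 * while they are 5 or fewer, and dies with a 403.
 *
 * @param string $message translated message to prepend to the retry text
 */
private function authenticate_forgot_refuse($message)
{
    $ret = e('retry_it');
    $tries_left = $this->jail('jail');
    if ($tries_left <= 5) {
        $ret .= ' ' . e('tries_left', array($tries_left), array(1));
    }
    // NOTE(review): a "Status:" header only sets the response code under CGI-style
    // SAPIs; verify for the SAPI in use (http_response_code(403) would be portable).
    header('Status: 403 Forbidden');
    die($message . $ret);
}

/**
 * register?module=inv_hash_check: looks up the invitation for ?code.
 */
private function authenticate_inv_hash_check()
{
    $code = isset($_GET['code']) && is_string($_GET['code']) ? $_GET['code'] : '';
    $inv = DB_DataObject::factory('invitations');
    // NOTE(review): the register flow sets $inv->id_invhash while this check sets
    // id_inv_hash — one of the two column names is probably wrong; verify against
    // the invitations table. Also, if find() returns a row count, die() with an
    // int sets the exit status without printing anything — verify what the client expects.
    $inv->id_inv_hash = $code;
    die($inv->find());
}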
<?php $fontFile = $this->captchattf; $backGround = $this->captchabg; $text = isset($_GET['action']) ? captchavalue($_GET['action']) : captchavalue(); $backgroundSizeX = 2000; $backgroundSizeY = 350; $sizeX = 200; $sizeY = 50; $textLength = strlen($text); // generate random security values $backgroundOffsetX = rand(0, $backgroundSizeX - $sizeX - 1); $backgroundOffsetY = rand(0, $backgroundSizeY - $sizeY - 1); $angle = rand(-5, 5); $fontColorR = rand(0, 127); $fontColorG = rand(0, 127); $fontColorB = rand(0, 127); $fontSize = rand(30, 40); $textX = rand(0, (int) ($sizeX - 0.9 * $textLength * ($fontSize - 10))); // these coefficients are empiric $textY = rand((int) (1.25 * $fontSize), (int) ($sizeY - 0.2 * $fontSize)); // don't try to learn how they were taken out $gdInfoArray = gd_info(); if (!$gdInfoArray['PNG Support']) { return IMAGE_ERROR_GD_TYPE_NOT_SUPPORTED; } // create image with background $src_im = imagecreatefrompng($backGround); if (function_exists('imagecreatetruecolor')) { // this is more qualitative function, but it doesn't exist in old GD $dst_im = imagecreatetruecolor($sizeX, $sizeY);