Exemplo n.º 1
0
function mystery_log_violation($code, $message = '')
{
    // This function process a serious error/violation
    global $_MYSTERY;
    $types['Red'] = 'Spoofed User';
    $types['Orange'] = 'Spoofed File';
    $types['Yellow'] = 'Spoofed Action';
    $types['Green'] = 'Illegal Query';
    $types['Blue'] = 'Virus Upload';
    $types['Purple'] = 'Spoofed Table';
    $types['Brown'] = 'Illegal Many To Many Addition';
    ob_start();
    echo "SERVER: ";
    print_r($_SERVER);
    echo "SESSION: ";
    print_r($_SESSION);
    echo "REQUEST: ";
    print_r($_REQUEST);
    $context = ob_get_contents();
    ob_end_clean();
    $table = $_MYSTERY['table_prefix'] . 'security_log';
    $data['exception_type'] = $types[$code] . ' - ' . $message;
    $data['exception_code'] = $code;
    $data['user_id'] = $_SESSION['user_id'];
    $data['user_ip_address'] = $_SERVER['REMOTE_ADDR'];
    $data['user_action'] = $_REQUEST['action'];
    $data['user_time'] = date('Y-m-d h:i:s');
    $data['user_request'] = $_SERVER['REQUEST_URI'];
    $data['user_variables'] = $context;
    $log_id = mystery_insert_query($table, $data, 'record_id');
    // Prepare error string
    $error_parts = array();
    while (list($key, $value) = each($data)) {
        $error_parts[] .= ucwords(str_replace('_', ' ', $key)) . ': ' . $value;
    }
    $error_string = implode("\n", $error_parts) . "\n\n";
    mystery_log_error_to_file('security_log', $error_string);
    // make them wait a couple seconds so they won't automate the attack
    sleep(2);
    mystery_header();
    echo '
	<h1>Access Denied</h1>

	<p>Sorry, but the account you arelogged in as cannot perform the requested action. (<em>Code: ', $code, '</em>)</p>
	';
    mystery_display_admin_contact_info();
    if ($code == 'Blue') {
        echo '<p>The file you tried to upload is infected with a <strong>virus</strong>.
		Please <strong>disinfect the file</strong> and try again.</p>
		<p><code>', $_MYSTERY['virus_feedback'], '</code></p>';
    }
    mystery_footer();
}
Exemplo n.º 2
0
function mystery_session_write($id, $mystery_session_data)
{
    global $_MYSTERY;
    $table = $_MYSTERY['table_prefix'] . 'sessions';
    $query = 'DELETE FROM ' . $table . ' WHERE session_key = ?';
    $params = array($id);
    mystery_delete_query($query, $params);
    $pk = 'session_id';
    $data['session_key'] = $id;
    $data['session_timestamp'] = date('YmdHis');
    $data['session_data'] = $mystery_session_data;
    mystery_insert_query($table, $data, $pk);
    return true;
}
Exemplo n.º 3
0
 if ($diy_id == '') {
     mystery_redirect('/course/');
 }
 if (isset($_PORTAL['params']['process'])) {
     $query = 'DELETE FROM portal_comments_ratings WHERE comment_diy_identifier = ? AND comment_author = ?';
     $params = array($diy_id, $_SESSION['portal']['member_id']);
     $status = mystery_delete_query($query, $params, 'portal_dbh');
     if (!isset($_REQUEST['comment_delete'])) {
         $data = array();
         $data['comment_author'] = $_SESSION['portal']['member_id'];
         $data['comment_diy_identifier'] = $diy_id;
         $data['comment_title'] = $_REQUEST['comment_title'];
         $data['comment_body'] = $_REQUEST['comment_body'];
         //$data['comment_rating'] = $_REQUEST['comment_rating'];
         $data['creation_date'] = date('Y-m-d H:i:s');
         $comment_id = mystery_insert_query('portal_comments_ratings', $data, 'comment_id', 'portal_dbh');
         echo '<p style="color: #009900;"><em>Comment saved!</em></p>';
     } else {
         echo '<p style="color: #009900;"><em>Comment deleted!</em></p>';
     }
 }
 $activity_info = portal_get_activity_info_from_diy_id($diy_id);
 $page_title = $activity_info['activity_name'] . ' by ' . $activity_info['activity_author'];
 $comments = portal_get_activity_comments($diy_id);
 $average_rating = portal_lookup_activity_rating($diy_id);
 $my_comments = portal_get_member_activity_comments($diy_id, $_SESSION['portal']['member_id']);
 if (count($my_comments) > 0) {
     $add_edit_word = 'Edit';
     $delete_checkbox = '<input type="checkbox" name="comment_delete" id="comment-delete" value="yes"> Delete this comment?';
 } else {
     $add_edit_word = 'Add';
Exemplo n.º 4
0
if (isset($_PORTAL['params']['process'])) {
    $data = array();
    $data['class_name'] = $_REQUEST['class_name'];
    $data['class_teacher'] = $_SESSION['portal']['member_id'];
    //mystery_print_r($_REQUEST, $_PORTAL, $data); exit;
    // check the class word
    $class_word_in_use = 'no';
    $class_using_word = portal_check_class_word($_REQUEST['class_word']);
    if ($class_using_word != $id_param && $class_using_word != false) {
        $class_word_in_use = 'yes';
    }
    if ($_REQUEST['class_word'] != '' && $class_word_in_use == 'no') {
        if ($_PORTAL['activity'] == 'add' || $_PORTAL['activity'] == 'copy') {
            $data['creation_date'] = date('Y-m-d H:i:s');
            $data['class_uuid'] = portal_generate_uuid();
            $class_id = mystery_insert_query('portal_classes', $data, 'class_id', 'portal_dbh');
            $class_info['activities'] = array();
            $class_info['diy_activities'] = array();
        } else {
            $class_id = $id_param;
            $status = mystery_update_query('portal_classes', $data, 'class_id', $class_id, 'portal_dbh');
        }
        // update class word with the actual class word
        portal_set_class_word($class_id, $_REQUEST['class_word']);
        // add the standard activities here
        $new_activities = @$_REQUEST['activities'];
        if ($new_activities == '') {
            $new_activities = array();
        }
        $old_activities = @$class_info['activities'];
        if ($old_activities == '') {
Exemplo n.º 5
0
function mystery_error_handler($type, $message, $file, $line, $context)
{
    // This function replaces the built in PHP error handler
    global $_MYSTERY;
    // Check to see if this error was prepended with @
    if (error_reporting() == 0) {
        return;
    }
    $nice_types[E_NOTICE] = 'PHP Notice';
    $nice_types[E_USER_NOTICE] = 'Application Notice';
    $nice_types[E_WARNING] = 'PHP Warning';
    $nice_types[E_USER_WARNING] = 'Application Warning';
    $nice_types[E_USER_ERROR] = 'Application Fatal Error';
    if (defined('E_STRICT')) {
        $nice_types[E_STRICT] = 'PHP Code Needs Update';
    }
    if (defined('E_RECOVERABLE_ERROR')) {
        $nice_types[E_RECOVERABLE_ERROR] = 'Recoverable Application Error';
    }
    $now = date('Y-m-d h:i:s');
    $error_parts = array();
    $error_parts[] = 'Date: ' . $now;
    $error_parts[] = 'Type: ' . $nice_types[$type];
    $error_parts[] = 'Message: ' . $message;
    $error_parts[] = 'File: ' . $file;
    $error_parts[] = 'Line: ' . $line;
    $error_string = implode("\n", $error_parts) . "\n\n";
    if (!defined('E_STRICT') || $type != E_STRICT) {
        mystery_log_error_to_file('error_log', $error_string);
    }
    $table = $_MYSTERY['table_prefix'] . 'error_log';
    $data = array();
    $data['error_type'] = $nice_types[$type];
    $data['error_message'] = $message;
    $data['error_file'] = $file;
    $data['error_line'] = $line;
    $data['error_date'] = $now;
    if (!defined('E_STRICT') || $type != E_STRICT) {
        $this_error = mystery_insert_query($table, $data, 'error_id');
    }
    switch ($type) {
        case E_NOTICE:
        case E_USER_NOTICE:
            if (@$_SESSION['is_administrator'] == 'yes') {
                echo '<p style="background-color: #CEFFB5;">Notice: ', nl2br($error_string), '</p>';
            }
            break;
        case E_WARNING:
        case E_USER_WARNING:
            if (@$_SESSION['is_administrator'] == 'yes') {
                echo '<p style="background-color: #FCFFB5;">Warning: ', nl2br($error_string), '</p>';
            }
            break;
        case E_USER_ERROR:
            //mystery_header();
            if (@$_SESSION['is_administrator'] == 'yes') {
                echo '<p style="background-color: #FFB5B5;">Fatal Error: ', nl2br($error_string), '</p>';
                // The following outputs way too much data. Uncomment if you must.
                // echo '<pre style="background-color: #FFB5B5;">' . print_r($context) . '</pre>';
            } else {
                echo '
				<h1>An Unexpected Error Occurred</h1>
				<p>We regret than an unexpected error has occurred.  The error has been logged
				and the administrator of the system will look into it as soon as possible.</p>
				';
                mystery_display_admin_contact_info();
            }
            //mystery_footer();
            exit;
            break;
    }
}
Exemplo n.º 6
0
function portal_subscribe_class_to_diy_activities($class_id, $old_activities, $new_activities)
{
    global $_PORTAL;
    //mystery_print_r($old_activities); mystery_print_r($new_activities); exit;
    $to_add = array_values(array_diff($new_activities, $old_activities));
    $to_delete = array_values(array_diff($old_activities, $new_activities));
    //mystery_print_r($to_add); mystery_print_r($to_delete); exit;
    // first delete the old ones
    if (count($to_delete) > 0) {
        $query = 'DELETE FROM portal_class_diy_activities WHERE class_id = ? AND project_id = ? AND diy_activity_id IN (' . implode(',', $to_delete) . ')';
        $params = array($class_id, $_PORTAL['project_info']['project_id']);
        $status = mystery_delete_query($query, $params, 'portal_dbh');
    }
    // now add the new ones
    for ($i = 0; $i < count($to_add); $i++) {
        $data = array();
        $data['class_id'] = $class_id;
        $data['diy_activity_id'] = $to_add[$i];
        $data['project_id'] = $_PORTAL['project_info']['project_id'];
        $id = mystery_insert_query('portal_class_diy_activities', $data, 'class_diy_activity_id', 'portal_dbh');
    }
}
Exemplo n.º 7
0
        break;
        // STEP 4 - Ad a member for the teacher
    // STEP 4 - Ad a member for the teacher
    case 'info':
        if (!isset($_REQUEST['school_id'])) {
            $data = array();
            $data['school_name'] = $_REQUEST['school_name'];
            $data['school_district'] = $_REQUEST['district_id'];
            $data['school_department'] = $_REQUEST['school_department'];
            $data['school_address_1'] = $_REQUEST['school_address_1'];
            $data['school_address_2'] = $_REQUEST['school_address_2'];
            $data['school_city'] = $_REQUEST['school_city'];
            $data['school_state'] = $_REQUEST['school_state'];
            $data['school_zip'] = $_REQUEST['school_zip'];
            $data['school_country'] = $_REQUEST['school_country'];
            $_REQUEST['school_id'] = mystery_insert_query('portal_schools', $data, 'school_id', 'portal_dbh');
            $_SESSION['school_created'] = 'yes';
        }
        // show the teacher info form
        echo '
		<form action="/signup/teacher/process/" method="post">
		
		<h1>Teacher Registration — Step 4 — Your Info</h1>
		
		<p><strong>First Name</strong> <br><input type="text" name="first_name" id="first-name" value="" size="35"></p>
	
		<p><strong>Last Name</strong> <br><input type="text" name="last_name" id="last-name" value="" size="35"></p>
		
		<p><strong>Email</strong> <br><input type="text" name="email" id="email" value="" size="35"></p>
	
		<p><strong>Password</strong> <br><input type="text" name="password" id="password" value="" size="35"> <span class="form-field-info"><strong>Warning:</strong> this field will display your password<br><strong>Note:</strong> your password must be between 4 and 40 characters long</span></p>
Exemplo n.º 8
0
function mystery_auth($username, $password)
{
    // This is the general wrapper function for mystery authentication
    // It takes a username and password and attempts to authenticate
    // to the mystery_users table.
    //
    // If successful, it sets $_SESSION
    // variables for username, full name, and last name
    // and returns true;
    //
    // If it fails, it tries any of the configured external
    // authentication sources.  If those are successful, it
    // checks for extant mystery records for that user, creating
    // them if they don't exist.  If they fail it continues to the
    // next source until exhausted.
    //
    // After all else fails, if the user still can't be authenticated
    // the function takes a brief pause then returns false
    global $_MYSTERY;
    // Don't authenticate if user is logged in
    if (@$_SESSION['is_logged_in'] == 'yes') {
        return true;
    }
    // Try internal Mystery authentication first
    $user_info = mystery_internal_auth($username, $password);
    if (count($user_info) == 0) {
        if (isset($_MYSTERY['external_auth_functions'])) {
            // some external authentication functions are set, so include the custom auth file
            include 'custom/authentication.php';
            // loop through the custom function until one hopefully works
            for ($i = 0; $i < count($_MYSTERY['external_auth_functions']); $i++) {
                // call each function with the username and password parameters
                // if we get back a non-zero array, stop checking
                $user_info = call_user_func($_MYSTERY['external_auth_functions'][$i], $username, $password);
                if (count($user_info) > 0) {
                    break;
                }
            }
        }
    }
    if (count($user_info) == 0) {
        // the authentication was not successful
        //sleep(2);
        return false;
    } else {
        // set the user's session information
        $_SESSION['user_username'] = $username;
        $_SESSION['user_first_name'] = $user_info['user_first_name'];
        $_SESSION['user_last_name'] = $user_info['user_last_name'];
        $_SESSION['user_email'] = $user_info['user_email'];
        // check that the user is in Mystery.  If not, add them.  If so, get their id.
        $query = 'SELECT * FROM ' . $_MYSTERY['table_prefix'] . 'users WHERE user_username = ? OR user_email = ?';
        $params = array($_SESSION['user_username'], $_SESSION['user_username']);
        $results = mystery_select_query($query, $params);
        if (count($results) > 0) {
            // user exists, set the session user_id variable
            $_SESSION['user_id'] = $results[0]['user_id'];
        } else {
            // user doesn't exist.  Add them
            $table = $_MYSTERY['table_prefix'] . 'users';
            $now = date('Y-m-d h:i:s');
            $data['user_username'] = $user_info['user_username'];
            $data['user_first_name'] = $user_info['user_first_name'];
            $data['user_last_name'] = $user_info['user_last_name'];
            $data['user_email'] = $user_info['user_email'];
            $data['user_record_updated'] = $now;
            $data['user_creation_date'] = $now;
            $_SESSION['user_id'] = mystery_insert_query($table, $data, 'user_id');
            // add the user to the default groups
            if ($_MYSTERY['default_user_groups'] != '') {
                // remove whitespace and split on the commas
                $groups = explode(',', preg_replace('~\\s~', '', $_MYSTERY['default_user_groups']));
                $table = $_MYSTERY['table_prefix'] . 'users_groups';
                for ($i = 0; $i < count($groups); $i++) {
                    // for each group, add a record for the user
                    // NOTE: there should be a mystery function that better uses the prepared
                    // statements to insert multiple values, but I'm not sure how that works
                    // with sequences
                    $data = array();
                    $data['user_id'] = $_SESSION['user_id'];
                    $data['group_id'] = $groups[$i];
                    $ugid = mystery_insert_query($table, $data, 'ug_id');
                }
            }
        }
        // get the users groups and permissions
        $query = 'SELECT group_id FROM ' . $_MYSTERY['table_prefix'] . 'users_groups WHERE user_id = ?';
        $params = array($_SESSION['user_id']);
        $user_groups = mystery_select_query($query, $params);
        for ($i = 0; $i < count($user_groups); $i++) {
            $_SESSION['user_groups'][] = $user_groups[$i]['group_id'];
            if ($user_groups[$i]['group_id'] == '1') {
                // user is in the admin group
                $_SESSION['is_administrator'] = 'yes';
            }
        }
        // set final session varialbes
        $_SESSION['is_logged_in'] = 'yes';
        return true;
    }
}