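/**
 * Early ("prepare") stage Protector hook.
 *
 * Opens its own mysql_* connection to read the module configuration before the
 * core database layer exists, then applies the request-sanitising checks:
 * forcing *id parameters to integers, stripping '..' from file-like values,
 * rejecting uploads with bad extensions and detecting contaminated system
 * globals. Addresses matching a "reliable IP" pattern skip the last two.
 *
 * Side effects: may rewrite the stored 'passwd_disabling_bip' config value,
 * may empty $_GET/$_POST, and may log and purge the request via Protector.
 *
 * @return bool|null true when Protector is globally disabled; no value otherwise
 */
function protector_prepare()
{
    // Preferences (for performance, I dare to use an irregular method)
    // NOTE(review): the mysql_* extension only exists on PHP 5; it was removed in PHP 7.
    $conn = @mysql_connect(XOOPS_DB_HOST, XOOPS_DB_USER, XOOPS_DB_PASS);
    mysql_select_db(XOOPS_DB_NAME, $conn);
    // Protector class
    require_once XOOPS_ROOT_PATH . '/modules/protector/class/protector.php';
    $protector = Protector::getInstance($conn);
    $conf = $protector->getConf();
    // petit-encrypt password for disabling bad_ips
    // I know this method is not a good way :-)
    // A stored value starting with '*=*' is already hashed; otherwise the plaintext
    // is replaced by '*=*' . md5(password . DB prefix). md5 with the prefix as the
    // only salt is weak, but stored values must keep this shape to be recognised.
    // The hash is hex-only, so addslashes() is enough for this fixed-shape statement.
    if (substr($conf['passwd_disabling_bip'], 0, 3) != '*=*') {
        $encrypted_password4sql = addslashes('*=*' . md5($conf['passwd_disabling_bip'] . XOOPS_DB_PREFIX));
        mysql_query("UPDATE " . XOOPS_DB_PREFIX . "_config SET conf_value='{$encrypted_password4sql}' WHERE conf_title='_MI_PROTECTOR_PASSWD_BIP' AND conf_name='passwd_disabling_bip'", $conn);
    }
    // global enabled or disabled
    if (!empty($conf['global_disabled'])) {
        return true;
    }
    // reliable ips: each entry is a regex fragment (wrapped in '/' delimiters, so it
    // must not contain an unescaped '/') matched against REMOTE_ADDR. A config value
    // that does not unserialize to an array must not reach the foreach.
    $reliable_ips = unserialize($conf['reliable_ips']);
    if (!is_array($reliable_ips)) {
        $reliable_ips = array();
    }
    $is_reliable = false;
    foreach ($reliable_ips as $reliable_ip) {
        if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
            $is_reliable = true;
            break;
        }
    }
    // force intval variables whose name is *id
    if (!empty($conf['id_forceintval'])) {
        $protector->intval_allrequestsendid();
    }
    // eliminate '..' from requests looks like file specifications
    if (!$is_reliable && !empty($conf['file_dotdot'])) {
        $protector->eliminate_dotdot();
    }
    // Check uploaded files (skipped for reliable IPs or when PROTECTOR_SKIP_FILESCHECKER is defined)
    if (!$is_reliable && !empty($_FILES) && !empty($conf['die_badext']) && !defined('PROTECTOR_SKIP_FILESCHECKER') && !$protector->check_uploaded_files()) {
        $protector->output_log($protector->last_error_type);
        $protector->purge();
    }
    // Variables contamination. contami_action bits: 4 = flag the address for
    // banning and drop $_GET/$_POST, 2 = purge the request. Always logged.
    if (!$protector->check_contami_systemglobals()) {
        if ($conf['contami_action'] & 4) {
            $protector->_should_be_banned = true;
            $_GET = $_POST = array();
        }
        $protector->output_log($protector->last_error_type);
        if ($conf['contami_action'] & 2) {
            $protector->purge();
        }
    }
    // prepare for DoS
    //if( ! $protector->check_dos_attack_prepare() ) {
    //	$protector->output_log( $protector->last_error_type , 0 , true ) ;
    //}
    if (!empty($conf['patch_2092'])) {
        $protector->patch_2092();
    }
}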
 /**
  * Callback for a detected SQL injection attempt (presumably raised by the
  * DB-layer trap): records the offending statement in the Protector log and
  * aborts the request.
  *
  * @param string $sql the statement that tripped the check; it is appended to
  *                    the log message verbatim, so it must be escaped wherever
  *                    the log is displayed
  * @return void never returns; ends with die()
  */
 function injectionFound($sql)
 {
     $protector = Protector::getInstance();
     $protector->message .= $sql;
     $protector->last_error_type = 'SQL Injection';
     $protector->output_log($protector->last_error_type);
     die('SQL Injection found');
 }
 /**
  * Filter action for a request from an address on the bad-IP list: prints the
  * ban notice (plus the jail expiry when one is recorded) and ends the request.
  *
  * @return void never returns; exits after output
  */
 function execute()
 {
     echo _MD_PROTECTOR_YOUAREBADIP;
     $jailedUntil = Protector::getInstance()->ip_matched_info;
     if ($jailedUntil) {
         // presumably a unix timestamp: it is handed straight to date()
         printf(_MD_PROTECTOR_FMT_JAILINFO, date(_MD_PROTECTOR_FMT_JAILTIME, $jailedUntil));
     }
     exit;
 }
 /**
  * Filter action for a request from an address on the bad-IP list: prints the
  * ban notice (plus the jail expiry when one is recorded), writes a line to the
  * PHP error log and ends the request.
  *
  * @return void never returns; exits after output
  */
 function execute()
 {
     echo _MD_PROTECTOR_YOUAREBADIP;
     $protector = Protector::getInstance();
     $jailedUntil = $protector->ip_matched_info;
     if ($jailedUntil) {
         // presumably a unix timestamp: it is handed straight to date()
         printf(_MD_PROTECTOR_FMT_JAILINFO, date(_MD_PROTECTOR_FMT_JAILTIME, $jailedUntil));
     }
     // REMOTE_ADDR may be absent (CLI); log an empty address rather than notice
     $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
     error_log('Protector: badip ' . $remoteAddr, 0);
     exit;
 }
 /**
  * Preload hook run when the core creates its database connection (presumably
  * the core.class.database.databasefactory.connection event). Enables the
  * DB-layer trap when configured -- unconditionally on the Protector advisory
  * page -- and swaps in an alternative DB class when XOOPS_DB_ALTERNATIVE
  * names an existing class.
  *
  * @static
  *
  * @param array $args event arguments; $args[0] is overwritten with the
  *                    alternative class name. The array arrives by value, so
  *                    this only reaches the caller if element 0 is a reference
  *                    -- confirm against the event dispatcher.
  */
 static function eventCoreClassDatabaseDatabasefactoryConnection($args)
 {
     require_once dirname(__DIR__) . '/class/protector.php';
     $protector = Protector::getInstance();
     $conf = $protector->getConf();
     // "DB Layer Trapper": the advisory page forces it on regardless of config
     $onAdvisoryPage = strstr(@$_SERVER['REQUEST_URI'], 'protector/admin/index.php?page=advisory');
     $force_override = (bool) $onAdvisoryPage;
     $trapEnabled = $force_override || !empty($conf['enable_dblayertrap']);
     if ($trapEnabled) {
         // '@' only hides the "already defined" notice when the hook runs twice
         @define('PROTECTOR_ENABLED_ANTI_SQL_INJECTION', 1);
         $protector->dblayertrap_init($force_override);
     }
     // class_exists() may trigger the autoloader for the named class
     if (defined('XOOPS_DB_ALTERNATIVE') && class_exists(XOOPS_DB_ALTERNATIVE)) {
         $args[0] = XOOPS_DB_ALTERNATIVE;
     }
 }
 /**
  * Builds the bad-IP / group1-IP maintenance form: two textareas backed by
  * files, a GTicket, the hidden 'update_ips' action and a submit button.
  * The form posts to center.php.
  *
  * @param string $bad_ips4disp    initial contents of the 'bad_ips' textarea
  * @param string $group1_ips4disp initial contents of the 'group1_ips' textarea
  * @return void
  */
 public function getPrefIp($bad_ips4disp, $group1_ips4disp)
 {
     global $xoopsDB;
     $protector = Protector::getInstance($xoopsDB->conn);
     require_once dirname(__DIR__) . '/gtickets.php';
     // The parent form is (re)initialised here rather than in a constructor
     parent::__construct('', "form_prefip", "center.php", 'post', true);

     // Each textarea shows the path of its backing file as description;
     // htmlspecialchars() keeps the path safe in HTML text context.
     $badIpsArea = new Xoops\Form\TextArea(_AM_TH_BADIPS, 'bad_ips', $bad_ips4disp, 3, 90);
     $badIpsPath = $protector->get_filepath4badips();
     $badIpsArea->setDescription('<br />' . htmlspecialchars($badIpsPath));
     $badIpsArea->setClass('span3');
     $this->addElement($badIpsArea);

     $group1Area = new Xoops\Form\TextArea(_AM_TH_GROUP1IPS, 'group1_ips', $group1_ips4disp, 3, 90);
     $group1Path = $protector->get_filepath4group1ips();
     $group1Area->setDescription('<br />' . htmlspecialchars($group1Path));
     $group1Area->setClass('span3');
     $this->addElement($group1Area);

     // CSRF protection: ticket valid for 1800 seconds in the 'protector_admin' area
     $formTicket = new xoopsGTicket();
     $this->addElement(new Xoops\Form\Hidden("action", "update_ips"));
     $ticketElement = $formTicket->getTicketXoopsForm(__LINE__, 1800, 'protector_admin');
     $this->addElement($ticketElement);
     $this->addElement(new Xoops\Form\Button('', "submit_prefip", XoopsLocale::A_SUBMIT, "submit"));
 }
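require_once dirname(dirname(__FILE__)) . '/class/gtickets.php';
// dirty trick to get navigation working with system menus
if (isset($_GET['num'])) {
    $_SERVER['REQUEST_URI'] = 'admin/center.php?page=center';
}
$myts = MyTextSanitizer::getInstance();
$db = XoopsDatabaseFactory::getDatabaseConnection();
// GET vars: paging offset and page size. Clamped so a negative query value
// can never reach the LIMIT clause these are presumably used in (a negative
// offset/count is invalid SQL).
$pos = empty($_GET['pos']) ? 0 : max(0, intval($_GET['pos']));
$num = empty($_GET['num']) ? 20 : max(1, intval($_GET['num']));
// Table Name ($mydirname is expected to be set by the including script)
$log_table = $db->prefix($mydirname . "_log");
// Protector object, bound to the connection fetched above (no second lookup)
require_once dirname(dirname(__FILE__)) . '/class/protector.php';
$protector = Protector::getInstance($db->conn);
$conf = $protector->getConf();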
//
// transaction stage
//
if (!empty($_POST['action'])) {
    // Ticket check
    if (!$xoopsGTicket->check(true, 'protector_admin')) {
        redirect_header(XOOPS_URL . '/', 3, $xoopsGTicket->getErrors());
    }
    if ($_POST['action'] == 'update_ips') {
        $error_msg = '';
        $lines = empty($_POST['bad_ips']) ? array() : explode("\n", trim($_POST['bad_ips']));
        $bad_ips = array();
        foreach ($lines as $line) {
            @(list($bad_ip, $jailed_time) = explode(':', $line, 2));
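 /**
  * Reads the "group1 IPs" list (addresses from which group-1 accounts may be
  * used) from its serialized file.
  *
  * @param bool $with_info when true the list is flipped so the IPs become the
  *                        keys (the shape ip_match() appears to be fed with)
  * @return array empty when the file is missing, empty, or does not
  *               unserialize to an array
  */
 function get_group1_ips($with_info = false)
 {
     // Only the first line carries the payload. file() returns false for a
     // missing file and array() for an empty one; the isset() covers both
     // without the notice a list() assignment would emit on an empty array.
     $lines = @file(Protector::get_filepath4group1ips());
     $serialized = isset($lines[0]) ? $lines[0] : '';
     // The file is presumably written by the module's own admin page; the
     // result is still required to be a plain array before use.
     $group1_ips = empty($serialized) ? array() : @unserialize($serialized);
     if (!is_array($group1_ips)) {
         $group1_ips = array();
     }
     if ($with_info) {
         $group1_ips = array_flip($group1_ips);
     }
     return $group1_ips;
 }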
/**
 * Postcommon-stage Protector hook, run after the core has initialised
 * $xoopsUser and $xoopsModule.
 *
 * Returns true early when the module is not installed yet, globally disabled,
 * or the remote address matches a "reliable IP" pattern. Otherwise it applies
 * pending bans decided at precheck, runs the brute-force, DoS, session IP
 * change, SQL-injection and spam checks, and invokes the 'postcommon_*'
 * filter plugins. Each check may log, ban or purge the request according to
 * its configured action bits.
 *
 * @return bool|null true when the remaining checks were skipped; no value otherwise
 */
function protector_postcommon()
{
    global $xoopsUser, $xoopsModule;
    // patch for 2.2.x from xoops.org (I know this is not so beautiful...)
    // XOOPS_VERSION looks like 'XOOPS x.y.z', so offset 6..8 is 'x.y'; the
    // string/float comparison is relied on here.
    if (substr(@XOOPS_VERSION, 6, 3) > 2.0 && stristr(@$_SERVER['REQUEST_URI'], 'modules/system/admin.php?fct=preferences')) {
        $module_handler =& xoops_gethandler('module');
        $module =& $module_handler->get(intval(@$_GET['mod']));
        if (is_object($module)) {
            $module->getInfo();
        }
    }
    // configs writable check
    if (@$_SERVER['REQUEST_URI'] == '/admin.php' && !is_writable(dirname(dirname(__FILE__)) . '/configs')) {
        trigger_error('You should turn the directory ' . dirname(dirname(__FILE__)) . '/configs writable', E_USER_WARNING);
    }
    // Protector object
    require_once dirname(dirname(__FILE__)) . '/class/protector.php';
    $db =& Database::getInstance();
    $protector =& Protector::getInstance();
    $protector->setConn($db->conn);
    $protector->updateConfFromDb();
    $conf = $protector->getConf();
    // not installed yet (no configuration rows) -> nothing to enforce
    if (empty($conf)) {
        return true;
    }
    // not installed yet
    // phpmailer vulnerability
    // http://larholm.com/2007/06/11/phpmailer-0day-remote-execution/
    // Warns when a core version known to ship the vulnerable phpmailer is
    // configured for 'sendmail' and the shipped file still matches the known
    // vulnerable md5. Output only -- nothing is blocked.
    if (in_array(substr(XOOPS_VERSION, 0, 12), array('XOOPS 2.0.16', 'XOOPS 2.0.13', 'XOOPS 2.2.4'))) {
        $config_handler =& xoops_gethandler('config');
        $xoopsMailerConfig =& $config_handler->getConfigsByCat(XOOPS_CONF_MAILER);
        if ($xoopsMailerConfig['mailmethod'] == 'sendmail' && md5_file(XOOPS_ROOT_PATH . '/class/mail/phpmailer/class.phpmailer.php') == 'ee1c09a8e579631f0511972f929fe36a') {
            echo '<strong>phpmailer security hole! Change the preferences of mail from "sendmail" to another, or upgrade the core right now! (message by protector)</strong>';
        }
    }
    // global enabled or disabled
    if (!empty($conf['global_disabled'])) {
        return true;
    }
    // group1_ips (groupid=1): members of group 1 may only be used from the
    // listed addresses. The implode() is a cheap "any IP configured?" test.
    if (is_object($xoopsUser) && in_array(1, $xoopsUser->getGroups())) {
        $group1_ips = $protector->get_group1_ips(true);
        if (implode('', array_keys($group1_ips))) {
            $group1_allow = $protector->ip_match($group1_ips);
            if (empty($group1_allow)) {
                die('This account is disabled for your IP by Protector.<br />Clear cookie if you want to access this site as a guest.');
            }
        }
    }
    // reliable ips: each entry is a regex fragment (wrapped in '/') matched
    // against REMOTE_ADDR; a match skips every remaining check.
    $reliable_ips = @unserialize(@$conf['reliable_ips']);
    if (is_array($reliable_ips)) {
        foreach ($reliable_ips as $reliable_ip) {
            if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
                return true;
            }
        }
    }
    // user information (uid and can be banned)
    if (is_object(@$xoopsUser)) {
        $uid = $xoopsUser->getVar('uid');
        // Members of any group listed in bip_except are never banned.
        // NOTE(review): if bip_except does not unserialize to an array, '@' hides
        // the warning on PHP 5/7 but not the TypeError array_intersect() throws on
        // PHP 8 -- an is_array() guard would be safer; confirm the target version.
        $can_ban = count(@array_intersect($xoopsUser->getGroups(), @unserialize(@$conf['bip_except']))) ? false : true;
    } else {
        // login failed check: a form login (uname AND pass) OR an autologin
        // cookie pair -- '&&' binds tighter than '||'
        if (!empty($_POST['uname']) && !empty($_POST['pass']) || !empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass'])) {
            $protector->check_brute_force();
        }
        $uid = 0;
        $can_ban = true;
    }
    // If precheck has already judged that he should be banned:
    // _should_be_banned -> register without an expiry argument,
    // _should_be_banned_time0 -> register with expiry now + banip_time0
    if ($can_ban && $protector->_should_be_banned) {
        $protector->register_bad_ips();
    } else {
        if ($can_ban && $protector->_should_be_banned_time0) {
            $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
        }
    }
    // DOS/CRAWLER skipping based on 'dirname' or getcwd()
    // dos_skipmodules is a '|'-separated list; outside a module context the
    // current working directory is substring-matched against each entry.
    $dos_skipping = false;
    $skip_dirnames = explode('|', @$conf['dos_skipmodules']);
    if (!is_array($skip_dirnames)) {
        $skip_dirnames = array();
    }
    if (is_object(@$xoopsModule)) {
        if (in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) {
            $dos_skipping = true;
        }
    } else {
        foreach ($skip_dirnames as $skip_dirname) {
            if ($skip_dirname && strstr(getcwd(), $skip_dirname)) {
                $dos_skipping = true;
                break;
            }
        }
    }
    // module can controll DoS skipping
    if (defined('PROTECTOR_SKIP_DOS_CHECK')) {
        $dos_skipping = true;
    }
    // DoS Attack
    if (empty($dos_skipping) && !$protector->check_dos_attack($uid, $can_ban)) {
        $protector->output_log($protector->last_error_type, $uid, true, 16);
    }
    // check session hi-jacking
    // Both addresses are converted from dotted-quad to an integer by hand and
    // only the top session_fixed_topbit bits are compared, so a move within the
    // same prefix is tolerated. The '@' hides undefined-offset notices for
    // addresses with fewer than four dot-separated parts (e.g. IPv6), for which
    // the comparison is not meaningful -- TODO confirm whether IPv6 is expected.
    $ips = explode('.', @$_SESSION['protector_last_ip']);
    $protector_last_numip = @$ips[0] * 0x1000000 + @$ips[1] * 0x10000 + @$ips[2] * 0x100 + @$ips[3];
    $ips = explode('.', $_SERVER['REMOTE_ADDR']);
    $remote_numip = @$ips[0] * 0x1000000 + @$ips[1] * 0x10000 + @$ips[2] * 0x100 + @$ips[3];
    // shift is 32 - topbit: only topbit in 1..32 enables the check
    $shift = 32 - @$conf['session_fixed_topbit'];
    if ($shift < 32 && $shift >= 0 && !empty($_SESSION['protector_last_ip']) && $protector_last_numip >> $shift != $remote_numip >> $shift) {
        // Only members of a 'groups_denyipmove' group are purged on an IP change.
        // NOTE(review): unserialize() is unguarded here, unlike bip_except above.
        if (is_object($xoopsUser) && count(array_intersect($xoopsUser->getGroups(), unserialize($conf['groups_denyipmove'])))) {
            $protector->purge(true);
        }
    }
    $_SESSION['protector_last_ip'] = $_SERVER['REMOTE_ADDR'];
    // SQL Injection "Isolated /*"
    // isocom_action bits: 1 is passed to the checker, 8 = ban without expiry,
    // 4 = ban until now + banip_time0 (8 wins over 4), 2 = purge. Always logged.
    if (!$protector->check_sql_isolatedcommentin(@$conf['isocom_action'] & 1)) {
        if ($conf['isocom_action'] & 8 && $can_ban) {
            $protector->register_bad_ips();
        } else {
            if ($conf['isocom_action'] & 4 && $can_ban) {
                $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
            }
        }
        $protector->output_log('ISOCOM', $uid, true, 32);
        if ($conf['isocom_action'] & 2) {
            $protector->purge();
        }
    }
    // SQL Injection "UNION" -- same bit layout as isocom_action
    if (!$protector->check_sql_union(@$conf['union_action'] & 1)) {
        if ($conf['union_action'] & 8 && $can_ban) {
            $protector->register_bad_ips();
        } else {
            if ($conf['union_action'] & 4 && $can_ban) {
                $protector->register_bad_ips(time() + $protector->_conf['banip_time0']);
            }
        }
        $protector->output_log('UNION', $uid, true, 32);
        if ($conf['union_action'] & 2) {
            $protector->purge();
        }
    }
    if (!empty($_POST)) {
        // SPAM Check: admins are exempt; separate thresholds for members and guests
        if (is_object($xoopsUser)) {
            if (!$xoopsUser->isAdmin() && $conf['spamcount_uri4user']) {
                $protector->spam_check(intval($conf['spamcount_uri4user']), $xoopsUser->getVar('uid'));
            }
        } else {
            if ($conf['spamcount_uri4guest']) {
                $protector->spam_check(intval($conf['spamcount_uri4guest']), 0);
            }
        }
        // filter plugins for POST on postcommon stage
        $protector->call_filter('postcommon_post');
    }
    // register.php Protection (matched on the executing script's path)
    if ($_SERVER['SCRIPT_FILENAME'] == XOOPS_ROOT_PATH . '/register.php') {
        $protector->call_filter('postcommon_register');
    }
}
 /**
  * PHP 4-style constructor (presumably named after its class): caches the
  * Protector singleton and the directory holding the enabled filter plugins.
  *
  * NOTE(review): a method named after its class is no longer treated as a
  * constructor on PHP 8.0+; a __construct() is needed there.
  */
 function ProtectorFilterHandler()
 {
     $filtersDir = dirname(__DIR__) . '/filters_enabled';
     $this->filters_base = $filtersDir;
     $this->protector = Protector::getInstance();
 }
/**
 * Pre-check stage Protector hook, run before the core is initialised.
 *
 * In order: dies when the installer is running and mainfile.php is not
 * writable; enforces the bandwidth limit (HTTP 503); rejects addresses on the
 * bad-IP list; returns when globally disabled; otherwise enables the anti-XSS
 * "Big Umbrella", forces *id parameters to integers, strips '..' from
 * file-like values, checks uploaded files, detects contaminated system
 * globals and applies the configured feature disabling. Addresses matching a
 * "reliable IP" pattern skip the dot-dot and upload checks only.
 *
 * @return bool always true; the request may instead end via die(), purge()
 *              or a 'precommon_*' filter (whether those return is not visible here)
 */
function protector_precheck()
{
    // check the access is from install/index.php
    if (defined('_INSTALL_CHARSET') && !is_writable(\XoopsBaseConfig::get('root-path') . '/mainfile.php')) {
        die('To use installer, remove protector\'s lines from mainfile.php first.');
    }
    // Protector class
    require_once dirname(__DIR__) . '/class/protector.php';
    // Protector object
    $protector = Protector::getInstance();
    $conf = $protector->getConf();
    // bandwidth limitation: only enforced once bwlimit_count has reached 10;
    // get_bwlimit() is compared with time(), so it presumably returns the
    // unix time at which the limit expires
    if (@$conf['bwlimit_count'] >= 10) {
        $bwexpire = $protector->get_bwlimit();
        if ($bwexpire > time()) {
            header('HTTP/1.0 503 Service unavailable');
            $protector->call_filter('precommon_bwlimit', 'This site is very crowed now. try later.');
        }
    }
    // bad_ips: the list is fetched with its info (IPs as keys) for ip_match()
    $bad_ips = $protector->get_bad_ips(true);
    $bad_ip_match = $protector->ip_match($bad_ips);
    if ($bad_ip_match) {
        $protector->call_filter('precommon_badip', 'You are registered as BAD_IP by Protector.');
    }
    // global enabled or disabled
    if (!empty($conf['global_disabled'])) {
        return true;
    }
    // reliable ips: each entry is a regex fragment (wrapped in '/') matched
    // against REMOTE_ADDR
    $reliable_ips = @unserialize(@$conf['reliable_ips']);
    if (!is_array($reliable_ips)) {
        // for the environment of (buggy core version && magic_quotes_gpc)
        // the stored value may have been slash-escaped; retry once unescaped
        $reliable_ips = @unserialize(stripslashes(@$conf['reliable_ips']));
        if (!is_array($reliable_ips)) {
            $reliable_ips = array();
        }
    }
    $is_reliable = false;
    foreach ($reliable_ips as $reliable_ip) {
        if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
            $is_reliable = true;
        }
    }
    // "Big Umbrella" subset version (anti-XSS); '@' hides a redefinition notice
    if (!empty($conf['enable_bigumbrella'])) {
        @define('PROTECTOR_ENABLED_ANTI_XSS', 1);
        $protector->bigumbrella_init();
    }
    // force intval variables whose name is *id
    if (!empty($conf['id_forceintval'])) {
        $protector->intval_allrequestsendid();
    }
    // eliminate '..' from requests looks like file specifications
    if (!$is_reliable && !empty($conf['file_dotdot'])) {
        $protector->eliminate_dotdot();
    }
    // Check uploaded files (skipped for reliable IPs or when PROTECTOR_SKIP_FILESCHECKER is defined)
    if (!$is_reliable && !empty($_FILES) && !empty($conf['die_badext']) && !defined('PROTECTOR_SKIP_FILESCHECKER') && !$protector->check_uploaded_files()) {
        $protector->output_log($protector->last_error_type);
        $protector->purge();
    }
    // Variables contamination. contami_action bits: 4 = drop $_GET/$_POST and
    // flag the address for banning (8 selects the flag without expiry, else the
    // time0 flag), 2 = purge. The ban itself is applied at a later stage.
    if (!$protector->check_contami_systemglobals()) {
        if (@$conf['contami_action'] & 4) {
            if (@$conf['contami_action'] & 8) {
                $protector->_should_be_banned = true;
            } else {
                $protector->_should_be_banned_time0 = true;
            }
            $_GET = $_POST = array();
        }
        $protector->output_log($protector->last_error_type);
        if (@$conf['contami_action'] & 2) {
            $protector->purge();
        }
    }
    // prepare for DoS
    //if( ! $protector->check_dos_attack_prepare() ) {
    //  $protector->output_log( $protector->last_error_type , 0 , true ) ;
    //}
    if (!empty($conf['disable_features'])) {
        $protector->disable_features();
    }
    return true;
}
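/**
 * Postcommon-stage Protector hook (older variant), run after the core has
 * initialised $xoopsUser and $xoopsModule.
 *
 * Returns true early when Protector is globally disabled or the remote
 * address matches a "reliable IP" pattern; otherwise registers a ban decided
 * at precheck, runs the brute-force, DoS, session IP change and SQL-injection
 * checks, each of which may log, ban or purge the request according to its
 * configured action bits.
 *
 * @return bool|null true when the remaining checks were skipped; no value otherwise
 */
function protector_postcommon()
{
    global $xoopsUser, $xoopsDB, $xoopsModule;
    // Protector class
    require_once XOOPS_ROOT_PATH . '/modules/protector/class/protector.php';
    $protector = Protector::getInstance($xoopsDB->conn);
    $conf = $protector->getConf();
    // global enabled or disabled
    if (!empty($conf['global_disabled'])) {
        return true;
    }
    // reliable ips: each entry is a regex fragment (wrapped in '/') matched
    // against REMOTE_ADDR. A config value that does not unserialize to an
    // array must not reach the foreach.
    $reliable_ips = unserialize($conf['reliable_ips']);
    if (!is_array($reliable_ips)) {
        $reliable_ips = array();
    }
    foreach ($reliable_ips as $reliable_ip) {
        if (!empty($reliable_ip) && preg_match('/' . $reliable_ip . '/', $_SERVER['REMOTE_ADDR'])) {
            return true;
        }
    }
    // user information (uid and can be banned)
    if (is_object(@$xoopsUser)) {
        $uid = $xoopsUser->getVar('uid');
        // members of any group listed in bip_except are never banned; guard the
        // unserialize() result so array_intersect() always receives an array
        $bip_except = unserialize($conf['bip_except']);
        if (!is_array($bip_except)) {
            $bip_except = array();
        }
        $can_ban = (count(array_intersect($xoopsUser->getGroups(), $bip_except)) === 0);
    } else {
        // login failed check: a form login (uname AND pass) OR an autologin
        // cookie pair -- '&&' binds tighter than '||'
        if (!empty($_POST['uname']) && !empty($_POST['pass']) || !empty($_COOKIE['autologin_uname']) && !empty($_COOKIE['autologin_pass'])) {
            $protector->check_brute_force();
        }
        $uid = 0;
        $can_ban = true;
    }
    // If precheck has already judged that he should be banned
    if ($can_ban && $protector->_should_be_banned) {
        $protector->register_bad_ips();
    }
    // DOS/CRAWLER skipping based on 'dirname': dos_skipmodules is a
    // '|'-separated list of module directory names (explode() with a
    // non-empty separator always yields an array)
    $dos_skipping = false;
    $skip_dirnames = explode('|', $conf['dos_skipmodules']);
    if (is_object(@$xoopsModule) && in_array($xoopsModule->getVar('dirname'), $skip_dirnames)) {
        $dos_skipping = true;
    }
    // DoS Attack
    if (!$dos_skipping && !$protector->check_dos_attack($uid, $can_ban)) {
        $protector->output_log($protector->last_error_type, $uid, true, 16);
    }
    // check session hi-jacking: a member of a 'groups_denyipmove' group whose
    // address differs from the one stored in the session is purged
    if (!empty($_SESSION['protector_last_ip']) && $_SESSION['protector_last_ip'] != $_SERVER['REMOTE_ADDR']) {
        if (is_object($xoopsUser)) {
            $deny_groups = unserialize($conf['groups_denyipmove']);
            if (is_array($deny_groups) && count(array_intersect($xoopsUser->getGroups(), $deny_groups))) {
                $protector->purge(true);
            }
        }
    }
    $_SESSION['protector_last_ip'] = $_SERVER['REMOTE_ADDR'];
    // SQL Injection "Isolated /*" -- bit 1 of isocom_action is passed to the checker
    if (!$protector->check_sql_isolatedcommentin($conf['isocom_action'] & 1)) {
        _protector_sql_injection_action($protector, $conf['isocom_action'], 'ISOCOM', $uid, $can_ban);
    }
    // SQL Injection "UNION" -- same bit layout as isocom_action
    if (!$protector->check_sql_union($conf['union_action'] & 1)) {
        _protector_sql_injection_action($protector, $conf['union_action'], 'UNION', $uid, $can_ban);
    }
}

/**
 * Applies the configured action bits after an SQL-injection check failed:
 * bit 4 bans the address (when $can_ban), the event is always logged, and
 * bit 2 purges the request. Bit 1 is consumed by the check itself.
 *
 * @param Protector $protector
 * @param int       $action    the isocom_action / union_action config value
 * @param string    $label     log type ('ISOCOM' or 'UNION')
 * @param int       $uid       current user id, 0 for guests
 * @param bool      $can_ban   false for users in a bip_except group
 * @return void
 */
function _protector_sql_injection_action($protector, $action, $label, $uid, $can_ban)
{
    if ($action & 4 && $can_ban) {
        $protector->register_bad_ips();
    }
    $protector->output_log($label, $uid, 64);
    if ($action & 2) {
        $protector->purge();
    }
}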
 /**
  * PHP 4-style constructor (presumably named after its class): caches the
  * Protector singleton and the two directories filter plugins are loaded
  * from -- the always-enabled ones and those enabled by configuration.
  *
  * NOTE(review): a method named after its class is no longer treated as a
  * constructor on PHP 8.0+; a __construct() is needed there.
  */
 function ProtectorFilterHandler()
 {
     $moduleDir = dirname(dirname(__FILE__));
     $this->filters_base = $moduleDir . '/filters_enabled';
     $this->filters_byconfig = $moduleDir . '/filters_byconfig';
     $this->protector = Protector::getInstance();
 }
 /**
  * Forwards $post to the parent constructor.
  *
  * NOTE(review): '__constructor' is not a PHP magic method -- only
  * '__construct' is -- so this is an ordinary public method that never runs
  * when the object is created; the parent constructor is only reached if a
  * caller invokes it explicitly. Renaming it would change the public API,
  * so it is left as is here.
  *
  * @param mixed $post passed through to the parent constructor
  * @return void
  */
 public function __constructor($post)
 {
     parent::__construct($post);
 }
 /**
  * ProtectorFilterHandler constructor: caches the Protector singleton and the
  * directory holding the enabled filter plugins. Protected, so instances are
  * presumably obtained through a static factory rather than 'new'.
  */
 protected function __construct()
 {
     $filtersDir = dirname(__DIR__) . '/filters_enabled';
     $this->filters_base = $filtersDir;
     $this->protector = Protector::getInstance();
 }