DB::$dbName = $database;
DB::$port = $port;
DB::$encoding = $encoding;
DB::$error_handler = 'db_error_handler';
$link = mysqli_connect($server, $user, $pass, $database, $port);
$link->set_charset($encoding);
// check session validity
$data = DB::queryfirstrow("SELECT timestamp, code, item_id FROM " . prefix_table("otv") . "\n WHERE id = %i", intval($_GET['otv_id']));
if ($data['timestamp'] == $_GET['stamp'] && $data['code'] == $_GET['code'] && $data['item_id'] == $_GET['item_id']) {
// otv is too old
if ($data['timestamp'] < time() - $_SESSION['settings']['otv_expiration_period'] * 86400) {
$html = "Link is too old!";
} else {
$dataItem = DB::queryfirstrow("SELECT *\n FROM " . prefix_table("items") . " as i\n INNER JOIN " . prefix_table("log_items") . " as l ON (l.id_item = i.id)\n WHERE i.id = %i AND l.action = %s", intval($_GET['item_id']), 'at_creation');
// get data
$pw = cryption($dataItem['pw'], SALT, $dataItem['pw_iv'], "decrypt");
// get key for original pw
$originalKey = DB::queryfirstrow("SELECT rand_key FROM `" . prefix_table("keys") . "`\n WHERE `sql_table` = %s AND `id` = %i", 'items', intval($_GET['item_id']));
// unsalt previous pw
$pw = substr($pw, strlen($originalKey['rand_key']));
$label = $dataItem['label'];
$email = $dataItem['email'];
$url = $dataItem['url'];
$description = preg_replace('/(?<!\\r)\\n+(?!\\r)/', '', strip_tags($dataItem['description'], $k['allowedTags']));
$login = str_replace('"', '"', $dataItem['login']);
// display data
$html = "<div style='margin:30px;'>" . "<div style='font-size:20px;font-weight:bold;'>Welcome to One-Time item view page.</div>" . "<div style='font-style:italic;'>Here are the details of the Item that has been shared to you</div>" . "<div style='margin-top:10px;'><table>" . "<tr><td>Label:</td><td>" . $label . "</td</tr>" . "<tr><td>Password:</td><td>" . $pw . "</td</tr>" . "<tr><td>Description:</td><td>" . $description . "</td</tr>" . "<tr><td>login:</td><td>" . $login . "</td</tr>" . "<tr><td>URL:</td><td>" . $url . "</td</tr>" . "</table></div>" . "<div style='margin-top:30px;'>Copy carefully the data you need. This page is only visible once.</div>" . "</div>";
// delete entry
//DB::delete(prefix_table("otv"), "id = %i", intval($_GET['otv_id']));
// display
echo $html;
} else {
//data is lost ... unknown encryption
}
}
fputs($dbgDuo, "\nCategory treatment done.");
}
}
if ($next >= $_POST['total']) {
$finish = "suggestion";
}
} else {
fputs($dbgDuo, "\nStarting suggestion.\n\n");
// decrypt passwords in suggestion table
$resData = mysqli_query($dbTmp, "SELECT id, pw, pw_iv\n FROM " . $_SESSION['tbl_prefix'] . "suggestion") or die(mysqli_error($dbTmp));
while ($record = mysqli_fetch_array($resData)) {
$tmpData = substr(decrypt($record['pw']), strlen($record['pw_iv']));
if (isUTF8($tmpData) && !empty($tmpData)) {
$encrypt = cryption($tmpData, SALT, "", "encrypt");
// store Password
mysqli_query($dbTmp, "UPDATE " . $_SESSION['tbl_prefix'] . "suggestion\n SET pw = '" . $encrypt['string'] . "', pw_iv = '" . $encrypt['iv'] . "'\n WHERE id =" . $record['id']) or die(mysqli_error($dbTmp));
} else {
//data is lost ... unknown encryption
}
}
$finish = true;
}
fputs($dbgDuo, "\n\nAll finished.\n");
echo '[{"finish":"' . $finish . '" , "next":"' . $next . '" ' . ', "progress":"' . round($next * 100 / $_POST['total'], 0) . '"}]';
break;
}
}
echo '[{"error":"true"}]';
break;
}
$full_listing = array();
include $_SESSION['settings']['cpassman_dir'] . '/includes/include.php';
require_once $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/encryption/GibberishAES/GibberishAES.php';
$rows = DB::query("SELECT i.id as id, i.url as url, i.perso as perso, i.label as label, i.description as description, i.pw as pw, i.login as login, i.id_tree as id_tree,\n l.date as date, i.pw_iv as pw_iv,\n n.renewal_period as renewal_period\n FROM " . prefix_table("items") . " as i\n INNER JOIN " . prefix_table("nested_tree") . " as n ON (i.id_tree = n.id)\n INNER JOIN " . prefix_table("log_items") . " as l ON (i.id = l.id_item)\n WHERE i.inactif = %i\n AND i.id_tree= %i\n AND (l.action = %s OR (l.action = %s AND l.raison LIKE %s))\n ORDER BY i.label ASC, l.date DESC", "0", intval($_POST['idTree']), "at_creation", "at_modification", "at_pw :%");
//AND i.id_tree IN (".implode(',', $list).")
foreach ($rows as $record) {
//exclude all results except the first one returned by query
if (empty($id_managed) || $id_managed != $record['id']) {
// decrypt PW
if (!empty($_POST['salt_key']) && isset($_POST['salt_key'])) {
$pw = cryption($record['pw'], mysqli_escape_string($link, stripslashes($_POST['salt_key'])), $record['pw_iv'], "decrypt");
} else {
$pw = cryption($record['pw'], SALT, $record['pw_iv'], "decrypt");
}
array_push($full_listing, array('id_tree' => $record['id_tree'], 'id' => $record['id'], 'label' => $record['label'], 'description' => addslashes(str_replace(array(";", "<br />"), array("|", "\n\r"), mysqli_escape_string($link, stripslashes(utf8_decode($record['description']))))), 'pw' => $pw, 'login' => $record['login'], 'url' => $record['url'], 'perso' => $record['perso']));
$i++;
array_push($items_id_list, $record['id']);
}
$id_managed = $record['id'];
}
//save in export file
$outstream = fopen($_POST['file'], "a");
$lineType = "line1";
$idTree = "";
foreach ($full_listing as $elem) {
if ($lineType == "line0") {
$lineType = "line1";
} else {
$error = "";
require_once 'main.functions.php';
// prepare SK
$dataReceived = prepareExchangedData($_POST['newSK'], "decode");
$new_salt_key = htmlspecialchars_decode($dataReceived['newSK']);
if (!isUTF8($new_salt_key) || empty($new_salt_key)) {
// SK is not correct
echo '[{"nextAction":"" , "error":"saltkey is corrupted or empty" , "nbOfItems":""}]';
break;
}
//change all passwords in DB
$rows = DB::query("\n SELECT id, pw, pw_iv\n FROM " . prefix_table("items") . "\n WHERE perso = %s\n LIMIT " . filter_var($_POST['start'], FILTER_SANITIZE_NUMBER_INT) . ", " . filter_var($_POST['length'], FILTER_SANITIZE_NUMBER_INT), "0");
foreach ($rows as $record) {
$pw = cryption($record['pw'], SALT, $record['pw_iv'], "decrypt");
//encrypt with new SALT
$encrypt = cryption($pw['string'], $new_salt_key, "", "encrypt");
DB::update(prefix_table("items"), array('pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv']), "id = %i", $record['id']);
}
$nextStart = intval($_POST['start']) + intval($_POST['length']);
// check if last item to change has been treated
if ($nextStart >= intval($_POST['nbItems'])) {
$nextAction = "finishing";
} else {
$nextAction = "encrypting";
}
echo '[{"nextAction":"' . $nextAction . '" , "nextStart":"' . $nextStart . '", "error":"' . $error . '"}]';
break;
/*
* Change SALT Key - END
*/
/*
$counter = DB::count();
if ($counter == 0) {
$pw = $item[KP_PASSWORD];
//Get folder label
if (count($foldersArray) == 0 || empty($item[KP_PATH])) {
$folderId = $_POST['destination'];
} else {
$folderId = $foldersArray[$item[KP_PATH]]['id'];
}
$data = DB::queryFirstRow("SELECT title FROM " . prefix_table("nested_tree") . " WHERE id = %i", intval($folderId));
$results .= " - Inserting\n";
// prepare PW
if ($import_perso == true) {
$encrypt = cryption($pw, $_SESSION['my_sk'], "", "encrypt");
} else {
$encrypt = cryption($pw, SALT, "", "encrypt");
}
//ADD item
DB::insert(prefix_table("items"), array('label' => stripslashes($item[KP_TITLE]), 'description' => stripslashes(str_replace($lineEndSeparator, '<br />', $item[KP_NOTES])), 'pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], 'url' => stripslashes($item[KP_URL]), 'id_tree' => $folderId, 'login' => stripslashes($item[KP_USERNAME]), 'anyone_can_modify' => $_POST['import_kps_anyone_can_modify'] == "true" ? 1 : 0));
$newId = DB::insertId();
//if asked, anyone in role can modify
if (isset($_POST['import_kps_anyone_can_modify_in_role']) && $_POST['import_kps_anyone_can_modify_in_role'] == "true") {
foreach ($_SESSION['arr_roles'] as $role) {
DB::insert(prefix_table("restriction_to_roles"), array('role_id' => $role['id'], 'item_id' => $newId));
}
}
//Add log
DB::insert(prefix_table("log_items"), array('id_item' => $newId, 'date' => time(), 'id_user' => $_SESSION['user_id'], 'action' => 'at_creation', 'raison' => 'at_import'));
//Add entry to cache table
DB::insert(prefix_table("cache"), array('id' => $newId, 'label' => stripslashes($item[KP_TITLE]), 'description' => stripslashes(str_replace($lineEndSeparator, '<br />', $item[KP_NOTES])), 'id_tree' => $folderId, 'perso' => $personalFolder == 0 ? 0 : 1, 'login' => stripslashes($item[KP_USERNAME]), 'folder' => $data['title'], 'author' => $_SESSION['user_id']));
//show
// COMPLETE RE-ENCRYPTION
$personal_sk = $_SESSION['my_sk'];
// get data about pw
$data = DB::queryfirstrow("SELECT id, pw, pw_iv\n FROM " . prefix_table("items") . "\n WHERE id = %i", $_POST['currentId']);
if (empty($data['pw_iv'])) {
// check if pw encrypted with protocol #2
$pw = decrypt($data['pw'], $_SESSION['my_sk']);
if (empty($pw)) {
// used protocol is #1
$pw = decryptOld($data['pw'], $_SESSION['my_sk']);
// decrypt using protocol #1
} else {
// used protocol is #2
// get key for this pw
$dataItem = DB::queryfirstrow("SELECT rand_key\n FROM " . prefix_table("keys") . "\n WHERE `sql_table` = %s AND id = %i", "items", $data['id']);
if (!empty($dataItem['rand_key'])) {
// remove key from pw
$pw = substr($pw, strlen($dataTemp['rand_key']));
}
}
// encrypt it
$encrypt = cryption($pw, $personal_sk, "", "encrypt");
// store Password
DB::update(prefix_table('items'), array('pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv']), "id = %i", $data['id']);
} else {
// already re-encrypted
}
}
echo '[{"error" : ""}]';
break;
}
if (!empty($settings['enable_server_password_change']) && $settings['enable_server_password_change'] == 1) {
$log = "Start date " . date($_SESSION['settings']['date_format'] . " " . $_SESSION['settings']['time_format'], time()) . "\n";
// loop on items
$rows = DB::query("SELECT label, login, pw, pw_iv, url, auto_update_pwd_next_date, auto_update_pwd_frequency\n FROM " . prefix_table("items") . "\n WHERE auto_update_pwd_next_date > %i", time());
foreach ($rows as $record) {
$log .= "* Item '" . $record['label'] . "'\n";
// decrypt password
$oldPwClear = cryption($record['pw'], SALT, $record['pw_iv'], "decrypt");
// generate password
$pwgen->setLength(10);
$pwgen->setSecure(true);
$pwgen->setCapitalize(true);
$pwgen->setNumerals(true);
$new_pwd = $pwgen->generate();
// encrypt new password
$encrypt = cryption($new_pwd, SALT, "", "encrypt");
$parse = parse_url($record['url']);
$ssh = new Net_SSH2($parse['host'], $parse['port']);
if (!$ssh->login($record['login'], $oldPwClear['string'])) {
$log .= " ERR - Login failed.\n Error description:" . $_SESSION['sshError'] . "\n\n";
} else {
// send ssh script for user change
$ret_server = $ssh->exec('echo -e "' . $new_pwd . '\\n' . $new_pwd . '" | passwd ' . $record['login']);
if (strpos($ret_server, "updated successfully") !== false) {
$err = false;
} else {
$err = true;
}
$log .= " Answer: " . $ret_server . "\n\n";
}
if ($err == false) {
function rest_get()
{
$_SESSION['user_id'] = "'api'";
if (!@count($GLOBALS['request']) == 0) {
$request_uri = $GLOBALS['_SERVER']['REQUEST_URI'];
preg_match('/\\/api(\\/index.php|)\\/(.*)\\?apikey=(.*)/', $request_uri, $matches);
if (count($matches) == 0) {
rest_error('REQUEST_SENT_NOT_UNDERSTANDABLE');
}
$GLOBALS['request'] = explode('/', $matches[2]);
}
if (apikey_checker($GLOBALS['apikey'])) {
global $server, $user, $pass, $database, $pre, $link;
teampass_connect();
$category_query = "";
if ($GLOBALS['request'][0] == "read") {
if ($GLOBALS['request'][1] == "category") {
// get ids
if (strpos($GLOBALS['request'][2], ";") > 0) {
$condition = "id_tree IN %ls";
$condition_value = explode(';', $GLOBALS['request'][2]);
} else {
$condition = "id_tree = %s";
$condition_value = $GLOBALS['request'][2];
}
DB::debugMode(false);
// get items in this module
$response = DB::query("SELECT id,label,login,pw, pw_iv FROM " . prefix_table("items") . " WHERE " . $condition, $condition_value);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
}
/* load folders */
$response = DB::query("SELECT id,parent_id,title,nleft,nright,nlevel FROM " . prefix_table("nested_tree") . " WHERE parent_id=%i ORDER BY `title` ASC", $GLOBALS['request'][2]);
$rows = array();
$i = 0;
foreach ($response as $row) {
$response = DB::query("SELECT id,label,login,pw, pw_iv FROM " . prefix_table("items") . " WHERE id_tree=%i", $row['id']);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
}
}
} elseif ($GLOBALS['request'][1] == "items") {
$array_items = explode(';', $GLOBALS['request'][2]);
// check if not empty
if (count($array_items) == 0) {
rest_error('NO_ITEM');
}
// only accepts numeric
foreach ($array_items as $item) {
if (!is_numeric($item)) {
rest_error('ITEM_MALFORMED');
}
}
$response = DB::query("select id,label,login,pw, pw_iv, id_tree from " . prefix_table("items") . " where id IN %ls", $array_items);
foreach ($response as $data) {
// prepare output
$id = $data['id'];
$json[$id]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$id]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$id]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
}
}
if (isset($json) && $json) {
echo json_encode($json);
} else {
rest_error('EMPTY');
}
} elseif ($GLOBALS['request'][0] == "find") {
if ($GLOBALS['request'][1] == "item") {
$array_category = explode(';', $GLOBALS['request'][2]);
$item = $GLOBALS['request'][3];
foreach ($array_category as $category) {
if (!preg_match_all("/^([\\w\\:\\'\\-\\sàáâãäåçèéêëìíîïðòóôõöùúûüýÿ]+)\$/i", $category, $result)) {
rest_error('CATEGORY_MALFORMED');
}
}
if (!preg_match_all("/^([\\w\\:\\'\\-\\sàáâãäåçèéêëìíîïðòóôõöùúûüýÿ]+)\$/i", $item, $result)) {
rest_error('ITEM_MALFORMED');
} elseif (empty($item) || count($array_category) == 0) {
rest_error('MALFORMED');
}
if (count($array_category) > 1 && count($array_category) < 5) {
for ($i = count($array_category); $i > 0; $i--) {
$slot = $i - 1;
if (!$slot) {
$category_query .= "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[$slot] . "' AND parent_id = 0";
} else {
$category_query .= "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[$slot] . "' AND parent_id = (";
}
}
for ($i = 1; $i < count($array_category); $i++) {
$category_query .= ")";
}
} elseif (count($array_category) == 1) {
$category_query = "select id from " . prefix_table("nested_tree") . " where title LIKE '" . $array_category[0] . "' AND parent_id = 0";
} else {
rest_error('NO_CATEGORY');
}
DB::debugMode(false);
$response = DB::query("select id, label, login, pw, pw_iv, id_tree\n from " . prefix_table("items") . "\n where id_tree = (%s)\n and label LIKE %ss", $category_query, $item);
foreach ($response as $data) {
// prepare output
$json['id'] = mb_convert_encoding($data['id'], mb_detect_encoding($data['id']), 'UTF-8');
$json['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
$json['folder_id'] = $data['id_tree'];
$json['status'] = utf8_encode("OK");
}
if (isset($json) && $json) {
echo json_encode($json);
} else {
rest_error('EMPTY');
}
}
} elseif ($GLOBALS['request'][0] == "add") {
if ($GLOBALS['request'][1] == "item") {
// get item definition
$array_item = explode(';', urldecode($GLOBALS['request'][2]));
if (count($array_item) != 9) {
rest_error('ITEMBADDEFINITION');
}
$item_label = $array_item[0];
$item_pwd = $array_item[1];
$item_desc = $array_item[2];
$item_folder_id = $array_item[3];
$item_login = $array_item[4];
$item_email = $array_item[5];
$item_url = $array_item[6];
$item_tags = $array_item[7];
$item_anyonecanmodify = $array_item[8];
// added so one can sent data including the http or https !
// anyway we have to urlencode this data
$item_url = urldecode($item_url);
// same for the email
$item_email = urldecode($item_email);
// do some checks
if (!empty($item_label) && !empty($item_pwd) && !empty($item_folder_id)) {
// Check length
if (strlen($item_pwd) > 50) {
rest_error('PASSWORDTOOLONG');
}
// Check Folder ID
DB::query("SELECT * FROM " . prefix_table("nested_tree") . " WHERE id = %i", $item_folder_id);
$counter = DB::count();
if ($counter == 0) {
rest_error('NOSUCHFOLDER');
}
// check if element doesn't already exist
DB::query("SELECT * FROM " . prefix_table("items") . " WHERE label = %s AND inactif = %i", addslashes($item_label), "0");
$counter = DB::count();
if ($counter != 0) {
$itemExists = 1;
// prevent the error if the label already exists
// so lets just add the time() as a random factor
$item_label .= " (" . time() . ")";
} else {
$itemExists = 0;
}
if ($itemExists == 0) {
$encrypt = cryption($item_pwd, SALT, "", "encrypt");
if (empty($encrypt['string'])) {
rest_error('PASSWORDEMPTY');
}
// ADD item
try {
DB::insert(prefix_table("items"), array("label" => $item_label, "description" => $item_desc, 'pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], "email" => $item_email, "url" => $item_url, "id_tree" => intval($item_folder_id), "login" => $item_login, "inactif" => 0, "restricted_to" => "", "perso" => 0, "anyone_can_modify" => intval($item_anyonecanmodify)));
$newID = DB::InsertId();
// log
DB::insert(prefix_table("log_items"), array("id_item" => $newID, "date" => time(), "id_user" => "9999999", "action" => "at_creation"));
// Add tags
$tags = explode(' ', $item_tags);
foreach ((array) $tags as $tag) {
if (!empty($tag)) {
DB::insert(prefix_table("tags"), array("item_id" => $newID, "tag" => strtolower($tag)));
}
}
// Update CACHE table
DB::insert(prefix_table("cache"), array("id" => $newID, "label" => $item_label, "description" => $item_desc, "tags" => $item_tags, "id_tree" => $item_folder_id, "perso" => "0", "restricted_to" => "", "login" => $item_login, "folder" => "", "author" => "9999999"));
echo '{"status":"item added"}';
} catch (PDOException $ex) {
echo '<br />' . $ex->getMessage();
}
} else {
rest_error('ITEMEXISTS');
}
} else {
rest_error('ITEMMISSINGDATA');
}
} elseif ($GLOBALS['request'][1] == "user") {
// get user definition
$array_user = explode(';', $GLOBALS['request'][2]);
if (count($array_user) != 11) {
rest_error('USERBADDEFINITION');
}
$login = $array_user[0];
$name = $array_user[1];
$lastname = $array_user[2];
$password = $array_user[3];
$email = $array_user[4];
$adminby = $array_user[5];
$isreadonly = $array_user[6];
$roles = $array_user[7];
$isadmin = $array_user[8];
$ismanager = $array_user[9];
$haspf = $array_user[10];
// Empty user
if (mysqli_escape_string($link, htmlspecialchars_decode($login)) == "") {
rest_error('USERLOGINEMPTY');
}
// Check if user already exists
$data = DB::query("SELECT id, fonction_id, groupes_interdits, groupes_visibles FROM " . prefix_table("users") . "\n WHERE login LIKE %ss", mysqli_escape_string($link, stripslashes($login)));
if (DB::count() == 0) {
try {
// find AdminRole code in DB
$resRole = DB::queryFirstRow("SELECT id\n FROM " . prefix_table("roles_title") . "\n WHERE title LIKE %ss", mysqli_escape_string($link, stripslashes($adminby)));
// get default language
$lang = DB::queryFirstRow("SELECT `valeur` FROM " . prefix_table("misc") . " WHERE type = %s AND intitule = %s", "admin", "default_language");
// prepare roles list
$rolesList = "";
foreach (explode('|', $roles) as $role) {
echo $role . "-";
$tmp = DB::queryFirstRow("SELECT `id` FROM " . prefix_table("roles_title") . " WHERE title = %s", $role);
if (empty($rolesList)) {
$rolesList = $tmp['id'];
} else {
$rolesList .= ";" . $tmp['id'];
}
}
// Add user in DB
DB::insert(prefix_table("users"), array('login' => $login, 'name' => $name, 'lastname' => $lastname, 'pw' => bCrypt(stringUtf8Decode($password), COST), 'email' => $email, 'admin' => intval($isadmin), 'gestionnaire' => intval($ismanager), 'read_only' => intval($isreadonly), 'personal_folder' => intval($haspf), 'user_language' => $lang['valeur'], 'fonction_id' => $rolesList, 'groupes_interdits' => '0', 'groupes_visibles' => '0', 'isAdministratedByRole' => empty($resRole) ? '0' : $resRole['id']));
$new_user_id = DB::insertId();
// Create personnal folder
if (intval($haspf) == 1) {
DB::insert(prefix_table("nested_tree"), array('parent_id' => '0', 'title' => $new_user_id, 'bloquer_creation' => '0', 'bloquer_modification' => '0', 'personal_folder' => '1'));
}
// Send email to new user
@sendEmail($LANG['email_subject_new_user'], str_replace(array('#tp_login#', '#tp_pw#', '#tp_link#'), array(" " . addslashes($login), addslashes($password), $_SESSION['settings']['email_server_url']), $LANG['email_new_user_mail']), $email);
// update LOG
logEvents('user_mngt', 'at_user_added', 'api - ' . $GLOBALS['apikey'], $new_user_id);
echo '{"status":"user added"}';
} catch (PDOException $ex) {
echo '<br />' . $ex->getMessage();
}
} else {
rest_error('USERALREADYEXISTS');
}
}
} elseif ($GLOBALS['request'][0] == "auth") {
/*
** FOR SECURITY PURPOSE, it is mandatory to use SSL to connect your teampass instance. The user password is not encrypted!
**
**
** Expected call format: .../api/index.php/auth/<PROTOCOL>/<URL>/<login>/<password>?apikey=<VALID API KEY>
** Example: https://127.0.0.1/teampass/api/index.php/auth/http/www.zadig-tge.adp.com/U1/test/76?apikey=chahthait5Aidood6johh6Avufieb6ohpaixain
** RESTRICTIONS:
** - <PROTOCOL> ==> http|https|ftp|...
** - <URL> ==> encode URL without protocol (example: http://www.teampass.net becomes www.teampass.net)
** - <login> ==> user's login
** - <password> ==> currently clear password
**
** RETURNED ANSWER:
** - format sent back is JSON
** - Example: {"<item_id>":{"label":"<pass#1>","login":"******","pw":"<pwd#1>"},"<item_id>":{"label":"<pass#2>","login":"******","pw":"<pwd#2>"}}
**
*/
// get user credentials
if (isset($GLOBALS['request'][3]) && isset($GLOBALS['request'][4])) {
// get url
if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2])) {
// is user granted?
$user = DB::queryFirstRow("SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s", $GLOBALS['request'][3]);
// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][4], $user['pw']) === true) {
// define the restriction of "id_tree" of this user
$userDef = DB::queryOneColumn('folder_id', "SELECT DISTINCT folder_id \n FROM " . prefix_table("roles_values") . "\n WHERE type IN ('R', 'W') ", empty($user['groupes_interdits']) ? "" : "\n AND folder_id NOT IN (" . str_replace(";", ",", $user['groupes_interdits']) . ")", " \n AND role_id IN %ls \n GROUP BY folder_id", explode(";", $user['groupes_interdits']));
// complete with "groupes_visibles"
foreach (explode(";", $user['groupes_visibles']) as $v) {
array_push($userDef, $v);
}
// find the item associated to the url
$response = DB::query("SELECT id, label, login, pw, pw_iv, id_tree, restricted_to\n FROM " . prefix_table("items") . " \n WHERE url LIKE %s\n AND id_tree IN (" . implode(",", $userDef) . ")\n ORDER BY id DESC", $GLOBALS['request'][1] . "://" . urldecode($GLOBALS['request'][2] . '%'));
$counter = DB::count();
if ($counter > 0) {
$json = "";
foreach ($response as $data) {
// check if item visible
if (empty($data['restricted_to']) || $data['restricted_to'] != "" && in_array($user['id'], explode(";", $data['restricted_to']))) {
// prepare export
$json[$data['id']]['label'] = mb_convert_encoding($data['label'], mb_detect_encoding($data['label']), 'UTF-8');
$json[$data['id']]['login'] = mb_convert_encoding($data['login'], mb_detect_encoding($data['login']), 'UTF-8');
$json[$data['id']]['pw'] = cryption($data['pw'], SALT, $data['pw_iv'], "decrypt");
}
}
// prepare answer. If no access then inform
if (empty($json)) {
rest_error('AUTH_NO_DATA');
} else {
echo json_encode($json);
}
} else {
rest_error('AUTH_NO_DATA');
}
} else {
rest_error('AUTH_NOT_GRANTED');
}
} else {
rest_error('AUTH_NO_URL');
}
} else {
rest_error('AUTH_NO_IDENTIFIER');
}
} elseif ($GLOBALS['request'][0] == "set") {
/*
* Expected call format: .../api/index.php/set/<login_to_save>/<password_to_save>/<url>/<user_login>/<user_password>?apikey=<VALID API KEY>
* Example: https://127.0.0.1/teampass/api/index.php/auth/myLogin/myPassword/USER1/test/76?apikey=chahthait5Aidood6johh6Avufieb6ohpaixain
*
* NEW ITEM WILL BE STORED IN SPECIFIC FOLDER
*/
// get user credentials
if (isset($GLOBALS['request'][4]) && isset($GLOBALS['request'][5])) {
// get url
if (isset($GLOBALS['request'][1]) && isset($GLOBALS['request'][2]) && isset($GLOBALS['request'][3])) {
// is user granted?
$user = DB::queryFirstRow("SELECT `id`, `pw`, `groupes_interdits`, `groupes_visibles`, `fonction_id` FROM " . $pre . "users WHERE login = %s", $GLOBALS['request'][4]);
// load passwordLib library
$_SESSION['settings']['cpassman_dir'] = "..";
require_once '../sources/SplClassLoader.php';
$pwdlib = new SplClassLoader('PasswordLib', '../includes/libraries');
$pwdlib->register();
$pwdlib = new PasswordLib\PasswordLib();
// is user identified?
if ($pwdlib->verifyPasswordHash($GLOBALS['request'][5], $user['pw']) === true) {
// does the personal folder of this user exists?
DB::queryFirstRow("SELECT `id`\n FROM " . $pre . "nested_tree\n WHERE title = %s AND personal_folder = 1", $user['id']);
if (DB::count() > 0) {
// check if "teampass-connect" folder exists
// if not create it
$folder = DB::queryFirstRow("SELECT `id`\n FROM " . $pre . "nested_tree\n WHERE title = %s", "teampass-connect");
if (DB::count() == 0) {
DB::insert(prefix_table("nested_tree"), array('parent_id' => '0', 'title' => "teampass-connect"));
$tpc_folder_id = DB::insertId();
//Add complexity
DB::insert(prefix_table("misc"), array('type' => 'complex', 'intitule' => $tpc_folder_id, 'valeur' => '0'));
// rebuild tree
$tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title');
$tree->rebuild();
} else {
$tpc_folder_id = $folder['id'];
}
// encrypt password
$encrypt = cryption($GLOBALS['request'][2], SALT, "", "encrypt");
// add new item
DB::insert(prefix_table("items"), array('label' => "Credentials for " . urldecode($GLOBALS['request'][3] . '%'), 'description' => "Imported with Teampass-Connect", 'pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], 'email' => "", 'url' => urldecode($GLOBALS['request'][3] . '%'), 'id_tree' => $tpc_folder_id, 'login' => $GLOBALS['request'][1], 'inactif' => '0', 'restricted_to' => $user['id'], 'perso' => '0', 'anyone_can_modify' => '0', 'complexity_level' => '0'));
$newID = DB::insertId();
// log
logItems($newID, "Credentials for " . urldecode($GLOBALS['request'][3] . '%'), $user['id'], 'at_creation', $GLOBALS['request'][1]);
$json['status'] = "ok";
// prepare answer. If no access then inform
if (empty($json)) {
rest_error('AUTH_NO_DATA');
} else {
echo json_encode($json);
}
} else {
rest_error('NO_PF_EXIST_FOR_USER');
}
} else {
rest_error('AUTH_NOT_GRANTED');
}
} else {
rest_error('SET_NO_DATA');
}
} else {
rest_error('AUTH_NO_IDENTIFIER');
}
} else {
rest_error('METHOD');
}
}
}
DB::$encoding = $encoding;
DB::$error_handler = 'db_error_handler';
$link = mysqli_connect($server, $user, $pass, $database, $port);
$link->set_charset($encoding);
// check user's token
$dataUser = DB::queryfirstrow("SELECT key_tempo\n FROM " . prefix_table("users") . "\n WHERE id=%i", $_SESSION['user_id']);
if ($dataUser['key_tempo'] !== $_GET['key']) {
$_SESSION['error']['code'] = ERR_NOT_ALLOWED;
//not allowed page
include $_SESSION['settings']['cpassman_dir'] . '/error.php';
exit;
}
// get data about item
$dataItem = DB::queryfirstrow("SELECT label, login, pw, pw_iv, url, auto_update_pwd_frequency\n FROM " . prefix_table("items") . "\n WHERE id=%i", $_GET['id']);
// decrypt password
$oldPwClear = cryption($dataItem['pw'], SALT, $dataItem['pw_iv'], "decrypt");
echo '
<div id="tabs">
<ul>
<li><a href="#tabs-1">' . $LANG['ssh_one_shot_change'] . '</a></li>
<li><a href="#tabs-2">' . $LANG['ssh_scheduled_change'] . '</a></li>
</ul>
<div id="tabs-1">
<div>
<label for="ausp_ssh_root">' . $LANG['ssh_user'] . ':</label>
<input type="text" id="ausp_ssh_root" class="menu_250 text ui-widget-content ui-corner-all" style="padding:3px;" value="' . $dataItem['login'] . '" />
</div>
<div>
<label for="ausp_ssh_pwd">' . $LANG['ssh_pwd'] . ':</label>
<input type="password" id="ausp_ssh_pwd" class="menu_250 text ui-widget-content ui-corner-all" style="padding:3px;" value="' . $oldPwClear['string'] . '" />
</div>
$dataDestination = DB::queryfirstrow("SELECT personal_folder, title FROM " . prefix_table("nested_tree") . " WHERE id = %i", $_POST['folder_id']);
// update item
DB::update(prefix_table("items"), array('id_tree' => $_POST['folder_id']), "id=%i", $_POST['item_id']);
// previous is non personal folder and new too
if ($dataSource['personal_folder'] == 0 && $dataDestination['personal_folder'] == 0) {
// just update is needed. Item key is the same
} elseif ($dataSource['personal_folder'] == 0 && $dataDestination['personal_folder'] == 1) {
$decrypt = cryption($dataSource['pw'], mysqli_escape_string($link, stripslashes($_SESSION['my_sk'])), $dataSource['pw_iv'], "decrypt");
$encrypt = cryption($decrypt, mysqli_escape_string($link, stripslashes($_SESSION['my_sk'])), "", "encrypt");
// update pw
DB::update(prefix_table("items"), array('pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], 'perso' => 1), "id=%i", $_POST['item_id']);
} elseif ($dataSource['personal_folder'] == 1 && $dataDestination['personal_folder'] == 1) {
// NOTHING TO DO => just update is needed. Item key is the same
} elseif ($dataSource['personal_folder'] == 1 && $dataDestination['personal_folder'] == 0) {
$decrypt = cryption($dataSource['pw'], SALT, $dataSource['pw_iv'], "decrypt");
$encrypt = cryption($decrypt, SALT, "", "encrypt");
// update item
DB::update(prefix_table("items"), array('pw' => $encrypt['string'], 'pw_iv' => $encrypt['iv'], 'perso' => 0), "id=%i", $_POST['item_id']);
}
// Log item moved
DB::insert(prefix_table("log_items"), array('id_item' => $_POST['item_id'], 'date' => time(), 'id_user' => $_SESSION['user_id'], 'action' => 'at_modification', 'raison' => 'at_moved : ' . $dataSource['title'] . ' -> ' . $dataDestination['title']));
echo '[{"from_folder":"' . $dataSource['id_tree'] . '" , "to_folder":"' . $_POST['folder_id'] . '"}]';
break;
/*
* CASE
* Send email
*/
/*
* CASE
* Send email
*/
break;
#CASE auto update server password
#CASE auto update server password
case "server_auto_update_password":
if ($_POST['key'] != $_SESSION['key']) {
echo '[{"error" : "something_wrong"}]';
break;
}
// decrypt and retreive data in JSON format
$dataReceived = prepareExchangedData($_POST['data'], "decode");
// get data about item
$dataItem = DB::queryfirstrow("SELECT label, login, pw, pw_iv, url\n FROM " . prefix_table("items") . "\n WHERE id=%i", $dataReceived['currentId']);
// decrypt password
$oldPwClear = cryption($dataItem['pw'], SALT, $dataItem['pw_iv'], "decrypt");
// encrypt new password
$encrypt = cryption($dataReceived['new_pwd'], SALT, "", "encrypt");
// connect ot server with ssh
$ret = "";
stream_resolve_include_path($_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Authentication/phpseclib/Crypt/RC4.php');
include $_SESSION['settings']['cpassman_dir'] . '/includes/libraries/Authentication/phpseclib/Net/SSH2.php';
$parse = parse_url($dataItem['url']);
if (!isset($parse['host']) || empty($parse['host']) || !isset($parse['host']) || empty($parse['host'])) {
// error in parsing the url
echo prepareExchangedData(array("error" => "Parsing URL failed.<br />Ensure the URL is well written!</i>", "text" => ""), "encode");
break;
} else {
$ssh = new Net_SSH2($parse['host'], $parse['port']);
if (!$ssh->login($dataReceived['ssh_root'], $dataReceived['ssh_pwd'])) {
echo prepareExchangedData(array("error" => "Login failed.<br />Error description: <i>" . $_SESSION['sshError'] . "</i>", "text" => ""), "encode");
break;
} else {
$dataReceived = prepareExchangedData($_POST['data'], "decode");
// Prepare variables
$id = noHTML(htmlspecialchars_decode($dataReceived['id']));
// get item info
$dataItem = DB::queryFirstRow("SELECT *\n FROM " . prefix_table("items") . "\n WHERE id=%i", $id);
// get item history
$history = '<table style="margin:0px; width:100%; border-collapse: collapse; background-color:#D4D5D5;" cellspacing="0" cellpadding="1">';
$rows = DB::query("SELECT l.date as date, l.action as action, l.raison as raison, l.raison_iv AS raison_iv,\n u.login as login, u.avatar_thumb as avatar_thumb\n FROM " . prefix_table("log_items") . " as l\n LEFT JOIN " . prefix_table("users") . " as u ON (l.id_user=u.id)\n WHERE id_item=%i AND action <> %s\n ORDER BY date ASC", $id, "at_shown");
foreach ($rows as $record) {
$reason = explode(':', $record['raison']);
if ($record['action'] == "at_modification" && $reason[0] == "at_pw ") {
// check if item is PF
if ($dataItem['perso'] != 1) {
$reason[1] = cryption($reason[1], SALT, $record['raison_iv'], "decrypt");
} else {
$reason[1] = cryption($reason[1], $_SESSION['my_sk'], $record['raison_iv'], "decrypt");
}
$reason[1] = @$reason[1]['string'];
// if not UTF8 then cleanup and inform that something is wrong with encrytion/decryption
if (!isUTF8($reason[1]) || is_array($reason[1])) {
$reason[1] = "";
}
}
// imported via API
if ($record['login'] == "") {
$record['login'] = $LANG['imported_via_api'];
}
if (!empty($reason[1]) || $record['action'] == "at_copy" || $record['action'] == "at_creation" || $record['action'] == "at_manual" || $record['action'] == "at_modification" || $record['action'] == "at_delete" || $record['action'] == "at_restored") {
$avatar = isset($record['avatar_thumb']) && !empty($record['avatar_thumb']) ? $_SESSION['settings']['cpassman_url'] . '/includes/avatars/' . $record['avatar_thumb'] : $_SESSION['settings']['cpassman_url'] . '/includes/images/photo.jpg';
$history .= '<tr style="">' . '<td rowspan="2" style="width:40px;"><img src="' . $avatar . '" style="border-radius:20px; height:35px;"></td>' . '<td colspan="2" style="font-size:11px;"><i>' . $LANG['by'] . ' ' . $record['login'] . ' ' . $LANG['at'] . ' ' . date($_SESSION['settings']['date_format'] . ' ' . $_SESSION['settings']['time_format'], $record['date']) . '</i></td></tr>' . '<tr style="border-bottom:3px solid #C9C9C9;"><td style="width:100px;"><b>' . $LANG[$record['action']] . '</b></td>' . '<td style="">' . (!empty($record['raison']) ? count($reason) > 1 ? $LANG[trim($reason[0])] . ' : ' . handleBackslash($reason[1]) : ($record['action'] == "at_manual" ? $reason[0] : $LANG[trim($reason[0])]) : '') . '</td>' . '</tr>' . '<tr></tr>';
}