$homepage = $tmp[0] . '?' . implode('&', $tmp3); // and redirect. $homepage = html_entity_decode($homepage); redirect($homepage); } } return; #redirect("index.php"); } else { if (isset($_POST['loginsubmit'])) { //No error if changing languages $error .= lang('usernameincorrect'); debug_buffer("Login failed. Error is: " . $error); Events::SendEvent('Core', 'LoginFailed', array('user' => $_POST['username'])); // put mention into the admin log $ip_login_failed = cms_utils::get_real_ip(); if ($ip_login_failed) { // <- Silently ignore audit if return values is not ture, had admin XSS vulne. audit('', '(IP: ' . $ip_login_failed . ') ' . "Admin Username: "******"loginsubmit"]); } } } // Language shizzle cms_admin_sendheaders(); header("Content-Language: " . CmsNlsOperations::get_current_language()); //CHANGED
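/**
 * Put an event into the audit (admin) log. This should be
 * done on most admin events for consistency.
 *
 * The acting user is resolved from the session: an admin session
 * (cms_admin_user_id) takes precedence over a frontend login session
 * (login_user_id), and cms_admin_username, when present, overrides whatever
 * username was resolved. The client IP is only recorded for admin sessions.
 *
 * Values are written through bound parameters exactly as passed; nothing is
 * HTML-escaped here, so any code that displays the log must escape every
 * column (username, item_name, action, ip_addr) at render time.
 *
 * @since 0.3
 * @param integer|string $itemid   The item id (perhaps a content id, or a record id from a module);
 *                                 '' or null is recorded as -1
 * @param string         $itemname The item name (perhaps Content, or the module name)
 * @param string         $action   The action that needs to be audited
 * @return void
 */
function audit($itemid, $itemname, $action)
{
    $db = cmsms()->GetDb();
    $userid = 0;
    $username = '';
    $ip_addr = '';

    // Strict check: the former loose `$itemid == ''` test also matched a
    // genuine item id of 0 on PHP < 8 and silently recorded it as -1.
    if ($itemid === '' || $itemid === null) {
        $itemid = -1;
    }

    if (isset($_SESSION["cms_admin_user_id"])) {
        $userid = $_SESSION["cms_admin_user_id"];
        // NOTE(review): if get_real_ip() honours proxy headers, this value is
        // client-supplied and must not be relied on for forensics — confirm.
        $ip_addr = cms_utils::get_real_ip();
    } elseif (isset($_SESSION['login_user_id'])) {
        $userid = $_SESSION['login_user_id'];
        // The username key is not guaranteed to exist alongside the id;
        // avoid an undefined-index notice and record an empty name instead.
        $username = isset($_SESSION['login_user_username']) ? $_SESSION['login_user_username'] : '';
    }

    if (isset($_SESSION["cms_admin_username"])) {
        $username = $_SESSION["cms_admin_username"];
    }

    // A session may carry an empty id; normalise it to the anonymous user (0).
    // The previous `!isset($userid)` guard was always false here and is dropped.
    if ($userid === '' || $userid === null) {
        $userid = 0;
    }

    // Parameterised insert: all values are bound, never interpolated.
    $query = "INSERT INTO " . cms_db_prefix() . "adminlog (timestamp, user_id, username, item_id, item_name, action, ip_addr) VALUES (?,?,?,?,?,?,?)";
    $db->Execute($query, array(time(), $userid, $username, $itemid, $itemname, $action, $ip_addr));
}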