Go to most recent revision | Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
1 | daniel-mar | 1 | <?php |
2 | |||
3 | if (!defined('WBLEGAL')) die('Kann nicht ohne Personal WebBase ausgeführt werden.'); |
||
4 | |||
5 | // Personal WebBase-Spezifischer Session-Abschnitt |
||
6 | |||
7 | // http://de3.php.net/md5: Alexander Valyalkin |
||
8 | |||
9 | function get_rnd_iv($iv_len) |
||
10 | { |
||
11 | $iv = ''; |
||
12 | while ($iv_len-- > 0) { |
||
13 | $iv .= chr(mt_rand() & 0xff); |
||
14 | } |
||
15 | return $iv; |
||
16 | } |
||
17 | |||
18 | function wb_encrypt($plain_text, $password, $iv_len = 16) |
||
19 | { |
||
20 | $plain_text .= "\x13"; |
||
21 | $n = strlen($plain_text); |
||
22 | if ($n % 16) $plain_text .= str_repeat("\0", 16 - ($n % 16)); |
||
23 | $i = 0; |
||
24 | $enc_text = get_rnd_iv($iv_len); |
||
25 | $iv = substr($password ^ $enc_text, 0, 512); |
||
26 | while ($i < $n) { |
||
27 | $block = substr($plain_text, $i, 16) ^ pack('H*', md5($iv)); |
||
28 | $enc_text .= $block; |
||
29 | $iv = substr($block . $iv, 0, 512) ^ $password; |
||
30 | $i += 16; |
||
31 | } |
||
32 | return base64_encode($enc_text); |
||
33 | } |
||
34 | |||
35 | function wb_decrypt($enc_text, $password, $iv_len = 16) |
||
36 | { |
||
37 | $enc_text = base64_decode($enc_text); |
||
38 | $n = strlen($enc_text); |
||
39 | $i = $iv_len; |
||
40 | $plain_text = ''; |
||
41 | $iv = substr($password ^ substr($enc_text, 0, $iv_len), 0, 512); |
||
42 | while ($i < $n) { |
||
43 | $block = substr($enc_text, $i, 16); |
||
44 | $plain_text .= $block ^ pack('H*', md5($iv)); |
||
45 | $iv = substr($block . $iv, 0, 512) ^ $password; |
||
46 | $i += 16; |
||
47 | } |
||
48 | return preg_replace('/\\x13\\x00*$/', '', $plain_text); |
||
49 | } |
||
50 | |||
51 | global $WBConfig; |
||
52 | |||
53 | if ($WBConfig->getLockFlag()) |
||
54 | { |
||
55 | die('<h1>Personal WebBase ist gesperrt</h1>Die Variable "$lock" in "includes/config.inc.php" steht auf 1 bzw. true. Setzen Sie diese Variable erst auf 0, wenn das Hochladen der Dateien beim Installations- bzw. Updateprozess beendet ist. Wenn Sie Personal WebBase freigeben, bevor der Upload abgeschlossen ist, kann es zu einer Beschädigung der Kundendatenbank kommen!'); |
||
56 | } |
||
57 | |||
58 | //@ini_set('session.auto_start', 0); |
||
59 | @ini_set('session.cache_expire', 180); |
||
60 | @ini_set('session.use_trans_sid', 0); |
||
61 | @ini_set('session.use_cookies', 1); |
||
62 | @ini_set('session.use_only_cookies', 1); |
||
63 | @ini_set('session.cookie_secure', $WBConfig->getForceSSLFlag()); |
||
64 | @ini_set('session.cookie_lifetime', 0); |
||
65 | @ini_set('session.gc_maxlifetime', 1440); |
||
66 | @ini_set('session.bug_compat_42', 0); |
||
67 | @ini_set('session.bug_compat_warn', 1); |
||
68 | if (version_compare(PHP_VERSION, '5.0.0', 'ge') && substr(PHP_OS, 0, 3) != 'WIN') |
||
69 | { |
||
70 | @ini_set('session.hash_function', 1); |
||
71 | @ini_set('session.hash_bits_per_character', 6); |
||
72 | } |
||
73 | @ini_set('session.save_handler', 'user'); |
||
74 | // @ini_set('session.save_path', '../../../includes/session/'); |
||
75 | // @ini_set('arg_separator.output', '&'); |
||
76 | // @ini_set('url_rewriter.tags', 'a=href,area=href,frame=src,input=src,fieldset='); |
||
77 | |||
78 | $wb_session_name = 'webbase'; |
||
79 | |||
80 | @session_unset(); |
||
81 | @session_destroy(); |
||
82 | |||
83 | // wb_newdatabasetable('sessions', $m2, 'session_id', "varchar(255) NOT NULL", |
||
84 | // 'last_updated', "datetime NOT NULL", |
||
85 | // 'data_value', "text"); |
||
86 | |||
87 | function sessao_open($aSavaPath, $aSessionName) |
||
88 | { |
||
89 | sessao_gc( ini_get('session.gc_maxlifetime') ); |
||
90 | return True; |
||
91 | } |
||
92 | |||
93 | function sessao_close() |
||
94 | { |
||
95 | return True; |
||
96 | } |
||
97 | |||
98 | function sessao_read( $aKey ) |
||
99 | { |
||
100 | global $WBConfig; |
||
101 | |||
102 | $wb_conn = @mysql_connect($WBConfig->getMySQLServer(), $WBConfig->getMySQLUsername(), $WBConfig->getMySQLPassword()); |
||
103 | $wb_selc = @mysql_select_db($WBConfig->getMySQLDatabase(), $wb_conn); |
||
104 | |||
105 | $busca = mysql_query("SELECT `data_value` FROM `".$WBConfig->getMySQLPrefix()."sessions` WHERE `session_id` = '".mysql_real_escape_string($aKey)."'"); |
||
106 | if (mysql_num_rows($busca) == 0) |
||
107 | { |
||
108 | mysql_query("INSERT INTO `".$WBConfig->getMySQLPrefix()."sessions` (`session_id`, `last_updated`, `data_value`) VALUES ('".mysql_real_escape_string($aKey)."', NOW(), '')"); |
||
109 | |||
110 | @mysql_close($wb_conn); |
||
111 | |||
112 | return ''; |
||
113 | } |
||
114 | else |
||
115 | { |
||
116 | $r = mysql_fetch_array($busca); |
||
117 | |||
118 | @mysql_close($wb_conn); |
||
119 | |||
120 | return wb_decrypt($r['data_value'], $WBConfig->getMySQLUsername().':'.$WBConfig->getMySQLPassword()); |
||
121 | } |
||
122 | } |
||
123 | |||
124 | function sessao_write( $aKey, $aVal ) |
||
125 | { |
||
126 | global $WBConfig; |
||
127 | |||
128 | $wb_conn = @mysql_connect($WBConfig->getMySQLServer(), $WBConfig->getMySQLUsername(), $WBConfig->getMySQLPassword()); |
||
129 | $wb_selc = @mysql_select_db($WBConfig->getMySQLDatabase(), $wb_conn); |
||
130 | |||
131 | mysql_query("UPDATE `".$WBConfig->getMySQLPrefix()."sessions` SET `data_value` = '".wb_encrypt($aVal, $WBConfig->getMySQLUsername().':'.$WBConfig->getMySQLPassword())."', `last_updated` = NOW() WHERE `session_id` = '".mysql_real_escape_string($aKey)."'"); |
||
132 | |||
133 | @mysql_close($wb_conn); |
||
134 | |||
135 | return True; |
||
136 | } |
||
137 | |||
138 | function sessao_destroy( $aKey ) |
||
139 | { |
||
140 | global $WBConfig; |
||
141 | |||
142 | $wb_conn = @mysql_connect($WBConfig->getMySQLServer(), $WBConfig->getMySQLUsername(), $WBConfig->getMySQLPassword()); |
||
143 | $wb_selc = @mysql_select_db($WBConfig->getMySQLDatabase(), $wb_conn); |
||
144 | |||
145 | mysql_query("DELETE FROM `".$WBConfig->getMySQLPrefix()."sessions` WHERE `session_id` = '".mysql_real_escape_string($aKey)."'"); |
||
146 | if (mysql_affected_rows() > 0) |
||
147 | mysql_query("OPTIMIZE TABLE `".$WBConfig->getMySQLPrefix()."sessions`"); |
||
148 | |||
149 | @mysql_close($wb_conn); |
||
150 | |||
151 | return True; |
||
152 | } |
||
153 | |||
154 | function sessao_gc( $aMaxLifeTime ) |
||
155 | { |
||
156 | global $WBConfig; |
||
157 | |||
158 | $wb_conn = @mysql_connect($WBConfig->getMySQLServer(), $WBConfig->getMySQLUsername(), $WBConfig->getMySQLPassword()); |
||
159 | $wb_selc = @mysql_select_db($WBConfig->getMySQLDatabase(), $wb_conn); |
||
160 | |||
161 | mysql_query("DELETE FROM `".$WBConfig->getMySQLPrefix()."sessions` WHERE UNIX_TIMESTAMP(NOW()) - UNIX_TIMESTAMP(`last_updated`) > ".mysql_real_escape_string($aMaxLifeTime)); |
||
162 | if (mysql_affected_rows() > 0) |
||
163 | mysql_query("OPTIMIZE TABLE `".$WBConfig->getMySQLPrefix()."sessions`"); |
||
164 | |||
165 | @mysql_close($wb_conn); |
||
166 | |||
167 | return True; |
||
168 | } |
||
169 | |||
170 | @session_set_save_handler("sessao_open", "sessao_close", "sessao_read", "sessao_write", "sessao_destroy", "sessao_gc"); |
||
171 | |||
172 | if (isset($_COOKIE[$wb_session_name])) @session_id($_COOKIE[$wb_session_name]); |
||
173 | @session_name($wb_session_name); |
||
174 | @session_start(); |
||
175 | |||
176 | if ((!isset($_SESSION['wb_user_type'])) || ((isset($_SESSION['wb_user_type'])) && ($_SESSION['wb_user_type'] == ''))) |
||
177 | { |
||
178 | die('<script language="JavaScript"> |
||
179 | <!-- |
||
180 | alert("Sie sind nicht mehr in Personal WebBase eingeloggt!"); |
||
181 | parent.window.close(); |
||
182 | // --> |
||
183 | </script>'); |
||
184 | |||
185 | } |
||
186 | |||
187 | if (version_compare(PHP_VERSION, '5.1.2', 'lt') && isset($_COOKIE[$session_name]) && eregi("\r|\n", $_COOKIE[$session_name])) |
||
188 | { |
||
189 | die('Angriff'); |
||
190 | } |
||
191 | |||
192 | // http://lists.phpbar.de/pipermail/php/Week-of-Mon-20040322/007749.html |
||
193 | // Entnommen von functions.inc.php |
||
194 | |||
195 | function fetchip() |
||
196 | { |
||
197 | $client_ip = (isset($_SERVER['HTTP_CLIENT_IP'])) ? $_SERVER['HTTP_CLIENT_IP'] : ''; |
||
198 | $x_forwarded_for = (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : ''; |
||
199 | $remote_addr = (isset($_SERVER['REMOTE_ADDR'])) ? $_SERVER['REMOTE_ADDR'] : ''; |
||
200 | |||
201 | if (!empty($client_ip)) |
||
202 | { |
||
203 | $ip_expl = explode('.',$client_ip); |
||
204 | $referer = explode('.',$remote_addr); |
||
205 | if($referer[0] != $ip_expl[0]) |
||
206 | { |
||
207 | $ip=array_reverse($ip_expl); |
||
208 | $return=implode('.',$ip); |
||
209 | } |
||
210 | else |
||
211 | { |
||
212 | $return = $client_ip; |
||
213 | } |
||
214 | } |
||
215 | else if (!empty($x_forwarded_for)) |
||
216 | { |
||
217 | if(strstr($x_forwarded_for,',')) |
||
218 | { |
||
219 | $ip_expl = explode(',',$x_forwarded_for); |
||
220 | $return = end($ip_expl); |
||
221 | } |
||
222 | else |
||
223 | { |
||
224 | $return = $x_forwarded_for; |
||
225 | } |
||
226 | } |
||
227 | else |
||
228 | { |
||
229 | $return = $remote_addr; |
||
230 | } |
||
231 | unset ($client_ip, $x_forwarded_for, $remote_addr, $ip_expl); |
||
232 | return $return; |
||
233 | } |
||
234 | |||
235 | $usedns = TRUE; |
||
236 | |||
237 | $useragent = $_SERVER['HTTP_USER_AGENT']; |
||
238 | $host = fetchip(); |
||
239 | |||
240 | if ($usedns) // <- war im Originalen $global['dns']... was soll das sein?! |
||
241 | $dns = @gethostbyaddr($host); |
||
242 | else |
||
243 | $dns = $host; |
||
244 | |||
245 | if ((isset($_SESSION['session_secured'])) && ($_SESSION['session_secured'])) |
||
246 | { |
||
247 | if ( |
||
248 | (($_SESSION['host'] != $host) && !$usedns) |
||
249 | || ($_SESSION['dns'] != $dns) |
||
250 | || ($_SESSION['useragent'] != $useragent) |
||
251 | ) { |
||
252 | session_regenerate_id(); |
||
253 | session_unset(); |
||
254 | } |
||
255 | } else { |
||
256 | $_SESSION['host'] = $host; |
||
257 | $_SESSION['dns'] = $dns; |
||
258 | $_SESSION['useragent'] = $useragent; |
||
259 | $_SESSION['session_secured'] = 1; |
||
260 | } |
||
261 | |||
262 | // Ende Personal WebBase-Abschnitt |
||
263 | |||
264 | ?> |