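$value) {
                // Drop 'index.php', 'enterprise' and everything after them
                // so only the console base path is left for homeurl.
                if (strpos($value, 'index.php') !== false || $flag_url) {
                    $flag_url = 1;
                    unset($url[$key]);
                } else if (strpos($value, 'enterprise') !== false || $flag_url) {
                    $flag_url = 1;
                    unset($url[$key]);
                }
            }

            $config['homeurl'] = rtrim(implode('/', $url), '/');
            $config['homeurl_static'] = $config['homeurl'];
            $login_screen = 'error_noconfig';
            $ownDir = dirname(__FILE__).DIRECTORY_SEPARATOR;
            $config['homedir'] = $ownDir;
            include 'general/error_screen.php';
            exit;
        } else {
            include 'install.php';
            exit;
        }
    }

    // An empty config.php means the installer never completed.
    if (filesize('include/config.php') == 0) {
        include 'install.php';
        exit;
    }

    // The installer can ask to be moved out of the way once it is done.
    // NOTE(review): install_old.php stays inside the web root; confirm the
    // web server cannot execute it.
    if (isset($_POST['rename_file'])) {
        $rename_file_install = (bool) $_POST['rename_file'];
        if ($rename_file_install) {
            $salida_rename = rename('install.php', 'install_old.php');
        }
    }

    // Check installer presence.
    if (file_exists('install.php')) {
        $login_screen = 'error_install';
        include 'general/error_screen.php';
        exit;
    }

    // Check perms for config.php: it holds DB credentials, so only the
    // owner (and optionally the group) may read it.
    if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') {
        // Last four octal digits of the mode, e.g. '0640'.
        $config_perms = substr(sprintf('%o', fileperms('include/config.php')), -4);
        if (in_array($config_perms, ['0600', '0660', '0640'], true) === false) {
            $url = explode('/', $_SERVER['REQUEST_URI']);
            $flag_url = 0;
            foreach ($url as $key => $value) {
                if (strpos($value, 'index.php') !== false || $flag_url) {
                    $flag_url = 1;
                    unset($url[$key]);
                } else if (strpos($value, 'enterprise') !== false || $flag_url) {
                    $flag_url = 1;
                    unset($url[$key]);
                }
            }

            $config['homeurl'] = rtrim(implode('/', $url), '/');
            $config['homeurl_static'] = $config['homeurl'];
            $ownDir = dirname(__FILE__).DIRECTORY_SEPARATOR;
            $config['homedir'] = $ownDir;
            $login_screen = 'error_perms';
            include 'general/error_screen.php';
            exit;
        }
    }
}

if ((! file_exists('include/config.php'))
    || (! is_readable('include/config.php'))
) {
    $login_screen = 'error_noconfig';
    include 'general/error_screen.php';
    exit;
}

/*
 * DO NOT CHANGE ORDER OF FOLLOWING REQUIRES.
 */
require_once 'include/config.php';
require_once 'include/functions_config.php';

if (isset($config['error'])) {
    $login_screen = $config['error'];
    include 'general/error_screen.php';
    exit;
}

// If metaconsole activated, redirect to it.
if (is_metaconsole()) {
    header('Location: '.ui_get_full_url('index.php'));
    // Always exit after sending location headers.
    exit;
}

if (file_exists(ENTERPRISE_DIR.'/include/functions_login.php')) {
    include_once ENTERPRISE_DIR.'/include/functions_login.php';
}

if (!empty($config['https']) && empty($_SERVER['HTTPS'])) {
    // Rebuild the query string of the current request so the HTTPS
    // redirect lands on the same page with the same parameters.
    $query = '';
    if (count($_REQUEST)) {
        // Some (old) browsers don't like the ?&key=var.
        $query .= '?1=1';
    }

    // Re-encode every forwarded pair: $_GET/$_POST values are already
    // URL-decoded, so concatenating them raw corrupts values containing
    // '&', '=', '#' or whitespace and puts request data into the Location
    // header unencoded. http_build_query() also handles array-valued
    // parameters (a[]=1), which a plain string concat renders as "Array".
    foreach ($_GET as $key => $value) {
        if ($key == 1) {
            // The '1=1' marker added above.
            continue;
        }

        $query .= '&'.http_build_query([$key => $value]);
    }

    // NOTE(review): POST fields (including any login form fields) are
    // re-sent as query-string parameters of a GET redirect, where they can
    // end up in server/proxy logs and browser history — verify whether
    // sensitive fields should be dropped here instead.
    foreach ($_POST as $key => $value) {
        $query .= '&'.http_build_query([$key => $value]);
    }

    $url = ui_get_full_url($query);
    // Prevent HTTP response splitting: strip CR as well as LF before the
    // value reaches header().
    // http://en.wikipedia.org/wiki/HTTP_response_splitting.
    $url = str_replace(["\r", "\n"], '', $url);
    header('Location: '.$url);
    // Always exit after sending location headers.
    exit;
}

// Pure mode (without menu, header and footer).
$config['pure'] = (bool) get_parameter('pure');

// Auto Refresh page (can now be disabled anywhere in the script).
if (get_parameter('refr') != null) {
    $config['refr'] = (int) get_parameter('refr');
}

$delete_file = get_parameter('del_file');
if ($delete_file == 'yes_delete') {
    // Remove the installer from this console's own directory. unlink() on
    // the path derived from this file replaces shelling out to rm with a
    // hard-coded absolute path, which silently did nothing for consoles
    // installed anywhere else.
    $install_file = dirname(__FILE__).DIRECTORY_SEPARATOR.'install.php';
    $salida_delete = is_file($install_file) && unlink($install_file);
}

ob_start();
echo ''."\n";
echo ''."\n";
echo '
'."\n";

// This starts the page head. In the callback function,
// $page['head'] array content will be processed into the head.
ob_start('ui_process_page_head');

// Enterprise main.
enterprise_include('index.php');

echo '';
// This tag is included in the buffer passed to ui_process_page_head so
// technically it can be stripped.
echo ''."\n";

require_once 'include/functions_themes.php';

ob_start('ui_process_page_body');

$config['remote_addr'] = $_SERVER['REMOTE_ADDR'];

// Section selectors from the URL, cleaned before any use.
$sec2 = get_parameter_get('sec2');
$sec2 = safe_url_extraclean($sec2);
$page = $sec2;
// Reference variable for old time sake.
$sec = get_parameter_get('sec');
$sec = safe_url_extraclean($sec);

$process_login = false;

// Update user password.
$change_pass = get_parameter_post('renew_password', 0);

if ($change_pass == 1) {
    $password_old = (string) get_parameter_post('old_password', '');
    $password_new = (string) get_parameter_post('new_password', '');
    $password_confirm = (string) get_parameter_post('confirm_new_password', '');
    $id = (string) get_parameter_post('login', '');
    $changed_pass = login_update_password_check($password_old, $password_new, $password_confirm, $id);
}

$minor_release_message = false;

$searchPage = false;
$search = get_parameter_get('head_search_keywords');
if (strlen($search) > 0) {
    $config['search_keywords'] = io_safe_input(trim(io_safe_output(get_parameter('keywords'))));
    // If no search category is provided, we'll use an agent search.
    $config['search_category'] = get_parameter('search_category', 'all');
    if (($config['search_keywords'] != 'Enter keywords to search')
        && (strlen($config['search_keywords']) > 0)
    ) {
        $searchPage = true;
    }
}

// Login process.
if (! isset($config['id_user'])) {
    // Clear error messages.
    unset($_COOKIE['errormsg']);
    setcookie('errormsg', null, -1);

    if (isset($_GET['login'])) {
        include_once 'include/functions_db.php';
        // Include it to use escape_string_sql function.
        $config['auth_error'] = '';
        // Set this to the error message from the authorization mechanism.
        $nick = get_parameter_post('nick');
        // This is the variable with the login.
        $pass = get_parameter_post('pass');
        // This is the variable with the password.
        $nick = db_escape_string_sql($nick);
        // NOTE(review): escaping the password with db_escape_string_sql()
        // alters any password containing quotes or backslashes before it
        // reaches process_user_login(); parameterised queries in the auth
        // backend would make this unnecessary — confirm before removing it,
        // as stored hashes may depend on the escaped form.
        $pass = db_escape_string_sql($pass);
        // Since now, only the $pass variable are needed.
        unset($_GET['pass'], $_POST['pass'], $_REQUEST['pass']);

        // If the auth_code exists, we assume the user has come from
        // double authorization page.
        if (isset($_POST['auth_code'])) {
            $double_auth_success = false;
            // The double authentication is activated and the user has
            // surpassed the first step (the login).
            // Now the authentication code provided will be checked.
            if (isset($_SESSION['prepared_login_da'])) {
                if (isset($_SESSION['prepared_login_da']['id_user'])
                    && isset($_SESSION['prepared_login_da']['timestamp'])
                ) {
                    // The code must be entered within $dauth_period seconds
                    // of the first login step (SECONDS_2MINUTES — not the
                    // 5 minutes an older comment claimed).
                    $dauth_period = SECONDS_2MINUTES;
                    $now = time();
                    $dauth_time = $_SESSION['prepared_login_da']['timestamp'];
                    if (($now - $dauth_period) < $dauth_time) {
                        // Nick.
                        $nick = $_SESSION['prepared_login_da']['id_user'];
                        // Code.
                        $code = (string) get_parameter_post('auth_code');
                        if (!empty($code)) {
                            $result = validate_double_auth_code($nick, $code);
                            if ($result === true) {
                                // Double auth success.
                                $double_auth_success = true;
                            } else {
                                // Screen.
                                $login_screen = 'double_auth';
                                // Error message.
                                $config['auth_error'] = __('Invalid code');
                                // Count failed attempts in the session; the
                                // lockout that consumes this counter is not
                                // in this file.
                                if (!isset($_SESSION['prepared_login_da']['attempts'])) {
                                    $_SESSION['prepared_login_da']['attempts'] = 0;
                                }

                                $_SESSION['prepared_login_da']['attempts']++;
                            }
                        } else {
                            // Screen.
                            $login_screen = 'double_auth';
                            // Error message.
                            $config['auth_error'] = __("The code shouldn't be empty");
                            if (!isset($_SESSION['prepared_login_da']['attempts'])) {
                                $_SESSION['prepared_login_da']['attempts'] = 0;
                            }

                            $_SESSION['prepared_login_da']['attempts']++;
                        }
                    } else {
                        // Expired login.
                        unset($_SESSION['prepared_login_da']);
                        // Error message.
                        $config['auth_error'] = __('Expired login');
                    }
                } else {
                    // If the code doesn't exist, remove the prepared login.
                    unset($_SESSION['prepared_login_da']);
                    // Error message.
                    $config['auth_error'] = __('Login error');
                }
            } else {
                // If $_SESSION['prepared_login_da'] doesn't exist, the user
                // must login again.
                // Error message.
                $config['auth_error'] = __('Login error');
            }

            // Remove the authenticator code.
            unset($_POST['auth_code'], $code);

            if (!$double_auth_success) {
                $login_failed = true;
                include_once 'general/login_page.php';
                db_pandora_audit(
                    'Logon Failed',
                    'Invalid double auth login: '.$_SERVER['REMOTE_ADDR'],
                    $_SERVER['REMOTE_ADDR']
                );
                while (@ob_end_flush()) {
                    // Dumping...
                    continue;
                }

                exit('');
            }
        }

        $login_button_saml = get_parameter('login_button_saml', false);
        if (isset($double_auth_success) && $double_auth_success) {
            // These values are trusted because they were already verified
            // before the 2nd auth step completed.
            $nick_in_db = $_SESSION['prepared_login_da']['id_user'];
            $expired_pass = false;
        } else if (($config['auth'] == 'saml') && ($login_button_saml)) {
            $saml_configured = include_once $config['homedir'].'/'.ENTERPRISE_DIR.'/include/auth/saml.php';
            if (!$saml_configured) {
                include_once 'general/noaccesssaml.php';
            }

            $saml_user_id = saml_process_user_login();
            if (!$saml_user_id) {
                include_once 'general/noaccesssaml.php';
            }

            $nick_in_db = $saml_user_id;
            if (!$nick_in_db) {
                // No local user for this SAML identity: close the IdP
                // session as well so the user is not left half logged in.
                include_once $config['saml_path'].'simplesamlphp/lib/_autoload.php';
                $as = new SimpleSAML_Auth_Simple($config['saml_source']);
                $as->logout();
            }
        } else {
            // process_user_login is a virtual function which should be defined in each auth file.
            // It accepts username and password. The rest should be internal to the auth file.
            // The auth file can set $config["auth_error"] to an informative error output or reference their internal error messages to it
            // process_user_login should return false in case of errors or invalid login, the nickname if correct
            $nick_in_db = process_user_login($nick, $pass);
            $expired_pass = false;

            // Password policy (enterprise): admins are only subject to it
            // when enable_pass_policy_admin is set.
            if (($nick_in_db != false)
                && ((!is_user_admin($nick) || $config['enable_pass_policy_admin']))
                && (file_exists(ENTERPRISE_DIR.'/load_enterprise.php'))
                && ($config['enable_pass_policy'])
            ) {
                include_once ENTERPRISE_DIR.'/include/auth/mysql.php';
                $blocked = login_check_blocked($nick);
                if ($blocked) {
                    include_once 'general/login_page.php';
                    db_pandora_audit('Password expired', 'Password expired: '.$nick, $nick);
                    while (@ob_end_flush()) {
                        // Dumping...
                        continue;
                    }

                    exit('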