$value) { if (strpos($value, 'index.php') !== false || $flag_url) { $flag_url = 1; unset($url[$key]); } else if (strpos($value, 'enterprise') !== false || $flag_url) { $flag_url = 1; unset($url[$key]); } } $config['homeurl'] = rtrim(join('/', $url), '/'); $config['homeurl_static'] = $config['homeurl']; $login_screen = 'error_noconfig'; $ownDir = dirname(__FILE__).DIRECTORY_SEPARATOR; $config['homedir'] = $ownDir; include 'general/error_screen.php'; exit; } else { include 'install.php'; exit; } } if (filesize('include/config.php') == 0) { include 'install.php'; exit; } if (isset($_POST['rename_file']) === true) { $rename_file_install = (bool) $_POST['rename_file']; if ($rename_file_install === true) { $salida_rename = rename('install.php', 'install_old.php'); } } // Check installer presence. if (file_exists('install.php') === true) { $login_screen = 'error_install'; include 'general/error_screen.php'; exit; } // Check perms for config.php. if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') { if ((substr(sprintf('%o', fileperms('include/config.php')), -4) !== '0600') && (substr(sprintf('%o', fileperms('include/config.php')), -4) !== '0660') && (substr(sprintf('%o', fileperms('include/config.php')), -4) !== '0640') ) { $url = explode('/', $_SERVER['REQUEST_URI']); $flag_url = 0; foreach ($url as $key => $value) { if (strpos($value, 'index.php') !== false || $flag_url) { $flag_url = 1; unset($url[$key]); } else if (strpos($value, 'enterprise') !== false || $flag_url) { $flag_url = 1; unset($url[$key]); } } $config['homeurl'] = rtrim(join('/', $url), '/'); $config['homeurl_static'] = $config['homeurl']; $ownDir = dirname(__FILE__).DIRECTORY_SEPARATOR; $config['homedir'] = $ownDir; $login_screen = 'error_perms'; include 'general/error_screen.php'; exit; } } } if ((file_exists('include/config.php') === false) || (is_readable('include/config.php') === false) ) { $login_screen = 'error_noconfig'; include 'general/error_screen.php'; exit; } /* * DO NOT CHANGE ORDER OF FOLLOWING REQUIRES. */ require_once 'include/config.php'; require_once 'include/functions_config.php'; if (isset($config['console_log_enabled']) === true && (int) $config['console_log_enabled'] === 1) { ini_set('log_errors', 1); ini_set('error_log', $config['homedir'].'/log/console.log'); } else { ini_set('log_errors', 0); ini_set('error_log', ''); } if (isset($config['error']) === true) { $login_screen = $config['error']; include 'general/error_screen.php'; exit; } // If metaconsole activated, redirect to it. if (is_metaconsole() === true) { header('Location: '.ui_get_full_url('index.php')); // Always exit after sending location headers. exit; } if (file_exists(ENTERPRISE_DIR.'/include/functions_login.php') === true) { include_once ENTERPRISE_DIR.'/include/functions_login.php'; } if (empty($config['https']) === false && empty($_SERVER['HTTPS']) === true) { $query = ''; if (count($_REQUEST) > 0) { // Some (old) browsers don't like the ?&key=var. $query .= '?1=1'; } // We don't clean these variables up as they're only being passed along. foreach ($_GET as $key => $value) { if ($key == 1) { continue; } $query .= '&'.$key.'='.$value; } foreach ($_POST as $key => $value) { $query .= '&'.$key.'='.$value; } $url = ui_get_full_url($query); // Prevent HTTP response splitting attacks // http://en.wikipedia.org/wiki/HTTP_response_splitting. $url = str_replace("\n", '', $url); header('Location: '.$url); // Always exit after sending location headers. exit; } // Pure mode (without menu, header and footer). $config['pure'] = (bool) get_parameter('pure'); // Auto Refresh page (can now be disabled anywhere in the script). if (get_parameter('refr') != null) { $config['refr'] = (int) get_parameter('refr'); } // Get possible errors with files. $errorFileOutput = (string) get_parameter('errorFileOutput'); $delete_file = get_parameter('del_file'); if ($delete_file === 'yes_delete') { $salida_delete = shell_exec('rm /var/www/html/pandora_console/install.php'); } ob_start(); echo ''."\n"; echo ''."\n"; echo '
'."\n"; // This starts the page head. In the callback function, // $page['head'] array content will be processed into the head. ob_start('ui_process_page_head'); // Enterprise main. enterprise_include_once('index.php'); // Load event.css to display the about section dialog with correct styles. echo ''; echo ''; // This tag is included in the buffer passed to ui_process_page_head so // technically it can be stripped. echo ''."\n"; require_once 'include/functions_themes.php'; ob_start('ui_process_page_body'); ui_require_javascript_file('pandora'); $config['remote_addr'] = $_SERVER['REMOTE_ADDR']; $sec2 = get_parameter_get('sec2'); $sec2 = safe_url_extraclean($sec2); $page = $sec2; // Reference variable for old time sake. $sec = get_parameter_get('sec'); $sec = safe_url_extraclean($sec); // CSRF Validation. $validatedCSRF = validate_csrf_code(); $process_login = false; // Update user password. $change_pass = (int) get_parameter_post('renew_password'); if ($change_pass === 1) { $password_old = (string) get_parameter_post('old_password', ''); $password_new = (string) get_parameter_post('new_password', ''); $password_confirm = (string) get_parameter_post('confirm_new_password', ''); $id = (string) get_parameter_post('login', ''); $changed_pass = login_update_password_check($password_old, $password_new, $password_confirm, $id); } $minor_release_message = false; $searchPage = false; $search = get_parameter_get('head_search_keywords'); if (strlen($search) > 0) { $config['search_keywords'] = io_safe_input(trim(io_safe_output(get_parameter('keywords')))); // If not search category providad, we'll use an agent search. $config['search_category'] = get_parameter('search_category', 'all'); if (($config['search_keywords'] !== 'Enter keywords to search') && (strlen($config['search_keywords']) > 0)) { $searchPage = true; } } // Login process. enterprise_include_once('include/auth/saml.php'); if (isset($config['id_user']) === false) { // Clear error messages. unset($_COOKIE['errormsg']); setcookie('errormsg', null, -1); if (isset($_GET['login']) === true) { include_once 'include/functions_db.php'; // Include it to use escape_string_sql function. $config['auth_error'] = ''; // Set this to the error message from the authorization mechanism. $nick = get_parameter_post('nick'); // This is the variable with the login. $pass = get_parameter_post('pass'); // This is the variable with the password. $nick = db_escape_string_sql($nick); $pass = db_escape_string_sql($pass); // Since now, only the $pass variable are needed. unset($_GET['pass'], $_POST['pass'], $_REQUEST['pass']); // IP allowed check. $user_info = users_get_user_by_id($nick); if ((bool) $user_info['allowed_ip_active'] === true) { $userIP = $_SERVER['REMOTE_ADDR']; $allowedIP = false; $arrayIP = explode(',', $user_info['allowed_ip_list']); // By default, if the IP definition is no correct, allows all. if (empty($arrayIP) === true) { $allowedIP = true; } else { $allowedIP = checkIPInRange($arrayIP, $userIP); } if ($allowedIP === false) { $config['auth_error'] = 'IP not allowed'; $login_failed = true; include_once 'general/login_page.php'; db_pandora_audit( AUDIT_LOG_USER_REGISTRATION, sprintf( 'IP %s not allowed for user %s', $userIP, $nick ), $nick ); while (ob_get_length() > 0) { ob_end_flush(); } exit(''); } } // If the auth_code exists, we assume the user has come from // double authorization page. if (isset($_POST['auth_code']) === true) { $double_auth_success = false; // The double authentication is activated and the user has // surpassed the first step (the login). // Now the authentication code provided will be checked. if (isset($_SESSION['prepared_login_da']) === true) { if (isset($_SESSION['prepared_login_da']['id_user']) === true && isset($_SESSION['prepared_login_da']['timestamp']) === true ) { // The user has a maximum of 5 minutes to introduce // the double auth code. $dauth_period = SECONDS_2MINUTES; $now = time(); $dauth_time = $_SESSION['prepared_login_da']['timestamp']; if (($now - $dauth_period) < $dauth_time) { // Nick. $nick = $_SESSION['prepared_login_da']['id_user']; // Code. $code = (string) get_parameter_post('auth_code'); if (empty($code) === false) { $result = validate_double_auth_code($nick, $code); if ($result === true) { // Double auth success. $double_auth_success = true; } else { // Screen. $login_screen = 'double_auth'; // Error message. $config['auth_error'] = __('Invalid code'); if (isset($_SESSION['prepared_login_da']['attempts']) === false) { $_SESSION['prepared_login_da']['attempts'] = 0; } $_SESSION['prepared_login_da']['attempts']++; } } else { // Screen. $login_screen = 'double_auth'; // Error message. $config['auth_error'] = __("The code shouldn't be empty"); if (isset($_SESSION['prepared_login_da']['attempts']) !== false) { $_SESSION['prepared_login_da']['attempts'] = 0; } $_SESSION['prepared_login_da']['attempts']++; } } else { // Expired login. unset($_SESSION['prepared_login_da']); // Error message. $config['auth_error'] = __('Expired login'); } } else { // If the code doesn't exist, remove the prepared login. unset($_SESSION['prepared_login_da']); // Error message. $config['auth_error'] = __('Login error'); } } else { // If $_SESSION['prepared_login_da'] doesn't exist, the user // must login again. // Error message. $config['auth_error'] = __('Login error'); } // Remove the authenticator code. unset($_POST['auth_code'], $code); if (!$double_auth_success) { $config['auth_error'] = __('Double auth error'); $login_failed = true; include_once 'general/login_page.php'; db_pandora_audit( AUDIT_LOG_USER_REGISTRATION, 'Invalid double auth login: '.$_SERVER['REMOTE_ADDR'], $_SERVER['REMOTE_ADDR'] ); while (ob_get_length() > 0) { ob_end_flush(); } exit('