$value) { if (strpos($value, 'index.php') !== false || $flag_url) { $flag_url=1; unset($url[$key]); } else if(strpos($value, 'enterprise') !== false || $flag_url){ $flag_url=1; unset($url[$key]); } } $config["homeurl"] = rtrim(join("/", $url),"/"); $config["homeurl_static"] = $config["homeurl"]; $login_screen = 'error_noconfig'; $ownDir = dirname(__FILE__) . DIRECTORY_SEPARATOR; $config['homedir'] = $ownDir; require('general/error_screen.php'); exit; } else { include ("install.php"); exit; } } if (filesize("include/config.php") == 0) { include ("install.php"); exit; } if (isset($_POST["rename_file"])){ $rename_file_install = (bool)$_POST["rename_file"]; if ($rename_file_install) { $salida_rename = rename("install.php", "install_old.php"); } } // Check for installer presence if (file_exists ("install.php")) { $login_screen = 'error_install'; require('general/error_screen.php'); exit; } // Check perms for config.php if (strtoupper(substr(PHP_OS, 0, 3)) != 'WIN') { if ((substr (sprintf ('%o', fileperms('include/config.php')), -4) != "0600") && (substr (sprintf ('%o', fileperms('include/config.php')), -4) != "0660") && (substr (sprintf ('%o', fileperms('include/config.php')), -4) != "0640")) { $url = explode('/', $_SERVER['REQUEST_URI']); $flag_url =0; foreach ($url as $key => $value) { if (strpos($value, 'index.php') !== false || $flag_url) { $flag_url=1; unset($url[$key]); } else if(strpos($value, 'enterprise') !== false || $flag_url){ $flag_url=1; unset($url[$key]); } } $config["homeurl"] = rtrim(join("/", $url),"/"); $config["homeurl_static"] = $config["homeurl"]; $ownDir = dirname(__FILE__) . DIRECTORY_SEPARATOR; $config['homedir'] = $ownDir; $login_screen = 'error_perms'; require('general/error_screen.php'); exit; } } } if ((! file_exists ("include/config.php")) || (! is_readable ("include/config.php"))) { $login_screen = 'error_noconfig'; require('general/error_screen.php'); exit; } ////////////////////////////////////// //// PLEASE DO NOT CHANGE ORDER ////// ////////////////////////////////////// require_once ("include/config.php"); require_once ("include/functions_config.php"); if (isset($config["error"])) { $login_screen = $config["error"]; require('general/error_screen.php'); exit; } // If metaconsole activated, redirect to it if ($config['metaconsole'] == 1 && $config['enterprise_installed'] == 1) { header ("Location: " . $config['homeurl'] . "enterprise/meta"); exit; //Always exit after sending location headers } if (file_exists (ENTERPRISE_DIR . "/include/functions_login.php")) { include_once (ENTERPRISE_DIR . "/include/functions_login.php"); } //////////////////////////////////////// if (!empty ($config["https"]) && empty ($_SERVER['HTTPS'])) { $query = ''; if (sizeof ($_REQUEST)) //Some (old) browsers don't like the ?&key=var $query .= '?1=1'; //We don't clean these variables up as they're only being passed along foreach ($_GET as $key => $value) { if ($key == 1) continue; $query .= '&'.$key.'='.$value; } foreach ($_POST as $key => $value) { $query .= '&'.$key.'='.$value; } $url = ui_get_full_url($query); // Prevent HTTP response splitting attacks // http://en.wikipedia.org/wiki/HTTP_response_splitting $url = str_replace ("\n", "", $url); header ('Location: '.$url); exit; //Always exit after sending location headers } // Pure mode (without menu, header and footer). $config["pure"] = (bool) get_parameter ("pure"); // Auto Refresh page (can now be disabled anywhere in the script) if (get_parameter ("refr")) $config["refr"] = (int) get_parameter ("refr"); $delete_file = get_parameter("del_file"); if ($delete_file == 'yes_delete'){ $salida_delete = shell_exec('rm /var/www/html/pandora_console/install.php'); } ob_start (); echo '' . "\n"; echo '' . "\n"; echo '
' . "\n"; //This starts the page head. In the call back function, things from $page['head'] array will be processed into the head ob_start ('ui_process_page_head'); // Enterprise main enterprise_include ('index.php'); echo ''; // This tag is included in the buffer passed to ui_process_page_head so // technically it can be stripped echo '' . "\n"; require_once ("include/functions_themes.php"); ob_start ('ui_process_page_body'); $config["remote_addr"] = $_SERVER['REMOTE_ADDR']; $sec2 = get_parameter_get ('sec2'); $sec2 = safe_url_extraclean ($sec2); $page = $sec2; //Reference variable for old time sake $sec = get_parameter_get ('sec'); $sec = safe_url_extraclean ($sec); $process_login = false; // Update user password $change_pass = get_parameter_post('renew_password', 0); if ($change_pass == 1) { $password_old = (string) get_parameter_post ('old_password', ''); $password_new = (string) get_parameter_post ('new_password', ''); $password_confirm = (string) get_parameter_post ('confirm_new_password', ''); $id = (string) get_parameter_post ('login', ''); $changed_pass = login_update_password_check ($password_old, $password_new, $password_confirm, $id); } $minor_release_message = false; $searchPage = false; $search = get_parameter_get("head_search_keywords"); if (strlen($search) > 0) { $config['search_keywords'] = io_safe_input(trim(io_safe_output(get_parameter('keywords')))); // If not search category providad, we'll use an agent search $config['search_category'] = get_parameter('search_category', 'all'); if (($config['search_keywords'] != 'Enter keywords to search') && (strlen($config['search_keywords']) > 0)) $searchPage = true; } // Login process if (! isset ($config['id_user'])) { if (isset ($_GET["login"])) { include_once('include/functions_db.php'); //Include it to use escape_string_sql function $config["auth_error"] = ""; //Set this to the error message from the authorization mechanism $nick = get_parameter_post ("nick"); //This is the variable with the login $pass = get_parameter_post ("pass"); //This is the variable with the password $nick = db_escape_string_sql($nick); $pass = db_escape_string_sql($pass); //Since now, only the $pass variable are needed unset ($_GET['pass'], $_POST['pass'], $_REQUEST['pass']); // If the auth_code exists, we assume the user has come through the double auth page if (isset ($_POST['auth_code'])) { $double_auth_success = false; // The double authentication is activated and the user has surpassed the first step (the login). // Now the authentication code provided will be checked. if (isset ($_SESSION['prepared_login_da'])) { if (isset ($_SESSION['prepared_login_da']['id_user']) && isset ($_SESSION['prepared_login_da']['timestamp'])) { // The user has a maximum of 5 minutes to introduce the double auth code $dauth_period = SECONDS_2MINUTES; $now = time(); $dauth_time = $_SESSION['prepared_login_da']['timestamp']; if ($now - $dauth_period < $dauth_time) { // Nick $nick = $_SESSION["prepared_login_da"]['id_user']; // Code $code = (string) get_parameter_post ("auth_code"); if (!empty($code)) { $result = validate_double_auth_code($nick, $code); if ($result === true) { // Double auth success $double_auth_success = true; } else { // Screen $login_screen = 'double_auth'; // Error message $config["auth_error"] = __("Invalid code"); if (!isset($_SESSION['prepared_login_da']['attempts'])) $_SESSION['prepared_login_da']['attempts'] = 0; $_SESSION['prepared_login_da']['attempts']++; } } else { // Screen $login_screen = 'double_auth'; // Error message $config["auth_error"] = __("The code shouldn't be empty"); if (!isset($_SESSION['prepared_login_da']['attempts'])) $_SESSION['prepared_login_da']['attempts'] = 0; $_SESSION['prepared_login_da']['attempts']++; } } else { // Expired login unset ($_SESSION['prepared_login_da']); // Error message $config["auth_error"] = __('Expired login'); } } else { // If the code doesn't exist, remove the prepared login unset ($_SESSION['prepared_login_da']); // Error message $config["auth_error"] = __('Login error'); } } // If $_SESSION['prepared_login_da'] doesn't exist, the user have to do the login again else { // Error message $config["auth_error"] = __('Login error'); } // Remove the authenticator code unset ($_POST['auth_code'], $code); if (!$double_auth_success) { $login_failed = true; require_once ('general/login_page.php'); db_pandora_audit("Logon Failed", "Invalid double auth login: " .$_SERVER['REMOTE_ADDR'], $_SERVER['REMOTE_ADDR']); while (@ob_end_flush ()); exit (""); } } $login_button_saml = get_parameter("login_button_saml", false); if (isset ($double_auth_success) && $double_auth_success) { // This values are true cause there are checked before complete the 2nd auth step $nick_in_db = $_SESSION["prepared_login_da"]['id_user']; $expired_pass = false; } else if (($config['auth'] == 'saml') && ($login_button_saml)) { include_once(ENTERPRISE_DIR . "/include/auth/saml.php"); $saml_user_id = saml_process_user_login(); $nick_in_db = $saml_user_id; if (!$nick_in_db) { require_once($config['saml_path'] . 'simplesamlphp/lib/_autoload.php'); $as = new SimpleSAML_Auth_Simple('PandoraFMS'); $as->logout(); } } else { // process_user_login is a virtual function which should be defined in each auth file. // It accepts username and password. The rest should be internal to the auth file. // The auth file can set $config["auth_error"] to an informative error output or reference their internal error messages to it // process_user_login should return false in case of errors or invalid login, the nickname if correct $nick_in_db = process_user_login ($nick, $pass); $expired_pass = false; if (($nick_in_db != false) && ((!is_user_admin($nick) || $config['enable_pass_policy_admin'])) && (file_exists (ENTERPRISE_DIR . "/load_enterprise.php")) && ($config['enable_pass_policy'])) { include_once(ENTERPRISE_DIR . "/include/auth/mysql.php"); $blocked = login_check_blocked($nick); if ($blocked) { require_once ('general/login_page.php'); db_pandora_audit("Password expired", "Password expired: ".io_safe_output($nick), io_safe_output($nick)); while (@ob_end_flush ()); exit ("