
Revision 1479

Added by Dietmar over 13 years ago

preparing backend for the new installer
add SecureFormSwitcher (Admintool)


branches/2.8.x/CHANGELOG
11 11
! = Update/Change
12 12

  
13 13
------------------------------------- 2.8.2 ------------------------------------
14
22 Jul-2011 Build 1477 Dietmar Woellbrink (Luisehahne)
14
25 Jul-2011 Build 1479 Dietmar Woellbrink (Luisehahne)
15
! preparing backend for the new installer
16
+ add SecureFormSwitcher (Admintool)
17
22 Jul-2011 Build 1478 Dietmar Woellbrink (Luisehahne)
15 18
# fix mssing filename in intro.php
16 19
! inactive user in dropwonlist are show with line-through
17 20
21 Jul-2011 Build 1477 Dietmar Woellbrink (Luisehahne)
branches/2.8.x/wb/admin/start/index.php
19 19
require('../../config.php');
20 20
require_once(WB_PATH.'/framework/class.admin.php');
21 21
$admin = new admin('Start','start');
22

  
22
// ---------------------------------------
23
if(defined('FINALIZE_SETUP')) {
24
	require_once(WB_PATH.'/framework/functions.php');
25
	$dirs = array( 'modules'   => WB_PATH.'/modules/',
26
	               'templates' => WB_PATH.'/templates/',
27
	               'languages' => WB_PATH.'/languages/'
28
	             );
29
	foreach($dirs AS $type => $dir) {
30
		if( ($handle = opendir($dir)) ) {
31
			while(false !== ($file = readdir($handle))) {
32
				if($file != '' AND substr($file, 0, 1) != '.' AND $file != 'admin.php' AND $file != 'index.php') {
33
					// Get addon type
34
					if($type == 'modules') {
35
						load_module($dir.'/'.$file, true);
36
						// Pretty ugly hack to let modules run $admin->set_error
37
						// See dummy class definition admin_dummy above
38
						if(isset($admin->error) && $admin->error != '') {
39
							$admin->print_error($admin->error);
40
						}
41
					} elseif($type == 'templates') {
42
						load_template($dir.'/'.$file);
43
					} elseif($type == 'languages') {
44
						load_language($dir.'/'.$file);
45
					}
46
				}
47
			}
48
		closedir($handle);
49
		}
50
	}
51
	$sql = 'DELETE FROM `'.TABLE_PREFIX.'settings` WHERE `name`=\'FINALIZE_SETUP\'';
52
	$database->query($sql);
53
}
54
// ---------------------------------------
23 55
// Setup template object
24 56
$template = new Template(THEME_PATH.'/templates');
25 57
$template->set_file('page', 'start.htt');
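Review bot: The comment `// See dummy class definition admin_dummy above` inside the new FINALIZE_SETUP block is stale in this file — it constructs the real admin object two lines earlier (`$admin = new admin('Start','start');`) and no `admin_dummy` is defined here; replace it with `// $admin is the real admin object here, so modules may call $admin->set_error()`. The loop also builds paths as `$dir.'/'.$file` although every value in `$dirs` already ends in `/`, so each load call receives a doubled slash; `load_module($dir.$file, true)` (and the same for the template and language calls) avoids that. The filter only skips dotfiles, `admin.php` and `index.php`, so whether a stray regular file in `modules/` is tolerated depends on `load_module`, which is not visible here — an `is_dir($dir.$file)` guard before the dispatch would make that explicit.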
branches/2.8.x/wb/admin/interface/version.php
52 52

  
53 53
// check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
54 54
if(!defined('VERSION')) define('VERSION', '2.8.2.RC7');
55
if(!defined('REVISION')) define('REVISION', '1478');
55
if(!defined('REVISION')) define('REVISION', '1479');
branches/2.8.x/wb/modules/SecureFormSwitcher/htt/switchform.htt
1
<!-- BEGIN main_block -->
2
<script language="JavaScript" type="text/javascript">
3
/*<![CDATA[*/
4
if('{BACKLINK}'!=false) {
5
	redirect_to_page ('{BACKLINK}', 0);
6
}
7
/*]]>*/
8
</script>
9
   <table class="switch-ftan-info" summary="" cellpadding="4" cellspacing="0" border="0">
10
	<thead>
11
		<tr>
12
			<th colspan="3">Status: <span class="{FTAN_COLOR}">{TXT_HEADING}</span></th>
13
		</tr>
14
	</thead>
15
	<tbody>
16
		<tr>
17
			<td colspan="2" class="module-info"><p>{TEXT_INFO}</p></td>
18
		</tr>
19
		<tr>
20
			<td colspan="2"><p {FILE_FORMTAB_WARNING}>{FILE_FORMTAB_NOT_GOUND}</p></td>
21
		</tr>
22
	</tbody>
23
   </table>
24

  
25
   <form class="secure_switch" name="store_settings" action="{SERVER_REQUEST_URI}" method="post" >
26
	{FTAN}
27
	<input type="hidden" name="{SUBMIT_TYPE}" value="true" />
28
	<div class="left-content">
29
	   <table class="switch-ftan-form" summary="" cellpadding="4" cellspacing="0" border="0">
30
		<tbody>
31
			<tr>
32
				<td width="20"><input type="radio" name="ftan_switch" id="ftan_switch" value=""{SELECTED}/></td>
33
				<td><label for="ftan_switch">{TXT_SUBMIT_FORM}</label></td>
34
			</tr>
35
			<tr>
36
				<td width="20"><input type="radio" name="ftan_switch" id="ftan_switch_tab" value="mtab"{SELECTED_TAB}/></td>
37
				<td><label for="ftan_switch_tab">{TXT_SUBMIT_FORMTAB}</label></td>
38
			</tr>
39
			<tr>
40
				<td colspan="2">&nbsp;</td>
41
			</tr>
42
<!-- BEGIN show_mtab_block -->
43
			<tr>
44
				<td colspan="2">&nbsp;</td>
45
			</tr>
46
			<tr>
47
				<td colspan="2">&nbsp;</td>
48
			</tr>
49
			<tr>
50
				<td colspan="2">&nbsp;</td>
51
			</tr>
52
			<tr>
53
				<td colspan="2">&nbsp;</td>
54
			</tr>
55
			<tr>
56
				<td colspan="2">&nbsp;</td>
57
			</tr>
58
<!-- END show_mtab_block -->
59
			<tr>
60
				<td colspan="2">
61
					<input type="submit" name="save_settings" value="{TEXT_SUBMIT}" />
62
					<input type="submit" name="cancel" value="{TEXT_CANCEL}" />
63
				</td>
64
			</tr>
65
		</tbody>
66
	   </table>
67
	</div>
68
	<div class="right-content">
69
	   <table class="switch-ftan-form" summary="" cellpadding="4" cellspacing="0" border="0">
70
		<tbody>
71
			<tr>
72
				<td colspan="2">
73
					<select name="fingerprint_with_ip_octets">
74
						<option value="{USEIP_DEFAULT}"{USEIP_DEFAULT_SELECTED}>{TEXT_DEFAULT_SETTINGS}</option>
75
	<!-- BEGIN useip_mtab_loop -->
76
						<option value="{USEIP_VALUE}"{USEIP_SELECTED}>{USEIP_VALUE}</option>
77
	<!-- END useip_mtab_loop -->
78
					</select>
79
				</td>
80
				<td><label for="fingerprint_with_ip_octets">{TXT_SECFORM_USEIP}
81
						<a class="tooltip" href="#">? {TXT_SECFORM_USEIP_TOOLTIP}</a>
82
				</label></td>
83
			</tr>
84
	<!-- BEGIN mtab_block -->
85
			<tr>
86
				<td colspan="2"><input type="text" name="wb_secform_tokenname" id="wb_secform_tokenname" value="{WB_SECFORM_TOKENNAME}"/></td>
87
				<td><label for="wb_secform_tokenname">{TXT_SECFORM_TOKENNAME}
88
					<a class="tooltip" href="#">? {TXT_SECFORM_TOKENNAME_TOOLTIP}</a>
89
				</label></td>
90
			</tr>
91
			<tr>
92
				<td colspan="2"><input type="text" name="wb_secform_secret" id="wb_secform_secret" value="{WB_SECFORM_SECRET}"/></td>
93
				<td><label for="wb_secform_secret">{TXT_SECFORM_SECRET}
94
					<a class="tooltip" href="#">? {TXT_SECFORM_SECRET_TOOLTIP}</a>
95
				</label></td>
96
			</tr>
97
			<tr>
98
				<td colspan="2"><input type="text" name="wb_secform_secrettime" id="wb_secform_secrettime" value="{WB_SECFORM_SECRETTIME}"/></td>
99
				<td><label for="wb_secform_secrettime">{TXT_SECFORM_SECRETTIME}
100
					<a class="tooltip" href="#">? {TXT_SECFORM_SECRETTIME_TOOLTIP}</a>
101
				</label></td>
102
			</tr>
103
			<tr>
104
				<td colspan="2"><input type="text" name="wb_secform_timeout" id="wb_secform_timeout" value="{WB_SECFORM_TIMEOUT}"/></td>
105
				<td><label for="wb_secform_timeout">{TXT_SECFORM_TIMEOUT}
106
					<a class="tooltip" href="#">? {TXT_SECFORM_TIMEOUT_TOOLTIP}</a>
107
				</label></td>
108
			</tr>
109
			<tr>
110
				<td>
111
					<label for="wb_secform_usefp_true">{TEXT_ENABLED}</label>
112
				</td>
113
				<td width="50">
114
					<input type="radio" value="true" id="wb_secform_usefp_true" name="wb_secform_usefp"{USEFP_CHECKED_TRUE} />
115
					<input type="radio" value="false" id="wb_secform_usefp_false" name="wb_secform_usefp"{USEFP_CHECKED_FALSE} />
116
				</td>
117
				<td><label for="wb_secform_usefp">{TXT_SECFORM_USEFP}
118
					<a class="tooltip" href="#">? {TXT_SECFORM_USEFP_TOOLTIP}</a>
119
				</label></td>
120
			</tr>
121
			<tr>
122
				<td>&nbsp;</td>
123
				<td>&nbsp;</td>
124
				<td>&nbsp;</td>
125
			</tr>
126

  
127
			<tr>
128
				<td colspan="4">&nbsp;</td>
129
			</tr>
130
			<tr>
131
				<td colspan="4">
132
					<input type="submit" name="save_settings_default" value="{TEXT_MSUBMIT}" />
133
				</td>
134
			</tr>
135
<!-- END mtab_block -->
136
		</tbody>
137
	   </table>
138
	</div>
139

  
140
   </form>
141
<!-- END main_block -->
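Review bot: The `action="{SERVER_REQUEST_URI}"` attribute is filled from the raw request URI (the tool.php hunk further down assigns `'SERVER_REQUEST_URI' => $_SERVER['REQUEST_URI']` without escaping), so the value needs `htmlspecialchars()` for the attribute context before it reaches `set_var`; the same applies to the `value="{WB_SECFORM_SECRET}"`, `{WB_SECFORM_TOKENNAME}`, `{WB_SECFORM_SECRETTIME}` and `{WB_SECFORM_TIMEOUT}` inputs, which are populated from previously posted settings. The guard `if('{BACKLINK}'!=false)` in the script block is true for any non-empty string in JavaScript, `'#'` included, so `redirect_to_page` runs on every render; compare against the placeholder's fallback instead, `if('{BACKLINK}'!='#') {`. `language="JavaScript"` is a deprecated attribute, and `<label for="fingerprint_with_ip_octets">` points at the select's `name`, not an `id`, so the label is not associated with the control.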
branches/2.8.x/wb/modules/SecureFormSwitcher/uninstall.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link            http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource      $HeadURL$
15
 * @lastmodified    $Date$
16
 *
17
 */
18

  
19
// Must include code to stop this file being access directly
20
if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }
21

  
22
require_once(WB_PATH.'/framework/class.database.php');
23
require_once(WB_PATH.'/framework/functions.php');
24

  
25
$sql  = 'DELETE FROM `'.TABLE_PREFIX.'settings` ';
26
$sql .= 'WHERE `name`=\'wb_secform_useip\' ';
27
$sql .=    'OR `name`=\'wb_secform_usefp\' ';
28
$sql .=    'OR `name`=\'wb_secform_tokenname\' ';
29
$sql .=    'OR `name`=\'wb_secform_timeout\' ';
30
$sql .=    'OR `name`=\'wb_secform_secrettime\' ';
31
$sql .=    'OR `name`=\'wb_secform_secret\' ';
32
$sql .=    'OR `name`=\'secure_form_module\' ';
33
$database->query($sql);
34
$dest_to_delete = WB_PATH.'/framework/SecureForm.mtab.php';
35
if(is_writeable(WB_PATH.'/framework') ) {
36
	@chmod($dest_to_delete, 0666);
37
	@unlink($dest_to_delete);
38
}
39

  
40

  
41

  
0 42

  
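Review bot: The DELETE statement removes a `wb_secform_useip` row, but the setting this module actually stores (see `$default_cfg` in the tool.php hunk further down) is named `fingerprint_with_ip_octets`, so that row is left in the settings table after uninstall; replace `wb_secform_useip` with `fingerprint_with_ip_octets` in that OR clause, or add a further clause for it. The `@chmod`/`@unlink` pair suppresses failures, so a `SecureForm.mtab.php` that could not be removed from the framework directory goes unreported; checking the return value of `unlink()` and reporting it through the admin error path would make an incomplete uninstall visible.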
branches/2.8.x/wb/modules/SecureFormSwitcher/info.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link            http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource      $HeadURL$
15
 * @lastmodified    $Date$
16
 *
17
 */
18

  
19
$module_directory = 'SecureFormSwitcher';
20
$module_name = 'SecureForm Switcher';
21
$module_function = 'tool';
22
$module_version = '0.6.6';
23
$module_platform = '2.8.2';
24
$module_author = 'D. W&ouml;llbrrink (Luisehahne),  Florian Meerwinck (instantflorian), Michael Tentschert (test&ouml;r)';
25
$module_license	= 'GNU General Public License';
26
$module_description = 'This module switch between the <strong>SingleTab SecureForm</strong> and <strong>MultiTab SecureForm</strong>.';
27

  
0 28

  
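Review bot: `$module_author` spells the first author `W&ouml;llbrrink` with a doubled r, while the commit record and CHANGELOG give `Woellbrink`. `$module_description` reads `This module switch between` — `switches`.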
branches/2.8.x/wb/modules/SecureFormSwitcher/files/SecureForm.mtab.php
1
<?php
2
/**
3
 *
4
 * @category        framework
5
 * @package         SecureForm.mtab
6
 * @author          WebsiteBaker Community Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link			http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource		$HeadURL$
15
 * @lastmodified    $Date$
16
 * @description
17
 */
18
##  Heavy patched version, idea for patches based on :
19
##  http://stackoverflow.com/questions/2695153/php-csrf-how-to-make-it-works-in-all-tabs/2695291#2695291
20
##  Whith this patch the token System now allows for multiple browser tabs but 
21
##  denies the use of multiple browsers.
22
##  You can configure this class by adding several constants to your config.php
23
##  All Patches are Copyright Norbert Heimsath released under GPLv3 
24
##  http://www.gnu.org/licenses/gpl.html
25
##  Take a look at  __construkt  for configuration options(constants).
26
##  Patch version 0.3.5
27

  
28
/**
29
 * If you want some special configuration put this somewhere in your config.php for
30
 * example or just uncomment the lines here
31
 *
32
 * This parameter now can be set with the admintool SecureForm Switcher coded by Luisehahne,
33
 * pls ask for it in the forum
34
 *
35
 * Secret can contain anything its the base for the secret part for the hash
36
 * define ('WB_SECFORM_SECRET','whatever you like');
37
 * after how many seconds a new secret is generated
38
 * define ('WB_SECFORM_SECRETTIME',86400);      #aprox one day
39
 * shall we use fingerprinting true/false
40
 * define ('WB_SECFORM_USEFP', true);
41
 * Timeout till the form token times out. Integer value between 0-86400 seconds (one day)
42
 * define ('WB_SECFORM_TIMEOUT', 3600);
43
 * Name for the token form element only alphanumerical string allowed that starts whith a charakter
44
 * define ('WB_SECFORM_TOKENNAME','my3form3');
45
 * how many blocks of the IP should be used in fingerprint 0=no ipcheck, possible values 0-4
46
 * define ('FINGERPRINT_WITH_IP_OCTETS',2);
47
 */
48

  
49
class SecureForm {
50

  
51
	const FRONTEND = 0;
52
	const BACKEND  = 1;      
53

  
54
        ## additional private data
55
	private $_secret      	 = '5609bnefg93jmgi99igjefg';
56
	private $_secrettime  	 = 86400;   #Approx. one day 
57
        private $_tokenname   	 = 'formtoken';
58
	private $_timeout	 = 7200;         
59
	private $_useipblocks	 = 2;
60
	private $_usefingerprint = true;
61
        ### additional private data
62

  
63
        private $_FTAN           = '';
64
	private $_IDKEYs         = array('0'=>'0');
65
	private $_idkey_name     = '';
66
	private $_salt           = '';
67
	private $_fingerprint    = '';
68
	private $_serverdata  	 = '';
69

  
70
	/* Construtor */
71
	protected function __construct($mode = self::FRONTEND){
72

  
73
        	## additional constants and stuff for global configuration
74

  
75
		# Secret can contain anything its the base for the secret part of the hash
76
                if (defined ('WB_SECFORM_SECRET')){ 	
77
			$this->_secret=WB_SECFORM_SECRET;
78
		}
79

  
80
		# shall we use fingerprinting
81
                if (defined ('WB_SECFORM_USEFP') AND WB_SECFORM_USEFP===false){
82
			$this->_usefingerprint	= false;
83
		}
84

  
85
                # Timeout till the form token times out. Integer value between 0-86400 seconds (one day)
86
                if (defined ('WB_SECFORM_TIMEOUT') AND is_numeric(WB_SECFORM_TIMEOUT) AND intval(WB_SECFORM_TIMEOUT) >=0 AND intval(WB_SECFORM_TIMEOUT) <=86400 ){
87
			$this->_timeout=intval(WB_SECFORM_TIMEOUT);
88
		}
89
		# Name for the token form element only alphanumerical string allowed that starts whith a charakter
90
                if (defined ('WB_SECFORM_TOKENNAME') AND !$this->_validate_alalnum(WB_SECFORM_TOKENNAME)){
91
			$this->_tokenname=WB_SECFORM_TOKENNAME;
92
		}
93
		# how many bloks of the IP should be used 0=no ipcheck 
94
                if (defined ('FINGERPRINT_WITH_IP_OCTETS') AND !$this->_is04(FINGERPRINT_WITH_IP_OCTETS)){
95
			$this->_useipblocks=FINGERPRINT_WITH_IP_OCTETS;
96
                }
97
		## additional stuff end 
98
		$this->_browser_fingerprint   = $this->_browser_fingerprint(true);
99
		$this->_fingerprint   = $this->_generate_fingerprint();
100
		$this->_serverdata    = $this->_generate_serverdata();
101
		$this->_secret        = $this->_generate_secret();
102
                $this->_salt          = $this->_generate_salt();
103

  
104
		$this->_idkey_name    = substr($this->_fingerprint, hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16);
105
		// make sure there is a alpha-letter at first position
106
		$this->_idkey_name[0] = dechex(10 + (hexdec($this->_idkey_name[0]) % 5));
107
		// takeover id_keys from session if available
108
		if(isset($_SESSION[$this->_idkey_name]) && is_array($_SESSION[$this->_idkey_name])){
109
			$this->_IDKEYs = $_SESSION[$this->_idkey_name];
110
		}else{
111
			$this->_IDKEYs = array('0'=>'0');
112
			$_SESSION[$this->_idkey_name] = $this->_IDKEYs;
113
		}
114
	}
115

  
116
	private function _generate_secret(){
117

  
118
                $secret= $this->_secret;
119
		$secrettime= $this->_secrettime;
120
		#create a different secret every day
121
		$TimeSeed= floor(time()/$secrettime)*$secrettime;  #round(floor) time() to whole days
122
		$DomainSeed =  $_SERVER['SERVER_NAME'];  # generate a numerical from server name.
123
		$Seed = $TimeSeed+$DomainSeed;
124
                $secret .=md5($Seed);  #
125

  
126
		$secret .= $this->_secret.$this->_serverdata.session_id();
127
		if ($this->_usefingerprint){$secret.= $this->_browser_fingerprint;}
128
		
129
	return $secret;
130
	}
131

  
132

  
133

  
134
	private function _generate_salt()
135
		{
136
			if(function_exists('microtime'))
137
			{
138
				list($usec, $sec) = explode(" ", microtime());
139
				$salt = (string)((float)$usec + (float)$sec);
140
			}else{
141
				$salt = (string)time();
142
			}
143
			$salt = (string)rand(10000, 99999) . $salt . (string)rand(10000, 99999);
144
			return md5($salt);
145
		}
146

  
147
	private function _generate_fingerprint()
148
	{
149
	// server depending values
150
 		$fingerprint  = $this->_generate_serverdata();
151
		
152
	// client depending values
153
		$fingerprint .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '17';
154
		$usedOctets = ( defined('FINGERPRINT_WITH_IP_OCTETS') ) ? intval(defined('FINGERPRINT_WITH_IP_OCTETS')) : 0;
155
		$clientIp = ( isset($_SERVER['REMOTE_ADDR'])  ? $_SERVER['REMOTE_ADDR'] : '' );
156
		if(($clientIp != '') && ($usedOctets > 0)){
157
			$ip = explode('.', $clientIp);
158
			while(sizeof($ip) > $usedOctets) { array_pop($ip); }
159
			$clientIp = implode('.', $ip);
160
		}else {
161
			$clientIp = 19;
162
		}
163
		$fingerprint .= $clientIp;
164
		return md5($fingerprint);
165
	}
166

  
167
	private function _generate_serverdata(){
168

  
169
	 	$serverdata  = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2';
170
		$serverdata .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3';
171
		$serverdata .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5';
172
		$serverdata .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7';
173
		$serverdata .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11';
174
		$serverdata .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13';
175
		$serverdata .= PHP_VERSION;
176
	return  $serverdata;
177
	}
178

  
179
        // fake funktion , just exits to avoid error message 
180
        final protected function createFTAN(){}
181

  
182
	/*
183
	* creates selfsigning Formular transactionnumbers for unique use
184
	* @access public
185
	* @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default)
186
	*                     false returns an GET argument 'key=value'
187
	* @return mixed:      string
188
	*
189
	* requirements: an active session must not be available but it makes no sense whithout :-)
190
	*/
191
	final public function getFTAN( $as_tag = true)
192
	{
193
		$secret= $this->_secret;
194

  
195
		$timeout= time()+$this->_timeout;
196

  
197
		#mt_srand(hexdec(crc32(microtime()));
198
                $token= dechex(mt_rand());
199

  
200
                $hash= sha1($secret.'-'.$token.'-'.$timeout);
201
		$signed= $token.'-'.$timeout.'-'.$hash;
202

  
203
		if($as_tag == true)
204
		{ // by default return a complete, hidden <input>-tag
205
			return '<input type="hidden" name="'.$this->_tokenname.'" value="'.htmlspecialchars($signed).'" title="" alt="" />';
206
		}else{ // return an array with raw tokenname=value
207
			return $this->_tokenname.'='.$signed;
208
		}
209
	}
210

  
211
	/*
212
	* checks received form-transactionnumbers against itself
213
	* @access public
214
	* @param string $mode: requestmethode POST(default) or GET
215
	* @return bool:    true if numbers matches against stored ones
216
	*
217
	* requirements: no active session must be available but it makes no sense whithout.
218
	* this check will prevent from multiple sending a form. history.back() also will never work
219
	*/
220
	final public function checkFTAN( $mode = 'POST')
221
	{
222
		$mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST');
223

  
224
		$isok= false;
225
		$secret= $this->_secret;
226

  
227
		if (isset($GLOBALS[$mode][$this->_tokenname])) 	{$latoken=$GLOBALS[$mode][$this->_tokenname];}
228
                else 						{return $isok;}
229

  
230
		$parts= explode('-', $latoken);
231
		if (count($parts)==3) {
232
			list($token,$timeout, $hash)= $parts;
233
			if ($hash==sha1($secret.'-'.$token.'-'.$timeout) AND $timeout > time())
234
			{$isok= true;}
235
		}
236

  
237
		return $isok;
238
	}
239

  
240
	/*
241
	* save values in session and returns a ID-key
242
	* @access public
243
	* @param mixed $value: the value for witch a key shall be generated and memorized
244
	* @return string:      a MD5-Key to use instead of the real value
245
	*
246
	* @requirements: an active session must be available
247
	* @description: IDKEY can handle string/numeric/array - vars. Each key is a
248
	*/
249
	final public function getIDKEY($value)
250
	{
251
		if( is_array($value) == true )
252
		{ // serialize value, if it's an array
253
			$value = serialize($value);
254
		}
255
		// crypt value with salt into md5-hash
256
		// and return a 16-digit block from random start position
257
		$key = substr( md5($this->_salt.(string)$value), rand(0,15), 16);
258
		do{ // loop while key/value isn't added
259
			if( !array_key_exists($key, $this->_IDKEYs) )
260
			{ // the key is unique, so store it in list
261
				$this->_IDKEYs[$key] = $value;
262
				break;
263
			}else {
264
				// if key already exist, increment the last five digits until the key is unique
265
				$key = substr($key, 0, -5).dechex(('0x'.substr($key, -5)) + 1);
266
			}
267
		}while(0);
268
		// store key/value-pairs into session
269
		$_SESSION[$this->_idkey_name] = $this->_IDKEYs;
270
		return $key;
271
	}
272

  
273
	/*
274
	* search for key in session and returns the original value
275
	* @access public
276
	* @param string $fieldname: name of the POST/GET-Field containing the key or hex-key itself
277
	* @param mixed $default: returnvalue if key not exist (default 0)
278
	* @param string $request: requestmethode can be POST or GET or '' (default POST)
279
	* @return mixed: the original value (string, numeric, array) or DEFAULT if request fails
280
	*
281
	* @requirements: an active session must be available
282
	* @description: each IDKEY can be checked only once. Unused Keys stay in list until the
283
	*               session is destroyed.
284
	*/
285
 	final public function checkIDKEY( $fieldname, $default = 0, $request = 'POST' )
286
	{
287
		$return_value = $default; // set returnvalue to default
288
		switch( strtoupper($request) )
289
		{
290
			case 'POST':
291
				$key = isset($_POST[$fieldname]) ? $_POST[$fieldname] : $fieldname;
292
				break;
293
			case 'GET':
294
				$key = isset($_GET[$fieldname]) ? $_GET[$fieldname] : $fieldname;
295
				break;
296
			default:
297
				$key = $fieldname;
298
		}
299
		if( preg_match('/[0-9a-f]{16}$/', $key) )
300
		{ // key must be a 16-digit hexvalue
301
			if( array_key_exists($key, $this->_IDKEYs))
302
			{ // check if key is stored in IDKEYs-list
303
				$return_value = $this->_IDKEYs[$key]; // get stored value
304
				unset($this->_IDKEYs[$key]);   // remove from list to prevent multiuse
305
				$_SESSION[$this->_idkey_name] = $this->_IDKEYs; // save modified list into session again
306
				if( preg_match('/.*(?<!\{).*(\d:\{.*;\}).*(?!\}).*/', $return_value) )
307
				{ // if value is a serialized array, then deserialize it
308
					$return_value = unserialize($return_value);
309
				}
310
			}
311
		}
312
		return $return_value;
313
	}
314

  
315
	/* @access public
316
	* @return void
317
	*
318
	* @requirements: an active session must be available
319
	* @description: remove all entries from IDKEY-Array
320
	*
321
	*/
322
 	final public function clearIDKEY()
323
	{
324
		 $this->_IDKEYs = array('0'=>'0');
325
	}
326

  
327

  
328
	## additional Functions needed cause the original ones lack some functionality
329
	## all are Copyright Norbert Heimsath, heimsath.org
330
	## released under GPLv3  http://www.gnu.org/licenses/gpl.html
331

  
332
	/* Made because ctype_ gives strange results using mb Strings*/ 
333
 	private function _validate_alalnum($input){
334
	# alphanumerical string that starts whith a letter charakter 
335
		if (preg_match('/^[a-zA-Z][0-9a-zA-Z]+$/u', $input))
336
			{return false;}
337
	
338
	return "The given input is not an alphanumeric string.";
339
	} 
340

  
341
 	private function _is04($input){
342
	# integer value between 0-4
343
		if (preg_match('/^[0-4]$/', $input)) {return false;}
344
	
345
	return "The given input is not an alphanumeric string.";
346
	} 
347

  
348

  
349
	private function _getip($ipblocks=4){
350
	/*
351
	Just a function to get User ip even if hes behind a proxy
352
	*/
353
		$ip    	=   ""; //Ip address result
354
		$cutip	=   ""; //Ip address cut to limit
355
	
356
		# mabe user is behind a Proxy but we need his real ip address if we got a nice Proxyserver, 
357
		# it sends us the "HTTP_X_FORWARDED_FOR" Header. Sometimes there is more than one Proxy.
358
		# !!!!!! THIS PART WAS NEVER TESTED BECAUSE I ONLY GOT A DIRECT INTERNET CONNECTION !!!!!!
359
		# long2ip(ip2long($lastip)) makes sure we got nothing else than an ip into our script ;-)
360
		# !!!!! WARNING the 'HTTP_X_FORWARDED_FOR' Part is NOT TESTED !!!!!
361
		if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) AND !empty($_SERVER['HTTP_X_FORWARDED_FOR']))
362
		{
363
			$iplist= explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);
364
			$lastip = array_pop($iplist);
365
			$ip.= long2ip(ip2long($lastip));
366
		}
367
		
368
		/* If theres no other supported info we just use REMOTE_ADDR
369
		If we have a fiendly proxy supporting  HTTP_X_FORWARDED_FOR its ok to use the full address.
370
		But if there is no HTTP_X_FORWARDED_FOR we can  not be sure if its a proxy or whatever, so we use the 
371
		blocklimit for IP address. 
372
		*/
373
		else 
374
		{
375
			$ip = long2ip(ip2long($_SERVER['REMOTE_ADDR']));
376
	
377
			# ipblocks used here defines how many blocks of the ip adress are checked xxx.xxx.xxx.xxx
378
			$blocks = explode('.', $ip);
379
			for ($i=0; $i<$ipblocks; $i++){
380
				$cutip.= $blocks[$i] . '.';
381
				}
382
			$ip=substr($cutip, 0, -1);
383
		}
384
		
385
	return $ip;
386
	}
387
	
388
	private function _browser_fingerprint($encode=true,$fpsalt="My Fingerprint: "){
389
	/*
390
	Creates a basic Browser Fingerprint for securing the session and forms.
391
	*/
392
	
393
		$fingerprint=$fpsalt;
394
		if (isset($_SERVER['HTTP_USER_AGENT'])){ $fingerprint .= $_SERVER['HTTP_USER_AGENT'];}
395
		if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];}
396
		if (isset($_SERVER['HTTP_ACCEPT_ENCODING'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_ENCODING'];}
397
		if (isset($_SERVER['HTTP_ACCEPT_CHARSET'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_CHARSET'];}
398
		
399
		$fingerprint.= $this->_getip($this->_useipblocks);
400
		
401
		if ($encode){$fingerprint=md5($fingerprint);}
402
	
403
	return $fingerprint;
404
	}
405
	##
406
	## additional Functions END
407
	##
408
}
0 409

  
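Review bot: In checkFTAN the signature is verified with a loose comparison, `if ($hash==sha1($secret.'-'.$token.'-'.$timeout) AND $timeout > time())`, which applies PHP's numeric-string rules to two hex digests so that distinct digests PHP reads as numeric strings compare equal; use `if ($hash === sha1($secret.'-'.$token.'-'.$timeout) AND $timeout > time())` (or `hash_equals()` where PHP 5.6+ is available). Two further defects in the same file: `_generate_fingerprint` computes `intval(defined('FINGERPRINT_WITH_IP_OCTETS'))`, which is always 0 or 1 rather than the configured octet count and should be `intval(FINGERPRINT_WITH_IP_OCTETS)`; and `getIDKEY`'s collision handling is wrapped in `do{ ... }while(0);`, so on a collision the incremented key is computed but never stored in `$this->_IDKEYs`, and the key returned to the caller cannot be resolved by checkIDKEY. `_generate_secret` also adds the string `$_SERVER['SERVER_NAME']` to an integer (`$Seed = $TimeSeed+$DomainSeed;`), which contributes nothing on PHP 5 and is a warning or TypeError on newer PHP; `crc32($DomainSeed)` matches the comment's stated intent. The constructor additionally assigns `$this->_browser_fingerprint`, a property that is not declared alongside the others and shares its name with the private method.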
branches/2.8.x/wb/modules/SecureFormSwitcher/tool.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       (C) 2011, D Woellbrink
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link			http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource		$HeadURL$
15
 * @lastmodified    $Date$
16
 *
17
 */
18

  
19
// Must include code to stop this file being access directly
20
if(defined('WB_PATH') == false)
21
{
22
	die('<head><title>Access denied</title></head><body><h2 style="color:red;margin:3em auto;text-align:center;">Cannot access this file directly</h2></body></html>');
23
}
24

  
25
// load module language file
26
$mod_path = (dirname(__FILE__));
27
require_once( $mod_path.'/language_load.php' );
28
// callback function for settings name
29
function converttoupper($val, $key, $vars) {
30
	$vars[0][$key] = strtoupper($key);
31
	$vars[1][$vars[0][$key]] = ($val);
32
}
33

  
34
// create backlinks
35
$js_back =  ADMIN_URL.'/admintools/tool.php?tool=SecureFormSwitcher';
36
$backlink =  ADMIN_URL.'/admintools/index.php';
37
$FileNotFound = '&nbsp;';
38
// defaults settings
39
$default_cfg = array(
40
	'secure_form_module' => '',
41
	'wb_secform_secret' => '5609bnefg93jmgi99igjefg',
42
	'wb_secform_secrettime' => '86400',
43
	'wb_secform_timeout' => '7200',
44
	'wb_secform_tokenname' => 'formtoken',
45
	'wb_secform_usefp' => 'true',
46
	'fingerprint_with_ip_octets' => '2',
47
);
48
$setting = $default_cfg;
49
$MultitabTarget = WB_PATH.'/framework/SecureForm.mtab.php';
50
// get stored settings to set in mask
51
$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'settings` ';
52
$sql .= 'WHERE `name` = \'secure_form_module\'';
53
$sql .=    'OR `name`=\'fingerprint_with_ip_octets\' ';
54
$sql .=    'OR `name`=\'wb_secform_usefp\' ';
55
$sql .=    'OR `name`=\'wb_secform_tokenname\' ';
56
$sql .=    'OR `name`=\'wb_secform_timeout\' ';
57
$sql .=    'OR `name`=\'wb_secform_secrettime\' ';
58
$sql .=    'OR `name`=\'wb_secform_secret\' ';
59
if($res = $database->query($sql) ) {
60
	if($res->numRows() > 0) {
61
		while($rec = $res->fetchRow(MYSQL_ASSOC)) {
62
	        $setting[$rec['name']] = $rec['value'];
63
		}
64
	} else {
65
		// add missing values
66
		db_update_key_value('settings', $setting );
67
	}
68
}
69

  
70
$action = 'show';
71
$action = isset($_POST['save_settings']) ? 'save_settings' : $action;
72
$action = isset($_POST['save_settings_default']) ? 'save_settings_default' : $action;
73

  
74
switch ($action) :
75
	case 'save_settings':
76
		$cfg = array(
77
			'secure_form_module' => (isset($_POST['ftan_switch']) ? $_POST['ftan_switch'] : 'mtab'),
78
			'wb_secform_secret' => (isset($_POST['wb_secform_secret']) ? $_POST['wb_secform_secret'] : $setting['wb_secform_secret'] ),
79
			'wb_secform_secrettime' => (isset($_POST['wb_secform_secrettime']) ? $_POST['wb_secform_secrettime'] : $setting['wb_secform_secrettime'] ),
80
			'wb_secform_timeout' => (isset($_POST['wb_secform_timeout']) ? $_POST['wb_secform_timeout'] : $setting['wb_secform_timeout'] ),
81
			'wb_secform_tokenname' => (isset($_POST['wb_secform_tokenname']) ? $_POST['wb_secform_tokenname'] : $setting['wb_secform_tokenname'] ),
82
			'wb_secform_usefp' => (isset($_POST['wb_secform_usefp']) ? $_POST['wb_secform_usefp'] : $setting['wb_secform_usefp'] ),
83
			'fingerprint_with_ip_octets' => (isset($_POST['fingerprint_with_ip_octets']) ? $_POST['fingerprint_with_ip_octets'] : $setting['fingerprint_with_ip_octets'] ),
84
		);
85
		// unset($_POST);
86
		$_SESSION['CFG'] = $cfg;
87
		break;
88
	case 'save_settings_default':
89
		$cfg = $default_cfg;
90
		$cfg['secure_form_module'] = $setting['secure_form_module'];
91
		break;
92
endswitch;
93

  
94

  
95
switch ($action) :
96
	case 'save_settings':
97
	case 'save_settings_default':
98
		if (!$admin->checkFTAN())
99
		{
100
			if(!$admin_header) { $admin->print_header(); }
101
			$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$_SERVER['REQUEST_URI']);
102
		}
103
		if(file_exists($MultitabTarget)) {
104
			$val = ( isset($_POST['ftan_switch'])  ? ($_POST['ftan_switch']) : 'mtab');
105
		} else {
106
			$cfg['secure_form_module'] = '';
107
			$FileNotFound = $SFS_TEXT['FILE_FORMTAB_NOT_GOUND'];
108
		}
109

  
110
		db_update_key_value('settings', $cfg );
111
		// check if there is a database error, otherwise say successful
112
		if(!$admin_header) { $admin->print_header(); }
113
		if($database->is_error()) {
114
			$admin->print_error($database->get_error(), $js_back);
115
		} else {
116
            if(isset($_SESSION['CFG'])) { unset($_SESSION['CFG']);}
117
			$admin->print_success($MESSAGE['PAGES_SAVED'], $js_back);
118
		}
119
		break;
120
endswitch;
121

  
122
// set template file and assign module and template block
123
$tpl = new Template(WB_PATH.'/modules/SecureFormSwitcher/htt','keep');
124
$tpl->set_file('page', 'switchform.htt');
125
$tpl->debug = false; // false, true
126
$tpl->set_block('page', 'main_block', 'main');
127

  
128
$checked = ($setting['secure_form_module']!='');
129

  
130
$ftanMode = ($checked ? $SFS_TEXT['SECURE_FORM'] : $SFS_TEXT['SECURE_FORMMTAB']);
131
$target = ($checked) ? '.'.$setting['secure_form_module'] : '';
132
$target = WB_PATH.'/framework/SecureForm'.$target.'.php';
133

  
134
$SingleTabStatus = intval($checked==false);
135
$MultitabStatus = intval($checked==true);
136
$NotFoundClass = '';
137
if(!file_exists($MultitabTarget)) {
138
	$SingleTabStatus = true;
139
	$MultitabStatus = false;
140
	$FileNotFound = $SFS_TEXT['FILE_FORMTAB_NOT_GOUND'];
141
	$NotFoundClass = 'class="warning"';
142
} else {
143
}
144

  
145
// convert settings name to upper
146
array_walk($setting,'converttoupper', array(&$search, &$replace ));
147

  
148
$tpl->set_var($replace);
149
$tpl->set_var(array(
150
	'FTAN' => $admin->getFTAN(),
151
	'SERVER_REQUEST_URI' => $_SERVER['REQUEST_URI'],
152
	'TEXT_CANCEL' => $TEXT['CANCEL'],
153
	'BACKLINK' => (isset($_POST['cancel'])) ? $backlink : '#',
154
	'TEXT_INFO' => $SFS_TEXT['INFO'],
155
	'TEXT_SUBMIT' => $SFS_TEXT['SUBMIT'],
156
	'TEXT_MSUBMIT' => $SFS_TEXT['RESET_SETTINGS'],
157
	'TXT_HEADING' => $SFS_TEXT['SECURE_FORM'.strtoupper($setting['secure_form_module'])],
158
	'SELECTED' => ( ($SingleTabStatus) ? ' checked="checked"' : ''),
159
	'SELECTED_TAB' => ( ($MultitabStatus) ? ' checked="checked"' : ''),
160
	'SUBMIT_TYPE' => ($checked ? 'multitab' : 'singletab'),
161
	'MSELECTED' => '',
162
	'MSELECTED_TAB' => '',
163
	'FTAN_COLOR' => ($checked ? 'grey' : 'norm'),
164
	'TXT_SUBMIT_FORM' => $SFS_TEXT['SUBMIT_FORM'],
165
	'TXT_SUBMIT_FORMTAB' => $SFS_TEXT['SUBMIT_FORMTAB'],
166
	'FILE_FORMTAB_WARNING' => $NotFoundClass,
167
	'FILE_FORMTAB_NOT_GOUND' => $FileNotFound,
168
	)
169
);
170

  
171
$tpl->set_var(array(
172
		'USEIP_SELECTED' => '',
173
		'TXT_SECFORM_USEIP' => $SFS_TEXT['WB_SECFORM_USEIP'],
174
        'TXT_SECFORM_USEIP_TOOLTIP' => $SFS_TEXT['WB_SECFORM_USEIP_TOOLTIP'], // Tooltip
175
		'TEXT_DEFAULT_SETTINGS' => $HEADING['DEFAULT_SETTINGS'],
176
		'USEIP_DEFAULT' => $default_cfg['fingerprint_with_ip_octets'],
177
		'USEFP_CHECKED_TRUE' => (($setting['wb_secform_usefp']=='true') ? ' checked="checked"' : ''),
178
		'USEFP_CHECKED_FALSE' => (($setting['wb_secform_usefp']=='false') ? ' checked="checked"' : ''),
179
		'TEXT_DEFAULT_SETTINGS' => $HEADING['DEFAULT_SETTINGS'],
180
	)
181
);
182

  
183
$tpl->set_block('main_block', 'useip_mtab_loop', 'mtab_loop');
184
	for($x=0; $x < 5; $x++) {
185
		// iu value == default set first option with standardtext
186
		if(intval($default_cfg['fingerprint_with_ip_octets'])==$x ) {
187
			$tpl->set_var(array(
188
					'USEIP_VALUE' => $x,
189
					'USEIP_DEFAULT_SELECTED' => ((intval($setting['fingerprint_with_ip_octets'])==$x) ? ' selected="selected"' : ''),
190
					'USEIP_SELECTED' => '',
191
					)
192
			);
193
		} else {
194
			$tpl->set_var(array(
195
					'USEIP_VALUE' => $x,
196
					'USEIP_SELECTED' => ((intval($setting['fingerprint_with_ip_octets'])==$x) && (intval($setting['fingerprint_with_ip_octets'])!=intval($default_cfg['fingerprint_with_ip_octets'])) ? ' selected="selected"' : ''),
197
				)
198
			);
199
		}
200
		$tpl->parse('mtab_loop','useip_mtab_loop', true);
201
	}
202

  
203
$tpl->set_block('main_block', 'show_mtab_block', 'show_mtab');
204
$tpl->set_block('main_block', 'mtab_block', 'mtab');
205
if($checked) {
206
	$tpl->set_var(array(
207
			'TEXT_ENABLED' => $SFS_TEXT['ON_OFF'],
208
			'TXT_SECFORM_TOKENNAME' => $SFS_TEXT['WB_SECFORM_TOKENNAME'],
209
            'TXT_SECFORM_TOKENNAME_TOOLTIP' => $SFS_TEXT['WB_SECFORM_TOKENNAME_TOOLTIP'],
210
			'TXT_SECFORM_TIMEOUT' => $SFS_TEXT['WB_SECFORM_TIMEOUT'],
211
            'TXT_SECFORM_TIMEOUT_TOOLTIP' => $SFS_TEXT['WB_SECFORM_TIMEOUT_TOOLTIP'],
212
			'TXT_SECFORM_SECRETTIME' => $SFS_TEXT['WB_SECFORM_SECRETTIME'],
213
            'TXT_SECFORM_SECRETTIME_TOOLTIP' => $SFS_TEXT['WB_SECFORM_SECRETTIME_TOOLTIP'],
214
			'TXT_SECFORM_SECRET' => $SFS_TEXT['WB_SECFORM_SECRET'],
215
            'TXT_SECFORM_SECRET_TOOLTIP' => $SFS_TEXT['WB_SECFORM_SECRET_TOOLTIP'],
216
			'TXT_SECFORM_USEFP' => $SFS_TEXT['WB_SECFORM_USEFP'],
217
			'SECFORM_USEFP' => 'true',
218
            'TXT_SECFORM_USEFP_TOOLTIP' => $SFS_TEXT['WB_SECFORM_USEFP_TOOLTIP'],
219
		)
220
	);
221
	$tpl->parse('mtab','mtab_block', true);
222
	$tpl->parse('show_mtab','show_mtab_block', true);
223
} else  {
224
	$tpl->parse('mtab', '');
225
	$tpl->parse('show_mtab', '');
226
}
227

  
228
// Parse template object
229
$tpl->parse('main', 'main_block', false);
230
$output = $tpl->finish($tpl->parse('output', 'page'));
231
unset($tpl);
232
print $output;
233

  
0 234

  
branches/2.8.x/wb/modules/SecureFormSwitcher/languages/EN.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link			http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource		$HeadURL$
15
 * @lastmodified    $Date$
16
 *
17
*/
18

  
19
//Module description
20
$module_description = 'This module switch between the <strong>SingleTab SecureForm</strong> and <strong>MultiTab SecureForm</strong>.';
21

  
22
// Backend variables
23
$SFS_TEXT['TEXT_SWITCH'] = 'Change';
24
$SFS_TEXT['TXT_FTAN_SWITCH'] = 'Change to ';
25
$SFS_TEXT['SECURE_FORM'] = 'SingleTab SecureForm';
26
$SFS_TEXT['SECURE_FORMMTAB'] = 'Multitab SecureForm';
27
$SFS_TEXT['FILE_FORMTAB_NOT_GOUND'] = '<strong>Multitab not possible!<br />Needed file \'/framework/SecureForm.mtab.php\' not found!</strong><br />
28
<span>You have to upload the file manually via FTP</span>';
29
$SFS_TEXT['SUBMIT_FORM'] = 'Single Tab (recommended)';
30
$SFS_TEXT['SUBMIT_FORMTAB'] = 'Multi Tab';
31
$SFS_TEXT['SUBMIT'] = 'Accept';
32
$SFS_TEXT['INFO'] = 'Please select if you want to use the default security settings or the settings for working with several WebsiteBaker instances in parallel browser tabs.';
33
$SFS_TEXT['RESET_SETTINGS'] = 'Default setting';
34
$SFS_TEXT['ON_OFF'] = 'On/OFF';
35

  
36
// Variablen fuer AdminTool Optionen
37
$SFS_TEXT['WB_SECFORM_USEIP'] = 'IP-Blocks (1-4, 0=no check)';
38
$SFS_TEXT['WB_SECFORM_USEIP_TOOLTIP'] = '<span class="custom help"><em>Help</em>
39
These number of segments of an IP address can be used for the fingerprint. "4" means the whole IP address (this makes sense e.g. for servers with a stable IP address). "2" is a good compromise, because at home there\'s often the 24-hour reset and therefore only the first two segments keep constant.
40
<ul>
41
<li>4= xxx.xxx.xxx.xxx</li>
42
<li>3= xxx.xxx.xxx</li>
43
<li>2= xxx.xxx</li>
44
<li>1= xxx</li>
45
<li>0= no usage of the IP</li></ul></span>';
46
$SFS_TEXT['WB_SECFORM_TOKENNAME'] = 'Tokenname';
47
$SFS_TEXT['WB_SECFORM_TOKENNAME_TOOLTIP'] = '<span class="custom help"><em>Help</em>The name of the token. Coll. a token is often called TAN.</span>';
48
$SFS_TEXT['WB_SECFORM_SECRET'] = 'Secret (whatever you like)';
49
$SFS_TEXT['WB_SECFORM_SECRET_TOOLTIP'] = '<span class="custom help"><em>Help</em>A random key, that is being used for creating a TAN. Recommend are at least 20 digits.</span>';
50
$SFS_TEXT['WB_SECFORM_SECRETTIME'] = 'Secrettime';
51
$SFS_TEXT['WB_SECFORM_SECRETTIME_TOOLTIP'] = '<span class="custom help"><em>Help</em>Time (in seconds), until the secret-key will be renewed.</span>';
52
$SFS_TEXT['WB_SECFORM_TIMEOUT'] = 'Timeout';
53
$SFS_TEXT['WB_SECFORM_TIMEOUT_TOOLTIP'] = '<span class="custom help"><em>Help</em>Time (in seconds), until the form-token is void.</span>';
54
$SFS_TEXT['WB_SECFORM_USEFP'] = 'Fingerprinting';
55
$SFS_TEXT['WB_SECFORM_USEFP_TOOLTIP'] = '<span class="custom help"><em>Help</em>Require OS and browser for every TAN-validation additionally to the IP-address.</span>';
0 56

  
branches/2.8.x/wb/modules/SecureFormSwitcher/languages/DE.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link			http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource		$HeadURL$
15
 * @lastmodified    $Date$
16
 *
17
*/
18

  
19
//Module description
20
$module_description = 'Dieses Modul wechselt zwischen <strong>SingleTab SecureForm</strong> und <strong>MultiTab SecureForm</strong>.';
21

  
22
// Backend variables
23
$SFS_TEXT['TEXT_SWITCH'] = 'Wechseln';
24
$SFS_TEXT['TXT_FTAN_SWITCH'] = 'Wechsel zu ';
25
$SFS_TEXT['SECURE_FORM'] = 'SingleTab SecureForm';
26
$SFS_TEXT['SECURE_FORMMTAB'] = 'Multitab SecureForm';
27
$SFS_TEXT['FILE_FORMTAB_NOT_GOUND'] = '<strong>Multitab nicht ausführbar!<br />Benötigte Datei \'/framework/SecureForm.mtab.php\' nicht gefunden!</strong><br />
28
<span>Sie müssen die Datei manuell über FTP hochspielen</span>';
29
$SFS_TEXT['SUBMIT_FORM'] = 'SingleTab (empfohlen)';
30
$SFS_TEXT['SUBMIT_FORMTAB'] = 'Multi Tab';
31
$SFS_TEXT['SUBMIT'] = 'Übernehmen';
32
$SFS_TEXT['INFO'] = 'Hier können Sie auswählen, ob die Standard-Sicherheitseinstellung oder die Sicherheitseinstellung zur Verwendung von mehreren WebsiteBaker-Instanzen in parallelen Browser-Tabs aktiviert werden soll.';
33
$SFS_TEXT['RESET_SETTINGS'] = 'Standardeinstellung';
34
$SFS_TEXT['ON_OFF'] = 'Ein/Aus';
35

  
36
// Variablen fuer AdminTool Optionen
37
$SFS_TEXT['WB_SECFORM_USEIP'] = 'IP-Blocks (1-4, 0=kein Check)';
38
$SFS_TEXT['WB_SECFORM_USEIP_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>
39
Diese Anzahl der Segmente einer IP-Adresse werden für den Fingerprint genutzt. "4" heißt die gesamte IP-Adresse (dies macht nur bei festen IPs wie z.B. Servern Sinn). "2" ist ein guter Kompromiss, da im Heimbereich durch 24-Stunden Resets nur die ersten beiden Segmente konstant bleiben. 
40
<ul>
41
<li>4= xxx.xxx.xxx.xxx</li>
42
<li>3= xxx.xxx.xxx</li>
43
<li>2= xxx.xxx</li>
44
<li>1= xxx</li>
45
<li>0=keine Nutzung der IP</li></ul></span>';
46
$SFS_TEXT['WB_SECFORM_TOKENNAME'] = 'Tokenname';
47
$SFS_TEXT['WB_SECFORM_TOKENNAME_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Der Name des Tokens. Umgangssprachlich wird Token auch TAN genannt.</span>';
48
$SFS_TEXT['WB_SECFORM_SECRET'] = 'Secret (Beliebige Zeichen)';
49
$SFS_TEXT['WB_SECFORM_SECRET_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Ein zufälliger Schlüssel, der für die Token-Erstellung verwendet wird. Empfohlen sind mind. 20 Zeichen.</span>';
50
$SFS_TEXT['WB_SECFORM_SECRETTIME'] = 'Secrettime';
51
$SFS_TEXT['WB_SECFORM_SECRETTIME_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Zeit (in Sekunden), bis der Secret-Schlüssel sich erneuert.</span>';
52
$SFS_TEXT['WB_SECFORM_TIMEOUT'] = 'Timeout';
53
$SFS_TEXT['WB_SECFORM_TIMEOUT_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Zeit (in Sekunden), bis ein Formular-Token nicht mehr gilt.</span>';
54
$SFS_TEXT['WB_SECFORM_USEFP'] = 'Fingerprinting';
55
$SFS_TEXT['WB_SECFORM_USEFP_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Zusätzlich zur IP-Adresse wird Betriebssystem und Browser zu jeder TAN-Validierung hinzugezogen.</span>';
0 56

  
branches/2.8.x/wb/modules/SecureFormSwitcher/language_load.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link			http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource		$HeadURL$
15
 * @lastmodified    $Date$
16
 * @description
17
 *
18
 */
19
/* ************************************************************************** */
20

  
21
if(defined('WB_PATH') == false)
22
{
23
	die(" <head><title>Access denied</title></head><body><h2 style=\"color:red;margin:3em auto;text-align:center;\">Cannot access this file directly.</h2></body>");
24
}
25

  
26
$mod_path = (dirname(__FILE__));
27
$dlg_lang_dir = $mod_path.'/languages/';
28
if(file_exists($dlg_lang_dir)){
29
	$dlg_lang = file_exists($dlg_lang_dir.LANGUAGE.'.php') ? LANGUAGE : 'EN';
30
	require_once($dlg_lang_dir.$dlg_lang.'.php');
31
}
32

  
33
//  iconv_set_encoding("output_encoding", "ISO-8859-1");
34
if(!function_exists('convert_charset'))
35
{
36
	function convert_charset(&$val, $key, $vars) {
37
		$val = iconv($vars['0'], $vars['1'].'//TRANSLIT', ($val));
38
	}
39
}
40
if( strtolower(DEFAULT_CHARSET) != 'utf-8') {
41
	$in_charset = 'utf-8';
42
	$out_charset = DEFAULT_CHARSET;
43
	array_walk_recursive($SFS_TEXT,'convert_charset',array($in_charset, $out_charset));
44
}
45

  
0 46

  
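Review bot: `convert_charset` writes the return value of `iconv()` straight back into the language array, but `iconv()` returns `false` when it meets a byte it cannot convert, so one bad character in a translated string silently replaces the whole backend label with `false`. Keep the original text on failure: `$converted = iconv($vars[0], $vars[1].'//TRANSLIT', $val); if ($converted !== false) { $val = $converted; }`. The `file_exists($dlg_lang_dir)` guard on line 28 also lets the script continue with `$SFS_TEXT` never defined when the directory is missing, and the `array_walk_recursive($SFS_TEXT, ...)` call on line 43 would then run on an undefined variable; initialising `$SFS_TEXT = array();` before the include makes that path explicit and keeps the callers' lookups from failing on a missing array.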
branches/2.8.x/wb/modules/SecureFormSwitcher/install.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link            http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource      $HeadURL$
15
 * @lastmodified    $Date$
16
 *
17
 */
18

  
19
// Must include code to stop this file being access directly
20
if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }
21

  
22
require_once(WB_PATH.'/framework/class.database.php');
23
require_once(WB_PATH.'/framework/functions.php');
24

  
25
$mod_path = (dirname(__FILE__));
26
require_once( $mod_path.'/language_load.php' );
27

  
28
$aDefault = array(
29
	'secure_form_module' => '',
30
	'wb_secform_secret' => '5609bnefg93jmgi99igjefg',
31
	'wb_secform_secrettime' => '86400',
32
	'wb_secform_timeout' => '7200',
33
	'wb_secform_tokenname' => 'formtoken',
34
	'wb_secform_usefp' => 'true',
35
	'wb_secform_useip' => '2',
36
);
37

  
38
db_update_key_value('settings', $aDefault );
39

  
40

  
0 41

  
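Review bot: `wb_secform_secret` is seeded on line 30 with the fixed literal `'5609bnefg93jmgi99igjefg'`, so every installation that runs this script starts with the same token secret; the EN language file in this commit describes this value as the random key used to create the TAN, so a shared, published default weakens that check until an administrator replaces it by hand. Generate the value per installation at install time from a cryptographic random source available on the target platform (`random_bytes()` on PHP 7+, `openssl_random_pseudo_bytes()` where the extension is present) rather than shipping a literal, and document in a comment that the value must not be reused across sites. The key written here is `wb_secform_useip`, while the admin tool in this commit reads and writes `fingerprint_with_ip_octets`; unless the framework maps between the two names (not visible in this diff), the installed default for the IP-octet setting is never picked up by the tool. `db_update_key_value('settings', $aDefault)` also runs unconditionally, so, depending on that helper's semantics, a re-run of install.php may overwrite a secret an administrator has already customised.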
branches/2.8.x/wb/modules/SecureFormSwitcher/upgrade.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link            http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.8.2
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource      $HeadURL$
15
 * @lastmodified    $Date$
16
 *
17
 */
18

  
19
// Must include code to stop this file being access directly
20
if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }
21
global $i;
22
// load module language file
23
$mod_path = (dirname(__FILE__));
24
require_once( $mod_path.'/language_load.php' );
25
$i = (!isset($i) ? 1 : $i);
26
print "<div style=\"margin:1em auto;font-size:1.1em;\">";
27
print "<h4>Step $i: Updating SecureForm Switcher</h4>\n";
28
$i++;
29
$OK   = "<span class=\"ok\">OK</span>";
30
$FAIL = "<span class=\"error\">FAILED</span>";
31
$target = $mod_path.'/files/SecureForm.mtab.php';
32
$dest = WB_PATH.'/framework/SecureForm.mtab.php';
33

  
34
if(is_writeable(WB_PATH.'/framework')) {
35
	if((copy($target,$dest) && change_mode($dest)) || file_exists($target)) {
36
		print "<br /><strong>Updating secure_form_module</strong> $OK<br />\n";
37
	} else {
38
		print "<br /><strong>Updating secure_form_module</strong> $FAIL<br />\n";
39
	}
40
}
41
print "</div>";
0 42

  
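Review bot: The success test on line 35, `(copy($target,$dest) && change_mode($dest)) || file_exists($target)`, reports OK whenever the module's own copy of SecureForm.mtab.php exists, even when the copy into `/framework` failed, because the fallback checks the source path rather than the destination. Judge the outcome on the destination instead: `if((copy($target,$dest) && change_mode($dest)) || file_exists($dest)) {`. When `WB_PATH.'/framework'` is not writable the script prints neither OK nor FAIL, so the administrator gets no indication that the multitab file was not installed; add an `else` branch to the `is_writeable()` check that prints `$FAIL` together with the directory that could not be written.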
branches/2.8.x/wb/modules/SecureFormSwitcher/index.php
1
<?php
2
/**
3
 *
4
 * @category        modules
5
 * @package         SecureFormSwitcher
6
 * @author          WebsiteBaker Project
7
 * @copyright       2004-2009, Ryan Djurovich
8
 * @copyright       2009-2011, Website Baker Org. e.V.
9
 * @link            http://www.websitebaker2.org/
10
 * @license         http://www.gnu.org/licenses/gpl.html
11
 * @platform        WebsiteBaker 2.9.x
12
 * @requirements    PHP 5.2.2 and higher
13
 * @version         $Id$
14
 * @filesource      $HeadURL$
15
 * @lastmodified    $Date$
16
 *
17
 */
18

  
19
header('Location: ../index.php');
20
exit();
0 21

  
branches/2.8.x/wb/modules/SecureFormSwitcher/FTAN_SUPPORTED
1
This module supports the FTAN-System
branches/2.8.x/wb/modules/SecureFormSwitcher/backend.css
1
@charset "UTF-8";
2

  
3
td.content form.secure_switch .left-content { width :49%; float :left; }
4
td.content form.secure_switch .right-content { width :49%; float :right; }
5

  
6
form.secure_switch { border :0px #484 solid; margin :1em 0; width :100%; }
7

  
8
table.switch-ftan-info,
9
table.switch-ftan-form { width :100%; background-color :transparent; }
10
table.switch-ftan-info tbody,
11
table.switch-ftan-form tbody { margin :10px 0; }
12
table.switch-ftan-form tbody td label { font-weight :bold; font-size :1.0em; color :#000000; }
13
table.switch-ftan-info thead tr th { margin :20px 0; font-weight :bold; font-size :1.4em; background-color :transparent; color :#000000; text-align :left; }
14

  
15
table.switch-ftan-info thead tr th span.norm { color : #003300; }
16
table.switch-ftan-info thead tr th span.grey { color : #666666; }
17

  
18
table.switch-ftan-form tbody td { height :30px; vertical-align :middle; }
19
table.switch-ftan-form tbody td input[type="submit"] { font-size :1.0em; width : 40%; }
20
table.switch-ftan-form tbody td input[type="text"] { font-size :1.0em; width : 100%; }
21
table.switch-ftan-form tbody td select { font-size :1.0em; width : 101.5%; }
22

  
23
.ok, .error { font-weight:bold; }
24
.ok { color:green; }
25
.error { color:red; }
26
.check { color:#555; }
27

  
28
.module-info { padding :10px; margin :0px auto; background :transparent; color :#000000; font-size :1.0em; }
29
.module-info p { margin :0.2em auto; }
30
.warning { border-radius :10px; -khtml-border-radius :10px; -webkit-border-radius :10px; -moz-border-radius :10px; background :#fee; border :0.2em #844 solid; color :#990000; margin :0.2em auto; padding :0.63em; width :60%; text-align :center; }
31
.warning strong { font-size :1.2em; }
32
.warning span { font-size :1.2em; line-height :1.5em; color :#333333; }
33

  
34
/* Tooltip CSS */
35
.tooltip {
36
	border-bottom: 1px dotted #000000;
37
	color: #000000;
38
	outline: none;
39
	cursor: help;
40
	text-decoration: none;
41
	position: relative;
42
}
43
.tooltip span { margin-left: -999em; position: absolute; }
44
.tooltip:hover em {
45
	font-family: Candara, Tahoma, Geneva, sans-serif;
46
	font-size: 1.2em;
47
	font-weight: bold;
48
	display: block;
49
	padding: 0.2em 0 0.6em 0;
50
}
51
.tooltip:hover span {
52
	border-radius: 5px 5px;
53
	box-shadow: 5px 5px 5px rgba(0, 0, 0, 0.1);
54
	font-family: Calibri, Tahoma, Geneva, sans-serif;
55
	position: absolute;
56
	left: -15em;
57
	top: 2em;
58
	z-index: 99;
59
	margin-left: 1em;
60
	padding: 10px 10px 10px 50px;
61
	width: 250px;