Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1478)
+++ branches/2.8.x/CHANGELOG	(revision 1479)
@@ -11,7 +11,10 @@
 ! = Update/Change
 
 ------------------------------------- 2.8.2 ------------------------------------
-22 Jul-2011 Build 1477 Dietmar Woellbrink (Luisehahne)
+25 Jul-2011 Build 1479 Dietmar Woellbrink (Luisehahne)
+! preparing backend for the new installer
++ add SecureFormSwitcher (Admintool)
+22 Jul-2011 Build 1478 Dietmar Woellbrink (Luisehahne)
 # fix mssing filename in intro.php
 ! inactive user in dropwonlist are show with line-through
 21 Jul-2011 Build 1477 Dietmar Woellbrink (Luisehahne)
Index: branches/2.8.x/wb/admin/start/index.php
===================================================================
--- branches/2.8.x/wb/admin/start/index.php	(revision 1478)
+++ branches/2.8.x/wb/admin/start/index.php	(revision 1479)
@@ -19,7 +19,39 @@
 require('../../config.php');
 require_once(WB_PATH.'/framework/class.admin.php');
 $admin = new admin('Start','start');
-
+// ---------------------------------------
+if(defined('FINALIZE_SETUP')) {
+	require_once(WB_PATH.'/framework/functions.php');
+	$dirs = array( 'modules'   => WB_PATH.'/modules/',
+	               'templates' => WB_PATH.'/templates/',
+	               'languages' => WB_PATH.'/languages/'
+	             );
+	foreach($dirs AS $type => $dir) {
+		if( ($handle = opendir($dir)) ) {
+			while(false !== ($file = readdir($handle))) {
+				if($file != '' AND substr($file, 0, 1) != '.' AND $file != 'admin.php' AND $file != 'index.php') {
+					// Get addon type
+					if($type == 'modules') {
+						load_module($dir.'/'.$file, true);
+						// Pretty ugly hack to let modules run $admin->set_error
+						// See dummy class definition admin_dummy above
+						if(isset($admin->error) && $admin->error != '') {
+							$admin->print_error($admin->error);
+						}
+					} elseif($type == 'templates') {
+						load_template($dir.'/'.$file);
+					} elseif($type == 'languages') {
+						load_language($dir.'/'.$file);
+					}
+				}
+			}
+		closedir($handle);
+		}
+	}
+	$sql = 'DELETE FROM `'.TABLE_PREFIX.'settings` WHERE `name`=\'FINALIZE_SETUP\'';
+	$database->query($sql);
+}
+// ---------------------------------------
 // Setup template object
 $template = new Template(THEME_PATH.'/templates');
 $template->set_file('page', 'start.htt');
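Review bot: The `readdir()` filter in the `FINALIZE_SETUP` block only skips dot entries, `admin.php` and `index.php`, so any other plain file lying in `modules/` or `templates/` is handed to `load_module()` / `load_template()`. Adding `AND is_dir($dir.$file)` for those two types would restrict the loaders to real add-on directories; languages are presumably single files, so confirm before applying it there. The `FINALIZE_SETUP` row is deleted only after the whole loop, so if `$admin->print_error()` ends the request (its body is not shown here) the flag survives and every later visit to the start page repeats the pass; issuing the `DELETE` before the loop makes it one-shot. The `$dirs` values already end in `/`, so `$dir.'/'.$file` builds a double slash, and the comment `See dummy class definition admin_dummy above` refers to a class that is not in this file and should be dropped or reworded.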
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1478)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1479)
@@ -52,4 +52,4 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.2.RC7');
-if(!defined('REVISION')) define('REVISION', '1478');
+if(!defined('REVISION')) define('REVISION', '1479');
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/htt/switchform.htt
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/htt/switchform.htt	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/htt/switchform.htt	(revision 1479)
@@ -0,0 +1,141 @@
+<!-- BEGIN main_block -->
+<script language="JavaScript" type="text/javascript">
+/*<![CDATA[*/
+if('{BACKLINK}'!=false) {
+	redirect_to_page ('{BACKLINK}', 0);
+}
+/*]]>*/
+</script>
+   <table class="switch-ftan-info" summary="" cellpadding="4" cellspacing="0" border="0">
+	<thead>
+		<tr>
+			<th colspan="3">Status: <span class="{FTAN_COLOR}">{TXT_HEADING}</span></th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td colspan="2" class="module-info"><p>{TEXT_INFO}</p></td>
+		</tr>
+		<tr>
+			<td colspan="2"><p {FILE_FORMTAB_WARNING}>{FILE_FORMTAB_NOT_GOUND}</p></td>
+		</tr>
+	</tbody>
+   </table>
+
+   <form class="secure_switch" name="store_settings" action="{SERVER_REQUEST_URI}" method="post" >
+	{FTAN}
+	<input type="hidden" name="{SUBMIT_TYPE}" value="true" />
+	<div class="left-content">
+	   <table class="switch-ftan-form" summary="" cellpadding="4" cellspacing="0" border="0">
+		<tbody>
+			<tr>
+				<td width="20"><input type="radio" name="ftan_switch" id="ftan_switch" value=""{SELECTED}/></td>
+				<td><label for="ftan_switch">{TXT_SUBMIT_FORM}</label></td>
+			</tr>
+			<tr>
+				<td width="20"><input type="radio" name="ftan_switch" id="ftan_switch_tab" value="mtab"{SELECTED_TAB}/></td>
+				<td><label for="ftan_switch_tab">{TXT_SUBMIT_FORMTAB}</label></td>
+			</tr>
+			<tr>
+				<td colspan="2">&nbsp;</td>
+			</tr>
+<!-- BEGIN show_mtab_block -->
+			<tr>
+				<td colspan="2">&nbsp;</td>
+			</tr>
+			<tr>
+				<td colspan="2">&nbsp;</td>
+			</tr>
+			<tr>
+				<td colspan="2">&nbsp;</td>
+			</tr>
+			<tr>
+				<td colspan="2">&nbsp;</td>
+			</tr>
+			<tr>
+				<td colspan="2">&nbsp;</td>
+			</tr>
+<!-- END show_mtab_block -->
+			<tr>
+				<td colspan="2">
+					<input type="submit" name="save_settings" value="{TEXT_SUBMIT}" />
+					<input type="submit" name="cancel" value="{TEXT_CANCEL}" />
+				</td>
+			</tr>
+		</tbody>
+	   </table>
+	</div>
+	<div class="right-content">
+	   <table class="switch-ftan-form" summary="" cellpadding="4" cellspacing="0" border="0">
+		<tbody>
+			<tr>
+				<td colspan="2">
+					<select name="fingerprint_with_ip_octets">
+						<option value="{USEIP_DEFAULT}"{USEIP_DEFAULT_SELECTED}>{TEXT_DEFAULT_SETTINGS}</option>
+	<!-- BEGIN useip_mtab_loop -->
+						<option value="{USEIP_VALUE}"{USEIP_SELECTED}>{USEIP_VALUE}</option>
+	<!-- END useip_mtab_loop -->
+					</select>
+				</td>
+				<td><label for="fingerprint_with_ip_octets">{TXT_SECFORM_USEIP}
+						<a class="tooltip" href="#">? {TXT_SECFORM_USEIP_TOOLTIP}</a>
+				</label></td>
+			</tr>
+	<!-- BEGIN mtab_block -->
+			<tr>
+				<td colspan="2"><input type="text" name="wb_secform_tokenname" id="wb_secform_tokenname" value="{WB_SECFORM_TOKENNAME}"/></td>
+				<td><label for="wb_secform_tokenname">{TXT_SECFORM_TOKENNAME}
+					<a class="tooltip" href="#">? {TXT_SECFORM_TOKENNAME_TOOLTIP}</a>
+				</label></td>
+			</tr>
+			<tr>
+				<td colspan="2"><input type="text" name="wb_secform_secret" id="wb_secform_secret" value="{WB_SECFORM_SECRET}"/></td>
+				<td><label for="wb_secform_secret">{TXT_SECFORM_SECRET}
+					<a class="tooltip" href="#">? {TXT_SECFORM_SECRET_TOOLTIP}</a>
+				</label></td>
+			</tr>
+			<tr>
+				<td colspan="2"><input type="text" name="wb_secform_secrettime" id="wb_secform_secrettime" value="{WB_SECFORM_SECRETTIME}"/></td>
+				<td><label for="wb_secform_secrettime">{TXT_SECFORM_SECRETTIME}
+					<a class="tooltip" href="#">? {TXT_SECFORM_SECRETTIME_TOOLTIP}</a>
+				</label></td>
+			</tr>
+			<tr>
+				<td colspan="2"><input type="text" name="wb_secform_timeout" id="wb_secform_timeout" value="{WB_SECFORM_TIMEOUT}"/></td>
+				<td><label for="wb_secform_timeout">{TXT_SECFORM_TIMEOUT}
+					<a class="tooltip" href="#">? {TXT_SECFORM_TIMEOUT_TOOLTIP}</a>
+				</label></td>
+			</tr>
+			<tr>
+				<td>
+					<label for="wb_secform_usefp_true">{TEXT_ENABLED}</label>
+				</td>
+				<td width="50">
+					<input type="radio" value="true" id="wb_secform_usefp_true" name="wb_secform_usefp"{USEFP_CHECKED_TRUE} />
+					<input type="radio" value="false" id="wb_secform_usefp_false" name="wb_secform_usefp"{USEFP_CHECKED_FALSE} />
+				</td>
+				<td><label for="wb_secform_usefp">{TXT_SECFORM_USEFP}
+					<a class="tooltip" href="#">? {TXT_SECFORM_USEFP_TOOLTIP}</a>
+				</label></td>
+			</tr>
+			<tr>
+				<td>&nbsp;</td>
+				<td>&nbsp;</td>
+				<td>&nbsp;</td>
+			</tr>
+
+			<tr>
+				<td colspan="4">&nbsp;</td>
+			</tr>
+			<tr>
+				<td colspan="4">
+					<input type="submit" name="save_settings_default" value="{TEXT_MSUBMIT}" />
+				</td>
+			</tr>
+<!-- END mtab_block -->
+		</tbody>
+	   </table>
+	</div>
+
+   </form>
+<!-- END main_block -->
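Review bot: The placeholders in this template land in three different output contexts with no escaping visible here: `{BACKLINK}` inside a single-quoted JavaScript string, `{SERVER_REQUEST_URI}` inside the form's `action` attribute, and the `{WB_SECFORM_*}` values inside `value="…"`. If `{SERVER_REQUEST_URI}` is filled from the request URI, as its name suggests, the code that sets it has to pass it through `htmlspecialchars($value, ENT_QUOTES)` first, otherwise a quote in the URL ends the attribute; that code is in tool.php and not part of this hunk, so it needs checking there. `{WB_SECFORM_SECRET}` is echoed into a plain `type="text"` field, which puts the token secret on screen and into form autofill; adding `autocomplete="off"` to that input is a cheap improvement. Two labels point at ids that do not exist (`for="fingerprint_with_ip_octets"`, where the select has only a `name`, and `for="wb_secform_usefp"`), and `{FILE_FORMTAB_NOT_GOUND}` looks like a typo for NOT_FOUND that must be changed on the PHP side at the same time.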
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/htt/help.png
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = image/png

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/htt/help.png
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+image/png
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/htt
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/htt	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/htt	(revision 1479)

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/htt
___________________________________________________________________
Added: bugtraq:number
## -0,0 +1 ##
+true
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/uninstall.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/uninstall.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/uninstall.php	(revision 1479)
@@ -0,0 +1,41 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link            http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource      $HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+// Must include code to stop this file being access directly
+if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }
+
+require_once(WB_PATH.'/framework/class.database.php');
+require_once(WB_PATH.'/framework/functions.php');
+
+$sql  = 'DELETE FROM `'.TABLE_PREFIX.'settings` ';
+$sql .= 'WHERE `name`=\'wb_secform_useip\' ';
+$sql .=    'OR `name`=\'wb_secform_usefp\' ';
+$sql .=    'OR `name`=\'wb_secform_tokenname\' ';
+$sql .=    'OR `name`=\'wb_secform_timeout\' ';
+$sql .=    'OR `name`=\'wb_secform_secrettime\' ';
+$sql .=    'OR `name`=\'wb_secform_secret\' ';
+$sql .=    'OR `name`=\'secure_form_module\' ';
+$database->query($sql);
+$dest_to_delete = WB_PATH.'/framework/SecureForm.mtab.php';
+if(is_writeable(WB_PATH.'/framework') ) {
+	@chmod($dest_to_delete, 0666);
+	@unlink($dest_to_delete);
+}
+
+
+
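Review bot: The `DELETE` removes a row named `wb_secform_useip`, but the form in switchform.htt and the `SELECT` in tool.php use the key `fingerprint_with_ip_octets`, so that row is left in the settings table after uninstall unless it is also stored under the other name somewhere not shown; add a matching `OR` clause for `fingerprint_with_ip_octets`. The `@chmod($dest_to_delete, 0666)` before `@unlink()` makes a PHP file in `framework/` world-writable, and because both calls are silenced a failed unlink leaves it that way without any message. If the chmod is only there to clear a read-only flag, a mode without the world-write bit such as `0644` serves the same purpose, and the result of `unlink()` should be checked and reported instead of suppressed with `@`.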

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/uninstall.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/info.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/info.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/info.php	(revision 1479)
@@ -0,0 +1,27 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link            http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource      $HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+$module_directory = 'SecureFormSwitcher';
+$module_name = 'SecureForm Switcher';
+$module_function = 'tool';
+$module_version = '0.6.6';
+$module_platform = '2.8.2';
+$module_author = 'D. W&ouml;llbrrink (Luisehahne),  Florian Meerwinck (instantflorian), Michael Tentschert (test&ouml;r)';
+$module_license	= 'GNU General Public License';
+$module_description = 'This module switch between the <strong>SingleTab SecureForm</strong> and <strong>MultiTab SecureForm</strong>.';
+

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/info.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/files/SecureForm.mtab.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/files/SecureForm.mtab.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/files/SecureForm.mtab.php	(revision 1479)
@@ -0,0 +1,408 @@
+<?php
+/**
+ *
+ * @category        framework
+ * @package         SecureForm.mtab
+ * @author          WebsiteBaker Community Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link			http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource		$HeadURL$
+ * @lastmodified    $Date$
+ * @description
+ */
+##  Heavy patched version, idea for patches based on :
+##  http://stackoverflow.com/questions/2695153/php-csrf-how-to-make-it-works-in-all-tabs/2695291#2695291
+##  Whith this patch the token System now allows for multiple browser tabs but 
+##  denies the use of multiple browsers.
+##  You can configure this class by adding several constants to your config.php
+##  All Patches are Copyright Norbert Heimsath released under GPLv3 
+##  http://www.gnu.org/licenses/gpl.html
+##  Take a look at  __construkt  for configuration options(constants).
+##  Patch version 0.3.5
+
+/**
+ * If you want some special configuration put this somewhere in your config.php for
+ * example or just uncomment the lines here
+ *
+ * This parameter now can be set with the admintool SecureForm Switcher coded by Luisehahne,
+ * pls ask for it in the forum
+ *
+ * Secret can contain anything its the base for the secret part for the hash
+ * define ('WB_SECFORM_SECRET','whatever you like');
+ * after how many seconds a new secret is generated
+ * define ('WB_SECFORM_SECRETTIME',86400);      #aprox one day
+ * shall we use fingerprinting true/false
+ * define ('WB_SECFORM_USEFP', true);
+ * Timeout till the form token times out. Integer value between 0-86400 seconds (one day)
+ * define ('WB_SECFORM_TIMEOUT', 3600);
+ * Name for the token form element only alphanumerical string allowed that starts whith a charakter
+ * define ('WB_SECFORM_TOKENNAME','my3form3');
+ * how many blocks of the IP should be used in fingerprint 0=no ipcheck, possible values 0-4
+ * define ('FINGERPRINT_WITH_IP_OCTETS',2);
+ */
+
+class SecureForm {
+
+	const FRONTEND = 0;
+	const BACKEND  = 1;      
+
+        ## additional private data
+	private $_secret      	 = '5609bnefg93jmgi99igjefg';
+	private $_secrettime  	 = 86400;   #Approx. one day 
+        private $_tokenname   	 = 'formtoken';
+	private $_timeout	 = 7200;         
+	private $_useipblocks	 = 2;
+	private $_usefingerprint = true;
+        ### additional private data
+
+        private $_FTAN           = '';
+	private $_IDKEYs         = array('0'=>'0');
+	private $_idkey_name     = '';
+	private $_salt           = '';
+	private $_fingerprint    = '';
+	private $_serverdata  	 = '';
+
+	/* Construtor */
+	protected function __construct($mode = self::FRONTEND){
+
+        	## additional constants and stuff for global configuration
+
+		# Secret can contain anything its the base for the secret part of the hash
+                if (defined ('WB_SECFORM_SECRET')){ 	
+			$this->_secret=WB_SECFORM_SECRET;
+		}
+
+		# shall we use fingerprinting
+                if (defined ('WB_SECFORM_USEFP') AND WB_SECFORM_USEFP===false){
+			$this->_usefingerprint	= false;
+		}
+
+                # Timeout till the form token times out. Integer value between 0-86400 seconds (one day)
+                if (defined ('WB_SECFORM_TIMEOUT') AND is_numeric(WB_SECFORM_TIMEOUT) AND intval(WB_SECFORM_TIMEOUT) >=0 AND intval(WB_SECFORM_TIMEOUT) <=86400 ){
+			$this->_timeout=intval(WB_SECFORM_TIMEOUT);
+		}
+		# Name for the token form element only alphanumerical string allowed that starts whith a charakter
+                if (defined ('WB_SECFORM_TOKENNAME') AND !$this->_validate_alalnum(WB_SECFORM_TOKENNAME)){
+			$this->_tokenname=WB_SECFORM_TOKENNAME;
+		}
+		# how many bloks of the IP should be used 0=no ipcheck 
+                if (defined ('FINGERPRINT_WITH_IP_OCTETS') AND !$this->_is04(FINGERPRINT_WITH_IP_OCTETS)){
+			$this->_useipblocks=FINGERPRINT_WITH_IP_OCTETS;
+                }
+		## additional stuff end 
+		$this->_browser_fingerprint   = $this->_browser_fingerprint(true);
+		$this->_fingerprint   = $this->_generate_fingerprint();
+		$this->_serverdata    = $this->_generate_serverdata();
+		$this->_secret        = $this->_generate_secret();
+                $this->_salt          = $this->_generate_salt();
+
+		$this->_idkey_name    = substr($this->_fingerprint, hexdec($this->_fingerprint[strlen($this->_fingerprint)-1]), 16);
+		// make sure there is a alpha-letter at first position
+		$this->_idkey_name[0] = dechex(10 + (hexdec($this->_idkey_name[0]) % 5));
+		// takeover id_keys from session if available
+		if(isset($_SESSION[$this->_idkey_name]) && is_array($_SESSION[$this->_idkey_name])){
+			$this->_IDKEYs = $_SESSION[$this->_idkey_name];
+		}else{
+			$this->_IDKEYs = array('0'=>'0');
+			$_SESSION[$this->_idkey_name] = $this->_IDKEYs;
+		}
+	}
+
+	private function _generate_secret(){
+
+                $secret= $this->_secret;
+		$secrettime= $this->_secrettime;
+		#create a different secret every day
+		$TimeSeed= floor(time()/$secrettime)*$secrettime;  #round(floor) time() to whole days
+		$DomainSeed =  $_SERVER['SERVER_NAME'];  # generate a numerical from server name.
+		$Seed = $TimeSeed+$DomainSeed;
+                $secret .=md5($Seed);  #
+
+		$secret .= $this->_secret.$this->_serverdata.session_id();
+		if ($this->_usefingerprint){$secret.= $this->_browser_fingerprint;}
+		
+	return $secret;
+	}
+
+
+
+	private function _generate_salt()
+		{
+			if(function_exists('microtime'))
+			{
+				list($usec, $sec) = explode(" ", microtime());
+				$salt = (string)((float)$usec + (float)$sec);
+			}else{
+				$salt = (string)time();
+			}
+			$salt = (string)rand(10000, 99999) . $salt . (string)rand(10000, 99999);
+			return md5($salt);
+		}
+
+	private function _generate_fingerprint()
+	{
+	// server depending values
+ 		$fingerprint  = $this->_generate_serverdata();
+		
+	// client depending values
+		$fingerprint .= ( isset($_SERVER['HTTP_USER_AGENT']) ) ? $_SERVER['HTTP_USER_AGENT'] : '17';
+		$usedOctets = ( defined('FINGERPRINT_WITH_IP_OCTETS') ) ? intval(defined('FINGERPRINT_WITH_IP_OCTETS')) : 0;
+		$clientIp = ( isset($_SERVER['REMOTE_ADDR'])  ? $_SERVER['REMOTE_ADDR'] : '' );
+		if(($clientIp != '') && ($usedOctets > 0)){
+			$ip = explode('.', $clientIp);
+			while(sizeof($ip) > $usedOctets) { array_pop($ip); }
+			$clientIp = implode('.', $ip);
+		}else {
+			$clientIp = 19;
+		}
+		$fingerprint .= $clientIp;
+		return md5($fingerprint);
+	}
+
+	private function _generate_serverdata(){
+
+	 	$serverdata  = ( isset($_SERVER['SERVER_SIGNATURE']) ) ? $_SERVER['SERVER_SIGNATURE'] : '2';
+		$serverdata .= ( isset($_SERVER['SERVER_SOFTWARE']) ) ? $_SERVER['SERVER_SOFTWARE'] : '3';
+		$serverdata .= ( isset($_SERVER['SERVER_NAME']) ) ? $_SERVER['SERVER_NAME'] : '5';
+		$serverdata .= ( isset($_SERVER['SERVER_ADDR']) ) ? $_SERVER['SERVER_ADDR'] : '7';
+		$serverdata .= ( isset($_SERVER['SERVER_PORT']) ) ? $_SERVER['SERVER_PORT'] : '11';
+		$serverdata .= ( isset($_SERVER['SERVER_ADMIN']) ) ? $_SERVER['SERVER_ADMIN'] : '13';
+		$serverdata .= PHP_VERSION;
+	return  $serverdata;
+	}
+
+        // fake funktion , just exits to avoid error message 
+        final protected function createFTAN(){}
+
+	/*
+	* creates selfsigning Formular transactionnumbers for unique use
+	* @access public
+	* @param bool $asTAG: true returns a complete prepared, hidden HTML-Input-Tag (default)
+	*                     false returns an GET argument 'key=value'
+	* @return mixed:      string
+	*
+	* requirements: an active session must not be available but it makes no sense whithout :-)
+	*/
+	final public function getFTAN( $as_tag = true)
+	{
+		$secret= $this->_secret;
+
+		$timeout= time()+$this->_timeout;
+
+		#mt_srand(hexdec(crc32(microtime()));
+                $token= dechex(mt_rand());
+
+                $hash= sha1($secret.'-'.$token.'-'.$timeout);
+		$signed= $token.'-'.$timeout.'-'.$hash;
+
+		if($as_tag == true)
+		{ // by default return a complete, hidden <input>-tag
+			return '<input type="hidden" name="'.$this->_tokenname.'" value="'.htmlspecialchars($signed).'" title="" alt="" />';
+		}else{ // return an array with raw tokenname=value
+			return $this->_tokenname.'='.$signed;
+		}
+	}
+
+	/*
+	* checks received form-transactionnumbers against itself
+	* @access public
+	* @param string $mode: requestmethode POST(default) or GET
+	* @return bool:    true if numbers matches against stored ones
+	*
+	* requirements: no active session must be available but it makes no sense whithout.
+	* this check will prevent from multiple sending a form. history.back() also will never work
+	*/
+	final public function checkFTAN( $mode = 'POST')
+	{
+		$mode = (strtoupper($mode) != 'POST' ? '_GET' : '_POST');
+
+		$isok= false;
+		$secret= $this->_secret;
+
+		if (isset($GLOBALS[$mode][$this->_tokenname])) 	{$latoken=$GLOBALS[$mode][$this->_tokenname];}
+                else 						{return $isok;}
+
+		$parts= explode('-', $latoken);
+		if (count($parts)==3) {
+			list($token,$timeout, $hash)= $parts;
+			if ($hash==sha1($secret.'-'.$token.'-'.$timeout) AND $timeout > time())
+			{$isok= true;}
+		}
+
+		return $isok;
+	}
+
+	/*
+	* save values in session and returns a ID-key
+	* @access public
+	* @param mixed $value: the value for witch a key shall be generated and memorized
+	* @return string:      a MD5-Key to use instead of the real value
+	*
+	* @requirements: an active session must be available
+	* @description: IDKEY can handle string/numeric/array - vars. Each key is a
+	*/
+	final public function getIDKEY($value)
+	{
+		if( is_array($value) == true )
+		{ // serialize value, if it's an array
+			$value = serialize($value);
+		}
+		// crypt value with salt into md5-hash
+		// and return a 16-digit block from random start position
+		$key = substr( md5($this->_salt.(string)$value), rand(0,15), 16);
+		do{ // loop while key/value isn't added
+			if( !array_key_exists($key, $this->_IDKEYs) )
+			{ // the key is unique, so store it in list
+				$this->_IDKEYs[$key] = $value;
+				break;
+			}else {
+				// if key already exist, increment the last five digits until the key is unique
+				$key = substr($key, 0, -5).dechex(('0x'.substr($key, -5)) + 1);
+			}
+		}while(0);
+		// store key/value-pairs into session
+		$_SESSION[$this->_idkey_name] = $this->_IDKEYs;
+		return $key;
+	}
+
+	/*
+	* search for key in session and returns the original value
+	* @access public
+	* @param string $fieldname: name of the POST/GET-Field containing the key or hex-key itself
+	* @param mixed $default: returnvalue if key not exist (default 0)
+	* @param string $request: requestmethode can be POST or GET or '' (default POST)
+	* @return mixed: the original value (string, numeric, array) or DEFAULT if request fails
+	*
+	* @requirements: an active session must be available
+	* @description: each IDKEY can be checked only once. Unused Keys stay in list until the
+	*               session is destroyed.
+	*/
+ 	final public function checkIDKEY( $fieldname, $default = 0, $request = 'POST' )
+	{
+		$return_value = $default; // set returnvalue to default
+		switch( strtoupper($request) )
+		{
+			case 'POST':
+				$key = isset($_POST[$fieldname]) ? $_POST[$fieldname] : $fieldname;
+				break;
+			case 'GET':
+				$key = isset($_GET[$fieldname]) ? $_GET[$fieldname] : $fieldname;
+				break;
+			default:
+				$key = $fieldname;
+		}
+		if( preg_match('/[0-9a-f]{16}$/', $key) )
+		{ // key must be a 16-digit hexvalue
+			if( array_key_exists($key, $this->_IDKEYs))
+			{ // check if key is stored in IDKEYs-list
+				$return_value = $this->_IDKEYs[$key]; // get stored value
+				unset($this->_IDKEYs[$key]);   // remove from list to prevent multiuse
+				$_SESSION[$this->_idkey_name] = $this->_IDKEYs; // save modified list into session again
+				if( preg_match('/.*(?<!\{).*(\d:\{.*;\}).*(?!\}).*/', $return_value) )
+				{ // if value is a serialized array, then deserialize it
+					$return_value = unserialize($return_value);
+				}
+			}
+		}
+		return $return_value;
+	}
+
+	/* @access public
+	* @return void
+	*
+	* @requirements: an active session must be available
+	* @description: remove all entries from IDKEY-Array
+	*
+	*/
+ 	final public function clearIDKEY()
+	{
+		 $this->_IDKEYs = array('0'=>'0');
+	}
+
+
+	## additional Functions needed cause the original ones lack some functionality
+	## all are Copyright Norbert Heimsath, heimsath.org
+	## released under GPLv3  http://www.gnu.org/licenses/gpl.html
+
+	/* Made because ctype_ gives strange results using mb Strings*/ 
+ 	private function _validate_alalnum($input){
+	# alphanumerical string that starts whith a letter charakter 
+		if (preg_match('/^[a-zA-Z][0-9a-zA-Z]+$/u', $input))
+			{return false;}
+	
+	return "The given input is not an alphanumeric string.";
+	} 
+
+ 	private function _is04($input){
+	# integer value between 0-4
+		if (preg_match('/^[0-4]$/', $input)) {return false;}
+	
+	return "The given input is not an alphanumeric string.";
+	} 
+
+
+	private function _getip($ipblocks=4){
+	/*
+	Just a function to get User ip even if hes behind a proxy
+	*/
+		$ip    	=   ""; //Ip address result
+		$cutip	=   ""; //Ip address cut to limit
+	
+		# mabe user is behind a Proxy but we need his real ip address if we got a nice Proxyserver, 
+		# it sends us the "HTTP_X_FORWARDED_FOR" Header. Sometimes there is more than one Proxy.
+		# !!!!!! THIS PART WAS NEVER TESTED BECAUSE I ONLY GOT A DIRECT INTERNET CONNECTION !!!!!!
+		# long2ip(ip2long($lastip)) makes sure we got nothing else than an ip into our script ;-)
+		# !!!!! WARNING the 'HTTP_X_FORWARDED_FOR' Part is NOT TESTED !!!!!
+		if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) AND !empty($_SERVER['HTTP_X_FORWARDED_FOR']))
+		{
+			$iplist= explode(',',$_SERVER['HTTP_X_FORWARDED_FOR']);
+			$lastip = array_pop($iplist);
+			$ip.= long2ip(ip2long($lastip));
+		}
+		
+		/* If theres no other supported info we just use REMOTE_ADDR
+		If we have a fiendly proxy supporting  HTTP_X_FORWARDED_FOR its ok to use the full address.
+		But if there is no HTTP_X_FORWARDED_FOR we can  not be sure if its a proxy or whatever, so we use the 
+		blocklimit for IP address. 
+		*/
+		else 
+		{
+			$ip = long2ip(ip2long($_SERVER['REMOTE_ADDR']));
+	
+			# ipblocks used here defines how many blocks of the ip adress are checked xxx.xxx.xxx.xxx
+			$blocks = explode('.', $ip);
+			for ($i=0; $i<$ipblocks; $i++){
+				$cutip.= $blocks[$i] . '.';
+				}
+			$ip=substr($cutip, 0, -1);
+		}
+		
+	return $ip;
+	}
+	
+	private function _browser_fingerprint($encode=true,$fpsalt="My Fingerprint: "){
+	/*
+	Creates a basic Browser Fingerprint for securing the session and forms.
+	*/
+	
+		$fingerprint=$fpsalt;
+		if (isset($_SERVER['HTTP_USER_AGENT'])){ $fingerprint .= $_SERVER['HTTP_USER_AGENT'];}
+		if (isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];}
+		if (isset($_SERVER['HTTP_ACCEPT_ENCODING'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_ENCODING'];}
+		if (isset($_SERVER['HTTP_ACCEPT_CHARSET'])){ $fingerprint .= $_SERVER['HTTP_ACCEPT_CHARSET'];}
+		
+		$fingerprint.= $this->_getip($this->_useipblocks);
+		
+		if ($encode){$fingerprint=md5($fingerprint);}
+	
+	return $fingerprint;
+	}
+	##
+	## additional Functions END
+	##
+}
\ No newline at end of file
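Review bot: `checkFTAN()` compares the submitted hash with `==`, which lets PHP treat two `0e<digits>` strings as equal numbers, and it passes the request value to `explode()` without checking that it is a string; use `if ($hash === sha1($secret.'-'.$token.'-'.$timeout) AND $timeout > time())` and return `$isok` early when `!is_string($latoken)`. Nothing in `checkFTAN()` records a token as used, so a captured token stays valid until its timeout although the docblock says the check prevents sending a form twice; either correct the docblock or keep a used-token list in the session. `checkIDKEY()` calls `unserialize()` on any stored string that matches a loose pattern, so a plain string saved through `getIDKEY()` that merely looks serialized is deserialized too; storing an explicit is-array flag next to the value would avoid guessing (how much of that value callers take from request data is not visible here). `_getip()` prefers `HTTP_X_FORWARDED_FOR`, a header the client sets itself, so the IP part of the fingerprint mixed into the secret is client-chosen whenever the header is sent; it should be honoured only when `REMOTE_ADDR` is a known proxy. The built-in `$_secret` default is the same literal on every installation (it is repeated in tool.php's defaults), and in `_generate_secret()` the expression `$TimeSeed+$DomainSeed` adds a host name to a number, so a non-numeric server name contributes nothing to the seed; concatenate with `.` and generate a per-site secret at install time.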

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/files/SecureForm.mtab.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/files
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/files	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/files	(revision 1479)

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/files
___________________________________________________________________
Added: bugtraq:number
## -0,0 +1 ##
+true
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/tool.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/tool.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/tool.php	(revision 1479)
@@ -0,0 +1,233 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       (C) 2011, D Woellbrink
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link			http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource		$HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+// Must include code to stop this file being access directly
+if(defined('WB_PATH') == false)
+{
+	die('<head><title>Access denied</title></head><body><h2 style="color:red;margin:3em auto;text-align:center;">Cannot access this file directly</h2></body></html>');
+}
+
+// load module language file
+$mod_path = (dirname(__FILE__));
+require_once( $mod_path.'/language_load.php' );
+// callback function for settings name
+function converttoupper($val, $key, $vars) {
+	$vars[0][$key] = strtoupper($key);
+	$vars[1][$vars[0][$key]] = ($val);
+}
+
+// create backlinks
+$js_back =  ADMIN_URL.'/admintools/tool.php?tool=SecureFormSwitcher';
+$backlink =  ADMIN_URL.'/admintools/index.php';
+$FileNotFound = '&nbsp;';
+// defaults settings
+$default_cfg = array(
+	'secure_form_module' => '',
+	'wb_secform_secret' => '5609bnefg93jmgi99igjefg',
+	'wb_secform_secrettime' => '86400',
+	'wb_secform_timeout' => '7200',
+	'wb_secform_tokenname' => 'formtoken',
+	'wb_secform_usefp' => 'true',
+	'fingerprint_with_ip_octets' => '2',
+);
+$setting = $default_cfg;
+$MultitabTarget = WB_PATH.'/framework/SecureForm.mtab.php';
+// get stored settings to set in mask
+$sql  = 'SELECT * FROM `'.TABLE_PREFIX.'settings` ';
+$sql .= 'WHERE `name` = \'secure_form_module\'';
+$sql .=    'OR `name`=\'fingerprint_with_ip_octets\' ';
+$sql .=    'OR `name`=\'wb_secform_usefp\' ';
+$sql .=    'OR `name`=\'wb_secform_tokenname\' ';
+$sql .=    'OR `name`=\'wb_secform_timeout\' ';
+$sql .=    'OR `name`=\'wb_secform_secrettime\' ';
+$sql .=    'OR `name`=\'wb_secform_secret\' ';
+if($res = $database->query($sql) ) {
+	if($res->numRows() > 0) {
+		while($rec = $res->fetchRow(MYSQL_ASSOC)) {
+	        $setting[$rec['name']] = $rec['value'];
+		}
+	} else {
+		// add missing values
+		db_update_key_value('settings', $setting );
+	}
+}
+
+$action = 'show';
+$action = isset($_POST['save_settings']) ? 'save_settings' : $action;
+$action = isset($_POST['save_settings_default']) ? 'save_settings_default' : $action;
+
+switch ($action) :
+	case 'save_settings':
+		$cfg = array(
+			'secure_form_module' => (isset($_POST['ftan_switch']) ? $_POST['ftan_switch'] : 'mtab'),
+			'wb_secform_secret' => (isset($_POST['wb_secform_secret']) ? $_POST['wb_secform_secret'] : $setting['wb_secform_secret'] ),
+			'wb_secform_secrettime' => (isset($_POST['wb_secform_secrettime']) ? $_POST['wb_secform_secrettime'] : $setting['wb_secform_secrettime'] ),
+			'wb_secform_timeout' => (isset($_POST['wb_secform_timeout']) ? $_POST['wb_secform_timeout'] : $setting['wb_secform_timeout'] ),
+			'wb_secform_tokenname' => (isset($_POST['wb_secform_tokenname']) ? $_POST['wb_secform_tokenname'] : $setting['wb_secform_tokenname'] ),
+			'wb_secform_usefp' => (isset($_POST['wb_secform_usefp']) ? $_POST['wb_secform_usefp'] : $setting['wb_secform_usefp'] ),
+			'fingerprint_with_ip_octets' => (isset($_POST['fingerprint_with_ip_octets']) ? $_POST['fingerprint_with_ip_octets'] : $setting['fingerprint_with_ip_octets'] ),
+		);
+		// unset($_POST);
+		$_SESSION['CFG'] = $cfg;
+		break;
+	case 'save_settings_default':
+		$cfg = $default_cfg;
+		$cfg['secure_form_module'] = $setting['secure_form_module'];
+		break;
+endswitch;
+
+
+switch ($action) :
+	case 'save_settings':
+	case 'save_settings_default':
+		if (!$admin->checkFTAN())
+		{
+			if(!$admin_header) { $admin->print_header(); }
+			$admin->print_error($MESSAGE['GENERIC_SECURITY_ACCESS'],$_SERVER['REQUEST_URI']);
+		}
+		if(file_exists($MultitabTarget)) {
+			$val = ( isset($_POST['ftan_switch'])  ? ($_POST['ftan_switch']) : 'mtab');
+		} else {
+			$cfg['secure_form_module'] = '';
+			$FileNotFound = $SFS_TEXT['FILE_FORMTAB_NOT_GOUND'];
+		}
+
+		db_update_key_value('settings', $cfg );
+		// check if there is a database error, otherwise say successful
+		if(!$admin_header) { $admin->print_header(); }
+		if($database->is_error()) {
+			$admin->print_error($database->get_error(), $js_back);
+		} else {
+            if(isset($_SESSION['CFG'])) { unset($_SESSION['CFG']);}
+			$admin->print_success($MESSAGE['PAGES_SAVED'], $js_back);
+		}
+		break;
+endswitch;
+
+// set template file and assign module and template block
+$tpl = new Template(WB_PATH.'/modules/SecureFormSwitcher/htt','keep');
+$tpl->set_file('page', 'switchform.htt');
+$tpl->debug = false; // false, true
+$tpl->set_block('page', 'main_block', 'main');
+
+$checked = ($setting['secure_form_module']!='');
+
+$ftanMode = ($checked ? $SFS_TEXT['SECURE_FORM'] : $SFS_TEXT['SECURE_FORMMTAB']);
+$target = ($checked) ? '.'.$setting['secure_form_module'] : '';
+$target = WB_PATH.'/framework/SecureForm'.$target.'.php';
+
+$SingleTabStatus = intval($checked==false);
+$MultitabStatus = intval($checked==true);
+$NotFoundClass = '';
+if(!file_exists($MultitabTarget)) {
+	$SingleTabStatus = true;
+	$MultitabStatus = false;
+	$FileNotFound = $SFS_TEXT['FILE_FORMTAB_NOT_GOUND'];
+	$NotFoundClass = 'class="warning"';
+} else {
+}
+
+// convert settings name to upper
+array_walk($setting,'converttoupper', array(&$search, &$replace ));
+
+$tpl->set_var($replace);
+$tpl->set_var(array(
+	'FTAN' => $admin->getFTAN(),
+	'SERVER_REQUEST_URI' => $_SERVER['REQUEST_URI'],
+	'TEXT_CANCEL' => $TEXT['CANCEL'],
+	'BACKLINK' => (isset($_POST['cancel'])) ? $backlink : '#',
+	'TEXT_INFO' => $SFS_TEXT['INFO'],
+	'TEXT_SUBMIT' => $SFS_TEXT['SUBMIT'],
+	'TEXT_MSUBMIT' => $SFS_TEXT['RESET_SETTINGS'],
+	'TXT_HEADING' => $SFS_TEXT['SECURE_FORM'.strtoupper($setting['secure_form_module'])],
+	'SELECTED' => ( ($SingleTabStatus) ? ' checked="checked"' : ''),
+	'SELECTED_TAB' => ( ($MultitabStatus) ? ' checked="checked"' : ''),
+	'SUBMIT_TYPE' => ($checked ? 'multitab' : 'singletab'),
+	'MSELECTED' => '',
+	'MSELECTED_TAB' => '',
+	'FTAN_COLOR' => ($checked ? 'grey' : 'norm'),
+	'TXT_SUBMIT_FORM' => $SFS_TEXT['SUBMIT_FORM'],
+	'TXT_SUBMIT_FORMTAB' => $SFS_TEXT['SUBMIT_FORMTAB'],
+	'FILE_FORMTAB_WARNING' => $NotFoundClass,
+	'FILE_FORMTAB_NOT_GOUND' => $FileNotFound,
+	)
+);
+
+$tpl->set_var(array(
+		'USEIP_SELECTED' => '',
+		'TXT_SECFORM_USEIP' => $SFS_TEXT['WB_SECFORM_USEIP'],
+        'TXT_SECFORM_USEIP_TOOLTIP' => $SFS_TEXT['WB_SECFORM_USEIP_TOOLTIP'], // Tooltip
+		'TEXT_DEFAULT_SETTINGS' => $HEADING['DEFAULT_SETTINGS'],
+		'USEIP_DEFAULT' => $default_cfg['fingerprint_with_ip_octets'],
+		'USEFP_CHECKED_TRUE' => (($setting['wb_secform_usefp']=='true') ? ' checked="checked"' : ''),
+		'USEFP_CHECKED_FALSE' => (($setting['wb_secform_usefp']=='false') ? ' checked="checked"' : ''),
+		'TEXT_DEFAULT_SETTINGS' => $HEADING['DEFAULT_SETTINGS'],
+	)
+);
+
+$tpl->set_block('main_block', 'useip_mtab_loop', 'mtab_loop');
+	for($x=0; $x < 5; $x++) {
+		// iu value == default set first option with standardtext
+		if(intval($default_cfg['fingerprint_with_ip_octets'])==$x ) {
+			$tpl->set_var(array(
+					'USEIP_VALUE' => $x,
+					'USEIP_DEFAULT_SELECTED' => ((intval($setting['fingerprint_with_ip_octets'])==$x) ? ' selected="selected"' : ''),
+					'USEIP_SELECTED' => '',
+					)
+			);
+		} else {
+			$tpl->set_var(array(
+					'USEIP_VALUE' => $x,
+					'USEIP_SELECTED' => ((intval($setting['fingerprint_with_ip_octets'])==$x) && (intval($setting['fingerprint_with_ip_octets'])!=intval($default_cfg['fingerprint_with_ip_octets'])) ? ' selected="selected"' : ''),
+				)
+			);
+		}
+		$tpl->parse('mtab_loop','useip_mtab_loop', true);
+	}
+
+$tpl->set_block('main_block', 'show_mtab_block', 'show_mtab');
+$tpl->set_block('main_block', 'mtab_block', 'mtab');
+if($checked) {
+	$tpl->set_var(array(
+			'TEXT_ENABLED' => $SFS_TEXT['ON_OFF'],
+			'TXT_SECFORM_TOKENNAME' => $SFS_TEXT['WB_SECFORM_TOKENNAME'],
+            'TXT_SECFORM_TOKENNAME_TOOLTIP' => $SFS_TEXT['WB_SECFORM_TOKENNAME_TOOLTIP'],
+			'TXT_SECFORM_TIMEOUT' => $SFS_TEXT['WB_SECFORM_TIMEOUT'],
+            'TXT_SECFORM_TIMEOUT_TOOLTIP' => $SFS_TEXT['WB_SECFORM_TIMEOUT_TOOLTIP'],
+			'TXT_SECFORM_SECRETTIME' => $SFS_TEXT['WB_SECFORM_SECRETTIME'],
+            'TXT_SECFORM_SECRETTIME_TOOLTIP' => $SFS_TEXT['WB_SECFORM_SECRETTIME_TOOLTIP'],
+			'TXT_SECFORM_SECRET' => $SFS_TEXT['WB_SECFORM_SECRET'],
+            'TXT_SECFORM_SECRET_TOOLTIP' => $SFS_TEXT['WB_SECFORM_SECRET_TOOLTIP'],
+			'TXT_SECFORM_USEFP' => $SFS_TEXT['WB_SECFORM_USEFP'],
+			'SECFORM_USEFP' => 'true',
+            'TXT_SECFORM_USEFP_TOOLTIP' => $SFS_TEXT['WB_SECFORM_USEFP_TOOLTIP'],
+		)
+	);
+	$tpl->parse('mtab','mtab_block', true);
+	$tpl->parse('show_mtab','show_mtab_block', true);
+} else  {
+	$tpl->parse('mtab', '');
+	$tpl->parse('show_mtab', '');
+}
+
+// Parse template object
+$tpl->parse('main', 'main_block', false);
+$output = $tpl->finish($tpl->parse('output', 'page'));
+unset($tpl);
+print $output;
+
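Review bot: The `save_settings` branch copies every `$_POST` field into `$cfg` unchecked and writes it with `db_update_key_value()`, and it puts the array into `$_SESSION['CFG']` in the first switch, before `checkFTAN()` runs in the second. `secure_form_module` is later concatenated into `WB_PATH.'/framework/SecureForm'.$target.'.php'` and into an `$SFS_TEXT` index, so it should be limited to the two values this file knows, `''` and `'mtab'`; the timeouts, the octet count (the select offers 0–4), the fingerprint flag and the token name need the same kind of check. The stored values also reach the template through `$tpl->set_var($replace)` without `htmlspecialchars()`, which presumably puts them into form attributes in switchform.htt (not visible here). I would run the FTAN check first and normalise `$cfg` as sketched below; the token-name pattern is a suggestion, adjust it to what the framework accepts.

```php
	case 'save_settings':
		// … unchanged: $cfg built from $_POST with fallbacks to $setting …
		$cfg['secure_form_module'] = in_array($cfg['secure_form_module'], array('', 'mtab'), true) ? $cfg['secure_form_module'] : '';
		$cfg['wb_secform_usefp'] = ($cfg['wb_secform_usefp'] === 'false') ? 'false' : 'true';
		$cfg['fingerprint_with_ip_octets'] = (string) max(0, min(4, intval($cfg['fingerprint_with_ip_octets'])));
		$cfg['wb_secform_timeout'] = (string) max(1, intval($cfg['wb_secform_timeout']));
		$cfg['wb_secform_secrettime'] = (string) max(1, intval($cfg['wb_secform_secrettime']));
		if (!is_string($cfg['wb_secform_secret']) || $cfg['wb_secform_secret'] === '') {
			$cfg['wb_secform_secret'] = $setting['wb_secform_secret'];
		}
		if (!is_string($cfg['wb_secform_tokenname']) || !preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $cfg['wb_secform_tokenname'])) {
			$cfg['wb_secform_tokenname'] = $setting['wb_secform_tokenname'];
		}
		// … unchanged: $_SESSION['CFG'] = $cfg; break; …
```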

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/tool.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/languages/EN.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/languages/EN.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/languages/EN.php	(revision 1479)
@@ -0,0 +1,55 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link			http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource		$HeadURL$
+ * @lastmodified    $Date$
+ *
+*/
+
+//Module description
+$module_description = 'This module switch between the <strong>SingleTab SecureForm</strong> and <strong>MultiTab SecureForm</strong>.';
+
+// Backend variables
+$SFS_TEXT['TEXT_SWITCH'] = 'Change';
+$SFS_TEXT['TXT_FTAN_SWITCH'] = 'Change to ';
+$SFS_TEXT['SECURE_FORM'] = 'SingleTab SecureForm';
+$SFS_TEXT['SECURE_FORMMTAB'] = 'Multitab SecureForm';
+$SFS_TEXT['FILE_FORMTAB_NOT_GOUND'] = '<strong>Multitab not possible!<br />Needed file \'/framework/SecureForm.mtab.php\' not found!</strong><br />
+<span>You have to upload the file manually via FTP</span>';
+$SFS_TEXT['SUBMIT_FORM'] = 'Single Tab (recommended)';
+$SFS_TEXT['SUBMIT_FORMTAB'] = 'Multi Tab';
+$SFS_TEXT['SUBMIT'] = 'Accept';
+$SFS_TEXT['INFO'] = 'Please select if you want to use the default security settings or the settings for working with several WebsiteBaker instances in parallel browser tabs.';
+$SFS_TEXT['RESET_SETTINGS'] = 'Default setting';
+$SFS_TEXT['ON_OFF'] = 'On/OFF';
+
+// Variablen fuer AdminTool Optionen
+$SFS_TEXT['WB_SECFORM_USEIP'] = 'IP-Blocks (1-4, 0=no check)';
+$SFS_TEXT['WB_SECFORM_USEIP_TOOLTIP'] = '<span class="custom help"><em>Help</em>
+These number of segments of an IP address can be used for the fingerprint. "4" means the whole IP address (this makes sense e.g. for servers with a stable IP address). "2" is a good compromise, because at home there\'s often the 24-hour reset and therefore only the first two segments keep constant.
+<ul>
+<li>4= xxx.xxx.xxx.xxx</li>
+<li>3= xxx.xxx.xxx</li>
+<li>2= xxx.xxx</li>
+<li>1= xxx</li>
+<li>0= no usage of the IP</li></ul></span>';
+$SFS_TEXT['WB_SECFORM_TOKENNAME'] = 'Tokenname';
+$SFS_TEXT['WB_SECFORM_TOKENNAME_TOOLTIP'] = '<span class="custom help"><em>Help</em>The name of the token. Coll. a token is often called TAN.</span>';
+$SFS_TEXT['WB_SECFORM_SECRET'] = 'Secret (whatever you like)';
+$SFS_TEXT['WB_SECFORM_SECRET_TOOLTIP'] = '<span class="custom help"><em>Help</em>A random key, that is being used for creating a TAN. Recommend are at least 20 digits.</span>';
+$SFS_TEXT['WB_SECFORM_SECRETTIME'] = 'Secrettime';
+$SFS_TEXT['WB_SECFORM_SECRETTIME_TOOLTIP'] = '<span class="custom help"><em>Help</em>Time (in seconds), until the secret-key will be renewed.</span>';
+$SFS_TEXT['WB_SECFORM_TIMEOUT'] = 'Timeout';
+$SFS_TEXT['WB_SECFORM_TIMEOUT_TOOLTIP'] = '<span class="custom help"><em>Help</em>Time (in seconds), until the form-token is void.</span>';
+$SFS_TEXT['WB_SECFORM_USEFP'] = 'Fingerprinting';
+$SFS_TEXT['WB_SECFORM_USEFP_TOOLTIP'] = '<span class="custom help"><em>Help</em>Require OS and browser for every TAN-validation additionally to the IP-address.</span>';

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/languages/EN.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/languages/DE.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/languages/DE.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/languages/DE.php	(revision 1479)
@@ -0,0 +1,55 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link			http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource		$HeadURL$
+ * @lastmodified    $Date$
+ *
+*/
+
+//Module description
+$module_description = 'Dieses Modul wechselt zwischen <strong>SingleTab SecureForm</strong> und <strong>MultiTab SecureForm</strong>.';
+
+// Backend variables
+$SFS_TEXT['TEXT_SWITCH'] = 'Wechseln';
+$SFS_TEXT['TXT_FTAN_SWITCH'] = 'Wechsel zu ';
+$SFS_TEXT['SECURE_FORM'] = 'SingleTab SecureForm';
+$SFS_TEXT['SECURE_FORMMTAB'] = 'Multitab SecureForm';
+$SFS_TEXT['FILE_FORMTAB_NOT_GOUND'] = '<strong>Multitab nicht ausführbar!<br />Benötigte Datei \'/framework/SecureForm.mtab.php\' nicht gefunden!</strong><br />
+<span>Sie müssen die Datei manuell über FTP hochspielen</span>';
+$SFS_TEXT['SUBMIT_FORM'] = 'SingleTab (empfohlen)';
+$SFS_TEXT['SUBMIT_FORMTAB'] = 'Multi Tab';
+$SFS_TEXT['SUBMIT'] = 'Übernehmen';
+$SFS_TEXT['INFO'] = 'Hier können Sie auswählen, ob die Standard-Sicherheitseinstellung oder die Sicherheitseinstellung zur Verwendung von mehreren WebsiteBaker-Instanzen in parallelen Browser-Tabs aktiviert werden soll.';
+$SFS_TEXT['RESET_SETTINGS'] = 'Standardeinstellung';
+$SFS_TEXT['ON_OFF'] = 'Ein/Aus';
+
+// Variablen fuer AdminTool Optionen
+$SFS_TEXT['WB_SECFORM_USEIP'] = 'IP-Blocks (1-4, 0=kein Check)';
+$SFS_TEXT['WB_SECFORM_USEIP_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>
+Diese Anzahl der Segmente einer IP-Adresse werden für den Fingerprint genutzt. "4" heißt die gesamte IP-Adresse (dies macht nur bei festen IPs wie z.B. Servern Sinn). "2" ist ein guter Kompromiss, da im Heimbereich durch 24-Stunden Resets nur die ersten beiden Segmente konstant bleiben. 
+<ul>
+<li>4= xxx.xxx.xxx.xxx</li>
+<li>3= xxx.xxx.xxx</li>
+<li>2= xxx.xxx</li>
+<li>1= xxx</li>
+<li>0=keine Nutzung der IP</li></ul></span>';
+$SFS_TEXT['WB_SECFORM_TOKENNAME'] = 'Tokenname';
+$SFS_TEXT['WB_SECFORM_TOKENNAME_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Der Name des Tokens. Umgangssprachlich wird Token auch TAN genannt.</span>';
+$SFS_TEXT['WB_SECFORM_SECRET'] = 'Secret (Beliebige Zeichen)';
+$SFS_TEXT['WB_SECFORM_SECRET_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Ein zufälliger Schlüssel, der für die Token-Erstellung verwendet wird. Empfohlen sind mind. 20 Zeichen.</span>';
+$SFS_TEXT['WB_SECFORM_SECRETTIME'] = 'Secrettime';
+$SFS_TEXT['WB_SECFORM_SECRETTIME_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Zeit (in Sekunden), bis der Secret-Schlüssel sich erneuert.</span>';
+$SFS_TEXT['WB_SECFORM_TIMEOUT'] = 'Timeout';
+$SFS_TEXT['WB_SECFORM_TIMEOUT_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Zeit (in Sekunden), bis ein Formular-Token nicht mehr gilt.</span>';
+$SFS_TEXT['WB_SECFORM_USEFP'] = 'Fingerprinting';
+$SFS_TEXT['WB_SECFORM_USEFP_TOOLTIP'] = '<span class="custom help"><em>Hilfe</em>Zusätzlich zur IP-Adresse wird Betriebssystem und Browser zu jeder TAN-Validierung hinzugezogen.</span>';

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/languages/DE.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/languages
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/languages	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/languages	(revision 1479)

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/languages
___________________________________________________________________
Added: bugtraq:number
## -0,0 +1 ##
+true
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/language_load.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/language_load.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/language_load.php	(revision 1479)
@@ -0,0 +1,45 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link			http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource		$HeadURL$
+ * @lastmodified    $Date$
+ * @description
+ *
+ */
+/* ************************************************************************** */
+
+if(defined('WB_PATH') == false)
+{
+	die(" <head><title>Access denied</title></head><body><h2 style=\"color:red;margin:3em auto;text-align:center;\">Cannot access this file directly.</h2></body>");
+}
+
+$mod_path = (dirname(__FILE__));
+$dlg_lang_dir = $mod_path.'/languages/';
+if(file_exists($dlg_lang_dir)){
+	$dlg_lang = file_exists($dlg_lang_dir.LANGUAGE.'.php') ? LANGUAGE : 'EN';
+	require_once($dlg_lang_dir.$dlg_lang.'.php');
+}
+
+//  iconv_set_encoding("output_encoding", "ISO-8859-1");
+if(!function_exists('convert_charset'))
+{
+	function convert_charset(&$val, $key, $vars) {
+		$val = iconv($vars['0'], $vars['1'].'//TRANSLIT', ($val));
+	}
+}
+if( strtolower(DEFAULT_CHARSET) != 'utf-8') {
+	$in_charset = 'utf-8';
+	$out_charset = DEFAULT_CHARSET;
+	array_walk_recursive($SFS_TEXT,'convert_charset',array($in_charset, $out_charset));
+}
+
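Review bot: `array_walk_recursive($SFS_TEXT, ...)` runs whenever `DEFAULT_CHARSET` is not utf-8, but `$SFS_TEXT` only exists if the `languages/` directory was found and the required file defined it; guard the call with `if (isset($SFS_TEXT) && is_array($SFS_TEXT))`. `convert_charset` assigns the result of `iconv()` straight to `$val`, and `iconv()` returns `false` on failure, so one unconvertible string replaces the label with `false`; keep the original in that case, e.g. `$conv = iconv($vars['0'], $vars['1'].'//TRANSLIT', $val); if ($conv !== false) { $val = $conv; }`. `LANGUAGE` is concatenated into a `require_once` path; where that constant is set is not visible in this hunk, so if it can come from a user preference it should be checked against the expected two-letter form before it is used in a file name.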

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/language_load.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/install.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/install.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/install.php	(revision 1479)
@@ -0,0 +1,40 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link            http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource      $HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+// Must include code to stop this file being access directly
+if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }
+
+require_once(WB_PATH.'/framework/class.database.php');
+require_once(WB_PATH.'/framework/functions.php');
+
+$mod_path = (dirname(__FILE__));
+require_once( $mod_path.'/language_load.php' );
+
+$aDefault = array(
+	'secure_form_module' => '',
+	'wb_secform_secret' => '5609bnefg93jmgi99igjefg',
+	'wb_secform_secrettime' => '86400',
+	'wb_secform_timeout' => '7200',
+	'wb_secform_tokenname' => 'formtoken',
+	'wb_secform_usefp' => 'true',
+	'wb_secform_useip' => '2',
+);
+
+db_update_key_value('settings', $aDefault );
+
+
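Review bot: `wb_secform_secret` is installed as the literal `'5609bnefg93jmgi99igjefg'`, so every site that never edits the setting derives its form tokens from the same publicly known value; the same literal is the reset default in `$default_cfg` in tool.php. The installer should generate a random per-installation secret here, and the "Default setting" action in tool.php should regenerate one rather than restore the constant. The octet setting is also written under a different key than the one tool.php reads: this file stores `'wb_secform_useip'` while tool.php selects and saves `'fingerprint_with_ip_octets'`, so the installed row is never picked up; use `'fingerprint_with_ip_octets' => '2',` here, or the other name consistently in both files.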

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/install.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/upgrade.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/upgrade.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/upgrade.php	(revision 1479)
@@ -0,0 +1,41 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link            http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.8.2
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource      $HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+// Must include code to stop this file being access directly
+if(defined('WB_PATH') == false) { exit("Cannot access this file directly"); }
+global $i;
+// load module language file
+$mod_path = (dirname(__FILE__));
+require_once( $mod_path.'/language_load.php' );
+$i = (!isset($i) ? 1 : $i);
+print "<div style=\"margin:1em auto;font-size:1.1em;\">";
+print "<h4>Step $i: Updating SecureForm Switcher</h4>\n";
+$i++;
+$OK   = "<span class=\"ok\">OK</span>";
+$FAIL = "<span class=\"error\">FAILED</span>";
+$target = $mod_path.'/files/SecureForm.mtab.php';
+$dest = WB_PATH.'/framework/SecureForm.mtab.php';
+
+if(is_writeable(WB_PATH.'/framework')) {
+	if((copy($target,$dest) && change_mode($dest)) || file_exists($target)) {
+		print "<br /><strong>Updating secure_form_module</strong> $OK<br />\n";
+	} else {
+		print "<br /><strong>Updating secure_form_module</strong> $FAIL<br />\n";
+	}
+}
+print "</div>";
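Review bot: The success test `(copy($target,$dest) && change_mode($dest)) || file_exists($target)` is always true when the module is intact, because `$target` is the source file under `files/`, so a failed copy into `/framework` is still reported as OK. If the fallback is meant to accept an already present file, it should test the destination: `if((copy($target,$dest) && change_mode($dest)) || file_exists($dest)) {`, and even then a stale copy would pass silently. When `WB_PATH.'/framework'` is not writable the script prints nothing at all; an `else` branch that prints the `$FAIL` line would tell the administrator that SecureForm.mtab.php was not installed.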

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/upgrade.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/index.php
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/index.php	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/index.php	(revision 1479)
@@ -0,0 +1,20 @@
+<?php
+/**
+ *
+ * @category        modules
+ * @package         SecureFormSwitcher
+ * @author          WebsiteBaker Project
+ * @copyright       2004-2009, Ryan Djurovich
+ * @copyright       2009-2011, Website Baker Org. e.V.
+ * @link            http://www.websitebaker2.org/
+ * @license         http://www.gnu.org/licenses/gpl.html
+ * @platform        WebsiteBaker 2.9.x
+ * @requirements    PHP 5.2.2 and higher
+ * @version         $Id$
+ * @filesource      $HeadURL$
+ * @lastmodified    $Date$
+ *
+ */
+
+header('Location: ../index.php');
+exit();
\ No newline at end of file

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/index.php
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision Id HeadURL
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/plain
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/FTAN_SUPPORTED
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/FTAN_SUPPORTED	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/FTAN_SUPPORTED	(revision 1479)
@@ -0,0 +1 @@
+This module supports the FTAN-System
\ No newline at end of file
Index: branches/2.8.x/wb/modules/SecureFormSwitcher/backend.css
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher/backend.css	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher/backend.css	(revision 1479)
@@ -0,0 +1,66 @@
+@charset "UTF-8";
+
+td.content form.secure_switch .left-content { width :49%; float :left; }
+td.content form.secure_switch .right-content { width :49%; float :right; }
+
+form.secure_switch { border :0px #484 solid; margin :1em 0; width :100%; }
+
+table.switch-ftan-info,
+table.switch-ftan-form { width :100%; background-color :transparent; }
+table.switch-ftan-info tbody,
+table.switch-ftan-form tbody { margin :10px 0; }
+table.switch-ftan-form tbody td label { font-weight :bold; font-size :1.0em; color :#000000; }
+table.switch-ftan-info thead tr th { margin :20px 0; font-weight :bold; font-size :1.4em; background-color :transparent; color :#000000; text-align :left; }
+
+table.switch-ftan-info thead tr th span.norm { color : #003300; }
+table.switch-ftan-info thead tr th span.grey { color : #666666; }
+
+table.switch-ftan-form tbody td { height :30px; vertical-align :middle; }
+table.switch-ftan-form tbody td input[type="submit"] { font-size :1.0em; width : 40%; }
+table.switch-ftan-form tbody td input[type="text"] { font-size :1.0em; width : 100%; }
+table.switch-ftan-form tbody td select { font-size :1.0em; width : 101.5%; }
+
+.ok, .error { font-weight:bold; }
+.ok { color:green; }
+.error { color:red; }
+.check { color:#555; }
+
+.module-info { padding :10px; margin :0px auto; background :transparent; color :#000000; font-size :1.0em; }
+.module-info p { margin :0.2em auto; }
+.warning { border-radius :10px; -khtml-border-radius :10px; -webkit-border-radius :10px; -moz-border-radius :10px; background :#fee; border :0.2em #844 solid; color :#990000; margin :0.2em auto; padding :0.63em; width :60%; text-align :center; }
+.warning strong { font-size :1.2em; }
+.warning span { font-size :1.2em; line-height :1.5em; color :#333333; }
+
+/* Tooltip CSS */
+.tooltip {
+	border-bottom: 1px dotted #000000;
+	color: #000000;
+	outline: none;
+	cursor: help;
+	text-decoration: none;
+	position: relative;
+}
+.tooltip span { margin-left: -999em; position: absolute; }
+.tooltip:hover em {
+	font-family: Candara, Tahoma, Geneva, sans-serif;
+	font-size: 1.2em;
+	font-weight: bold;
+	display: block;
+	padding: 0.2em 0 0.6em 0;
+}
+.tooltip:hover span {
+	border-radius: 5px 5px;
+	box-shadow: 5px 5px 5px rgba(0, 0, 0, 0.1);
+	font-family: Calibri, Tahoma, Geneva, sans-serif;
+	position: absolute;
+	left: -15em;
+	top: 2em;
+	z-index: 99;
+	margin-left: 1em;
+	padding: 10px 10px 10px 50px;
+	width: 250px;
+}
+.help {
+	border: 1px solid #2bb0d7;
+	background: #9fdaee url(htt/help.png) no-repeat left;
+}
\ No newline at end of file

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher/backend.css
___________________________________________________________________
Added: svn:eol-style
## -0,0 +1 ##
+native
\ No newline at end of property
Added: svn:keywords
## -0,0 +1 ##
+Date Revision
\ No newline at end of property
Added: svn:mime-type
## -0,0 +1 ##
+text/css
\ No newline at end of property
Index: branches/2.8.x/wb/modules/SecureFormSwitcher
===================================================================
--- branches/2.8.x/wb/modules/SecureFormSwitcher	(nonexistent)
+++ branches/2.8.x/wb/modules/SecureFormSwitcher	(revision 1479)

Property changes on: branches/2.8.x/wb/modules/SecureFormSwitcher
___________________________________________________________________
Added: bugtraq:number
## -0,0 +1 ##
+true
\ No newline at end of property
