
Source code changes of the file "interface/lib/classes/remoting.inc.php" between
ISPConfig-3.2.6.tar.gz and ISPConfig-3.2.7.tar.gz

About: ISPConfig is an ISP management and Hosting Control Panel (for different Managed Services).

remoting.inc.php  (ISPConfig-3.2.6):remoting.inc.php  (ISPConfig-3.2.7)
skipping to change at line 89 skipping to change at line 89
if(empty($password)) { if(empty($password)) {
throw new SoapFault('login_password_empty', 'The login pa ssword is empty.'); throw new SoapFault('login_password_empty', 'The login pa ssword is empty.');
return false; return false;
} }
//* Delete old remoting sessions //* Delete old remoting sessions
$sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMESTAMP( )"; $sql = "DELETE FROM remote_session WHERE tstamp < UNIX_TIMESTAMP( )";
$app->db->query($sql); $app->db->query($sql);
//* Check for max. login attempts
$ip_md5 = md5($_SERVER['REMOTE_ADDR']);
$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_
time` > (NOW() - INTERVAL 5 MINUTE) LIMIT 1";
$alreadyfailed = $app->db->queryOneRecord($sql, $ip_md5);
if($alreadyfailed['times'] >= 10) {
throw new SoapFault('login_failure_limit', 'The login fai
lure limit has been reached.');
return false;
}
if($client_login == true) { if($client_login == true) {
$sql = "SELECT * FROM sys_user WHERE USERNAME = ?"; $sql = "SELECT * FROM sys_user WHERE USERNAME = ?";
$user = $app->db->queryOneRecord($sql, $username); $user = $app->db->queryOneRecord($sql, (string)$username) ;
if($user) { if($user) {
$saved_password = stripslashes($user['passwort']) ; $saved_password = stripslashes($user['passwort']) ;
if(preg_match('/^\$[156]\$/', $saved_password)) { if(preg_match('/^\$[156]\$/', $saved_password)) {
//* The password is crypt-md5 encrypted //* The password is crypt-md5 encrypted
if(crypt(stripslashes($password), $saved_ password) != $saved_password) { if(crypt(stripslashes($password), $saved_ password) != $saved_password) {
throw new SoapFault('client_login _failed', 'The login failed. Username or password wrong.'); throw new SoapFault('client_login _failed', 'The login failed. Username or password wrong.');
} }
} else { } else {
//* The password is md5 encrypted //* The password is md5 encrypted
if(md5($password) != $saved_password) { if(md5($password) != $saved_password) {
throw new SoapFault('client_login _failed', 'The login failed. Username or password wrong.'); throw new SoapFault('client_login _failed', 'The login failed. Username or password wrong.');
} }
} }
} else { } else {
if(!$alreadyfailed['times'] )
{
//* user login the first time wrong
$sql = "INSERT INTO `attempts_login` (`ip
`, `times`, `login_time`) VALUES (?, 1, NOW())";
$app->db->query($sql, $ip_md5);
} elseif($alreadyfailed['times'] >= 1) {
//* update times wrong
$sql = "UPDATE `attempts_login` SET `time
s`=`times`+1, `login_time`=NOW() WHERE `ip` = ? ORDER BY `login_time` DESC LIMIT
1";
$app->db->query($sql, $ip_md5);
}
throw new SoapFault('client_login_failed', 'The l ogin failed. Username or password wrong.'); throw new SoapFault('client_login_failed', 'The l ogin failed. Username or password wrong.');
} }
if($user['active'] != 1) { if($user['active'] != 1) {
throw new SoapFault('client_login_failed', 'The l ogin failed. User is blocked.'); throw new SoapFault('client_login_failed', 'The l ogin failed. User is blocked.');
} }
// now we need the client data // now we need the client data
$client = $app->db->queryOneRecord("SELECT client.can_use _api FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys _group.groupid = ?", $user['default_group']); $client = $app->db->queryOneRecord("SELECT client.can_use _api FROM sys_group, client WHERE sys_group.client_id = client.client_id and sys _group.groupid = ?", $user['default_group']);
if(!$client || $client['can_use_api'] != 'y') { if(!$client || $client['can_use_api'] != 'y') {
throw new SoapFault('client_login_failed', 'The l ogin failed. Client may not use api.'); throw new SoapFault('client_login_failed', 'The l ogin failed. Client may not use api.');
return false; return false;
} }
//* Create a remote user session //* Create a remote user session
//srand ((double)microtime()*1000000); //srand ((double)microtime()*1000000);
$remote_session = md5(mt_rand().uniqid('ispco')); $remote_session = substr(str_shuffle('abcdefghijklmnopqrs tuvwxyz'),0,1).sha1(mt_rand().uniqid('ispco',true));
$remote_userid = $user['userid']; $remote_userid = $user['userid'];
$remote_functions = ''; $remote_functions = '';
$tstamp = time() + $this->session_timeout; $tstamp = time() + $this->session_timeout;
$sql = 'INSERT INTO remote_session (remote_session,remote $ip = $_SERVER['REMOTE_ADDR'];
_userid,remote_functions,client_login,tstamp' $sql = 'INSERT INTO remote_session (remote_session,remote
.') VALUES (?, ?, ?, 1, ?)'; _userid,remote_functions,client_login,tstamp,remote_ip'
$app->db->query($sql, $remote_session,$remote_userid,$rem .') VALUES (?, ?, ?, 1, ?, ?)';
ote_functions,$tstamp); $app->db->query($sql, $remote_session,$remote_userid,$rem
ote_functions,$tstamp,$ip);
//* Delete login attempts after successful login
$sql = "DELETE FROM `attempts_login` WHERE `ip`=?";
$app->db->query($sql, $ip_md5);
return $remote_session; return $remote_session;
} else { } else {
$sql = "SELECT * FROM remote_user WHERE remote_username = ?"; $sql = "SELECT * FROM remote_user WHERE remote_username = ?";
$remote_user = $app->db->queryOneRecord($sql, $username); $remote_user = $app->db->queryOneRecord($sql, (string)$us ername);
if($remote_user) { if($remote_user) {
if(substr($remote_user['remote_password'], 0, 1) === '$') { if(substr($remote_user['remote_password'], 0, 1) === '$') {
if(crypt(stripslashes($password), $remote _user['remote_password']) != $remote_user['remote_password']) { if(crypt(stripslashes($password), $remote _user['remote_password']) != $remote_user['remote_password']) {
$remote_user = null; $remote_user = null;
} }
} elseif(md5($password) == $remote_user['remote_p assword']) { } elseif(md5($password) == $remote_user['remote_p assword']) {
// update hash algo // update hash algo
$sql = 'UPDATE `remote_user` SET `remote_ password` = ? WHERE `remote_username` = ?'; $sql = 'UPDATE `remote_user` SET `remote_ password` = ? WHERE `remote_username` = ?';
$app->db->query($sql, $app->auth->crypt_p assword($password), $username); $app->db->query($sql, $app->auth->crypt_p assword($password), (string)$username);
} else { } else {
$remote_user = null; $remote_user = null;
} }
} }
if($remote_user && $remote_user['remote_userid'] > 0) { if($remote_user && $remote_user['remote_userid'] > 0) {
if (trim($remote_user['remote_ips']) != '') { if (trim($remote_user['remote_ips']) != '') {
$allowed_ips = explode(',',$remote_user[' remote_ips']); $allowed_ips = explode(',',$remote_user[' remote_ips']);
foreach($allowed_ips as $i => $allowed) { foreach($allowed_ips as $i => $allowed) {
if(!filter_var($allowed, FILTER_V ALIDATE_IP)) { if(!filter_var($allowed, FILTER_V ALIDATE_IP)) {
// get the ip for a hostn ame // get the ip for a hostn ame
skipping to change at line 188 skipping to change at line 214
} }
} }
} }
} }
if(!$remote_allowed) { if(!$remote_allowed) {
throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']); throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
return false; return false;
} }
//* Create a remote user session //* Create a remote user session
//srand ((double)microtime()*1000000); //srand ((double)microtime()*1000000);
$remote_session = md5(mt_rand().uniqid('ispco')); $remote_session = substr(str_shuffle('abcdefghijk lmnopqrstuvwxyz'),0,1).sha1(mt_rand().uniqid('ispco',true));
$remote_userid = $remote_user['remote_userid']; $remote_userid = $remote_user['remote_userid'];
$remote_functions = $remote_user['remote_function s']; $remote_functions = $remote_user['remote_function s'];
$tstamp = time() + $this->session_timeout; $tstamp = time() + $this->session_timeout;
$sql = 'INSERT INTO remote_session (remote_sessio $sql = 'INSERT INTO remote_session (remote_sessio
n,remote_userid,remote_functions,tstamp' n,remote_userid,remote_functions,tstamp,remote_ip'
.') VALUES (?, ?, ?, ?)'; .') VALUES (?, ?, ?, ?, ?)';
$app->db->query($sql, $remote_session,$remote_use $app->db->query($sql, $remote_session,$remote_use
rid,$remote_functions,$tstamp); rid,$remote_functions,$tstamp, $ip);
//* Delete login attempts after successful login
$sql = "DELETE FROM `attempts_login` WHERE `ip`=?
";
$app->db->query($sql, $ip_md5);
return $remote_session; return $remote_session;
} else { } else {
if(!$alreadyfailed['times'] )
{
//* user login the first time wrong
$sql = "INSERT INTO `attempts_login` (`ip
`, `times`, `login_time`) VALUES (?, 1, NOW())";
$app->db->query($sql, $ip_md5);
} elseif($alreadyfailed['times'] >= 1) {
//* update times wrong
$sql = "UPDATE `attempts_login` SET `time
s`=`times`+1, `login_time`=NOW() WHERE `ip` = ? ORDER BY `login_time` DESC LIMIT
1";
$app->db->query($sql, $ip_md5);
}
throw new SoapFault('login_failed', 'The login fa iled. Username or password wrong.'); throw new SoapFault('login_failed', 'The login fa iled. Username or password wrong.');
return false; return false;
} }
} }
} }
//* remote logout function //* remote logout function
public function logout($session_id) public function logout($session_id)
{ {
global $app; global $app;
if(empty($session_id)) { if(empty($session_id)) {
throw new SoapFault('session_id_empty', 'The SessionID is empty.'); throw new SoapFault('session_id_empty', 'The SessionID is empty.');
return false; return false;
} }
$sql = "DELETE FROM remote_session WHERE remote_session = ?"; $sql = "DELETE FROM remote_session WHERE remote_session = ?";
if($app->db->query($sql, $session_id) != false) { if($app->db->query($sql, (string)$session_id) != false) {
return true; return true;
} else { } else {
return false; return false;
} }
} }
//** protected functions ------------------------------------------------ ----------------------------------- //** protected functions ------------------------------------------------ -----------------------------------
protected function klientadd($formdef_file, $reseller_id, $params) protected function klientadd($formdef_file, $reseller_id, $params)
{ {
skipping to change at line 520 skipping to change at line 563
protected function getSession($session_id) protected function getSession($session_id)
{ {
global $app; global $app;
if(empty($session_id)) { if(empty($session_id)) {
throw new SoapFault('session_id_empty', 'The SessionID is empty.'); throw new SoapFault('session_id_empty', 'The SessionID is empty.');
return false; return false;
} }
if(!is_string($session_id)) {
throw new SoapFault('session_id_nostring', 'Wrong Session
ID datatype.');
return false;
}
$ip_md5 = md5($_SERVER['REMOTE_ADDR']);
$sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_
time` > (NOW() - INTERVAL 5 MINUTE) LIMIT 1";
$alreadyfailed = $app->db->queryOneRecord($sql, $ip_md5);
if($alreadyfailed['times'] >= 10) {
throw new SoapFault('session_failure_limit', 'The Session
failure limit has been reached.');
return false;
}
$sql = "SELECT * FROM remote_session WHERE remote_session = ? AND tstamp >= UNIX_TIMESTAMP()"; $sql = "SELECT * FROM remote_session WHERE remote_session = ? AND tstamp >= UNIX_TIMESTAMP()";
$session = $app->db->queryOneRecord($sql, $session_id); $session = $app->db->queryOneRecord($sql, (string)$session_id);
if(!is_array($session)) {
if(!$alreadyfailed['times'] )
{
//* user login the first time wrong
$sql = "INSERT INTO `attempts_login` (`ip
`, `times`, `login_time`) VALUES (?, 1, NOW())";
$app->db->query($sql, $ip_md5);
} elseif($alreadyfailed['times'] >= 1) {
//* update times wrong
$sql = "UPDATE `attempts_login` SET `time
s`=`times`+1, `login_time`=NOW() WHERE `ip` = ? ORDER BY `login_time` DESC LIMIT
1";
$app->db->query($sql, $ip_md5);
}
throw new SoapFault('session_does_not_exist', 'The Sessio
n is expired or does not exist.');
return false;
}
$ip = $_SERVER['REMOTE_ADDR'];
if($session['remote_ip'] != $ip) {
throw new SoapFault('session_ip_mismatch', 'Session IP mi
smatch.');
return false;
}
if($session['remote_userid'] > 0) { if($session['remote_userid'] > 0) {
return $session; return $session;
} else { } else {
if(!$alreadyfailed['times'] )
{
//* user login the first time wrong
$sql = "INSERT INTO `attempts_login` (`ip
`, `times`, `login_time`) VALUES (?, 1, NOW())";
$app->db->query($sql, $ip_md5);
} elseif($alreadyfailed['times'] >= 1) {
//* update times wrong
$sql = "UPDATE `attempts_login` SET `time
s`=`times`+1, `login_time`=NOW() WHERE `ip` = ? AND `login_time` < NOW() ORDER B
Y `login_time` DESC LIMIT 1";
$app->db->query($sql, $ip_md5);
}
throw new SoapFault('session_does_not_exist', 'The Sessio n is expired or does not exist.'); throw new SoapFault('session_does_not_exist', 'The Sessio n is expired or does not exist.');
return false; return false;
} }
} }
public function server_get($session_id, $server_id = null, $section ='') { public function server_get($session_id, $server_id = null, $section ='') {
global $app; global $app;
if(!$this->checkPerm($session_id, 'server_get')) { if(!$this->checkPerm($session_id, 'server_get')) {
throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.'); throw new SoapFault('permission_denied', 'You do not have the permissions to access this function.');
return false; return false;
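Review bot: The new session-id construction in the client branch, `$remote_session = substr(str_shuffle('abcdefghijklmnopqrstuvwxyz'),0,1).sha1(mt_rand().uniqid('ispco',true));`, and the identical line in the remote-user branch still derive the bearer token from mt_rand() and uniqid(), neither of which is a cryptographically secure source, so the token is longer but not unpredictable; a CSPRNG should back it, e.g. `$remote_session = bin2hex(random_bytes(20));` (40 hex characters, within the width the new 41-character value already requires). If the leading letter is intentional so the id can never be coerced to a number by a loosely typed caller, keep the prefix but take the random part from random_bytes(). Separately, the `$ip` passed to the remote_session INSERT in the remote-user branch is not visibly assigned in that branch — the `$ip = $_SERVER['REMOTE_ADDR'];` line sits in the client branch, and the elided allowed-hosts loop may reuse `$ip` for a resolved hostname — so confirm what value getSession's `remote_ip` comparison will actually see; `$alreadyfailed['times']` is also read without guarding for queryOneRecord returning no row, e.g. `($alreadyfailed['times'] ?? 0)`. The login method begins above the first visible line.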
 End of changes. 14 change blocks. 
17 lines changed or deleted 129 lines changed or added
