Cafe CounterIntelligence SoapCMS Core Security Class

a guest
Jan 29th, 2012
193
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 10.90 KB | None | 0 0
  1. <?php
  2.  
  3. #############################################################################
  4. #
  5. #          PHP CLASS:       c_security.php     (stand alone security class)
  6. #
  7. # Cafe CounterIntelligence SoapCMS Core Security Class
  8. # Copyright 2004 Mike Parniak
  9. # www.voodoochat.com
  10. #
  11. # This program is free software; you can redistribute it and/or modify
  12. # it under the terms of the GNU General Public License as published by
  13. # the Free Software Foundation; either version 2 of the License, or
  14. # (at your option) any later version.
  15. #
  16. # This program is distributed in the hope that it will be useful,
  17. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  18. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  19. # GNU General Public License for more details.
  20. #
  21. # You should have received a copy of the GNU General Public License
  22. # along with this program; if not, write to the Free Software
  23. # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  24. #
  25. # Purpose: Base flood, XSS and SQL Injection protection
  26. #
  27. # Requires: Nothing.
  28. #
  29. #    require_once("c_security.php");
  30. #    $mysecurity = new soapSecurity();
  31. #
  32. #
  33. #
  34. # Usage: create an instance of the soapSecurity object at the beginning of
  35. # any publicly accessible scripts. GET, POST, and COOKIE variables
  36. # that are strictly numeric should begin with "n_".
  37. #
  38. #############################################################################
  39.  
  40. class soapSecurity {
  41.  
  42. var $ip;
  43. var $csUn = "Soap";
  44. var $vkeyname;
  45. var $vhash;
  46. var $vsession;
  47. var $vsesscook;
  48.  
  49. // Initialization function
  50.  
  51. function soapSecurity($dosanitize = 1) {
  52.  
  53.         ini_set("session.use_only_cookies","1");
  54.         ini_set("session.use_trans_sid","0");
  55.        
  56.         $ip = $_SERVER["REMOTE_ADDR"];
  57.         $vkeyname = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] .
  58.         $_SERVER["DOCUMENT_ROOT"] . $csUn);
  59.         $vhash = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
  60.         $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
  61.         $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] . $csUn);
  62.         $vsession = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_HOST"] . $csUn);
  63.         $vsesscook = md5($_SERVER["REMOTE_ADDR"] . $_SERVER["DOCUMENT_ROOT"] .
  64.         $_SERVER["HTTP_HOST"]);
  65.        
  66.         srand(time());
  67.         session_name($vhash);
  68.         session_id($vsession); // Begin data-specific session
  69.         session_start();
  70.        
  71.         if ((!isset($_SESSION["soapsec-rtg"])) || ($_SESSION["soapsec-rtg"]<1)) {
  72.             $_SESSION["soapsec-rtg"] = rand(3,5);
  73.             $_SESSION["soapsec-romps"] = 0;
  74.             $_SESSION["soapsec-ourl"] = $_SERVER["REQUEST_URI"];
  75.             $_SESSION["soapsec-rcode"] = md5($_SERVER["REMOTE_ADDR"] .
  76.             $_SERVER["HTTP_USER_AGENT"] .
  77.             $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
  78.             $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] .
  79.             $_SESSION["soapsec-romps"] . time());
  80.         }
  81.        
  82.         if (($_SESSION["soapsec-rtg"]>0) &&
  83.         ($_SESSION["soapsec-romps"]<$_SESSION["soapsec-rtg"])) {
  84.             if (($_GET[$vkeyname] == $_SESSION["soapsec-rcode"]) &&
  85.             ($_GET[$vkeyname] != "")) {
  86.                 $_SESSION["soapsec-romps"]++;
  87.             } else $_SESSION["soapsec-errors"]+=2;
  88.             if ($_SESSION["soapsec-romps"] < $_SESSION["soapsec-rtg"]) {
  89.                 $_SESSION["soapsec-rcode"] = md5($_SERVER["REMOTE_ADDR"] .
  90.                 $_SERVER["HTTP_USER_AGENT"] .
  91.                 $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] .
  92.                 $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] .
  93.                 $_SESSION["soapsec-romps"] . time());
  94.                 $numromps = $_SESSION["soapsec-romps"];
  95.                 session_write_close();
  96.                 $thisurl = $_SERVER["REQUEST_URI"];
  97.                 $thisurl = eregi_replace("\?.*","",$thisurl);
  98.                 $thisurl = "http://" . $_SERVER["HTTP_HOST"] . $thisurl . "?";
  99.                 $outkey = $vkeyname . "=" . $_SESSION["soapsec-rcode"];
  100.                
  101.                 // First romp is less CPU intensive, in cases of weak automated requesters.
  102.                
  103.                 if ($numromps==1) {
  104.                     header("Location: " . $thisurl . $outkey);
  105.                     exit();
  106.                 }
  107.                
  108.                 // Subsequent romps are tricky, using hard-to-parse javascript.
  109.                
  110.                 $rnu = rand(8,15);
  111.                 $ran = array();
  112.                 $jsout = "<SCRIPT LANGUAGE=\"JavaScript\">\n";
  113.                 for ($i = 0;$i < $rnu;$i++) {
  114.                     $ran[$i] = rand(-65,65);
  115.                     $jsout .= "var " . chr(97+$i) . " = " . $ran[$i] . "; ";
  116.                 }
  117.                
  118.                 $outlen = strlen($outkey);
  119.                
  120.                 $jsout .= "var z = new Array(); ";
  121.                 $myvars = array();
  122.                
  123.                 $onvar = 0;
  124.                 for ($i = 0;$i < $outlen;$i++) {
  125.                     if ($onvar >= $rnu) $onvar = 0;
  126.                     $thediff = $i - $ran[$onvar];
  127.                     $myvars[$i] = "z[" . chr(97+$onvar);
  128.                     if ($thediff>0) $myvars[$i].= "+";
  129.                     if ($thediff<>0) $myvars[$i] .= $thediff;
  130.                     $myvars[$i] .= "] = \"" . $outkey[$i] . "\"; ";
  131.                     $onvar++;
  132.                 }
  133.                 shuffle($myvars);
  134.                 $jsout .= implode('',$myvars);
  135.                 $jsout .= "var x = z.join(\"\"); ";
  136.                 $jsout .= "location.replace(\"" . $thisurl . "\" + x);</SCRIPT><noscript>You must enable Javascript in order to view this
  137.                webpage.</noscript>";
  138.                 echo $jsout;
  139.             } else {
  140.                 $thisurl = "http://" . $_SERVER["HTTP_HOST"] .
  141.                 $_SESSION["soapsec-ourl"];
  142.                 echo "<SCRIPT LANGUAGE=\"JavaScript\">location.replace(\"$thisurl\");</SCRIPT><noscript>You must enable Javascript in order to view this webpage.</noscript>";
  143.             }
  144.             exit();
  145.         }
  146.        
  147.         if ($dosanitize) {
  148.        
  149.             $getvariables = array_keys($_GET);
  150.             $count = 0;
  151.             while($count < count($getvariables)) {
  152.                 $_GET[$getvariables[$count]] = $this ->
  153.                 sanitize($_GET[$getvariables[$count]],(strpos($getvariables[$count],"n_")===0));
  154.                 $count++;
  155.             }
  156.             $getvariables = array_keys($_POST);
  157.             $count = 0;
  158.             while($count < count($getvariables)) {
  159.                 $_POST[$getvariables[$count]] = $this ->
  160.                 sanitize($_POST[$getvariables[$count]],(strpos($getvariables[$count],"n_")===0));
  161.                 $count++;
  162.             }
  163.             $getvariables = array_keys($_COOKIE);
  164.             $count = 0;
  165.             while($count < count($getvariables)) {
  166.                 $_COOKIE[$getvariables[$count]] = $this ->
  167.                 sanitize($_COOKIE[$getvariables[$count]],(strpos($getvariables[$count],"n_")===0));
  168.                 $count++;
  169.             }
  170.         }
  171.        
  172.         // If server has automatic global creation, destroy automatically created
  173.         variables.
  174.         // but... make sure that the variable's value matches the request variable's value before destroying it.
  175.        
  176.         $getvariables = array_keys($_REQUEST);
  177.         $count = 0;
  178.         while($count < count($getvariables)) {
  179.             if ((isset($getvariables[$count])) && ($GLOBALS[$getvariables[$count]] == $_REQUEST[$getvariables[$count]])) {
  180.             unset($GLOBALS[$getvariables[$count]]);
  181.         }
  182.         $count++;
  183.         }
  184.        
  185.         // Remove our session and initiate or restore the user session.
  186.        
  187.         if (isset($_COOKIE["$vsesscook"])) {
  188.             session_write_close();
  189.             session_name($vsesscook);
  190.             session_id($_COOKIE["$vsesscook"]);
  191.             session_start();
  192.             if (!isset($_SESSION["soap-flag"])) {
  193.                 setcookie($vsesscook,"",0,"/");
  194.                 session_unset();
  195.                 session_destroy();
  196.                 unset($_COOKIE["$vsesscook"]);
  197.                 Header("Location: http://" . $_SERVER["HTTP_HOST"] .
  198.                 $_SERVER["REQUEST_URI"]);
  199.                 exit();
  200.             }
  201.         } else {
  202.             if ((time()-120)<$_SESSION["soapsec-lastsess"]) {
  203.                 if ($_SESSION["soapsec-fastsess"]>2) {
  204.                 $_SESSION["soapsec-lastsess"] = time();
  205.                 exit();
  206.                 }
  207.             } else $_SESSION["soapsec-fastsess"] = 0;
  208.            
  209.             $_SESSION["soapsec-lastsess"] = time();
  210.             $_SESSION["soapsec-fastsess"]++;
  211.             session_write_close;
  212.             session_name($vsesscook);
  213.             session_id(md5(uniqid(time())));
  214.             session_start();
  215.             setcookie($vsesscook,session_id(),0,"/");
  216.             $_SESSION["soap-flag"] = 1;
  217.         }
  218.        
  219.         if ($this -> floodcheck("fastaccess",3,6)) exit();
  220.        
  221.         return;
  222. }
  223.    
  224.     // Removes potentially hazardous material from a string (anti-XSS, anti-Injection)
  225.     // Reliable anti-injection requires cgi variables use the n_ naming convention for any
  226.     // variable that is strictly numeric and possibly used in a query.
  227.    
  228.     function sanitize($tosanitize,$numonly=FALSE) {
  229.         if ($numonly) {
  230.             $tosanitize = eregi_replace("[^0-9\.\-]","",$tosanitize);
  231.         } else {
  232.             $tosanitize = htmlspecialchars($tosanitize);
  233.             $tosanitize =
  234.             eregi_replace("javascript:","javascript:",$tosanitize);
  235.             if (!get_magic_quotes_gpc()) $tosanitize = addslashes($tosanitize);
  236.         }
  237.         return $tosanitize;
  238.     }
  239.    
  240.     // Generic flood checking routine
  241.    
  242.     function floodcheck($identifier,$interval,$threshold=1) {
  243.         $myresult = 0;
  244.         if (isset($_SESSION["soapsec-" . $identifier])) {
  245.             if ($_SESSION["soapsec-" . $identifier] > (time()-$interval)) {
  246.                 if ($threshold<2) {
  247.                     $myresult = 1;
  248.                 } else {
  249.                     if (!isset($_SESSION["soapsec-" . $identifier . "-counter"])) {
  250.                         $_SESSION["soapsec-" . $identifier . "-counter"] = 1;
  251.                     } else {
  252.                         $_SESSION["soapsec-" . $identifier . "-counter"]++;
  253.                         if ($_SESSION["soapsec-" . $identifier . "-counter"] >= $threshold) {
  254.                             $myresult = 1;
  255.                         }
  256.                     }
  257.                 }
  258.             } else $_SESSION["soapsec-" . $identifier . "-counter"] = 1;
  259.         }
  260.         $_SESSION["soapsec-" . $identifier] = time();
  261.     return $myresult;
  262.     }
  263. }
  264. ?>