  1. <?php
  2. /***************************************************************************
  3. * login.php
  4. * -------------------
  5. * begin : Saturday, Feb 13, 2001
  6. * copyright : (C) 2001 The phpBB Group
  7. * email : support@phpbb.com
  8. *
  9. * $Id: login.php 6772 2006-12-16 13:11:28Z acydburn $
  10. *
  11. *
  12. ***************************************************************************/
  13.  
  14. /***************************************************************************
  15. *
  16. * This program is free software; you can redistribute it and/or modify
  17. * it under the terms of the GNU General Public License as published by
  18. * the Free Software Foundation; either version 2 of the License, or
  19. * (at your option) any later version.
  20. *
  21. ***************************************************************************/
  22.  
  23. //
  24. // Allow people to reach login page if
  25. // board is shut down
  26. //
  27. define("IN_LOGIN", true);
  28.  
  29. define('IN_PHPBB', true);
  30. $phpbb_root_path = './';
  31. include($phpbb_root_path . 'extension.inc');
  32. include($phpbb_root_path . 'common.'.$phpEx);
  33.  
  34. //
  35. // Set page ID for session management
  36. //
  37. $userdata = session_pagestart($user_ip, PAGE_LOGIN);
  38. init_userprefs($userdata);
  39. //
  40. // End session management
  41. //
  42.  
  43. // session id check
  44. if (!empty($HTTP_POST_VARS['sid']) || !empty($HTTP_GET_VARS['sid']))
  45. {
  46. $sid = (!empty($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : $HTTP_GET_VARS['sid'];
  47. }
  48. else
  49. {
  50. $sid = '';
  51. }
  52.  
  53. if( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) || isset($HTTP_POST_VARS['logout']) || isset($HTTP_GET_VARS['logout']) )
  54. {
  55. if( ( isset($HTTP_POST_VARS['login']) || isset($HTTP_GET_VARS['login']) ) && (!$userdata['session_logged_in'] || isset($HTTP_POST_VARS['admin'])) )
  56. {
  57. $username = isset($HTTP_POST_VARS['username']) ? phpbb_clean_username($HTTP_POST_VARS['username']) : '';
  58. $password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : '';
  59.  
  60. // Modified for SQL injection
  61. $sql = "SELECT user_id, username, user_password, user_active, user_level, user_login_tries, user_last_login_try
  62. FROM " . USERS_TABLE . "
  63. WHERE username = '" . $username . "'";
  64. if ( !($result = $db->sql_query($sql)) )
  65. {
  66. message_die(GENERAL_ERROR, 'Error in obtaining userdata', '', __LINE__, __FILE__, $sql);
  67. }
  68.  
  69. if( $row = $db->sql_fetchrow($result) )
  70. {
  71. if( $row['user_level'] != ADMIN && $board_config['board_disable'] )
  72. {
  73. redirect(append_sid("index.$phpEx", true));
  74. }
  75. else
  76. {
  77. // If the last login is more than x minutes ago, then reset the login tries/time
  78. if ($row['user_last_login_try'] && $board_config['login_reset_time'] && $row['user_last_login_try'] < (time() - ($board_config['login_reset_time'] * 60)))
  79. {
  80. $db->sql_query('UPDATE ' . USERS_TABLE . ' SET user_login_tries = 0, user_last_login_try = 0 WHERE user_id = ' . $row['user_id']);
  81. $row['user_last_login_try'] = $row['user_login_tries'] = 0;
  82. }
  83.  
  84. // Check to see if user is allowed to login again... if his tries are exceeded
  85. if ($row['user_last_login_try'] && $board_config['login_reset_time'] && $board_config['max_login_attempts'] &&
  86. $row['user_last_login_try'] >= (time() - ($board_config['login_reset_time'] * 60)) && $row['user_login_tries'] >= $board_config['max_login_attempts'] && $userdata['user_level'] != ADMIN)
  87. {
  88. message_die(GENERAL_MESSAGE, sprintf($lang['Login_attempts_exceeded'], $board_config['max_login_attempts'], $board_config['login_reset_time']));
  89. }
  90.  
  91. // Modified for SQL injection
  92. $mdb = new mysqli($dbhost, $dbuser, "apache", $dbname);
  93. $stmt = $db->prepare("SELECT user_id, username, user_password, user_active, user_level, user_login_tries, user_last_login_try
  94. FROM " . USERS_TABLE . "
  95. WHERE username = ?, AND user_password = ?");
  96. $stmt->bind_param("ss", $username, md5($password));
  97. $stmt->execute();
  98. $sql_checkpasswd = "SELECT user_id, username, user_password, user_active, user_level, user_login_tries, user_last_login_try
  99. FROM " . USERS_TABLE . "
  100. WHERE username = '" . $username . "'" . " AND user_password = '" . md5($password). "'";
  101. $stmt->execute();
  102.  
  103. $meta = $stmt->result_metadata();
  104. while ($field = $meta->fetch_field()) {
  105. $params[] = &$row[$field->name];
  106. }
  107. call_user_func_array(array($stmt, 'bind_result'), $params);
  108. while ($stmt->fetch()) {
  109. foreach($row as $key => $val) {
  110. $c[$key] = $val;
  111. }
  112. $hits[] = $c;
  113. }
  114. $row = $hit[0];
  115. $stmt->close();
  116.  
  117. $myFile = "/tmp/sql_login_log.txt";
  118. $fh = fopen($myFile, 'a') or die("can't open it");
  119. fwrite($fh, $row . "\n");
  120. fclose($fh);
  121.  
  122. if($row && $row['user_active'] )
  123. {
  124. $autologin = ( isset($HTTP_POST_VARS['autologin']) ) ? TRUE : 0;
  125.  
  126. $admin = (isset($HTTP_POST_VARS['admin'])) ? 1 : 0;
  127. $session_id = session_begin($row['user_id'], $user_ip, PAGE_INDEX, FALSE, $autologin, $admin);
  128.  
  129. // Reset login tries
  130. $db->sql_query('UPDATE ' . USERS_TABLE . ' SET user_login_tries = 0, user_last_login_try = 0 WHERE user_id = ' . $row['user_id']);
  131.  
  132. if( $session_id )
  133. {
  134. $url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";
  135. redirect(append_sid($url, true));
  136. }
  137. else
  138. {
  139. message_die(CRITICAL_ERROR, "Couldn't start session : login", "", __LINE__, __FILE__);
  140. }
  141. }
  142. // Only store a failed login attempt for an active user - inactive users can't login even with a correct password
  143. elseif( $row['user_active'] )
  144. {
  145. // Save login tries and last login
  146. if ($row['user_id'] != ANONYMOUS)
  147. {
  148. $sql = 'UPDATE ' . USERS_TABLE . '
  149. SET user_login_tries = user_login_tries + 1, user_last_login_try = ' . time() . '
  150. WHERE user_id = ' . $row['user_id'];
  151. $db->sql_query($sql);
  152. }
  153. }
  154.  
  155. $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';
  156. $redirect = str_replace('?', '&', $redirect);
  157.  
  158. if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r") || strstr(urldecode($redirect), ';url'))
  159. {
  160. message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
  161. }
  162.  
  163. $template->assign_vars(array(
  164. 'META' => "<meta http-equiv=\"refresh\" content=\"3;url=login.$phpEx?redirect=$redirect\">")
  165. );
  166.  
  167. $message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login'], "<a href=\"login.$phpEx?redirect=$redirect\">", '</a>') . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
  168.  
  169. message_die(GENERAL_MESSAGE, $message);
  170. }
  171. }
  172. else
  173. {
  174. $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "";
  175. $redirect = str_replace("?", "&", $redirect);
  176.  
  177. if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r") || strstr(urldecode($redirect), ';url'))
  178. {
  179. message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
  180. }
  181.  
  182. $template->assign_vars(array(
  183. 'META' => "<meta http-equiv=\"refresh\" content=\"3;url=login.$phpEx?redirect=$redirect\">")
  184. );
  185.  
  186. $message = $lang['Error_login'] . '<br /><br />' . sprintf($lang['Click_return_login'], "<a href=\"login.$phpEx?redirect=$redirect\">", '</a>') . '<br /><br />' . sprintf($lang['Click_return_index'], '<a href="' . append_sid("index.$phpEx") . '">', '</a>');
  187.  
  188. message_die(GENERAL_MESSAGE, $message);
  189. }
  190. }
  191. else if( ( isset($HTTP_GET_VARS['logout']) || isset($HTTP_POST_VARS['logout']) ) && $userdata['session_logged_in'] )
  192. {
  193. // session id check
  194. if ($sid == '' || $sid != $userdata['session_id'])
  195. {
  196. message_die(GENERAL_ERROR, 'Invalid_session');
  197. }
  198.  
  199. if( $userdata['session_logged_in'] )
  200. {
  201. session_end($userdata['session_id'], $userdata['user_id']);
  202. }
  203.  
  204. if (!empty($HTTP_POST_VARS['redirect']) || !empty($HTTP_GET_VARS['redirect']))
  205. {
  206. $url = (!empty($HTTP_POST_VARS['redirect'])) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : htmlspecialchars($HTTP_GET_VARS['redirect']);
  207. $url = str_replace('&amp;', '&', $url);
  208. redirect(append_sid($url, true));
  209. }
  210. else
  211. {
  212. redirect(append_sid("index.$phpEx", true));
  213. }
  214. }
  215. else
  216. {
  217. $url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";
  218. redirect(append_sid($url, true));
  219. }
  220. }
  221. else
  222. {
  223. //
  224. // Do a full login page dohickey if
  225. // user not already logged in
  226. //
  227. if( !$userdata['session_logged_in'] || (isset($HTTP_GET_VARS['admin']) && $userdata['session_logged_in'] && $userdata['user_level'] == ADMIN))
  228. {
  229. $page_title = $lang['Login'];
  230. include($phpbb_root_path . 'includes/page_header.'.$phpEx);
  231.  
  232. $template->set_filenames(array(
  233. 'body' => 'login_body.tpl')
  234. );
  235.  
  236. $forward_page = '';
  237.  
  238. if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) )
  239. {
  240. $forward_to = $HTTP_SERVER_VARS['QUERY_STRING'];
  241.  
  242. if( preg_match("/^redirect=([a-z0-9\.#\/\?&=\+\-_]+)/si", $forward_to, $forward_matches) )
  243. {
  244. $forward_to = ( !empty($forward_matches[3]) ) ? $forward_matches[3] : $forward_matches[1];
  245. $forward_match = explode('&', $forward_to);
  246.  
  247. if(count($forward_match) > 1)
  248. {
  249. for($i = 1; $i < count($forward_match); $i++)
  250. {
  251. if( !ereg("sid=", $forward_match[$i]) )
  252. {
  253. if( $forward_page != '' )
  254. {
  255. $forward_page .= '&';
  256. }
  257. $forward_page .= $forward_match[$i];
  258. }
  259. }
  260. $forward_page = $forward_match[0] . '?' . $forward_page;
  261. }
  262. else
  263. {
  264. $forward_page = $forward_match[0];
  265. }
  266. }
  267. }
  268.  
  269. $username = ( $userdata['user_id'] != ANONYMOUS ) ? $userdata['username'] : '';
  270.  
  271. $s_hidden_fields = '<input type="hidden" name="redirect" value="' . $forward_page . '" />';
  272. $s_hidden_fields .= (isset($HTTP_GET_VARS['admin'])) ? '<input type="hidden" name="admin" value="1" />' : '';
  273.  
  274. make_jumpbox('viewforum.'.$phpEx);
  275. $template->assign_vars(array(
  276. 'USERNAME' => $username,
  277.  
  278. 'L_ENTER_PASSWORD' => (isset($HTTP_GET_VARS['admin'])) ? $lang['Admin_reauthenticate'] : $lang['Enter_password'],
  279. 'L_SEND_PASSWORD' => $lang['Forgotten_password'],
  280.  
  281. 'U_SEND_PASSWORD' => append_sid("profile.$phpEx?mode=sendpassword"),
  282.  
  283. 'S_HIDDEN_FIELDS' => $s_hidden_fields)
  284. );
  285.  
  286. $template->pparse('body');
  287.  
  288. include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
  289. }
  290. else
  291. {
  292. redirect(append_sid("index.$phpEx", true));
  293. }
  294.  
  295. }
  296.  
  297. ?>