
osC_Sec

  1. <?php
  2.  
  3.   /**
  4.    * @package osC_Sec Security Class for Oscommerce / Digistore
  5.    * @author Te Taipo <rohepotae@gmail.com>
  6.    * @copyright (c) Hokioi-IT
  7.    * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  8.    * @version $Id: osC_Sec.php 5.0.1a
  9.    * @see readme.htm
  10.    * @link http://addons.oscommerce.com/info/8283/
  11.    **/
  12.  
  13.   # switch off server error 'notices'
  14.  error_reporting( 6135 );
  15.  
  16.   # set the POSIX locale
  17.  setlocale( LC_CTYPE, "C" );
  18.  
  19.   # make sure $_SERVER[ "REQUEST_URI" ] is set
  20.  fix_server_vars();
  21.  
  22.   # prevent direct viewing of osC_Sec.php
  23.  if ( false !== strpos( strtolower( $_SERVER[ "SCRIPT_NAME" ] ), osCSec_selfchk() ) ) senda404Header();
  24.  
  25.   # include the settings file osc.php
  26.  if ( file_exists( rtrim( dirname( __file__ ), '/\\' ) . DIRECTORY_SEPARATOR . 'osc.php' ) ) {
  27.      require_once( rtrim( dirname( __file__ ), '/\\' ) . DIRECTORY_SEPARATOR . 'osc.php' );
  28.   } else {
  29.      $osC_Sec = new osC_Sec();
  30.      $osC_Sec->Sentry( $timestampOffset=0,$nonGETPOSTReqs=0,$spiderBlock=0,$banipaddress=0,$useIPTRAP=0,
  31.                        $ipTrapBlocked="",$emailenabled=0,$youremail="",$fromemail="",$disable_tellafriend=NULL );
  32.   }
  33.  
  34.   class osC_Sec {
  35.    
    # when true, osCEmailer() dumps every $_SERVER entry into the notification
    # (including DOCUMENT_ROOT / SCRIPT_FILENAME); false selects its short list
    var $_fullreport = true;
  37.    
  38.     function Sentry( $timestampOffset=0,$nonGETPOSTReqs=0,$spiderBlock=0,$banipaddress=0,$useIPTRAP=0,
  39.                      $ipTrapBlocked="",$emailenabled=0,$youremail="",$fromemail="",$disable_tellafriend=NULL ) {
  40.      
  41.       global $PHP_SELF;
  42.       $this->_nonGETPOSTReqs = ( bool )$this->fINT( $nonGETPOSTReqs );
  43.       $this->_banipaddress = ( bool )$this->fINT( $banipaddress );
  44.       $this->_useIPTRAP = ( bool )$this->fINT( $useIPTRAP );
  45.       $this->_emailenabled = ( bool )$this->fINT( $emailenabled );
  46.       $this->_currentVersion = "5.0.1a";
  47.       $spiderBlock = ( bool )$this->fINT( $spiderBlock );
  48.      
  49.       $this->_disable_tellafriend = 0;
  50.       if ( isset( $disable_tellafriend ) ) $this->_disable_tellafriend = ( bool )$this->fINT( $disable_tellafriend );
  51.  
  52.       $this->setIPTrapBlocked( $ipTrapBlocked );
  53.  
  54.       if ( false !== ( bool )$this->fINT( $this->_emailenabled ) ) {
  55.           $this->_youremail = $youremail;
  56.           $this->_fromemail = $fromemail;
  57.           $this->_timestampOffset = $this->fINT( $timestampOffset );
  58.       }
  59.      
  60.       # if open_basedir is not set in php.ini then set it in the local scope
  61.      # only available for version 2.3.1 of osCommerce
  62.      $this->setOpenBaseDir();
  63.      
  64.       # check settings are correct
  65.      $this->chkSetup();
  66.  
  67.       # reliably set $PHP_SELF as a filename
  68.      $PHP_SELF = $this->phpSelfFix();
  69.  
  70.       # prevent the version of php being discovered
  71.      $this->x_powered_by();
  72.      
  73.       # ban bad harvesting spiders
  74.      if ( false !== $spiderBlock ) $this->badArachnid();
  75.  
  76.       # set the host address to be used in the email notification and htaccess
  77.      if ( ( false !== $this->_emailenabled )
  78.          || ( false !== $this->_banipaddress ) ) {
  79.          $this->_httphost = preg_replace( "/^(?:([^\.]+)\.)?domain\.com$/", "\1", $_SERVER[ "SERVER_NAME" ] );
  80.       }
  81.       # set the path to the htaccess in the root catalog
  82.      if ( $this->_banipaddress ) $this->_htaccessfile = $this->strCharsfrmStr( $this->getDir() . ".htaccess", "//", "/" );
  83.      
  84.       # set the path to the IP_Trapped.txt file
  85.      if ( $this->_useIPTRAP ) $this->_ipTrappedURL = $this->strCharsfrmStr( $this->getDir() . "banned/IP_Trapped.txt", "//", "/" );
  86.  
  87.       # if ip address already in the trapped banlist, redirect to blocked.php
  88.      if ( false !== $this->ipTrapped() ) {
  89.           header( "Location: " . $this->_ipTrapBlocked );
  90.           exit;
  91.       }
  92.       # prevent non-standard requests:
  93.      if ( ( false !== $this->byPass() ) && ( false !== $this->_nonGETPOSTReqs ) ) $this->checkReqType();
  94.      
  95.       # check for the specific attempt to exploit osCommerce / Digistore
  96.      # no requests are exempt from this filter
  97.      $this->osCAdminLoginBypass();
  98.      
  99.       # prevent tell_a_friend.php spam
  100.      # by disabling guest emailing
  101.      $this->disable_tellafriend();
  102.      
  103.       # check for database injection attempts
  104.      $this->dbShield();
  105.  
  106.       # check _GET requests against the blacklist
  107.      $this->getShield();
  108.  
  109.       # check _POST variables against the blacklist
  110.      #$this->postShield();
  111.  
  112.       # run through $_COOKIE checking against blacklists
  113.      $this->cookieShield();
  114.  
  115.       # PHP5 with register_long_arrays off? From SoapCMS Core Security Class
  116.      if ( @phpversion() >= "5.0.0"
  117.             && ( !ini_get( "register_long_arrays" )
  118.             || @ini_get( "register_long_arrays" ) == "0"
  119.             || strtolower( @ini_get( "register_long_arrays" ) ) == "off" ) ) {
  120.  
  121.             $HTTP_POST_VARS = $_POST;
  122.             $HTTP_GET_VARS = $_GET;
  123.             $HTTP_SERVER_VARS = $_SERVER;
  124.             $HTTP_COOKIE_VARS = $_COOKIE;
  125.             $HTTP_ENV_VARS = $_ENV;
  126.             $HTTP_POST_FILES = $_FILES;
  127.  
  128.             # _SESSION is the only superglobal which is conditionally set
  129.            if ( isset( $_SESSION ) ) $HTTP_SESSION_VARS = $_SESSION;
  130.       }
  131.  
  132.       # merge $_REQUEST with cleaned _GET and _POST excluding _COOKIE data
  133.      $_REQUEST = array_merge( $_GET, $_POST );
  134.  
  135.     } // end of Sentry function
  136.  
  137.     /**
  138.      * banChecker()
  139.      *
  140.      * @return
  141.      */
  142.     function banChecker( $r = "", $t = false ) {
  143.         if ( false !== $this->byPass() && false !== ( bool )$t ) {
  144.             return $this->tinoRahui( $r );
  145.         } else {
  146.             return false;
  147.         }
  148.     }
  149.  
  150.     /**
  151.      * osCEmailer()
  152.      *
  153.      * @return
  154.      */
  155.     function osCEmailer( $r, $fullreport = true ) {
  156.          # disable the emailer if htaccess not writable when .htaccess banning is enabled
  157.         if ( false !== $this->_banipaddress ) {
  158.             if ( !$this->hCoreFileChk( $this->_htaccessfile ) ) return;
  159.          }
  160.  
  161.         # send the notification
  162.         if ( (( false !== $this->_banipaddress ) || (false !== $this->_useIPTRAP ) )
  163.                                                      && ( false !== $this->_emailenabled ) ) {
  164.          if ( ( false !== $this->_banipaddress ) && ( $this->hCoreFileChk( $this->_htaccessfile ) ) ) {
  165.              $banAction = "htaccess banned";
  166.          } elseif ( ( false !== $this->_useIPTRAP ) ) {
  167.              $banAction = "IP Trap banned";
  168.          }
  169.          if ( !isset( $this->_timestampOffset ) ) $this->_timestampOffset = 0;
  170.          $timestamp = gmdate( "D, d M Y H:i:s", time() + ( $this->_timestampOffset * 3600 ) );
  171.          $to = $this->_youremail;
  172.          $subject = $this->_httphost . " " . ( substr( $r, 0, 60 ) ) . "...";
  173.          $body = "This IP [ " . $this->getRealIP() . " ] has been " . $banAction . " on the http://" . $this->_httphost .
  174.              " website by osC_Sec.php version " . $this->_currentVersion . "\n\nREASON FOR BAN: " . $r . "\n\nTime of ban: " .
  175.              $timestamp . "\n";
  176.          $body .= "\n.------------[ ALL \$_GET VARIABLES ]-------------\n#\n";
  177.          if ( !empty( $_GET ) ) {
  178.              $sDimGET = $this->array_flatten( $_GET, true );
  179.              foreach ( $sDimGET as $k => $v ) {
  180.                  if ( empty( $v ) ) $v = "NULL";
  181.                  if ( !is_array( $k ) && !is_array( $v ) ) $body .= "# - " . $k . " = " . htmlspecialchars( $v ) . "\n";
  182.              }
  183.          } else {
  184.              $body .= "# - No \$_GET data\n";
  185.          }
  186.          $body .= "#\n`--------------------------------------------------------\n";
  187.          $body .= "\n.---------[ ALL \$_POST FORM VARIABLES ]-------\n#\n";
  188.          if ( ( isset( $_POST ) ) && ( $_SERVER[ "REQUEST_METHOD" ] == "POST" ) ) {
  189.              $sDimPOST = $this->array_flatten( $_POST, true );
  190.              foreach ( $sDimPOST as $k => $v ) {
  191.                  if ( empty( $v ) ) $v = "NULL";
  192.                  if ( !is_array( $k ) && !is_array( $v ) ) $body .= "# - " . $k . " = " . htmlspecialchars( $v ) . "\n";
  193.              }
  194.          } else {
  195.              $body .= "# - No POST form data\n";
  196.          }
  197.          $body .= "#\n`--------------------------------------------------------\n";
  198.          $body .= "\n.------------[ \$_SERVER VARIABLES ]--------------\n#\n";
  199.          if ( false !== $fullreport ) {
  200.              $sDimSERVER = $this->array_flatten( $_SERVER, true );
  201.              foreach ( $sDimSERVER as $k => $v ) {
  202.                  if ( empty( $v ) ) $v = "NULL";
  203.                  if ( !is_array( $k ) && !is_array( $v ) ) $body .= "# - " . $k . " = " . htmlspecialchars( $v ) . "\n";
  204.              }
  205.          } else {
  206.              # short report
  207.             $serverVars = new ArrayIterator( array( "HTTP_HOST", "HTTP_USER_AGENT", "SERVER_ADDR", "REMOTE_ADDR",
  208.                  "DOCUMENT_ROOT", "SCRIPT_FILENAME", "REQUEST_METHOD", "REQUEST_URI", "SCRIPT_NAME", "QUERY_STRING",
  209.                  "HTTP_X_CLUSTER_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_ORIGINAL_URL", "ORIG_PATH_INFO",
  210.                  "HTTP_X_REWRITE_URL", "HTTP_CLIENT_IP", "HTTP_PROXY_USER", "REDIRECT_URL", "SERVER_SOFTWARE" ) );
  211.              while ( $serverVars->valid() ) {
  212.                  if ( array_key_exists( $serverVars->current(), $_SERVER ) && !empty( $_SERVER[$serverVars->current()] ) ) {
  213.                      $body .= "# - \$_SERVER[ \"" . $serverVars->current() . "\" ] = " . $_SERVER[$serverVars->current()] .
  214.                          "\n";
  215.                  }
  216.                  $serverVars->next();
  217.              }
  218.  
  219.          }
  220.  
  221.          $body .= "# - \$PHP_SELF filename ( osC_Sec ) = " . $this->phpSelfFix() . "\n";
  222.          $body .= "#\n`--------------------------------------------------------\n\n";
  223.          $body .= "OTHER INFO\n";
  224.          $body .= $this->_htaccessfile;
  225.          $body .= "\n";
  226.          $body .= "is htaccess writeable = " . ( $this->hCoreFileChk( $this->_htaccessfile ) );
  227.          $body .= "\n\nResolve IP address: http://en.utrace.de/?query=" . $this->getRealIP() . "\n";
  228.          $body .= "Search Project Honeypot: http://www.projecthoneypot.org/ip_" . $this->getRealIP() . "\n\n";
  229.          $body .= "This email was generated by osC_Sec. To disable email notifications," .
  230.              " open osc.php file, and in the Settings section change \$emailenabled" . " = 1 to \$emailenabled = 0\n\n";
  231.          $body .= "Keep up with the latest version of osC_Sec.php at http://addons.oscommerce.com/info/7834 and http://goo.gl/dQ3jH\n";
  232.          $body .= "See discussions at http://www.digistore.co.nz/forum/viewtopic.php?f=10&t=7" .
  233.              " or email rohepotae@gmail.com with any suggestions.\n\n";
  234.          $from = "From: " . $this->_fromemail;
  235.          ( mail( $to, $subject, $body, $from ) );
  236.       }
  237.       return;
  238.     }
  239.     /**
  240.      * senda403Header()
  241.      *
  242.      * @return
  243.      */
  244.     function senda403Header() {
  245.         $header = array( "HTTP/1.1 403 Access Denied", "Status: 403 Access Denied by osC_Sec", "Content-Length: 0" );
  246.         foreach ( $header as $sent ) {
  247.             header( $sent );
  248.         }
  249.         die();
  250.     }
  251.  
  252.     /**
  253.      * tinoRahui()
  254.      *
  255.      * @return
  256.      */
  257.     function tinoRahui( $r ) {
  258.         if ( false === $this->byPass() ) return;
  259.         if ( ( $this->_banipaddress ) && ( $this->hCoreFileChk( $this->_htaccessfile ) ) ) {
  260.             # send an email
  261.            if ( false !== $this->_emailenabled ) $this->osCEmailer( $r, $this->_fullreport );
  262.             # add ip to htaccess
  263.            $this->htaccessbanip( $this->getRealIP() );
  264.             # call an access denied header
  265.            $this->senda403Header();
  266.             return;
  267.         } elseif ( ( false !== $this->_useIPTRAP ) && ( $this->hCoreFileChk( $this->_ipTrappedURL ) ) ) {
  268.             # send an email
  269.            $this->osCEmailer( $r, $this->_fullreport );
  270.             # add ip to iptrap ban file
  271.            $this->ipTrapban( $this->getRealIP() );
  272.             # redirect to blocked.php
  273.            header( "Location: " . $this->_ipTrapBlocked );
  274.             exit;
  275.         } elseif ( ( false !== $this->_banipaddress ) && ( !$this->hCoreFileChk( $this->_htaccessfile ) ) ) {
  276.             # if non-wrtiable htaccess then call an access denied header
  277.            $this->senda403Header();
  278.             return;
  279.         } elseif ( ( false !== $this->_useIPTRAP ) && ( !$this->hCoreFileChk( $this->_ipTrappedURL ) ) ) {
  280.             # if non-wrtiable iptrap file then call an access denied header
  281.            header( "Location: " . $this->_ipTrapBlocked );
  282.             exit;
  283.         } elseif ( ( false === $this->_banipaddress ) && ( false === $this->_useIPTRAP ) ) {
  284.             # if no banip or iptrap then call an access denied header
  285.            $this->senda403Header();
  286.             return;
  287.         }
  288.     }
  289.     /**
  290.      * osCAdminLoginBypass()
  291.      * @return
  292.      */
  293.     function osCAdminLoginBypass() {
  294.       # $this->byPass() is not called here
  295.      if ( false !== getenv( 'REQUEST_URI' ) ) {
  296.          $thenode = getenv( 'REQUEST_URI' );
  297.       } else {
  298.          $thenode = $_SERVER[ "REQUEST_URI" ];
  299.       }
  300.       if ( false !== strpos( $thenode, "php/login" ) ) {
  301.          $r = "osC_Sec detected an attempt to exploit the admin login bypass exploit. ";
  302.          $this->banChecker( $r, true );
  303.          return;
  304.       }
  305.     }
  306.     /**
  307.      * disable_tellafriend()
  308.      * @return
  309.      */
  310.     function disable_tellafriend() {
  311.       if ( false === $this->_disable_tellafriend ) return;
  312.       $PHP_SELF = $this->phpSelfFix();
  313.       $errlevel = ini_get( 'error_reporting' );
  314.       if ( false === strpos( $PHP_SELF, "tell_a_friend.php" ) ) {
  315.            return;
  316.       } elseif ( false !== strpos( $PHP_SELF, "tell_a_friend.php" )
  317.         && ( "POST" == $_SERVER[ "REQUEST_METHOD" ] )
  318.         && isset( $_GET[ "products_id" ] ) ) {
  319.            $r = "osC_Sec detected an attempt to send spam via the tell_a_friend.php file. ";
  320.            $this->banChecker( $r, true );
  321.            return;
  322.       } elseif ( false !== strpos( $PHP_SELF, "tell_a_friend.php" )
  323.         && isset( $_GET[ "products_id" ] ) ) {
  324.            error_reporting( 0 );
  325.            header( "Location: ./index.php" );
  326.            return error_reporting( $errlevel );
  327.       }
  328.     }
  329.     /**
  330.      * databaseShield()
  331.      * @return
  332.      */
  333.     function dbShield() {
  334.       if ( false === $this->byPass() || empty( $_SERVER[ "QUERY_STRING" ] ) ) return;
  335.  
  336.       $cleand_qs = stripslashes( $_SERVER[ "QUERY_STRING" ] );
  337.  
  338.       if ( ( "POST" !== $_SERVER[ "REQUEST_METHOD" ] ) && !empty( $_GET ) && is_array( $_GET ) ) {
  339.          foreach( $_GET as $k => $v ) {
  340.             if ( ( !empty( $v ) ) && ( is_array( $v ) ) ) $v = implode( " ", $v );
  341.             if ( false !== $this->injectionMatch( strtolower( $v ) ) ) {
  342.                $r = "osC_Sec detected a database injection attempt: [ " . $cleand_qs . " ]. ";
  343.                $this->banChecker( $r, true );
  344.                return;
  345.             }
  346.             $v = base64_decode( $this->url_decoder( $v ) );
  347.             if ( false !== $this->injectionMatch( strtolower( $v ) ) ) {
  348.                $r = "osC_Sec detected a database injection attempt using a base64 encoded string: [ " . $cleand_qs . " ]. ";
  349.                $this->banChecker( $r, true );
  350.                return;
  351.             }
  352.          }
  353.       }
  354.     }
  355.     /**
  356.      * postShield()
  357.      *
  358.      * @return
  359.      */
  360.     function postShield() {
  361.         if ( ( !isset( $_POST ) ) || ( "POST" !== $_SERVER[ "REQUEST_METHOD" ] )
  362.             || ( false === $this->byPass() ) ) return;
  363.         $postvar_blacklist = array( "eval(base64_decode(", "eval(", "passthru(base64_decode", "base64_", "table_schema", ",0x3a,", "concat(", "unescape(",
  364.             "fromcharcode", "php/login", "pwtoken_get", "php_uname", "passthru","%23include+<", "-1+union+select+", "cookie=4","allow_url_fopen", "shell_exec",
  365.             "get_defined_vars(", "strrev(", "%22\"%2f", "error_reporting(0)", "fwrite(", "+or+benchmark(", "waitfor delay","gzinflate(", "or \"=\"", "or%20\"=\"",
  366.             "or%20\%27=\%27", "or%20\%22=\%22", "or \%22=\%22", "prompt(","php_value%20auto", "php_value+auto", "file_get_contents(", "setcookie(" );
  367.  
  368.         $pnodes = $this->array_flatten( $_POST, false );
  369.         $i = 0;
  370.         while ( $i < count( $pnodes ) ) {
  371.             $pnode = $pnodes[$i];
  372.             $pnode64 = strtolower( base64_decode( $pnodes[$i] ) );
  373.             foreach ( $postvar_blacklist as $blacklisted ) {
  374.                 $blacklisted = strtolower( $blacklisted );
  375.                 if ( ( is_string( $pnodes[$i] ) ) && ( strlen( $pnodes[$i] ) > 0 ) ) {
  376.                     if ( ( false !== strpos( $pnode64, $blacklisted ) ) || ( false !== strpos( $pnode64, $this->url_decoder( $blacklisted ) ) ) ) {
  377.                         $r = "osC_Sec blacklisted base64 encoded _POST item is banned: " . htmlspecialchars( stripslashes( $blacklisted ) ) . ". ";
  378.                         $this->banChecker( $r, true );
  379.                         return;
  380.                     } elseif ( ( false !== strpos( $pnode, $blacklisted ) ) || ( false !== strpos( strtolower( $this->url_decoder( $pnode ) ), $this->url_decoder( $blacklisted ) ) ) ) {
  381.                         $r = "osC_Sec blacklisted _POST item is banned: " . htmlspecialchars( stripslashes( $blacklisted ) ) . ". ";
  382.                         $this->banChecker( $r, true );
  383.                         return;
  384.                     }
  385.                 }
  386.             }
  387.             $i++;
  388.         }
  389.     }
  390.     /**
  391.      * getShield()
  392.      *
  393.      * @return
  394.      */
  395.     function getShield() {
  396.         if ( false === $this->byPass() ) return;
  397.         $reqvar_blacklist = array(
  398.         "php/login", "eval(base64_decode(", "asc%3Deval", "asc%3Deval", "eval%28", "eval%2528", "eval(", "fromCharCode", "; base64", "base64,",
  399.         "_START_", "onerror=alert(", "mysql_query", "../cmd", "rush=", "pwtoken_get", "EXTRACTVALUE(", "phpinfo()", "1=1--", "%000", "lpad(",
  400.         "php_uname", "%3Cform", "passthru(", "sha1(", "sha2(", "\..\..", "<%3Fphp", "}%00.", "%%", "1+and+1", "/iframe", "\$_GET", "ob_starting",
  401.         "%20and%201=1", "document.cookie(", "document.write(", "onload%3d", "onunload%3d", "PHP_SELF", "etc/passwd", "shell_exec", "\$_SERVER", "substr(",
  402.         "\$_POST", "cookie=4", "\$_SESSION", "\$_REQUEST",  "\$_ENV", "GLOBALS[", "\$HTTP_", ".php/admin", "mosConfig_", "cookies=1", "%3C@replace(",
  403.         "hex_ent", "inurl:", "replace(", "onload=", "/iframe>", "return%20clk", "login.php?action=backupnow", "php/password_for", "@@datadir",
  404.         "@@version", "unhex(", "error_reporting(", "HTTP_CMD", "=alert(", "version()", "localhost", "})%3B", "/FRAMESET", "Set-Cookie",
  405.         "%27%a0%6f%72%a0%31%3d%31%23", "%bf%5c%27", "%bf%27", "%ef%bb%bf", "%8c%5c", "%a3%27", "%20regexp%20", "JHs=", "HTTP/1.", "{\$_",
  406.         "<script>" );
  407.  
  408.         $sqlfilematchlist = "\balias\b|bin|\bboot\b|config|\benviron\b|etc|\.(?:js|txt|exe|ht|ini|bat)|
  409.                             \blib\b|log|\bproc\b|\bsql\b|tmp|\bvar\b|(?:uploa|passw)d";
  410.         $sqlfilematchlist = preg_replace( "/[\s]/i", "", $sqlfilematchlist );
  411.         $whitelistpattern = "[^\w\s\p{L}\d\r?,=@%:{}\/.-]";
  412.         $injectattempt = false;
  413.         if ( false !== getenv( 'REQUEST_URI' ) ) {
  414.            $thenode = getenv( 'REQUEST_URI' );
  415.         } else {
  416.            $thenode = $_SERVER[ "REQUEST_URI" ];
  417.         }
  418.         $v = $this->url_decoder( $thenode ); // first of two urldecodes
  419.         $v = preg_replace( "/$whitelistpattern/i", "", $this->url_decoder( $v ) );
  420.  
  421.         # run through a specific set of tests
  422.        if ( ( false !== ( bool )preg_match( "/mouse(?:down|over)/i", $v ) )
  423.             && ( false !== ( bool )preg_match( "/c(?:path|tthis|t\(this)|(?:forgotte|admi)n|sqlpatch|,,|ftp:|(?:aler|promp)t/i", $v ) ) ) {
  424.             $injectattempt = true;
  425.         } elseif ( ( ( false !== strpos( $v, "ftp:" ) ) && ( substr_count( $v, "ftp" ) > 1 ) )
  426.             && ( false !== ( bool )preg_match( "/@|\/\//i", $v ) ) ) {
  427.             $injectattempt = true;
  428.         } elseif ( ( false !== ( bool )preg_match( "/(?:showimg|cookie|cookies)=/i", $v ) ) && ( "POST" == $_SERVER[ "REQUEST_METHOD" ] ) ) {
  429.             $injectattempt = true;
  430.         } elseif ( ( ( substr_count( $v, "../" ) > 2 ) || ( substr_count( $v, "..//" ) > 2 ) )
  431.             && ( false !== ( bool )preg_match( "/$sqlfilematchlist/i", $v ) ) ) {
  432.             $injectattempt = true;
  433.         } elseif ( ( false !== strpos( $v, "http:" ) )
  434.             && ( false !== ( bool )preg_match( "/(?:dir|path)=/i", $v ) ) ) {
  435.             $injectattempt = true;
  436.         } elseif ( false !== ( bool )preg_match( "/php:\/\/filter|convert.base64-(?:encode|decode)|zlib.(?:inflate|deflate)/i", $v )
  437.                 || false !== ( bool )preg_match( "/data:\/\/filter|text\/plain|http:\/\/(?:127.0.0.1|localhost)/i", $v ) ) {
  438.             $injectattempt = true;
  439.         }
  440.         if ( false !== ( bool )$injectattempt ) {
  441.             $r = "osC_Sec detected an attempt to read or include unauthorized file content. ";
  442.             $this->banChecker( $r, true );
  443.             return;
  444.         }
  445.         foreach ( $reqvar_blacklist as $blacklisted ) {
  446.             $blacklisted = strtolower( $this->url_decoder( $blacklisted ) );
  447.             # somple check of the request_uri against the blacklist irregardless of request type
  448.            if ( ( false !== strpos( $thenode, $blacklisted ) ) ||
  449.                  ( false !== strpos( $this->url_decoder( urldecode( $thenode ) ), $this->url_decoder( $blacklisted ) ) ) ) {
  450.                 $r = "osC_Sec blacklist request_uri item is banned: " . htmlspecialchars( $blacklisted ) . ". ";
  451.                 $this->banChecker( $r, true );
  452.                 return;
  453.             }
  454.         }
  455.         # check each part of the query string against the list
  456.        if ( ( "POST" !== $_SERVER[ "REQUEST_METHOD" ] ) && ( is_array( $_GET ) ) && !empty( $_SERVER[ "QUERY_STRING" ] ) ) {
  457.             $gnodes = explode( "&", $_SERVER[ "QUERY_STRING" ] );
  458.             $i = 0;
  459.             while ( $i < count( $gnodes ) ) {
  460.                 if ( is_string( $gnodes[$i] ) ) {
  461.                     $tmp = explode( "=", $gnodes[$i] );
  462.                     if ( is_array( $tmp ) ) {
  463.                         $gvar = $tmp[count( $tmp ) - count( $tmp )];
  464.                         $gval = $tmp[count( $tmp ) - 1];
  465.                     }
  466.                     $gvar = strtolower( $gvar );
  467.                     $gfvar = preg_replace( "/$whitelistpattern/i", "", $this->url_decoder( $gvar ) );
  468.                     $gval64 = strtolower( base64_decode( $gval ) );
  469.                     $gval = strtolower( $gval );
  470.                     $gfval = preg_replace( "/$whitelistpattern/i", "", $this->url_decoder( $gval ) );
  471.  
  472.                     foreach ( $reqvar_blacklist as $blacklisted ) {
  473.                         $blacklisted = strtolower( $this->url_decoder( $blacklisted ) );
  474.                         if ( ( false !== strpos( $gvar, $blacklisted ) ) || ( false !== strpos( $this->url_decoder( urldecode( $gvar ) ), $this->url_decoder( $blacklisted ) ) ) ) {
  475.                              $r = "getShield() listed query_string variable is banned: " . htmlspecialchars( $blacklisted ) . ". ";
  476.                              $this->banChecker( $r, true );
  477.                              return;
  478.                         }
  479.                         if ( ( false !== strpos( $gfvar, $blacklisted ) ) || ( false !== strpos( $this->url_decoder( urldecode( $gfvar ) ), $this->url_decoder( $blacklisted ) ) ) ) {
  480.                              $r = "getShield() listed query_string filtered variable is banned: " . htmlspecialchars( $blacklisted ) . ". ";
  481.              
  482.                              $this->banChecker( $r, true );
  483.                              return;
  484.                         }
  485.                         if ( ( false !== strpos( $gval, $blacklisted ) ) ||
  486.                              ( false !== strpos( $this->url_decoder( urldecode( $gval ) ), $this->url_decoder( $blacklisted ) ) ) ) {
  487.                              $r = "osC_Sec blacklist query_string value is banned: " . htmlspecialchars( $blacklisted ) . ". ";
  488.                              $this->banChecker( $r, true );
  489.                              return;
  490.                         }
  491.                         if ( false !== strpos( $gval64, $blacklisted ) ) {
  492.                              $r = "osC_Sec base64 encoded blacklist query_string value is banned: " . htmlspecialchars( $blacklisted ) . ". ";
  493.                              $this->banChecker( $r, true );
  494.                              return;
  495.                         }
  496.                         if ( ( false !== strpos( $gfval, $blacklisted ) ) ||
  497.                              ( false !== strpos( $this->url_decoder( urldecode( $gfval ) ), $this->url_decoder( $blacklisted ) ) ) ) {
  498.                              $r = "osC_Sec blacklist query_string filtered value is banned: " . htmlspecialchars( $blacklisted ) . ". ";
  499.                              $this->banChecker( $r, true );
  500.                              return;
  501.                         }
  502.                     }
  503.                 }
  504.                 $i++;
  505.             }
  506.         }
  507.     }
  508.     /**
  509.      * cookieShield()
  510.      *
  511.      * @return
  512.      */
  513.     function cookieShield() {
  514.         if ( false === $this->byPass() ) return;
  515.         $cookie_blacklist = array( "eval(", "base64_", "fromCharCode", "%27/*", "%27+and", "prompt(", "\"+OR+(", "\"%20OR%20(", "\"+OR+(", ")=\"",
  516.                                    "ZXZhbCg=", "ZnJvbUNoYXJDb2Rl", "U0VMRUNULyoqLw==", "Ki9XSEVSRS8q" );
  517.        
  518.         $injectattempt = false;
  519.         $cnodekeys = array_keys( $_COOKIE );
  520.         $cnodevals = array_values( $_COOKIE );
  521.  
  522.         if ( !empty( $cnodevals ) ) {
  523.           if ( is_array( $cnodevals ) ) {
  524.              $v = implode( " ", $cnodevals );
  525.           } else $v = $cnodevals;
  526.           if ( !is_array( $v ) ) {
  527.               $orig_v = $v;
  528.               $injectattempt = $this->injectionMatch( $v );
  529.               if ( isset( $injectattempt ) && ( false !== ( bool )$injectattempt ) ) {
  530.                       $r = "osC_Sec detected malicious cookie content: [ " . stripslashes( $orig_v ) . " ].";
  531.                       $this->banChecker( $r, true );
  532.                       return;
  533.               }
  534.           }
  535.         }
  536.         $i = 0;
  537.         while ( $i < count( $cnodekeys ) ) {
  538.             $cnodekey = strtolower( $cnodekeys[$i] );
  539.             $cnodeval = strtolower( $cnodevals[$i] );
  540.             if ( ( is_string( $cnodekeys[$i] ) ) ) {
  541.                 foreach ( $cookie_blacklist as $blacklisted ) {
  542.                     $blacklisted = strtolower( $blacklisted );
  543.                     if ( ( false !== strpos( $cnodekey, $blacklisted ) ) || ( false !== strpos( $this->url_decoder( urldecode( $cnodekey ) ), $this->url_decoder( $blacklisted ) ) ) ) {
  544.                         $r = "osC_Sec \$cnodekeys listed item is banned: " . htmlspecialchars( $blacklisted ) . ". ";
  545.                         $this->banChecker( $r, true );
  546.                         return;
  547.                     }
  548.                     if ( ( false !== strpos( $cnodeval, $blacklisted ) ) || ( false !== strpos( $this->url_decoder( urldecode( $cnodeval ) ), $this->url_decoder( $blacklisted ) ) ) ) {
  549.                         $r = "osC_Sec \$cnodevals listed item is banned: " . htmlspecialchars( $blacklisted ) . ". ";
  550.                         $this->banChecker( $r, true );
  551.                         return;
  552.                     }
  553.                 }
  554.             }
  555.             $i++;
  556.         }
  557.     }
    /**
     * injectionMatch()
     *
     * Heuristic SQL / JavaScript injection detector. The input is URL-decoded
     * twice, reduced to a conservative character set and lower-cased, then
     * tested against a series of keyword combinations and two lists of SQL
     * function / operator names. It returns true on the first rule that
     * fires. This is a blacklist: it can flag ordinary text that happens to
     * contain several SQL words (for example "update" + "set" + "name"), and
     * it does not replace parameterised queries in the application itself.
     *
     * @param mixed $string raw request value (query string, cookie, form field, ...)
     * @return bool true when one of the heuristics matches, false otherwise
     */
    function injectionMatch( $string ) {
      # decode twice so that double-encoded input is inspected in the clear; the
      # character class then drops everything except word characters, whitespace,
      # letters and the punctuation the rules below look for
      $string = $this->url_decoder( $string );
      $string = preg_replace( "/[^\w\s\p{L}\d\r?,(=@%:{}\/.-]/i", "", $this->url_decoder( $string ) ); // urldecode twice
      $string = strtolower( $string );
      # "//" becomes a separator so comment-like sequences do not glue two words together
      $string = str_replace( "//", " ", $string );
      # first list: SQL functions followed by "(", hex literals and server variables.
      # All whitespace is stripped below, so the line breaks are for readability only.
      $sqlmatchlist = "(?:abs|ascii|base64|bin|benchmark|cast|chr|char|charset|collation|concat|concat_ws|
                       conv|convert|count|curdate|database|date|decode|diff|distinct|elt|encode|encrypt|
                       extract|field|floor|format|hex|if|in|insert|instr|interval|lcase|left|
                       length|load_file|locate|lock|log|lower|lpad|ltrim|max|md5|mid|mod|name|now|
                       null|ord|password|position|quote|rand|repeat|replace|reverse|right|rlike|
                       round|row_count|rpad|rtrim|_set|schema|sha1|sha2|sleep|soundex|space|strcmp|
                       substr|substr_index|substring|sum|time|trim|truncate|ucase|unhex|upper|
                       _user|user|values|varchar|version|while|xor)\(|\(0x|0x|@@|cast|integer";
                        $sqlmatchlist = preg_replace( "/[\s]/i", "", $sqlmatchlist );
      # NOTE: ">" binds tighter than "!==", so "false !== preg_match_all( ... ) > 3" reads as
      # "false !== ( count > 3 )", i.e. a plain boolean test on the number of matches.
      if ( false !== ( bool )preg_match( "/\bdrop\b/i", $string )
          && false !== ( bool )preg_match( "/\btable\b|\buser\b/i", $string )
          && false !== ( bool )preg_match( "/--|\//i", $string ) ) {
            return true;
      } elseif ( ( false !== strpos( $string, "grant" ) )
              && ( false !== strpos( $string, "all" ) )
              && ( false !== strpos( $string, "privileges" ) ) ) {
            return true;
      } elseif ( false !== preg_match_all( "/\bload\b|\bdata\b|\binfile\b|\btable\b|\bterminated\b/i", $string, $matches ) > 3 ) {
            return true;
      } elseif ( ( ( false !== ( bool )preg_match( "/select|declare/i", $string ) )
        || ( false !== ( bool )preg_match( "/\band\b/i", $string ) ) || ( false !== ( bool )preg_match( "/\bif\b/i", $string ) ) )
        && ( false !== preg_match_all( "/$sqlmatchlist/", $string, $matches ) > 0 ) ) {
            return true;
      } elseif ( false !== preg_match_all( "/$sqlmatchlist/", $string, $matches ) > 1 ) {
            return true;
      } elseif ( false !== strpos( $string, "update" ) && false !== ( bool )preg_match( "/\bset\b/i", $string )
            && ( false !== ( bool )preg_match( "/\bcolumn\b|\bdata\b|concat\(|\bemail\b|\blogin\b|\bname\b|\bpass\b|sha1|sha2|\btable\b|\bwhere\b|\buser\b|\bval\b|0x/i", $string ) ) ) {
            return true;
      # tackle the noDB / js issue
     } elseif ( ( substr_count( $string, "var" ) > 1 ) && ( false !== ( bool )preg_match( "/date\(|while\(|sleep\(/i", $string ) ) ) {
            return true;
      }
      # second pass: "(" is dropped from the character set and a broader keyword
      # list (whole words marked with \b) is used by the structural rules below
      $string = preg_replace( "/[^\w\s\p{L}\d\r?,=@%:{}\/.-]/i", "", $string );
      # NOTE(review): "m(:?ake|atch|d5|id)" looks like a typo for "(?:" — as written it is a
      # capturing group that also accepts an optional colon; confirm before changing the list
      $sqlmatchlist = "_and|ascii|b(?:enchmark|etween|in|itlength|ulk)|c(?:ast|har|ookie|ollate|oncat|urrent)|\bdate\b|dump|e(?:lt|xport)|
                      false|\bfield\b|fetch|format|function|\bhaving\b|i(?:dentity|nforma|nstr|nto)|\bif\b|\bin\b|
                      l(?:case|eft|ength|ike|imit|oad|ocate|ower|pad|trim)|join|m(:?ake|atch|d5|id)|not_like|not_regexp|order|outfile|
                      p(?:ass|ost|osition|riv)|\bquote\b|\br(?:egexp\b|ename\b|epeat\b|eplace\b|equest\b|everse\b|eturn\b|ight\b|like\b|pad\b|trim\b)|
                      \bs(?:ql\b|hell\b|trcmp\b|ubstr\b)|\bt(?:able\b|rim\b|rue\b|runcate\b)|u(?:case|nhex|pdate|pper|ser)|values|varchar|\bwhen\b|where|with|0x|
                      _(?:decrypt|encrypt|get|post|server|cookie|global|or|request|xor)|(?:column|db|load|not|octet|sql|table|xp)_";
                      $sqlmatchlist = preg_replace( "/[\s]/i", "", $sqlmatchlist );
      if ( false !== strpos( $string, "by" ) && ( false !== ( bool )preg_match( "/\border\b|\bgroup\b/i", $string ) )
                && ( false !== ( bool )preg_match( "/\bcolumn\b|\bdesc\b|\berror\b|\bfrom\b|hav|\blimit\b|\boffset\b|\btable\b|\/|--/i", $string )
                    || ( false !== ( bool )preg_match( "/\b[0-9]\b/i", $string ) ) ) ) {
            return true;
      } elseif ( ( false !== ( bool )preg_match( "/\btable\b|\bcolumn\b/i", $string  ) ) && false !== strpos( $string, "exists" )
                && ( false !== ( bool )preg_match( "/\bif\b|\berror\b|\buser\b|\bno\b/i", $string ) ) ) {
            return true;
      } elseif ( ( ( false !== strpos( $string, "waitfor" ) && false !== strpos( $string, "delay" ) && ( ( bool )preg_match( "/(:)/i", $string ) ) )
         || false !== strpos( $string, "nowait" ) )
                && ( false !== ( bool )preg_match( "/--|\/|\blimit\b|\bshutdown\b|\bupdate\b|\bdesc\b/i", $string ) ) ) {
            return true;
      } elseif ( false !== ( bool )preg_match( "/\binto\b/i", $string )
              && ( false !== ( bool )preg_match( "/\boutfile\b/i", $string ) ) ) {
            return true;
      } elseif ( false !== ( bool )preg_match( "/\bdrop\b/i", $string )
              && ( false !== ( bool )preg_match( "/\buser\b/i", $string ) ) ) {
            return true;
      } elseif ( ( ( false !== strpos( $string, "create" ) && false !== ( bool )preg_match( "/\btable\b|\buser\b|\bselect\b/i", $string ) )
         || ( false !== strpos( $string, "delete" ) && false !== strpos( $string, "from" ) )
         || ( false !== strpos( $string, "insert" ) && ( false !== ( bool )preg_match( "/\bexec\b|\binto\b|from/i", $string ) ) )
         || ( false !== strpos( $string, "select" ) && ( false !== ( bool )preg_match( "/\bby\b|\bcase\b|from|\bif\b|\binto\b|ord|union/i", $string ) ) ) )
            && ( false !== ( bool )preg_match( "/$sqlmatchlist/i", $string ) ) ) {
            return true;
      # last rule: two or more "null" tokens once every non-letter has been removed
      } elseif ( false !== strpos( $string, "null" ) ) {
            $nstring = preg_replace( "/[^a-z]/i", "", $this->url_decoder( $string ) );
            if ( false !== ( bool )preg_match( "/(null){2,}/i", $nstring ) ) {
                return true;
            } else return false;
      } else return false;
    return false;
    }
  640.     /**
  641.      * htaccessbanip()
  642.      *
  643.      * @param mixed $banip
  644.      * @return
  645.      */
  646.     function htaccessbanip( $banip ) {
  647.         if ( false === $this->byPass() ) return;
  648.         if ( !isset( $this->_htaccessfile ) ) return $this->senda403Header();
  649.         $limitend = "# End of $this->_httphost Osc_Sec Ban\n";
  650.         $newline = "deny from $banip\n";
  651.         if ( file_exists( $this->_htaccessfile ) ) {
  652.             $mybans = file( $this->_htaccessfile );
  653.             $lastline = "";
  654.             if ( in_array( $newline, $mybans ) ) exit();
  655.             if ( in_array( $limitend, $mybans ) ) {
  656.                 $i = count( $mybans ) - 1;
  657.                 while ( $mybans[$i] != $limitend ) {
  658.                     $lastline = array_pop( $mybans ) . $lastline;
  659.                     $i--;
  660.                 }
  661.                 $lastline = array_pop( $mybans ) . $lastline;
  662.                 $lastline = array_pop( $mybans ) . $lastline;
  663.                 array_push( $mybans, $newline, $lastline );
  664.             } else {
  665.                 array_push( $mybans, "\n\n# $this->_httphost Osc_Sec Ban\n", "order allow,deny\n", $newline,
  666.                     "allow from all\n", $limitend );
  667.             }
  668.         } else {
  669.             $mybans = array( "# $this->_httphost Osc_Sec Ban\n", "order allow,deny\n", $newline, "allow from all\n", $limitend );
  670.         }
  671.         if ( ini_get( 'allow_url_fopen' ) == 1 ) @ini_set( 'allow_url_fopen', '0' );
  672.         if ( ini_get( 'allow_url_include' ) == 1 ) @ini_set( 'allow_url_include', '0' );
  673.         $myfile = fopen( $this->_htaccessfile, "w" );
  674.         fwrite( $myfile, implode( $mybans, "" ) );
  675.         fclose( $myfile );
  676.     }
  677.     /**
  678.      * ipTrapped()
  679.      *
  680.      * @return
  681.      */
  682.     function ipTrapped() {
  683.         if ( false !== $this->_useIPTRAP ) {
  684.             # if IP is already in IP Trap list then redirect
  685.            $mybans = file( $this->_ipTrappedURL );
  686.             $mybans = array_values( $mybans );
  687.             foreach ( $mybans as $i => $value ) {
  688.                 if ( strlen( $mybans[$i] > 0 ) ) {
  689.                     # find IP address in IP Trap ban list
  690.                    if ( false !== strpos( $mybans[$i], $this->getRealIP() ) ) {
  691.                         $this->_emailenabled = 0;
  692.                         return true;
  693.                     }
  694.                 }
  695.             }
  696.         }
  697.         return false;
  698.     }
  699.     function setIPTrapBlocked( $ipTrapBlocked ) {
  700.       if ( false !== ( bool )$this->fINT( $this->_useIPTRAP ) ) {
  701.          if ( false !== $this->fURL( $ipTrapBlocked )
  702.              && false !== strpos( $ipTrapBlocked, "blocked.php" ) ) {
  703.              $this->_ipTrapBlocked = $ipTrapBlocked;
  704.          } else {
  705.              $this->_ipTrapBlocked = false;
  706.          }
  707.       }
  708.     }
  709.     /**
  710.      * my_array_filter_fn()
  711.      *
  712.      * @param mixed $val
  713.      * @return
  714.      */
  715.     function my_array_filter_fn( $val ) {
  716.         $val = trim( $val );
  717.         $allowed_vals = array( "0" );
  718.         return in_array( $val, $allowed_vals, true ) ? true : ( $val ? true : false );
  719.     }
  720.     /**
  721.      * ipTrapban()
  722.      *
  723.      * @param mixed $banip
  724.      * @return
  725.      */
  726.     function ipTrapban( $banip ) {
  727.         if ( false === $this->byPass() ) return;
  728.         $bannedAlready = false;
  729.         $limitend = "\n";
  730.         $newline = "$banip";
  731.         if ( file_exists( $this->_ipTrappedURL ) ) {
  732.             $mybans = file( $this->_ipTrappedURL );
  733.             $lastline = "";
  734.             $mybans = array_filter( $mybans, array( "osC_Sec", "my_array_filter_fn" ) );
  735.             $mybans = array_values( $mybans );
  736.             $endIPTrapIP = "999.999.999.999";
  737.             foreach ( $mybans as $i => $value ) {
  738.                 if ( strlen( $mybans[$i] > 0 ) ) {
  739.                     if ( false !== strpos( $mybans[$i], $newline ) ) $bannedAlready = true;
  740.                 }
  741.             }
  742.             foreach ( $mybans as $i => $value ) {
  743.                 if ( false !== strpos( $mybans[$i], " " ) ) $mybans[$i] = preg_replace( "/[\s\r\n]/i", "", $mybans[$i] );
  744.                 if ( ( false === ( bool )preg_match( "`[\r\n]`", $mybans[$i] ) ) ) $mybans[$i] = $mybans[$i] . "\n";
  745.             }
  746.             if ( false !== ( bool )$bannedAlready ) {
  747.                 if ( ini_get( 'allow_url_fopen' ) == 1 ) @ini_set( 'allow_url_fopen', '0' );
  748.                 if ( ini_get( 'allow_url_include' ) == 1 ) @ini_set( 'allow_url_include', '0' );
  749.                 $myfile = fopen( $this->_ipTrappedURL, "w" );
  750.                 fwrite( $myfile, implode( $mybans, "" ) );
  751.                 fclose( $myfile );
  752.             }
  753.             if ( false === ( bool )$bannedAlready ) {
  754.                 if ( ( false !== strpos( $mybans[$i], $endIPTrapIP ) ) ) unset( $mybans[$i] );
  755.                 if ( in_array( $limitend, $mybans ) ) {
  756.                     $i = count( $mybans ) - 1;
  757.                     while ( $mybans[$i] != $limitend ) {
  758.                         $lastline = array_pop( $mybans ) . $lastline;
  759.                         $i--;
  760.                     }
  761.                     array_push( $mybans, $newline, $endIPTrapIP );
  762.                 } else {
  763.                     array_push( $mybans, "\n", $newline, $endIPTrapIP );
  764.                 }
  765.             } else {
  766.                 if ( false === ( bool )$bannedAlready ) {
  767.                     $mybans = array( "\n", $newline, $endIPTrapIP );
  768.                 }
  769.             }
  770.             if ( false === ( bool )$bannedAlready ) {
  771.                 $mybans = array_filter( $mybans, array( "osC_Sec", "my_array_filter_fn" ) );
  772.                 $mybans = array_values( $mybans );
  773.                 $i = 0;
  774.                 foreach ( $mybans as $i => $value ) {
  775.                     if ( false !== strpos( $mybans[$i], " " ) ) $mybans[$i] = str_replace( " ", "", $mybans[$i] );
  776.                     if ( ( false === ( bool )preg_match( "`[\r\n]`", $mybans[$i] ) ) ) $mybans[$i] = $mybans[$i] . "\n";
  777.                 }
  778.                 if ( ini_get( 'allow_url_fopen' ) == 1 ) @ini_set( 'allow_url_fopen', '0' );
  779.                 if ( ini_get( 'allow_url_include' ) == 1 ) @ini_set( 'allow_url_include', '0' );
  780.                 $myfile = fopen( $this->_ipTrappedURL, "w" );
  781.                 fwrite( $myfile, implode( $mybans, "" ) );
  782.                 fclose( $myfile );
  783.             }
  784.         }
  785.     }
  786.     /**
  787.      * hCoreFileChk()
  788.      *
  789.      * @param mixed $filename
  790.      * @return
  791.      */
  792.     function hCoreFileChk( $filename ) {
  793.         if ( is_writable( $filename ) ) {
  794.             return true;
  795.         }
  796.         return false;
  797.     }
  798.     /**
  799.      * checkfilename()
  800.      *
  801.      * @param mixed $fname
  802.      * @return
  803.      */
  804.     function checkfilename( $fname ) {
  805.       # check for login spoofing ( filename.php/login.php )
  806.        if ( ( !empty( $fname ) )
  807.             && ( substr_count( $fname, ".php" ) == 1 )
  808.             && ( ".php" == substr( $fname, -4 ) ) ) {
  809.             if ( ( ( strlen( $fname ) ) - ( strpos( $fname, "." ) ) ) <> 4 ) {
  810.                 return false;
  811.             } elseif ( ( false !== is_readable( $fname ) ) || ( false !== strpos( $_SERVER[ "SCRIPT_NAME" ], "ext/modules/" ) ) ) return true;
  812.         } else return false;
  813.         return false;
  814.     }
    /**
     * phpSelfFix()
     *
     * Derive a trustworthy script basename for $PHP_SELF. Tries, in order:
     * the osCommerce RC3 approach (SCRIPT_NAME or PHP_SELF from the server
     * vars), a regex over SCRIPT_NAME, and finally the last segment of
     * SCRIPT_FILENAME. PHP_SELF and SCRIPT_NAME echo parts of the request
     * path, which is why every candidate is run through checkfilename()
     * before it is returned. A bare "/" request yields "index.php"; when no
     * candidate survives the request is terminated with die().
     *
     * @return string|null the validated basename; null when SCRIPT_FILENAME
     *                     was tried and rejected; otherwise does not return
     */
    function phpSelfFix() {
        global $PHP_SELF;
        # $HTTP_SERVER_VARS is a local that is never set before this line, so the
        # right-hand condition is always true and $_SERVER is always copied
        if ( false !== ( bool )ini_get( "register_globals" ) || ( !isset( $HTTP_SERVER_VARS ) ) ) $HTTP_SERVER_VARS = $_SERVER;
        $filename = NULL;
        # this is the RC3 standard code
        # without cgi.fix_pathinfo (or without SCRIPT_NAME) fall back to PHP_SELF
       $filename = ( ( ( strlen( ini_get( "cgi.fix_pathinfo" ) ) > 0 )
                     && ( ( bool )ini_get( "cgi.fix_pathinfo" ) == false ) )
                     || !isset( $HTTP_SERVER_VARS[ "SCRIPT_NAME" ] ) ) ?
                     basename( $HTTP_SERVER_VARS[ "PHP_SELF" ] ) :
                     basename( $HTTP_SERVER_VARS[ "SCRIPT_NAME" ] );
                    if ( false === $this->checkfilename( $filename ) ) {
                        $filename = NULL;
                    } else return $filename;

        # if RC3 fails then try a version of FWR Media's $PHP_SELF code.
        # first "name.php" token in SCRIPT_NAME, accepted when readable or under ext/modules/
       if ( empty( $filename ) && ( false !== strpos( $_SERVER[ "SCRIPT_NAME" ], ".php" ) ) ) {
            preg_match( "@[a-z0-9_]+\.php@i", $_SERVER[ "SCRIPT_NAME" ], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                && ( substr( $matches[0], -4, 4 ) == ".php" )
                && ( is_readable( $matches[0] )
                || ( false !== strpos( $_SERVER[ "SCRIPT_NAME" ], "ext/modules/" ) ) ) ) {
                $filename = $matches[0];
            }
            if ( false === $this->checkfilename( $filename ) ) {
                $filename = NULL;
            } else return $filename;
        }

        # if that fails then try osC_Sec $PHP_SELF code
        # last "/"-separated segment of the filesystem path of the running script
       if ( empty( $filename ) && isset( $_SERVER[ "SCRIPT_FILENAME" ] ) && ( "" !== $_SERVER[ "SCRIPT_FILENAME" ] ) ) {
            $tmp = explode( "/", $_SERVER[ "SCRIPT_FILENAME" ] );
            if ( is_array( $tmp ) ) {
                $filename = $tmp[count( $tmp ) - 1];
            }
            if ( false !== $this->checkfilename( $filename ) ) {
                return $filename;
            }
            # falls through and returns null when this candidate is rejected too
        } elseif ( ( $_SERVER[ "PHP_SELF" ] == "/" ) || ( $_SERVER[ "SCRIPT_NAME" ] == "/" ) ) {
         return "index.php";
        } else die();
    }
  861.     /**
  862.      * array_flatten()
  863.      *
  864.      * @param mixed $array
  865.      * @param bool $preserve_keys
  866.      * @return
  867.      */
  868.     function array_flatten( $array, $preserve_keys = false ) {
  869.       if ( !$preserve_keys ) {
  870.           $array = array_values( $array );
  871.       }
  872.       $flattened_array = array();
  873.       foreach ( $array as $k => $v ) {
  874.           if ( is_array( $v ) ) {
  875.               $flattened_array = array_merge( $flattened_array, $this->array_flatten( $v, $preserve_keys ) );
  876.           } elseif ( $preserve_keys ) {
  877.               $flattened_array[ $k ] = $v;
  878.           } else {
  879.               $flattened_array[] = $v;
  880.           }
  881.       }
  882.       return $flattened_array;
  883.     }
  884.  
  885.     /**
  886.      * byPass()
  887.      *
  888.      * @return
  889.      */
  890.     function byPass() {
  891.         $PHP_SELF = $this->phpSelfFix();
  892.        
  893.         $filename_bypass = array();
  894.         $dir_bypass = array();
  895.         $exfrmBanlist = array();
  896.  
  897.         # list of files to bypass. I have added a few for consideration. Try to keep this list short
  898.        $filename_bypass = array( "sitemonitor", "protx_process.php", "dps_pxpay_result_handler.php",
  899.                                   "ipn.php", "express_payflow.php", "quickpay.php" );
  900.        
  901.         # bypass all files in a directory. Use this sparingly
  902.        $dir_bypass = array( "/ext/modules/payment" );
  903.  
  904.         # list of IP exceptions. Add bypass ips and uncomment for use
  905.        # $exfrmBanlist = array( '', '', '' );
  906.        
  907.         $realip = $this->getRealIP();
  908.         if ( false === empty( $exfrmBanlist ) ) {
  909.           foreach ( $exfrmBanlist as $exCeptions ) {
  910.               if ( false !== ( strlen( $realip ) == strlen( $exCeptions ) )
  911.                   && ( false !== strpos( $realip, $exCeptions ) ) ) {
  912.                   return false;
  913.               }
  914.           }
  915.         }
  916.         if ( false === empty( $filename_bypass ) ) {
  917.           foreach ( $filename_bypass as $filename ) {
  918.               if ( false !== strpos( $PHP_SELF, $filename ) ) {
  919.                   return false;
  920.               }
  921.           }
  922.         }
  923.         if ( false === empty( $dir_bypass ) ) {
  924.           foreach ( $dir_bypass as $dirname ) {
  925.               if ( false !== strpos( $_SERVER[ "SCRIPT_NAME" ], $dirname ) ) {
  926.                   return false;
  927.               }
  928.           }
  929.         }
  930.         return true;
  931.     }
  932.     /**
  933.      * checkReqType()
  934.      *
  935.      * @return
  936.      */
  937.     function checkReqType() {
  938.         if ( false === $this->byPass() ) return;
  939.         $reqType = $_SERVER[ "REQUEST_METHOD" ];
  940.         $req_whitelist = array( "GET", "OPTIONS", "HEAD", "POST" );
  941.         # first check for numbers in REQUEST_METHOD
  942.        if ( false !== ( bool )preg_match( "/[0-9]+/", $reqType ) ) {
  943.             $r = " Request method [ " . $_SERVER[ "REQUEST_METHOD" ] .
  944.                 " ] should not contain numbers. ";
  945.             $this->banChecker( $r, true );
  946.         }
  947.         # then make sure its all UPPERCASE (for servers that do not filter the case of the request method)
  948.        if ( false === ctype_upper( $reqType ) ) {
  949.             $r = " Request method [ " . $_SERVER[ "REQUEST_METHOD" ] .
  950.                 " ] should be in all uppercase letters. ";
  951.             $this->banChecker( $r, true );
  952.             # lastly check against the whitelist
  953.        } elseif ( false === in_array( $reqType, $req_whitelist ) ) {
  954.             $r = " Request method [ " . $_SERVER[ "REQUEST_METHOD" ] .
  955.                 " ] is neither GET, OPTIONS, HEAD or POST. ";
  956.             $this->banChecker( $r, true );
  957.         }
  958.     }
  959.     /**
  960.      * chkSetup()
  961.      *
  962.      * @return
  963.      */
  964.     function chkSetup() {
  965.         # Make sure $banipaddress and $useIPTRAP are not both activated at the same time
  966.        if ( ( $this->_banipaddress ) && ( $this->_useIPTRAP ) ) die( "<p align=center><font face=verdana size=1>" .
  967.                 "<strong>WARNING</strong>: Choose either \$banipaddress or \$useIPTRAP, not both thanks.</font></p>" );
  968.         # if using IPTrap, Make sure $ipTrapBlocked is set
  969.        if ( ( $this->_useIPTRAP ) && ( false === $this->_ipTrapBlocked ) ) die( "<p align=center><font face=verdana size=1>" .
  970.                 "<strong>WARNING</strong>: Check the \$ipTrapBlocked url to the IP Trap blocked.php file in the osc.php file for errors.<br />".
  971.                 "\$ipTrapBlocked cannot be left empty if IP Trap is enabled. If not empty then check that the URL is correct." );
  972.     }
  973.     /**
  974.      * getDir()
  975.      *
  976.      * @return
  977.      */
  978.     function getDir() {
  979.         if ( ( defined( "DIR_FS_CATALOG" ) ) && ( "/" !== substr( DIR_FS_CATALOG, -1 ) ) ) {
  980.             return DIR_FS_CATALOG . "/";
  981.         } elseif ( defined( "DIR_FS_CATALOG" ) ) {
  982.             return DIR_FS_CATALOG;
  983.         } elseif ( !defined( "DIR_FS_CATALOG" ) ) {
  984.             $rootDir = $_SERVER[ "SCRIPT_NAME" ];
  985.             if ( false !== strpos( $rootDir, "/" ) ) {
  986.                 if ( $rootDir[0] == "/" ) {
  987.                     $rootDir = substr( $rootDir, 1 );
  988.                     $pos = strpos( strtolower( $rootDir ), strtolower( "/" ) );
  989.                     $pos += strlen( "." ) - 1;
  990.                     $rootDir = substr( $rootDir, 0, $pos );
  991.                     if ( "/" !== substr( $rootDir, -1 ) ) $rootDir = "/" . $rootDir . "/";
  992.                 }
  993.             }
  994.             $dirFS = $_SERVER[ "DOCUMENT_ROOT" ] . $rootDir;
  995.             while ( ( false !== strpos( $dirFS, "//" ) ) ) {
  996.                 $dirFS = str_replace( "//", "/", $dirFS );
  997.             }
  998.            return $dirFS;
  999.         }
  1000.     }
  1001.     /**
  1002.      * check_ip()
  1003.      *
  1004.      * @param mixed $ip
  1005.      * @return
  1006.      */
  1007.     function check_ip( $ip ) {
  1008.       # simple ip format check
  1009.      if ( function_exists( 'filter_var' )
  1010.           && defined( 'FILTER_VALIDATE_IP' )
  1011.           && defined( 'FILTER_FLAG_IPV4' )
  1012.           && defined( 'FILTER_FLAG_IPV6' ) ) {
  1013.           if ( filter_var( $ip, FILTER_VALIDATE_IP,
  1014.                                 FILTER_FLAG_IPV4 ||
  1015.                                 FILTER_FLAG_IPV6 ) === false ) {
  1016.                                 return $this->senda403Header();
  1017.           } else return true;
  1018.       }
  1019.       if ( preg_match( '/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/', $ip ) ) {
  1020.         $parts = explode( '.', $ip );
  1021.  
  1022.         foreach ( $parts as $ip_parts ) {
  1023.           if ( !is_numeric( $ip_parts ) || ( ( int )( $ip_parts ) > 255 ) || ( ( int )( $ip_parts ) < 0 ) ) {
  1024.              return $this->senda403Header();
  1025.           }
  1026.         }
  1027.         return true;
  1028.       } else return false;
  1029.     }
  1030.    
    /**
     * getRealIP()
     *
     * Return the client address used for banning. The value returned is
     * always REMOTE_ADDR (validated with check_ip()); the proxy headers are
     * only inspected to decide whether banning should be switched off for
     * this request, so that an upstream proxy is never banned by mistake.
     *
     * NOTE(review): every header examined below is supplied by the client,
     * so a request carrying any well-formed forwarding header turns off
     * _banipaddress and _useIPTRAP for itself. Honouring these headers only
     * when REMOTE_ADDR is a known upstream proxy would close that gap —
     * confirm the deployment topology before changing.
     *
     * @return string REMOTE_ADDR when it validates; otherwise hands off to
     *                senda403Header()
     */
    function getRealIP() {
      # $_SERVER is a superglobal; this declaration is redundant
      global $_SERVER;
      $ip_addresses = array();
      if ( isset( $_SERVER ) ) {
      // check for IPs passing through proxies
      if ( !empty( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) {
       // check if multiple ips exist in var
        $iplist = explode( ',', $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] );
        # keeps the LAST entry that check_ip() accepts; check_ip() decides what
        # happens to malformed entries
        foreach ( $iplist as $ip ) {
         if ( $this->check_ip( $ip ) )
          $HTTP_X_FORWARDED_FOR = $ip;
        }
       }
      }
      # $HTTP_X_FORWARDED_FOR is a plain local here, only set above; !empty() copes with it being undefined
      if ( ( !empty( $_SERVER[ 'HTTP_CLIENT_IP' ] ) && false !== $this->check_ip( $_SERVER[ 'HTTP_CLIENT_IP' ] ) )
        || ( !empty( $HTTP_X_FORWARDED_FOR ) && false !== $this->check_ip( $HTTP_X_FORWARDED_FOR ) )
        || ( !empty( $_SERVER[ 'HTTP_X_FORWARDED' ] ) && false !== $this->check_ip( $_SERVER[ 'HTTP_X_FORWARDED' ] ) )
        || ( !empty( $_SERVER[ 'HTTP_PROXY_USER' ] ) && false !== $this->check_ip( $_SERVER[ 'HTTP_PROXY_USER' ] ) )
        || ( !empty( $_SERVER[ 'HTTP_X_CLUSTER_CLIENT_IP' ] ) && false !== $this->check_ip( $_SERVER[ 'HTTP_X_CLUSTER_CLIENT_IP' ] ) )
        || ( !empty( $_SERVER[ 'HTTP_FORWARDED' ] ) && false !== $this->check_ip( $_SERVER[ 'HTTP_FORWARDED' ] ) )
        || ( !empty( $_SERVER[ 'HTTP_CF_CONNECTING_IP' ] ) && false !== $this->check_ip( $_SERVER[ 'HTTP_CF_CONNECTING_IP' ] ) )
        || ( !empty( $_SERVER[ 'HTTP_FORWARDED_FOR' ] ) && false !== $this->check_ip( $_SERVER[ 'HTTP_FORWARDED_FOR' ] ) ) ) {
               # just disable the ban IP function so as not to
              # accidentally ban an upstream proxy server
              # however osC_Sec can still block any
              # malicious requests irregardless
              # (note: these are assigned int 0, while Sentry() stores bools —
              # callers that test with "false !==" will not see this as disabled)
              $this->_banipaddress = 0;
               $this->_useIPTRAP = 0;
      }
      # the forwarded values above are never returned; only REMOTE_ADDR is trusted as the client address
      return ( false !== $this->check_ip( $_SERVER[ "REMOTE_ADDR" ] ) ) ? $_SERVER[ "REMOTE_ADDR" ] : $this->senda403Header();
    }
  1067.     function fINT( $integ ) {
  1068.      # check input is an integer and no lower than 0 in value
  1069.      if ( function_exists( 'filter_var' ) && defined( 'FILTER_SANITIZE_NUMBER_INT' ) ) {
  1070.              $integ_filtered = ( int )filter_var( $integ, FILTER_SANITIZE_NUMBER_INT );
  1071.              if ( isset( $integ )
  1072.                  && $integ_filtered
  1073.                  && is_int( $integ_filtered )
  1074.                  && 0 <= $integ_filtered ) {
  1075.                return $integ_filtered;
  1076.              } else return 0;
  1077.       } elseif ( isset( $integ )
  1078.                  && 0 <= ( int )$integ ) {
  1079.                return ( int )$integ;
  1080.       } else return 0;
  1081.     }
  1082.     function fURL( $url ) {
  1083.      # check input is an integer and no lower than 0 in value
  1084.      if ( function_exists( 'filter_var' ) && defined( 'FILTER_SANITIZE_URL' ) ) {
  1085.              $url_filtered = filter_var( $url, FILTER_SANITIZE_URL );
  1086.       }
  1087.       if ( isset( $url_filtered ) ) {
  1088.         if ( preg_match( "#^http(s)?://[a-z0-9-_.]+\.[a-z]{2,4}#i", $url ) ) {
  1089.             return $url;
  1090.         } else return false;
  1091.       }
  1092.       return false;
  1093.     }
  1094.     /**
  1095.      * strCharsfrmStr()
  1096.      *
  1097.      * @param mixed $string
  1098.      * @param mixed $strip
  1099.      * @param mixed $replace
  1100.      * @return
  1101.      */
  1102.     function strCharsfrmStr( $string, $strip, $replace ) {
  1103.         $x = ( false !== strpos( $string, $strip ) ) ? true : false;
  1104.         while ( false !== $x ) {
  1105.             $string = str_replace( $strip, $replace, $string );
  1106.             $x = ( false !== strpos( $string, $strip ) ) ? true : false;
  1107.         }
  1108.         return $string;
  1109.     }
  1110.     /**
  1111.      * Bad Spider Block
  1112.      */
  1113.     function badArachnid() {
  1114.         if ( false === $this->byPass() ) return;
  1115.         if ( isset( $_SERVER[ "HTTP_USER_AGENT" ] ) ) {
  1116.           $badagentlist = array( "Baidu", "WebLeacher", "autoemailspider", "MSProxy", "Yeti", "Twiceler", "blackhat", "Mail.Ru", "fuck" );
  1117.           $lcUserAgent = strtolower( $_SERVER[ "HTTP_USER_AGENT" ] );
  1118.           foreach ( $badagentlist as $badagent ) {
  1119.               $badagent = strtolower( $badagent );
  1120.               if ( false !== strpos( $lcUserAgent, $badagent ) ) {
  1121.                   $header = array( "HTTP/1.1 404 Not Found", "HTTP/1.1 404 Not Found", "Content-Length: 0" );
  1122.                   foreach ( $header as $sent ) {
  1123.                       header( $sent );
  1124.                   }
  1125.                   die();
  1126.               }
  1127.           }
  1128.         }
  1129.     }
  1130.     function get_version() {
  1131.        if ( false !== file_exists( $this->getDir() . 'includes/version.php' )
  1132.           && false !== is_readable( $this->getDir() . 'includes/version.php' ) ) {
  1133.           return trim( implode('', file( $this->getDir() . 'includes/version.php' ) ) );
  1134.        }
  1135.     return false;
  1136.     }
  1137.     function setOpenBaseDir() {
  1138.        if ( false !== $this->get_version()
  1139.           && $this->get_version() == "2.3.1" ) {
  1140.           if ( strlen( ini_get( 'open_basedir' ) == 0 ) ) {
  1141.               return @ini_set( 'open_basedir', $this->getDir() );
  1142.           }
  1143.        }
  1144.     }
  1145.    /**
  1146.     * x_powered_by()
  1147.     */
  1148.     function x_powered_by() {
  1149.        $errlevel = ini_get( 'error_reporting' );
  1150.        error_reporting( 0 );
  1151.        if ( false !== ( bool )ini_get( 'expose_php' ) ) {
  1152.           header( "X-Powered-By: osC_Sec" );
  1153.        }
  1154.        error_reporting( $errlevel );
  1155.     }
  1156.    /**
  1157.     * url_decoder()
  1158.     */
  1159.     function url_decoder( $var ) {
  1160.       return rawurldecode( urldecode( $var ) );
  1161.     }
  1162.   } // end of class
  1163.  
  /**
   * osCSec_selfchk()
   *
   * Basename of this file with a leading slash, for matching against
   * SCRIPT_NAME when refusing direct requests to osC_Sec.php.
   *
   * @return string
   */
  function osCSec_selfchk() {
      # normalise separators so the split works on Windows paths as well
      $parts = explode( "/", str_replace( DIRECTORY_SEPARATOR, "/", __FILE__ ) );
      $self = $parts[count( $parts ) - 1];
      return ( "/" === substr( $self, 0, 1 ) ) ? $self : "/" . $self;
  }
  /**
   * senda404Header()
   *
   * Respond with an empty 404 and terminate the request.
   *
   * @return void (does not return)
   */
  function senda404Header() {
      header( "HTTP/1.1 404 Not Found" );
      header( "HTTP/1.1 404 Not Found" );
      header( "Content-Length: 0" );
      die();
  }
  1193.  
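  /**
   * fix_server_vars()
   *
   * Makes sure $_SERVER["REQUEST_URI"] and $_SERVER["SCRIPT_FILENAME"] hold
   * usable values on servers / SAPIs that do not populate them (IIS, some
   * CGI set-ups).
   *
   * Resolution order for REQUEST_URI:
   *   1. the existing $_SERVER["REQUEST_URI"] is kept when it is non-empty
   *      and the server is not IIS;
   *   2. otherwise the X-Original-URL / X-Rewrite-URL request headers are
   *      used, then SCRIPT_NAME + PATH_INFO (+ "?" QUERY_STRING);
   *   3. a REQUEST_URI found in the process environment (getenv) that is
   *      longer than 7 characters overrides whatever step 2 produced.
   *
   * NOTE(review): HTTP_X_ORIGINAL_URL and HTTP_X_REWRITE_URL are request
   * headers. On IIS they are filled in by the rewrite module, but any client
   * can send them, so everything that later reads $_SERVER["REQUEST_URI"]
   * must keep treating it as untrusted input.
   *
   * @return void
   */
  function fix_server_vars() {
      $_request_uri = "";
      # SERVER_SOFTWARE is not guaranteed to exist (CLI, some SAPIs)
      $server_software = isset( $_SERVER[ "SERVER_SOFTWARE" ] ) ? $_SERVER[ "SERVER_SOFTWARE" ] : "";
      # IIS (other than through FastCGI) does not provide a usable REQUEST_URI
      $is_iis = ( php_sapi_name() != "cgi-fcgi"
                  && preg_match( "/^Microsoft-IIS\//", $server_software ) === 1 );
      if ( empty( $_SERVER[ "REQUEST_URI" ] ) || $is_iis ) {
          if ( isset( $_SERVER[ "HTTP_X_ORIGINAL_URL" ] ) ) {
              $_request_uri = $_SERVER[ "HTTP_X_ORIGINAL_URL" ];
          } elseif ( isset( $_SERVER[ "HTTP_X_REWRITE_URL" ] ) ) {
              $_request_uri = $_SERVER[ "HTTP_X_REWRITE_URL" ];
          } else {
              if ( !isset( $_SERVER[ "PATH_INFO" ] ) && isset( $_SERVER[ "ORIG_PATH_INFO" ] ) ) {
                  $_SERVER[ "PATH_INFO" ] = $_SERVER[ "ORIG_PATH_INFO" ];
              }
              if ( isset( $_SERVER[ "PATH_INFO" ] ) ) {
                  $script_name = isset( $_SERVER[ "SCRIPT_NAME" ] ) ? $_SERVER[ "SCRIPT_NAME" ] : "";
                  # when PATH_INFO already equals SCRIPT_NAME the script name must not be prepended twice
                  if ( $_SERVER[ "PATH_INFO" ] == $script_name ) {
                      $_request_uri = $_SERVER[ "PATH_INFO" ];
                  } else {
                      $_request_uri = $script_name . $_SERVER[ "PATH_INFO" ];
                  }
              }
              if ( !empty( $_SERVER[ "QUERY_STRING" ] ) ) {
                  $_request_uri .= "?" . $_SERVER[ "QUERY_STRING" ];
              }
          }
      }
      # the "> 7" threshold is kept from the original; its rationale is not
      # documented anywhere visible - TODO confirm whether it is still wanted
      $env_request_uri = getenv( 'REQUEST_URI' );
      if ( false !== $env_request_uri && strlen( $env_request_uri ) > 7 ) {
         $_request_uri = $env_request_uri;
      }
      # only replace the existing value when something was actually found:
      # the original assigned unconditionally, which wiped a valid short
      # REQUEST_URI such as "/" on servers that never entered the branch above
      if ( $_request_uri !== "" ) {
          $_SERVER[ "REQUEST_URI" ] = $_request_uri;
      } elseif ( !isset( $_SERVER[ "REQUEST_URI" ] ) ) {
          $_SERVER[ "REQUEST_URI" ] = "";
      }
      # fix php.cgi in script_filename: the original compared strpos() (which
      # can be false) with strlen() - 7 using ==, an "ends with" test is what
      # was meant
      if ( isset( $_SERVER[ "SCRIPT_FILENAME" ] )
           && isset( $_SERVER[ "PATH_TRANSLATED" ] )
           && substr( $_SERVER[ "SCRIPT_FILENAME" ], -7 ) === "php.cgi" ) {
          $_SERVER[ "SCRIPT_FILENAME" ] = $_SERVER[ "PATH_TRANSLATED" ];
      }
  }
  # no closing "?>" tag: any whitespace after it would be sent as output
  # before the headers that senda404Header() and x_powered_by() try to set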