arriej/TSN-Ranksystem
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

release 1.2.11

Browse Source
This commit is contained in:
Newcomer1989
2018-09-27 19:24:17 +02:00
parent 1f30c15f57
commit ce3c88d833
50 changed files with 870 additions and 1076 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
webinterface/addon_assign_groups.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -44,17 +46,22 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
$assign_groups_active = 0;
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
$assign_groups_limit = $_POST['assign_groups_limit'];
$assign_groups_groupids = $_POST['assign_groups_groupids'];
if (isset($_POST['assign_groups_active'])) $assign_groups_active = 1;
@@ -68,9 +75,11 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$addons_config['assign_groups_groupids']['value'] = $_POST['assign_groups_groupids'];
$addons_config['assign_groups_limit']['value'] = $_POST['assign_groups_limit'];
$addons_config['assign_groups_active']['value'] = $assign_groups_active;
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -83,7 +92,7 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</div>
</div>
<form class="form-horizontal" data-toggle="validator" name="update" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="form-horizontal">
<div class="row">
<div class="col-md-3">

36
webinterface/admin_addtime.php
View File

@@ -1,4 +1,4 @@
<?PHP
<?PHP
ini_set('session.cookie_httponly', 1);
ini_set('session.use_strict_mode', 1);
if(in_array('sha512', hash_algos())) {
@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -41,13 +43,18 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if(!isset($_POST['number']) || $_POST['number'] == "yes") {
$_SESSION[$rspathhex.'showexcepted'] = "yes";
@@ -57,12 +64,11 @@ if(!isset($_POST['number']) || $_POST['number'] == "yes") {
$filter = "";
}
if(($dbuserdata = $mysqlcon->query("SELECT `uuid`,`cldbid`,`name` FROM `$dbname`.`user` $filter ORDER BY `name` ASC")) === false) {
if(($user_arr = $mysqlcon->query("SELECT `uuid`,`cldbid`,`name` FROM `$dbname`.`user` $filter ORDER BY `name` ASC")->fetchAll(PDO::FETCH_ASSOC)) === false) {
$err_msg = "DB Error1: ".print_r($mysqlcon->errorInfo(), true); $err_lvl = 3;
}
$user_arr = $dbuserdata->fetchAll(PDO::FETCH_ASSOC);
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
$setontime = 0;
if($_POST['setontime_day']) { $setontime = $setontime + $_POST['setontime_day'] * 86400; }
if($_POST['setontime_hour']) { $setontime = $setontime + $_POST['setontime_hour'] * 3600; }
@@ -87,9 +93,11 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$err_msg = substr($succmsg,0,-4); $err_lvl = NULL;
}
}
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -102,7 +110,7 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</div>
</div>
<form name="post" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="form-horizontal">
<div class="row">
<div class="col-md-3">
@@ -255,4 +263,4 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</div>
</div>
</body>
</html>
</html>

34
webinterface/admin_remtime.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -41,13 +43,18 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if(!isset($_POST['number']) || $_POST['number'] == "yes") {
$_SESSION[$rspathhex.'showexcepted'] = "yes";
@@ -57,12 +64,11 @@ if(!isset($_POST['number']) || $_POST['number'] == "yes") {
$filter = "";
}
if(($dbuserdata = $mysqlcon->query("SELECT `uuid`,`cldbid`,`name` FROM `$dbname`.`user` $filter ORDER BY `name` ASC")) === false) {
if(($user_arr = $mysqlcon->query("SELECT `uuid`,`cldbid`,`name` FROM `$dbname`.`user` $filter ORDER BY `name` ASC")->fetchAll(PDO::FETCH_ASSOC)) === false) {
$err_msg = "DB Error: ".print_r($mysqlcon->errorInfo(), true); $err_lvl = 3;
}
$user_arr = $dbuserdata->fetchAll(PDO::FETCH_ASSOC);
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
$setontime = 0;
if($_POST['setontime_day']) { $setontime = $setontime + $_POST['setontime_day'] * 86400; }
if($_POST['setontime_hour']) { $setontime = $setontime + $_POST['setontime_hour'] * 3600; }
@@ -88,9 +94,11 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$err_msg = substr($succmsg,0,-4); $err_lvl = NULL;
}
}
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -103,7 +111,7 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</div>
</div>
<form name="post" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="form-horizontal">
<div class="row">
<div class="col-md-3">
@@ -256,4 +264,4 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</div>
</div>
</body>
</html>
</html>

49
webinterface/bot.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -159,10 +161,9 @@ if (!isset($_SESSION[$rspathhex.'logfilter'])) {
$filters = explode(',', $_SESSION[$rspathhex.'logfilter']);
if (isset($_POST['logout'])) {
echo "logout";
rem_session_ts3($rspathhex);
rem_session_ts3($rspathhex);
header("Location: //".$_SERVER['HTTP_HOST'].rtrim(dirname($_SERVER['PHP_SELF']), '/\\'));
exit;
}
@@ -173,16 +174,28 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if ((isset($_POST['start']) || isset($_POST['stop']) || isset($_POST['restart']) || isset($_POST['logfilter'])) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if ((isset($_POST['start']) || isset($_POST['stop']) || isset($_POST['restart']) || isset($_POST['logfilter'])) && !isset($db_csrf[$_POST['csrf_token']])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
require_once('nav.php');
$logoutput = getlog($logpath,$number_lines,$filters,$filter2,$inactivefilter);
if (isset($_POST['start']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['start']) && isset($db_csrf[$_POST['csrf_token']])) {
if(substr(sprintf('%o', fileperms($logpath)), -3, 1)!='7') {
$err_msg = "!!!! Logs folder is not writable !!!!<br>Cancel start request!"; $err_lvl = 3;
} else {
@@ -205,14 +218,14 @@ if (isset($_POST['start']) && $_SESSION[$rspathhex.'username'] == $webuser && $_
}
}
if (isset($_POST['stop']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['stop']) && isset($db_csrf[$_POST['csrf_token']])) {
if (substr(php_uname(), 0, 7) == "Windows") {
$WshShell = new COM("WScript.Shell");
$oExec = $WshShell->Run("cmd /C ".$phpcommand." ".substr(__DIR__,0,-12)."\worker.php stop", 0, false);
file_put_contents(substr(__DIR__,0,-12)."\logs\autostart_deactivated");
file_put_contents(substr(__DIR__,0,-12)."\logs\autostart_deactivated","");
} else {
exec($phpcommand." ".substr(__DIR__,0,-12)."worker.php stop");
file_put_contents(substr(__DIR__,0,-12)."logs/autostart_deactivated");
file_put_contents(substr(__DIR__,0,-12)."logs/autostart_deactivated","");
}
$err_msg = $lang['wibot1'];
$err_lvl = 1;
@@ -220,7 +233,7 @@ if (isset($_POST['stop']) && $_SESSION[$rspathhex.'username'] == $webuser && $_S
$logoutput = getlog($logpath,$number_lines,$filters,$filter2,$inactivefilter);
}
if (isset($_POST['restart']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['restart']) && isset($db_csrf[$_POST['csrf_token']])) {
if(substr(sprintf('%o', fileperms($logpath)), -3, 1)!='7') {
$err_msg = "!!!! Logs folder is not writable !!!!<br>Cancel restart request!"; $err_lvl = 3;
} else {
@@ -244,13 +257,11 @@ if (isset($_POST['restart']) && $_SESSION[$rspathhex.'username'] == $webuser &&
}
$disabled = '';
if($ts['host'] == NULL || $ts['query'] == NULL || $ts['voice'] == NULL || $ts['user'] == NULL || $ts['pass'] == NULL || $queryname == NULL || $queryname2 == NULL || $grouptime == NULL || $logpath == NULL) {
if($ts['host'] == NULL || $ts['query'] == NULL || $ts['voice'] == NULL || $ts['user'] == NULL || $ts['pass'] == NULL || $queryname == NULL || $grouptime == NULL || $logpath == NULL) {
$disabled = 1;
$err_msg = $lang['wibot9'];
$err_lvl = 2;
}
$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -263,7 +274,7 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</div>
</div>
<form class="form-horizontal" name="start" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">&nbsp;</div>
<div class="row">
<div class="text-center">
@@ -275,7 +286,7 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
<div class="row">&nbsp;</div>
</form>
<form class="form-horizontal" name="stop" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">&nbsp;</div>
<div class="row">
<div class="text-center">
@@ -287,7 +298,7 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
<div class="row">&nbsp;</div>
</form>
<form class="form-horizontal" name="restart" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">&nbsp;</div>
<div class="row">
<div class="text-center">
@@ -306,7 +317,7 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</h4>
</div>
<form class="form-horizontal" name="logfilter" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="col-lg-2">
<div class="col-sm-12">
<?PHP if($filter2!=NULL) { ?>
@@ -383,4 +394,4 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</div>
</div>
</body>
</html>
</html>

29
webinterface/changepassword.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -77,15 +79,20 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['changepw']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (isset($_POST['changepw']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['changepw']) && isset($db_csrf[$_POST['csrf_token']])) {
$newpass = password_hash($_POST['newpwd1'], PASSWORD_DEFAULT);
if (!password_verify($_POST['oldpwd'], $webpass)) {
$err_msg = $lang['wichpw1']; $err_lvl = 3;
@@ -97,9 +104,11 @@ if (isset($_POST['changepw']) && $_SESSION[$rspathhex.'username'] == $webuser &&
enter_logfile($logpath,$timezone,3,sprintf($lang['wichpw3'],getclientip()));
$err_msg = $lang['wisvsuc']; $err_lvl = NULL;
}
} elseif(isset($_POST['changepw'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -113,7 +122,7 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
<div class="row">
<div class="col-xs-12">
<form id="resetForm" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="form-group">
<label for="password" class="control-label"><?PHP echo $lang['pass3']; ?>:</label>
<div class="input-group-justified">

38
webinterface/core.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -40,16 +42,20 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
$newcsrf = bin2hex(openssl_random_pseudo_bytes(32));
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
if(($groupslist = $mysqlcon->query("SELECT * FROM `$dbname`.`groups`")->fetchAll(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
enter_logfile($logpath,$timezone,1,"Select on DB failed for group check: ".print_r($mysqlcon->errorInfo(), true));
@@ -122,7 +128,7 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
} else {
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$newcsrf.'"><button
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$csrf_token.'"><button
type="submit" class="btn btn-primary" name="restart"><i class="fa fa-fw fa-refresh"></i>&nbsp;'.$lang['wibot7'].'</button></form>');
$err_lvl = NULL;
}
@@ -134,20 +140,22 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$config['exceptgroup'] = $_POST['exceptgroup'];
$config['exceptcid'] = $_POST['exceptcid'];
$config['boost'] = $_POST['boost'];
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
<div class="container-fluid">
<div class="row">
<div class="col-lg-12">
<h1 class="page-header"><?php echo $lang['wihlcfg']; ?></h1>
<h1 class="page-header"><?php echo $lang['winav3'],' ',$lang['wihlset']; ?></h1>
</div>
</div>
<form class="form-horizontal" data-toggle="validator" name="update" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">
<div class="col-md-6">
<div class="form-group">
@@ -438,7 +446,7 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<h4 class="modal-title"><?php echo $lang['cleanc']; ?></h4>
</div>
<div class="modal-body">
<?php echo $lang['cleancdesc']; ?>
<?php echo sprintf($lang['cleancdesc'], '<a href="https://ts-n.net/clientcleaner.php" target="_blank">https://ts-n.net/clientcleaner.php</a>'); ?>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal"><?PHP echo $lang['stnv0002']; ?></button>
@@ -509,4 +517,4 @@ $('form[data-toggle="validator"]').validator({
});
</script>
</body>
</html>
</html>

36
webinterface/db.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -40,16 +42,20 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
$newcsrf = bin2hex(openssl_random_pseudo_bytes(32));
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
$newconfig='<?php
$db[\'type\']=\''.$_POST['dbtype'].'\';
$db[\'host\']=\''.$_POST['dbhost'].'\';
@@ -66,7 +72,7 @@ $db[\'dbname\']=\''.$_POST['dbname'].'\';
$err_msg = sprintf($lang['widbcfgerr']);
$err_lvl = 3;
} else {
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$newcsrf.'"><button
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$csrf_token.'"><button
type="submit" class="btn btn-primary" name="restart"><i class="fa fa-fw fa-refresh"></i>&nbsp;'.$lang['wibot7'].'</button></form>');
$err_lvl = 0;
$db['type'] = $_POST['dbtype'];
@@ -80,9 +86,11 @@ $db[\'dbname\']=\''.$_POST['dbname'].'\';
$err_msg = sprintf($lang['widbcfgerr']);
$err_lvl = 3;
}
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -90,12 +98,12 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<div class="row">
<div class="col-lg-12">
<h1 class="page-header">
<?php echo $lang['wihldb']; ?>
<?php echo $lang['winav2'],' ',$lang['wihlset']; ?>
</h1>
</div>
</div>
<form class="form-horizontal" data-toggle="validator" name="update" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">
<div class="col-md-3">
</div>
@@ -184,7 +192,7 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<h4 class="modal-title"><?php echo $lang['isntwidbtype']; ?></h4>
</div>
<div class="modal-body">
<?php echo $lang['isntwidbtypedesc']; ?>
<?php echo sprintf($lang['isntwidbtypedesc'], '<a href="https://ts-n.net/ranksystem.php#requirements" target="_blank">https://ts-n.net/ranksystem.php#requirements</a>'); ?>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal"><?PHP echo $lang['stnv0002']; ?></button>

8
webinterface/index.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -61,10 +63,9 @@ function getclientip() {
return false;
}
if(($last_access = $mysqlcon->query("SELECT `last_access`,`count_access` FROM `$dbname`.`config`")) === false) {
if(($last_access = $mysqlcon->query("SELECT `last_access`,`count_access` FROM `$dbname`.`config`")->fetchAll()) === false) {
$err_msg .= print_r($mysqlcon->errorInfo(), true);
}
$last_access = $last_access->fetchAll();
if(($last_access[0]['last_access'] + 1) >= time()) {
$again = $last_access[0]['last_access'] + 2 - time();
@@ -81,7 +82,6 @@ if(($last_access[0]['last_access'] + 1) >= time()) {
$_SESSION[$rspathhex.'password'] = $webpass;
$_SESSION[$rspathhex.'clientip'] = getclientip();
$_SESSION[$rspathhex.'newversion'] = $newversion;
$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
enter_logfile($logpath,$timezone,6,sprintf($lang['brute2'], getclientip()));
if($mysqlcon->exec("UPDATE `$dbname`.`config` SET `count_access`='0'") === false) { }
header("Location: //".$_SERVER['HTTP_HOST'].rtrim(dirname($_SERVER['PHP_SELF']), '/\\')."/bot.php");

36
webinterface/msg.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -40,16 +42,20 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
$newcsrf = bin2hex(openssl_random_pseudo_bytes(32));
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
$rankupmsg = addslashes($_POST['rankupmsg']);
$servernews = addslashes($_POST['servernews']);
$nextupinfomsg1 = addslashes($_POST['nextupinfomsg1']);
@@ -61,7 +67,7 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
} else {
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$newcsrf.'"><button
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$csrf_token.'"><button
type="submit" class="btn btn-primary" name="restart"><i class="fa fa-fw fa-refresh"></i>&nbsp;'.$lang['wibot7'].'</button></form>');
$err_lvl = NULL;
}
@@ -70,9 +76,11 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$nextupinfomsg1 = $_POST['nextupinfomsg1'];
$nextupinfomsg2 = $_POST['nextupinfomsg2'];
$nextupinfomsg3 = $_POST['nextupinfomsg3'];
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -80,12 +88,12 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<div class="row">
<div class="col-lg-12">
<h1 class="page-header">
<?php echo $lang['wihlmsg']; ?>
<?php echo $lang['winav5'],' ',$lang['wihlset']; ?>
</h1>
</div>
</div>
<form class="form-horizontal" name="update" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">
<div class="col-md-6">
<div class="panel panel-default">
@@ -190,7 +198,7 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<h4 class="modal-title"><?php echo $lang['wimsgmsg']; ?></h4>
</div>
<div class="modal-body">
<?php echo $lang['wimsgmsgdesc']; ?>
<?php echo sprintf($lang['wimsgmsgdesc'], '<a href="https://ts-n.net/lexicon.php?showid=97#lexindex" target="_blank">https://ts-n.net/lexicon.php?showid=97#lexindex</a>'); ?>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal"><?PHP echo $lang['stnv0002']; ?></button>

18
webinterface/nav.php
View File

@@ -26,17 +26,17 @@ if((time() - $job_check['last_update']['timestamp']) < 259200 && !isset($_SESSIO
});
});
$(function() {
$('#password').password().on('show.bs.password', function(e) {
$('#eventLog').text('On show event');
$('#methods').prop('checked', true);
}).on('hide.bs.password', function(e) {
$('#password').password().on('show.bs.password', function(e) {
$('#eventLog').text('On show event');
$('#methods').prop('checked', true);
}).on('hide.bs.password', function(e) {
$('#eventLog').text('On hide event');
$('#methods').prop('checked', false);
});
$('#methods').click(function() {
$('#password').password('toggle');
});
});
$('#methods').click(function() {
$('#password').password('toggle');
});
});
$(function() {
$("ul.dropdown-menu").on("click", "[data-keepOpenOnClick]", function(e) {
e.stopPropagation();
@@ -49,7 +49,7 @@ if((time() - $job_check['last_update']['timestamp']) < 259200 && !isset($_SESSIO
<nav class="navbar navbar-inverse navbar-fixed-top">
<div class="navbar-header">
<a class="navbar-brand" href="index.php">TSN Ranksystem - Webinterface <?PHP echo $currvers;?></a>
<?PHP if(isset($_SESSION[$rspathhex.'newversion']) && version_compare(substr($_SESSION[$rspathhex.'newversion'], 0, 5), substr($currvers, 0, 5), '>') && $_SESSION[$rspathhex.'newversion'] != '') {
<?PHP if(isset($_SESSION[$rspathhex.'newversion']) && version_compare($_SESSION[$rspathhex.'newversion'], $currvers, '>') && $_SESSION[$rspathhex.'newversion'] != '') {
echo '<a class="navbar-brand" href="//ts-n.net/ranksystem.php?changelog" target="_blank">'.$lang['winav9'].' ['.$_SESSION[$rspathhex.'newversion'].']</a>';
} ?>
</div>

37
webinterface/other.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -29,8 +31,6 @@ function getclientip() {
return false;
}
$newcsrf = bin2hex(openssl_random_pseudo_bytes(32));
if (isset($_POST['logout'])) {
rem_session_ts3($rspathhex);
header("Location: //".$_SERVER['HTTP_HOST'].rtrim(dirname($_SERVER['PHP_SELF']), '/\\'));
@@ -42,13 +42,20 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
if (isset($_POST['iphash'])) {
if($iphash != 1) {
$err_msg2 = $lang['wisvinfo1'];
@@ -72,7 +79,7 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
} else {
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$newcsrf.'"><button
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$csrf_token.'"><button
type="submit" class="btn btn-primary" name="restart"><i class="fa fa-fw fa-refresh"></i>&nbsp;'.$lang['wibot7'].'</button></form>');
$err_lvl = NULL;
}
@@ -101,11 +108,11 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
} elseif($language == "pt") {
require_once(substr(dirname(__FILE__),0,-12).'languages/core_pt.php');
}
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
require_once('nav.php');
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -114,12 +121,12 @@ require_once('nav.php');
<div class="row">
<div class="col-lg-12">
<h1 class="page-header">
<?php echo $lang['wihlvs']; ?>
<?php echo $lang['winav4'],' ',$lang['wihlset']; ?>
</h1>
</div>
</div>
<form class="form-horizontal" data-toggle="validator" name="update" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">
<div class="col-md-6">
<div class="form-group">

75
webinterface/resetpassword.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -66,30 +68,40 @@ function getclientip() {
return false;
}
if(($last_access = $mysqlcon->query("SELECT `last_access`,`count_access` FROM `$dbname`.`config`")) === false) {
if(($last_access = $mysqlcon->query("SELECT `last_access`,`count_access` FROM `$dbname`.`config`")->fetchAll()) === false) {
$err_msg .= print_r($mysqlcon->errorInfo(), true);
}
$last_access = $last_access->fetchAll();
if (isset($_POST['resetpw']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (($last_access[0]['last_access'] + 1) >= time()) {
$again = $last_access[0]['last_access'] + 2 - time();
$err_msg = sprintf($lang['errlogin2'],$again);
$err_lvl = 3;
} elseif (isset($_POST['resetpw']) && ($adminuuid==NULL || count($adminuuid) == 0)) {
} elseif (isset($_POST['resetpw']) && isset($db_csrf[$_POST['csrf_token']]) && ($adminuuid==NULL || count($adminuuid) == 0)) {
$err_msg = $lang['wirtpw1']; $err_lvl=3;
} elseif (isset($_POST['resetpw']) && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
} elseif (isset($_POST['resetpw']) && isset($db_csrf[$_POST['csrf_token']])) {
$nowtime = time();
if($mysqlcon->exec("UPDATE `$dbname`.`config` SET `last_access`='$nowtime',`count_access`=`count_access` + 1") === false) { }
require_once(substr(__DIR__,0,-12).'libs/ts3_lib/TeamSpeak3.php');
try {
$ts3 = TeamSpeak3::factory("serverquery://".$ts['user'].":".$ts['pass']."@".$ts['host'].":".$ts['query']."/?server_port=".$ts['voice']."&blocking=0");
if($ts['tsencrypt'] == 1) {
$ts3 = TeamSpeak3::factory("serverquery://".rawurlencode($ts['user']).":".rawurlencode($ts['pass'])."@".$ts['host'].":".$ts['query']."/?server_port=".$ts['voice']."&ssh=1");
} else {
$ts3 = TeamSpeak3::factory("serverquery://".rawurlencode($ts['user']).":".rawurlencode($ts['pass'])."@".$ts['host'].":".$ts['query']."/?server_port=".$ts['voice']."&blocking=0");
}
try {
usleep($slowmode);
@@ -99,13 +111,27 @@ if (($last_access[0]['last_access'] + 1) >= time()) {
usleep($slowmode);
$allclients = $ts3->clientList();
$adminuuid_flipped = array_flip($adminuuid);
$pwd = substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#*+;:-_~?=%&$<24>!()"),0,12);
$webpass = password_hash($pwd, PASSWORD_DEFAULT);
foreach ($allclients as $client) {
if(in_array($client['client_unique_identifier'] , $adminuuid)) {
$uuid = $client['client_unique_identifier'];
$checkuuid = 1;
if($client['connection_client_ip'] == getclientip()) {
$checkip = 1;
if($mysqlcon->exec("UPDATE `$dbname`.`config` SET `webpass`='$webpass',`last_access`='0'") === false) {
$err_msg = $lang['isntwidbmsg'].print_r($mysqlcon->errorInfo(), true); $err_lvl = 3;
} else {
try {
usleep($slowmode);
$ts3->clientGetByUid($client['client_unique_identifier'])->message(sprintf($lang['wirtpw4'], $webuser, $pwd, '[URL=http'.(!empty($_SERVER['HTTPS'])?"s":"").'://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).']','[/URL]'));
$err_msg = sprintf($lang['wirtpw5'],'<a href="http'.(!empty($_SERVER['HTTPS'])?"s":"").'://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/">','</a>'); $err_lvl = 1;
enter_logfile($logpath,$timezone,3,sprintf($lang['wirtpw6'],getclientip()));
} catch (Exception $e) {
$err_msg = $lang['errorts3'].$e->getCode().': '.$e->getMessage(); $err_lvl = 3;
}
}
}
}
}
@@ -114,30 +140,15 @@ if (($last_access[0]['last_access'] + 1) >= time()) {
$err_msg = $lang['wirtpw2']; $err_lvl = 3;
} elseif (!isset($checkip)) {
$err_msg = $lang['wirtpw3']; $err_lvl = 3;
} else {
usleep($slowmode);
$pwd = substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789#*+;:-_~?=%&$<24>!()"),0,12);
$webpass = password_hash($pwd, PASSWORD_DEFAULT);
if($mysqlcon->exec("UPDATE `$dbname`.`config` SET `webpass`='$webpass',`last_access`='0'") === false) {
$err_msg = $lang['isntwidbmsg'].print_r($mysqlcon->errorInfo(), true); $err_lvl = 3;
} else {
try {
$ts3->clientGetByUid($uuid)->message(sprintf($lang['wirtpw4'], $webuser, $pwd, '[URL=http'.(!empty($_SERVER['HTTPS'])?"s":"").'://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).']','[/URL]'));
$err_msg = sprintf($lang['wirtpw5'],'<a href="http'.(!empty($_SERVER['HTTPS'])?"s":"").'://'.$_SERVER['SERVER_NAME'].dirname($_SERVER['SCRIPT_NAME']).'/">','</a>'); $err_lvl = 1;
enter_logfile($logpath,$timezone,3,sprintf($lang['wirtpw6'],getclientip()));
} catch (Exception $e) {
$err_msg = 'TeamSpeak '.$lang['error'].$e->getCode().': '.$e->getMessage(); $err_lvl = 3;
}
}
}
} catch (Exception $e) {
$err_msg = 'TeamSpeak '.$lang['error'].$e->getCode().': '.$e->getMessage(); $err_lvl = 3;
$err_msg = $lang['errorts3'].$e->getCode().': '.$e->getMessage(); $err_lvl = 3;
}
} elseif(isset($_POST['resetpw'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
require_once('nav.php');
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -151,7 +162,7 @@ require_once('nav.php');
<div class="row">
<div class="col-xs-12">
<form id="resetForm" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<p><?PHP echo $lang['wirtpw8']; ?></p>
<p><?PHP echo $lang['wirtpw9']; ?>
<ul>

34
webinterface/stats.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -40,16 +42,20 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
if (isset($_POST['showexcld'])) $showexcld = 1; else $showexcld = 0;
if (isset($_POST['showcolrg'])) $showcolrg = 1; else $showcolrg = 0;
if (isset($_POST['showcolcld'])) $showcolcld = 1; else $showcolcld = 0;
@@ -72,9 +78,11 @@ if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $
$err_msg = $lang['wisvsuc'];
$err_lvl = NULL;
}
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -82,12 +90,12 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
<div class="row">
<div class="col-lg-12">
<h1 class="page-header">
<?php echo $lang['wihlsty']; ?>
<?php echo $lang['winav6'],' ',$lang['wihlset']; ?>
</h1>
</div>
</div>
<form class="form-horizontal" name="update" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">
<div class="col-md-6">
<div class="panel panel-default">
@@ -502,4 +510,4 @@ $_SESSION[$rspathhex.'csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
</div>
</div>
</body>
</html>
</html>

103
webinterface/ts.php
View File

@@ -6,7 +6,9 @@ if(in_array('sha512', hash_algos())) {
}
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") {
ini_set('session.cookie_secure', 1);
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
if(!headers_sent()) {
header("Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;");
}
}
session_start();
@@ -40,44 +42,49 @@ if (!isset($_SESSION[$rspathhex.'username']) || $_SESSION[$rspathhex.'username']
exit;
}
if (isset($_POST['update']) && $_POST['csrf_token'] != $_SESSION[$rspathhex.'csrf_token']) {
echo $lang['errcsrf'];
rem_session_ts3($rspathhex);
exit;
require_once('nav.php');
$csrf_token = bin2hex(openssl_random_pseudo_bytes(32));
if ($mysqlcon->exec("INSERT INTO `$dbname`.`csrf_token` (`token`,`timestamp`,`sessionid`) VALUES ('$csrf_token','".time()."','".session_id()."')") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
require_once('nav.php');
$newcsrf = bin2hex(openssl_random_pseudo_bytes(32));
if (($db_csrf = $mysqlcon->query("SELECT * FROM `$dbname`.`csrf_token` WHERE `sessionid`='".session_id()."'")->fetchALL(PDO::FETCH_UNIQUE|PDO::FETCH_ASSOC)) === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
}
if (isset($_POST['update']) && $_SESSION[$rspathhex.'username'] == $webuser && $_SESSION[$rspathhex.'password'] == $webpass && $_SESSION[$rspathhex.'clientip'] == getclientip() && $_POST['csrf_token'] == $_SESSION[$rspathhex.'csrf_token']) {
$tshost = $_POST['tshost'];
$tsquery = $_POST['tsquery'];
if (isset($_POST['update']) && isset($db_csrf[$_POST['csrf_token']])) {
$tshost = $_POST['tshost'];
$tsquery = $_POST['tsquery'];
if (isset($_POST['tsencrypt'])) $tsencrypt = 1; else $tsencrypt = 0;
$tsvoice = $_POST['tsvoice'];
$tsuser = $_POST['tsuser'];
$tspass = $_POST['tspass'];
$queryname = $_POST['queryname'];
$queryname2 = $_POST['queryname2'];
$defchid = $_POST['defchid'];
$slowmode = $_POST['slowmode'];
$tsvoice = $_POST['tsvoice'];
$tsuser = $_POST['tsuser'];
$tspass = $_POST['tspass'];
$queryname = $_POST['queryname'];
$defchid = $_POST['defchid'];
$slowmode = $_POST['slowmode'];
$avatar_delay= $_POST['avatar_delay'];
if ($mysqlcon->exec("UPDATE `$dbname`.`config` SET `tshost`='$tshost',`tsencrypt`='$tsencrypt',`tsquery`='$tsquery',`tsvoice`='$tsvoice',`tsuser`='$tsuser',`tspass`='$tspass',`queryname`='$queryname',`queryname2`='$queryname2',`slowmode`='$slowmode',`defchid`='$defchid',`avatar_delay`='$avatar_delay'") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
if ($mysqlcon->exec("UPDATE `$dbname`.`config` SET `tshost`='$tshost',`tsencrypt`='$tsencrypt',`tsquery`='$tsquery',`tsvoice`='$tsvoice',`tsuser`='$tsuser',`tspass`='$tspass',`queryname`='$queryname',`slowmode`='$slowmode',`defchid`='$defchid',`avatar_delay`='$avatar_delay'; DELETE FROM `$dbname`.`csrf_token` WHERE `token`='".$_POST['csrf_token']."'") === false) {
$err_msg = print_r($mysqlcon->errorInfo(), true);
$err_lvl = 3;
} else {
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$newcsrf.'"><button
} else {
$err_msg = $lang['wisvsuc']." ".sprintf($lang['wisvres'], '&nbsp;&nbsp;<form class="btn-group" name="restart" action="bot.php" method="POST"><input type="hidden" name="csrf_token" value="'.$csrf_token.'"><button
type="submit" class="btn btn-primary" name="restart"><i class="fa fa-fw fa-refresh"></i>&nbsp;'.$lang['wibot7'].'</button></form>');
$err_lvl = NULL;
}
}
$ts['host'] = $_POST['tshost'];
$ts['query'] = $_POST['tsquery'];
$ts['tsencrypt']= $tsencrypt;
$ts['voice'] = $_POST['tsvoice'];
$ts['user'] = $_POST['tsuser'];
$ts['pass'] = $_POST['tspass'];
} elseif(isset($_POST['update'])) {
echo '<div class="alert alert-danger alert-dismissible">',$lang['errcsrf'],'</div>';
rem_session_ts3($rspathhex);
exit;
}
$_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
?>
<div id="page-wrapper">
<?PHP if(isset($err_msg)) error_handling($err_msg, $err_lvl); ?>
@@ -85,12 +92,12 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<div class="row">
<div class="col-lg-12">
<h1 class="page-header">
<?php echo $lang['wihlts']; ?>
<?php echo $lang['winav1'],' ',$lang['wihlset']; ?>
</h1>
</div>
</div>
<form class="form-horizontal" data-toggle="validator" name="update" method="POST">
<input type="hidden" name="csrf_token" value="<?PHP echo $_SESSION[$rspathhex.'csrf_token']; ?>">
<input type="hidden" name="csrf_token" value="<?PHP echo $csrf_token; ?>">
<div class="row">
<div class="col-md-6">
<div class="panel panel-default">
@@ -166,25 +173,15 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
</div>
</div>
<div class="col-md-6 ">
<div class="panel panel-default">
<div class="panel-body">
<div class="form-group">
<label class="col-sm-4 control-label" data-toggle="modal" data-target="#wits3qnmdesc"><?php echo $lang['wits3qnm']; ?><i class="help-hover glyphicon glyphicon-question-sign"></i></label>
<div class="col-sm-8 required-field-block">
<input type="text" class="form-control" name="queryname" value="<?php echo $queryname; ?>" maxlength="30" required>
<div class="required-icon"><div class="text">*</div></div>
</div>
</div>
<div class="form-group">
<label class="col-sm-4 control-label" data-toggle="modal" data-target="#wits3qnm2desc"><?php echo $lang['wits3qnm2']; ?><i class="help-hover glyphicon glyphicon-question-sign"></i></label>
<div class="col-sm-8 required-field-block">
<input type="text" class="form-control" name="queryname2" value="<?php echo $queryname2; ?>" maxlength="30" required>
<div class="required-icon"><div class="text">*</div></div>
</div>
<div class="panel-body">
<div class="form-group">
<label class="col-sm-4 control-label" data-toggle="modal" data-target="#wits3qnmdesc"><?php echo $lang['wits3qnm']; ?><i class="help-hover glyphicon glyphicon-question-sign"></i></label>
<div class="col-sm-8 required-field-block">
<input type="text" class="form-control" name="queryname" value="<?php echo $queryname; ?>" maxlength="30" required>
<div class="required-icon"><div class="text">*</div></div>
</div>
</div>
</div>
<div class="row">&nbsp;</div>
<div class="form-group">
<label class="col-sm-4 control-label" data-toggle="modal" data-target="#wits3dchdesc"><?php echo $lang['wits3dch']; ?><i class="help-hover glyphicon glyphicon-question-sign"></i></label>
<div class="col-sm-8">
@@ -268,7 +265,7 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<h4 class="modal-title"><?php echo $lang['wits3encrypt']; ?></h4>
</div>
<div class="modal-body">
<?php echo $lang['wits3encryptdesc']; ?>
<?php echo sprintf($lang['wits3encryptdesc'], '<pre>sudo apt-get install php-ssh2</pre>', '<pre>query_ssh_ip=0.0.0.0,::<br>query_ssh_port=10022<br>query_protocols=ssh,raw<br>query_ssh_rsa_host_key=ssh_host_rsa_key</pre>'); ?>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal"><?PHP echo $lang['stnv0002']; ?></button>
@@ -316,7 +313,7 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<h4 class="modal-title"><?php echo $lang['wits3querusr']; ?></h4>
</div>
<div class="modal-body">
<?php echo $lang['wits3querusrdesc']; ?>
<?php echo sprintf($lang['wits3querusrdesc'], '<a href="https://ts-n.net/ranksystem.php#requirements" target="_blank">https://ts-n.net/ranksystem.php#requirements</a>'); ?>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal"><?PHP echo $lang['stnv0002']; ?></button>
@@ -356,22 +353,6 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
</div>
</div>
</div>
<div class="modal fade" id="wits3qnm2desc" tabindex="-1">
<div class="modal-dialog">
<div class="modal-content">
<div class="modal-header">
<button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
<h4 class="modal-title"><?php echo $lang['wits3qnm2']; ?></h4>
</div>
<div class="modal-body">
<?php echo $lang['wits3qnm2desc']; ?>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal"><?PHP echo $lang['stnv0002']; ?></button>
</div>
</div>
</div>
</div>
<div class="modal fade" id="wits3dchdesc" tabindex="-1">
<div class="modal-dialog">
<div class="modal-content">
@@ -396,7 +377,7 @@ $_SESSION[$rspathhex.'csrf_token'] = $newcsrf;
<h4 class="modal-title"><?php echo $lang['wits3sm']; ?></h4>
</div>
<div class="modal-body">
<?php echo $lang['wits3smdesc']; ?>
<?php echo sprintf($lang['wits3smdesc'], '<pre>disabled (0,0) 0,10<br>low delay (0,2) 2,60<br>middle delay (0,5) 6,50<br>high delay (1,0) 13,00<br>huge delay (2,0) 26,00<br>ultra delay (5,0) 65,00</pre>'); ?>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-default" data-dismiss="modal"><?PHP echo $lang['stnv0002']; ?></button>