Update member.class.php
CSRF Vulnerability Fixed by Ben Khlifa Fahmi (https://www.benkhlifa.com/) from the Tunisian Whitehats Security
pull/50/head
parent
f249cef058
commit
de6de027d1
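--- a/member.class.php
+++ b/member.class.php
@@ -1,107 +1,138 @@
 <?php
 /*
 * @link http://www.kalcaddle.com/
 * @author warlee | e-mail:kalcaddle@qq.com
 * @copyright warlee 2014.(Shanghai)Co.,Ltd
 * @license http://kalcaddle.com/tools/licenses/license.txt
-*/
+* @Security : Ben Khlifa Fahmi - Tunisian Whitehats Security / https://www.benkhlifa.com/
+*/
 
-class member extends Controller{
+class member extends Controller
+{
 private $sql;
-function __construct() {
+function __construct()
+{
 parent::__construct();
-$this->tpl = TEMPLATE.'member/';
-$this->sql=new fileCache(USER_SYSTEM.'member.php');
+$this->tpl = TEMPLATE . 'member/';
+$this->sql = new fileCache(USER_SYSTEM . 'member.php');
 }
 
 /**
 * 获取用户列表数据
 */
-public function get() {
+public function get()
+{
 show_json($this->sql->get());
 }
 /**
 * 用户添加
 */
-public function add(){
-if (!$this->in['name'] ||
-!$this->in['password'] ||
-!$this->in['role'] ) show_json($this->L["data_not_full"],false);
-$this->in['name'] = rawurldecode($this->in['name']);
-$this->in['password'] = rawurldecode($this->in['password']);
-$user = array(
-'name' => rawurldecode($this->in['name']),
-'password' => md5(rawurldecode($this->in['password'])),
-'role' => $this->in['role'],
-'status' => 0,
-);
-if ($this->sql->add($this->in['name'],$user)) {
-$this->_initUser($this->in['name']);
-show_json($this->L['success']);
+public function add()
+{
+if (!$this->in['name'] || !$this->in['password'] || !$this->in['role'])
+show_json($this->L["data_not_full"], false);
+if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
+if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
+$this->in['name'] = rawurldecode($this->in['name']);
+$this->in['password'] = rawurldecode($this->in['password']);
+$user = array(
+'name' => rawurldecode($this->in['name']),
+'password' => md5(rawurldecode($this->in['password'])),
+'role' => $this->in['role'],
+'status' => 0
+);
+if ($this->sql->add($this->in['name'], $user)) {
+$this->_initUser($this->in['name']);
+show_json($referer);
+}
+show_json($this->L['error_repeat'], false);
+}
+} else {
+header('Location: 403.php');
 }
-show_json($this->L['error_repeat'],false);
 }
 
 /**
 * 编辑
 */
-public function edit() {
-if (!$this->in['name'] ||
-!$this->in['name_to'] ||
-!$this->in['role_to'] ) show_json($this->L["data_not_full"],false);
-$this->in['name'] = rawurldecode($this->in['name']);
-$this->in['name_to'] = rawurldecode($this->in['name_to']);
-$this->in['password_to'] = rawurldecode($this->in['password_to']);
-if ($this->in['name'] == 'admin') show_json($this->L['default_user_can_not_do'],false);
-//查找到一条记录,修改为该数组
-$user = $this->sql->get($this->in['name']);
-$user['name'] = $this->in['name_to'];
-$user['role'] = $this->in['role_to'];
-if (strlen($this->in['password_to'])>=1) {
-$user['password'] = md5($this->in['password_to']);
+public function edit()
+{
+if (!$this->in['name'] || !$this->in['name_to'] || !$this->in['role_to'])
+show_json($this->L["data_not_full"], false);
+if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
+if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
+
+$this->in['name'] = rawurldecode($this->in['name']);
+$this->in['name_to'] = rawurldecode($this->in['name_to']);
+$this->in['password_to'] = rawurldecode($this->in['password_to']);
+if ($this->in['name'] == 'admin')
+show_json($this->L['default_user_can_not_do'], false);
+
+//查找到一条记录,修改为该数组
+$user = $this->sql->get($this->in['name']);
+$user['name'] = $this->in['name_to'];
+$user['role'] = $this->in['role_to'];
 
+if (strlen($this->in['password_to']) >= 1) {
+$user['password'] = md5($this->in['password_to']);
+}
+if ($this->sql->replace_update($this->in['name'], $user['name'], $user)) {
+rename(USER_PATH . $this->in['name'], USER_PATH . $this->in['name_to']);
+show_json($this->L['success']);
+}
+show_json($this->L['error_repeat'], false);
+}
+} else {
+header('Location: 403.php');
 }
-if($this->sql->replace_update($this->in['name'],$user['name'],$user)){
-rename(USER_PATH.$this->in['name'],USER_PATH.$this->in['name_to']);
-show_json($this->L['success']);
-}
-show_json($this->L['error_repeat'],false);
 }
 
 /**
 * 删除
 */
-public function del() {
+public function del()
+{
 $name = $this->in['name'];
-if (!$name) show_json($this->L["username_can_not_null"],false);
-if ($name == 'admin') show_json($this->L['default_user_can_not_do'],false);
-if($this->sql->delete($name)){
-del_dir(USER_PATH.$name.'/');
-show_json($this->L['success']);
+if (!$name)
+show_json($this->L["username_can_not_null"], false);
+if ($name == 'admin')
+show_json($this->L['default_user_can_not_do'], false);
+if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]) {
+if (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest') {
 
+if ($this->sql->delete($name)) {
+del_dir(USER_PATH . $name . '/');
+show_json($this->L['success']);
+}
+show_json($this->L['error'], false);
+}
+} else {
+header('Location: 403.html');
 }
-show_json($this->L['error'],false);
 }
 
 //============内部处理函数=============
 /**
 *初始化用户数据和配置。
 */
-public function _initUser($name){
-$root = array('home','recycle','data');
+public function _initUser($name)
+{
+$root = array(
+'home',
+'recycle',
+'data'
+);
 $new_user_folder = $this->config['setting_system']['new_user_folder'];
-$home = explode(',',$new_user_folder);
+$home = explode(',', $new_user_folder);
 
-$user_path = USER_PATH.$name.'/';
+$user_path = USER_PATH . $name . '/';
 mk_dir($user_path);
 foreach ($root as $dir) {
-mk_dir($user_path.$dir);
+mk_dir($user_path . $dir);
 }
 foreach ($home as $dir) {
-mk_dir($user_path.'home/'.$dir);
+mk_dir($user_path . 'home/' . $dir);
 }
-fileCache::save($user_path.'data/config.php',$this->config['setting_default']);
+fileCache::save($user_path . 'data/config.php', $this->config['setting_default']);
 }
 }
 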
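Review bot: `show_json($referer);` in the success branch of add() (right after `_initUser`) reads `$referer`, which is never assigned anywhere in the method, so a successful add now emits an undefined-variable notice and an empty response instead of the message the old code returned; restore it as `show_json($this->L['success']);`. The outer guard `if ($_SERVER['HTTP_REFERER'] != $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"])` in add(), edit() and del() does not enforce same-origin: a Referer value carries a scheme, so it never equals host+path, the `!=` branch is taken for every request including cross-site ones, and `$_SERVER['HTTP_REFERER']` is undefined when the header is absent. The only thing in the new code that actually rejects a cross-site form post is the `X-Requested-With: XMLHttpRequest` test; that is a custom-header heuristic, not a substitute for a per-session CSRF token verified with `hash_equals()` on each of these state-changing actions, and the guard should be written once in a private helper rather than copied three times. `header('Location: 403.php')` is not followed by `exit;` in any of the three methods, and del() redirects to `403.html` while add()/edit() use `403.php` — pick one target and terminate after the redirect.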