diff -r de56132c008d -r bdac73ed481e includes/common.php --- a/includes/common.php Sun Mar 28 21:49:26 2010 -0400 +++ b/includes/common.php Sun Mar 28 23:10:46 2010 -0400 @@ -22,13 +22,13 @@ // Make sure we don't have an attempt to inject globals (register_globals on) if ( isset($_REQUEST['GLOBALS']) ) { - ?> -
Hacking attempt using PHP $GLOBALS overwrite vulnerability detected, reported to admin
You're worse than this guy! Unless you are this guy...
You been f***ed by Enano | valid XHTML 1.1
- +Hacking attempt using PHP $GLOBALS overwrite vulnerability detected, reported to admin
You're worse than this guy! Unless you are this guy...
You been f***ed by Enano | valid XHTML 1.1
+ Your web browser did not provide the HTTP Host: field. This site requires a modern browser that supports the HTTP 1.1 standard.'); + grinding_halt('Cannot get hostname', 'Your web browser did not provide the HTTP Host: field. This site requires a modern browser that supports the HTTP 1.1 standard.
'); // // END BACKGROUND AND ENVIRONMENT CHECKS @@ -212,7 +212,7 @@ @include(ENANO_ROOT . $config_file); unset($dbuser, $dbpasswd); if ( !isset($dbdriver) ) - $dbdriver = 'mysql'; + $dbdriver = 'mysql'; $db = new $dbdriver(); $db->connect(); @@ -229,18 +229,18 @@ // Build the list of system tables (this is mostly done in constants.php, but that's before table_prefix is known) if ( defined('table_prefix') && !defined('ENANO_TABLELIST_PREFIXED') ) { - define('ENANO_TABLELIST_PREFIXED', 1); - foreach ( $system_table_list as $i => $_ ) - { - $system_table_list[$i] = table_prefix . $system_table_list[$i]; - } + define('ENANO_TABLELIST_PREFIXED', 1); + foreach ( $system_table_list as $i => $_ ) + { + $system_table_list[$i] = table_prefix . $system_table_list[$i]; + } } // Select and fetch the site configuration $e = $db->sql_query('SELECT config_name, config_value FROM '.table_prefix.'config;'); if ( !$e ) { - $db->_die('Some critical configuration information could not be selected.'); + $db->_die('Some critical configuration information could not be selected.'); } // Used in die_semicritical to figure out whether to call getConfig() or not define('ENANO_CONFIG_FETCHED', ''); @@ -249,7 +249,7 @@ $enano_config = Array(); while($r = $db->fetchrow()) { - $enano_config[$r['config_name']] = $r['config_value']; + $enano_config[$r['config_name']] = $r['config_value']; } $db->free_result(); @@ -258,22 +258,22 @@ if ( defined('ENANO_EXIT_AFTER_CONFIG') ) { - return true; + return true; } // Now that we have the config, check the Enano version. if ( enano_version(false, true) != $version && !defined('IN_ENANO_UPGRADE') ) { - grinding_halt('Version mismatch', 'It seems that the Enano release we\'re trying to run ('.$version.') is different from the version specified in your database ('.enano_version().'). Perhaps you need to upgrade?
'); + grinding_halt('Version mismatch', 'It seems that the Enano release we\'re trying to run ('.$version.') is different from the version specified in your database ('.enano_version().'). Perhaps you need to upgrade?
'); } // Set our CDN path if ( !defined('cdnPath') ) { - $cdnpath = getConfig('cdn_path', scriptPath); - if ( empty($cdnpath) ) - $cdnpath = scriptPath; - define('cdnPath', $cdnpath); + $cdnpath = getConfig('cdn_path', scriptPath); + if ( empty($cdnpath) ) + $cdnpath = scriptPath; + define('cdnPath', $cdnpath); } // @@ -283,47 +283,47 @@ // If the AES key size has been changed, bail out and fast if ( !getConfig('aes_key_size') ) { - setConfig('aes_key_size', AES_BITS); + setConfig('aes_key_size', AES_BITS); } else if ( $ks = getConfig('aes_key_size') ) { - if ( intval($ks) != AES_BITS ) - { - grinding_halt('AES key size changed', 'Enano has detected that the AES key size in constants.php has been changed. This change cannot be performed after installation, otherwise the private key would have to be re-generated and all passwords would have to be re-encrypted.
Please change the key size back to ' . $ks . ' bits and reload this page.
'); - } + if ( intval($ks) != AES_BITS ) + { + grinding_halt('AES key size changed', 'Enano has detected that the AES key size in constants.php has been changed. This change cannot be performed after installation, otherwise the private key would have to be re-generated and all passwords would have to be re-encrypted.
Please change the key size back to ' . $ks . ' bits and reload this page.
'); + } } // Same for AES block size if ( !getConfig('aes_block_size') ) { - setConfig('aes_block_size', AES_BLOCKSIZE); + setConfig('aes_block_size', AES_BLOCKSIZE); } else if ( $ks = getConfig('aes_block_size') ) { - if ( intval($ks) != AES_BLOCKSIZE ) - { - grinding_halt('AES block size changed', 'Enano has detected that the AES block size in constants.php has been changed. This change cannot be performed after installation, otherwise all passwords would have to be re-encrypted.
Please change the block size back to ' . $ks . ' bits and reload this page.
'); - } + if ( intval($ks) != AES_BLOCKSIZE ) + { + grinding_halt('AES block size changed', 'Enano has detected that the AES block size in constants.php has been changed. This change cannot be performed after installation, otherwise all passwords would have to be re-encrypted.
Please change the block size back to ' . $ks . ' bits and reload this page.
'); + } } // Is there no default language? if ( getConfig('default_language') === false && !defined('IN_ENANO_MIGRATION') ) { - $q = $db->sql_query('SELECT lang_id FROM '.table_prefix.'language LIMIT 1;'); - if ( !$q ) - $db->_die('common.php - setting default language'); - if ( $db->numrows() < 1 && !defined('ENANO_ALLOW_LOAD_NOLANG') ) - { - grinding_halt('No languages', 'There are no languages installed on this site.
-If you are the website administrator, you may install a language by writing and executing a simple PHP script to install it:
-+ $q = $db->sql_query('SELECT lang_id FROM '.table_prefix.'language LIMIT 1;'); + if ( !$q ) + $db->_die('common.php - setting default language'); + if ( $db->numrows() < 1 && !defined('ENANO_ALLOW_LOAD_NOLANG') ) + { + grinding_halt('No languages', 'There are no languages installed on this site.
+If you are the website administrator, you may install a language by writing and executing a simple PHP script to install it:
+<?php define("ENANO_ALLOW_LOAD_NOLANG", 1); require("includes/common.php"); install_language("eng", "English", "English", ENANO_ROOT . "/language/english/enano.json");'); - } - $row = $db->fetchrow(); - setConfig('default_language', $row['lang_id']); + } + $row = $db->fetchrow(); + setConfig('default_language', $row['lang_id']); } profiler_log('Ran checks'); @@ -348,8 +348,8 @@ // Load plugins from common because we can't give plugins full abilities in object context foreach ( $plugins->load_list as $f ) { - if ( file_exists(ENANO_ROOT . '/plugins/' . $f) ) - include_once ENANO_ROOT . '/plugins/' . $f; + if ( file_exists(ENANO_ROOT . '/plugins/' . $f) ) + include_once ENANO_ROOT . '/plugins/' . $f; } profiler_log('Loaded plugins'); 
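Review bot: The pair `$row = $db->fetchrow(); setConfig('default_language', $row['lang_id']);` at the end of the default-language block runs even when `numrows()` is below 1 and `ENANO_ALLOW_LOAD_NOLANG` is defined. That is exactly the path the halt message tells an administrator to take. With no row to read, an empty value is presumably written as the default language, and a later `getConfig('default_language') === false` test may no longer trigger. Guarding the write as `if ( $row = $db->fetchrow() ) { setConfig('default_language', $row['lang_id']); }` leaves the setting untouched until a language actually exists.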
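Review bot: Each `$f` from `$plugins->load_list` is concatenated into the `include_once` path with only a `file_exists()` check, so an entry containing `../` would resolve outside `/plugins/`. How `load_list` is populated is not visible in this hunk. If any entry can come from the database or another writable store, and plugins are always top-level files, normalising with `$f = basename($f);` before the check and skipping names that do not end in `.php` keeps the include inside the plugin directory. A one-line comment above the loop saying where `load_list` comes from would let the next reader judge the trust boundary.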
@@ -371,125 +371,125 @@ // script though, because that will make the DBAL look in the wrong place for the config file. if ( !defined('IN_ENANO_INSTALL') ) { - // And here you have it, the de facto way to place a hook. Plugins can place hooks and hook - // into other plugins. You just never know. - $code = $plugins->setHook('base_classes_initted'); - foreach ( $code as $cmd ) - { - eval($cmd); - } - - profiler_log('Finished base_classes_initted hook'); - - // One quick security check... - if ( !is_valid_ip($_SERVER['REMOTE_ADDR']) ) - { - die('SECURITY: spoofed IP address: ' . htmlspecialchars($_SERVER['REMOTE_ADDR'])); - } - - // For special and administration pages, sometimes there is a "preloader" function that must be run - // before the session manager and/or path manager get the init signal. Call it here. - $urlname = get_title(true); - list($page_id, $namespace) = RenderMan::strToPageID($urlname); - list($page_id_top) = explode('/', $page_id); - $fname = "page_{$namespace}_{$page_id_top}_preloader"; - if( ( $namespace == 'Admin' || $namespace == 'Special' ) && function_exists($fname)) - { - call_user_func($fname); - } - - profiler_log('Checked for (and ran, if applicable) preloader'); - - // Add all of our built in special pages - foreach ( array('SpecialUserFuncs', 'SpecialPageFuncs', 'SpecialAdmin', 'SpecialCSS', 'SpecialUpDownload', 'SpecialSearch', 'PrivateMessages', 'SpecialGroups', 'SpecialLog') as $plugin ) - { - $funcname = "{$plugin}_paths_init"; - if ( function_exists($funcname) ) - { - $funcname(); - } - } - profiler_log('Added special pages'); - - // All checks passed! Start the main components up. - $session->start(); - - // This is where plugins will want to add pages from 1.1.x on out. You can still add - // pages at base_classes_initted but the titles won't be localized. This is because - // the session manager has to be started before localization will work in the user's - // preferred language. 
- $code = $plugins->setHook('session_started'); - foreach ( $code as $cmd ) - { - eval($cmd); - } - - profiler_log('Ran session_started hook'); - - $paths->init($urlname); - - // setup output format - if ( defined('ENANO_OUTPUT_FORMAT') ) - $class = 'Output_' . ENANO_OUTPUT_FORMAT; - else - $class = ( isset($_GET['noheaders']) ) ? 'Output_Naked' : 'Output_HTML'; - - $output = new $class(); - - // Are we running from the API? If so, did the page set a title? - if ( !defined('ENANO_INTERFACE_INDEX') && !defined('ENANO_INTERFACE_AJAX') && isset($title) ) - { - $output->set_title($title); - } - - // We're ready for whatever life throws us now, at least from an API point of view. - define('ENANO_MAINSTREAM', ''); - - // If the site is disabled, bail out, unless we're trying to log in or administer the site - if(getConfig('site_disabled') == '1' && $session->user_level < USER_LEVEL_ADMIN) - { - // is this one of the more critical special pages? - if ( $paths->namespace == 'Admin' || ( $paths->namespace == 'Special' && ( $paths->page_id == 'CSS' || $paths->page_id == 'Administration' || $paths->page_id == 'Login' ) ) ) - { - // yeah, we need to keep this page available. do nothing; allow execution to continue - } - else - { - if(!$n = getConfig('site_disabled_notice')) - { - $n = 'The administrator has disabled the site. Please check back later.'; - } - - $text = RenderMan::render($n) . ' -- If you have an administrative account, you may log in to the site. -'; - $paths->wiki_mode = 0; - die_semicritical('Site disabled', $text); - } - } - else if ( getConfig('site_disabled') == '1' && $session->user_level >= USER_LEVEL_ADMIN ) - { - // If the site is disabled but the user has admin rights, allow browsing - // and stuff, but display the orange box notifying the admin. - $template->site_disabled = true; - } - - // At this point all of Enano is fully initialized and running and you're ready to do whatever you want. 
- $code = $plugins->setHook('common_post'); - foreach ( $code as $cmd ) - { - eval($cmd); - } - - profiler_log('Ran disabled-site checks and common_post'); - - load_rank_data(); - - profiler_log('Loaded user rank data'); - - if ( isset($_GET['noheaders']) ) - $template->no_headers = true; + // And here you have it, the de facto way to place a hook. Plugins can place hooks and hook + // into other plugins. You just never know. + $code = $plugins->setHook('base_classes_initted'); + foreach ( $code as $cmd ) + { + eval($cmd); + } + + profiler_log('Finished base_classes_initted hook'); + + // One quick security check... + if ( !is_valid_ip($_SERVER['REMOTE_ADDR']) ) + { + die('SECURITY: spoofed IP address: ' . htmlspecialchars($_SERVER['REMOTE_ADDR'])); + } + + // For special and administration pages, sometimes there is a "preloader" function that must be run + // before the session manager and/or path manager get the init signal. Call it here. + $urlname = get_title(true); + list($page_id, $namespace) = RenderMan::strToPageID($urlname); + list($page_id_top) = explode('/', $page_id); + $fname = "page_{$namespace}_{$page_id_top}_preloader"; + if( ( $namespace == 'Admin' || $namespace == 'Special' ) && function_exists($fname)) + { + call_user_func($fname); + } + + profiler_log('Checked for (and ran, if applicable) preloader'); + + // Add all of our built in special pages + foreach ( array('SpecialUserFuncs', 'SpecialPageFuncs', 'SpecialAdmin', 'SpecialCSS', 'SpecialUpDownload', 'SpecialSearch', 'PrivateMessages', 'SpecialGroups', 'SpecialLog') as $plugin ) + { + $funcname = "{$plugin}_paths_init"; + if ( function_exists($funcname) ) + { + $funcname(); + } + } + profiler_log('Added special pages'); + + // All checks passed! Start the main components up. + $session->start(); + + // This is where plugins will want to add pages from 1.1.x on out. You can still add + // pages at base_classes_initted but the titles won't be localized. 
This is because + // the session manager has to be started before localization will work in the user's + // preferred language. + $code = $plugins->setHook('session_started'); + foreach ( $code as $cmd ) + { + eval($cmd); + } + + profiler_log('Ran session_started hook'); + + $paths->init($urlname); + + // setup output format + if ( defined('ENANO_OUTPUT_FORMAT') ) + $class = 'Output_' . ENANO_OUTPUT_FORMAT; + else + $class = ( isset($_GET['noheaders']) ) ? 'Output_Naked' : 'Output_HTML'; + + $output = new $class(); + + // Are we running from the API? If so, did the page set a title? + if ( !defined('ENANO_INTERFACE_INDEX') && !defined('ENANO_INTERFACE_AJAX') && isset($title) ) + { + $output->set_title($title); + } + + // We're ready for whatever life throws us now, at least from an API point of view. + define('ENANO_MAINSTREAM', ''); + + // If the site is disabled, bail out, unless we're trying to log in or administer the site + if(getConfig('site_disabled') == '1' && $session->user_level < USER_LEVEL_ADMIN) + { + // is this one of the more critical special pages? + if ( $paths->namespace == 'Admin' || ( $paths->namespace == 'Special' && ( $paths->page_id == 'CSS' || $paths->page_id == 'Administration' || $paths->page_id == 'Login' ) ) ) + { + // yeah, we need to keep this page available. do nothing; allow execution to continue + } + else + { + if(!$n = getConfig('site_disabled_notice')) + { + $n = 'The administrator has disabled the site. Please check back later.'; + } + + $text = RenderMan::render($n) . ' ++ If you have an administrative account, you may log in to the site. +'; + $paths->wiki_mode = 0; + die_semicritical('Site disabled', $text); + } + } + else if ( getConfig('site_disabled') == '1' && $session->user_level >= USER_LEVEL_ADMIN ) + { + // If the site is disabled but the user has admin rights, allow browsing + // and stuff, but display the orange box notifying the admin. 
+ $template->site_disabled = true; + } + + // At this point all of Enano is fully initialized and running and you're ready to do whatever you want. + $code = $plugins->setHook('common_post'); + foreach ( $code as $cmd ) + { + eval($cmd); + } + + profiler_log('Ran disabled-site checks and common_post'); + + load_rank_data(); + + profiler_log('Loaded user rank data'); + + if ( isset($_GET['noheaders']) ) + $template->no_headers = true; } profiler_log('common finished');
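Review bot: The three hook loops (`base_classes_initted`, `session_started`, `common_post`) pass every string returned by `$plugins->setHook()` straight to `eval()`, so the hook registry is a code-execution boundary and nothing in this block says so. I would add a comment above the first loop such as `// SECURITY: hook bodies are eval()'d verbatim; only code shipped by installed plugins may be registered, never request or database data`. Longer term, registering callables and invoking them with `call_user_func()`, as the preloader lookup in this same block already does, would remove the string evaluation. Separately, `$class = 'Output_' . ENANO_OUTPUT_FORMAT; $output = new $class();` instantiates whatever the constant names without a `class_exists()` check, so an unexpected value ends in a fatal error rather than a clean `grinding_halt()`.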