diff -r 1c7f59df9474 -r 93ef7df77847 plugins/SpecialAdmin.php
--- a/plugins/SpecialAdmin.php Wed Aug 29 18:23:37 2007 -0400
+++ b/plugins/SpecialAdmin.php Wed Aug 29 23:35:06 2007 -0400
@@ -41,6 +41,7 @@
 // Admin pages that were too enormous to be in this file were split off into the plugins/admin/ directory in 1.0.1
 require(ENANO_ROOT . '/plugins/admin/PageGroups.php');
+require(ENANO_ROOT . '/plugins/admin/SecurityLog.php');
 // function names are IMPORTANT!!! The name pattern is: page__
@@ -104,61 +105,10 @@
 // Security log
 echo '

Security log

'; - echo '
'; - $cls = 'row2'; - echo ''; - require('config.php'); - $hash = md5($dbpasswd); - unset($dbname, $dbhost, $dbuser, $dbpasswd); - unset($dbname, $dbhost, $dbuser, $dbpasswd); // PHP5 Zend bug - if ( defined('ENANO_DEMO_MODE') && !isset($_GET[ $hash ]) && substr($_SERVER['REMOTE_ADDR'], 0, 8) != '192.168.' ) - { - echo ''; - } - else - { - if(isset($_GET['fulllog'])) - { - $l = 'SELECT action,date_string,author,edit_summary,time_id,page_text FROM '.table_prefix.'logs WHERE log_type=\'security\' ORDER BY time_id DESC, action ASC;'; - } - else - { - $l = 'SELECT action,date_string,author,edit_summary,time_id,page_text FROM '.table_prefix.'logs WHERE log_type=\'security\' ORDER BY time_id DESC, action ASC LIMIT 5'; - } - $q = $db->sql_query($l); - while($r = $db->fetchrow()) - { - if ( $r['action'] == 'illegal_page' ) - { - list($illegal_id, $illegal_ns) = unserialize($r['page_text']); - $url = makeUrlNS($illegal_ns, $illegal_id, false, true); - $title = get_page_title_ns($illegal_id, $illegal_ns); - $class = ( isPage($paths->nslist[$illegal_ns] . $illegal_id) ) ? '' : ' class="wikilink-nonexistent"'; - $illegal_link = '' . $title . ''; - } - if($cls == 'row2') $cls = 'row1'; - else $cls = 'row2'; - echo ''; - } - $db->free_result(); - } - echo '
TypeDateUsernameIP Address
Logs are recorded but not displayed for privacy purposes in the demo.
'; - switch($r['action']) - { - case "admin_auth_good": echo 'Successful elevated authentication'; if ( !empty($r['page_text']) ) { $level = $session->userlevel_to_string( intval($r['page_text']) ); echo "
Authentication level: $level"; } break; - case "admin_auth_bad": echo 'Failed elevated authentication'; if ( !empty($r['page_text']) ) { $level = $session->userlevel_to_string( intval($r['page_text']) ); echo "
Attempted auth level: $level"; } break; - case "activ_good": echo 'Successful account activation'; break; - case "auth_good": echo 'Successful regular user logon'; break; - case "activ_bad": echo 'Failed account activation'; break; - case "auth_bad": echo 'Failed regular user logon'; break; - case "sql_inject": echo 'SQL injection attempt
Offending query: ' . htmlspecialchars($r['page_text']) . '
'; break; - case "db_backup": echo 'Database backup created
Tables: ' . $r['page_text'] . ''; break; - case "install_enano": echo "Installed Enano version {$r['page_text']}"; break; - case "upgrade_enano": echo "Upgraded Enano to version {$r['page_text']}"; break; - case "illegal_page": echo "Unauthorized viewing attempt
Page: {$illegal_link}"; break; - } - echo '
'.date('d M Y h:i a', $r['time_id']).''.$r['author'].''.$r['edit_summary'].'
'; - if(!isset($_GET['fulllog'])) echo '

Full security log

'; + $seclog = get_security_log(5); + echo $seclog; + + echo '

Full security log

'; } 
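Review bot: The page now prints whatever `get_security_log(5)` returns straight into the admin page (`echo $seclog;`), and the helper lives in the newly required plugins/admin/SecurityLog.php which this diff does not show, so it is not visible here whether the `author` and `edit_summary` columns (the username and REMOTE_ADDR that the other hunks of this commit write) are passed through `htmlspecialchars()` before rendering, nor whether the demo-mode gate the removed block applied (`ENANO_DEMO_MODE` with the 192.168. exemption) moved with it. Both should be confirmed in SecurityLog.php, and the contract documented at the call site, e.g. `// get_security_log() returns escaped HTML ready for output; demo-mode hiding is handled inside it`. The enclosing admin page function starts and ends outside this hunk.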
@@ -488,12 +438,69 @@
 if(isset($_POST['save']))
 {
- if(isset($_POST['enable_uploads'])) setConfig('enable_uploads', '1'); else setConfig('enable_uploads', '0');
- if(isset($_POST['enable_imagemagick'])) setConfig('enable_imagemagick', '1'); else setConfig('enable_imagemagick', '0');
- if(isset($_POST['cache_thumbs'])) setConfig('cache_thumbs', '1'); else setConfig('cache_thumbs', '0');
- if(isset($_POST['file_history'])) setConfig('file_history', '1'); else setConfig('file_history', '0');
- if(file_exists($_POST['imagemagick_path'])) setConfig('imagemagick_path', $_POST['imagemagick_path']);
- else echo 'Warning: the file "'.$_POST['imagemagick_path'].'" was not found, and the ImageMagick file path was not updated.';
+ if(isset($_POST['enable_uploads']) && getConfig('enable_uploads') != '1')
+ {
+ $q = $db->sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author) VALUES("security","upload_enable",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '");');
+ if ( !$q )
+ $db->_die();
+ setConfig('enable_uploads', '1');
+ }
+ else if ( !isset($_POST['enable_uploads']) && getConfig('enable_uploads') == '1' )
+ {
+ $q = $db->sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author) VALUES("security","upload_disable",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '");');
+ if ( !$q )
+ $db->_die();
+ setConfig('enable_uploads', '0');
+ }
+ if(isset($_POST['enable_imagemagick']) && getConfig('enable_imagemagick') != '1')
+ {
+ $q = $db->sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author) VALUES("security","magick_enable",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '");');
+ if ( !$q )
+ $db->_die();
+ setConfig('enable_imagemagick', '1');
+ }
+ else if ( !isset($_POST['enable_imagemagick']) && getConfig('enable_imagemagick') == '1' )
+ {
+ $q = $db->sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author) VALUES("security","magick_disable",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '");');
+ if ( !$q )
+ $db->_die();
+ setConfig('enable_imagemagick', '0');
+ }
+ if(isset($_POST['cache_thumbs']))
+ {
+ setConfig('cache_thumbs', '1');
+ }
+ else
+ {
+ setConfig('cache_thumbs', '0');
+ }
+ if(isset($_POST['file_history']) && getConfig('file_history') != '1' )
+ {
+ $q = $db->sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author) VALUES("security","filehist_enable",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '");');
+ if ( !$q )
+ $db->_die();
+ setConfig('file_history', '1');
+ }
+ else if ( !isset($_POST['file_history']) && getConfig('file_history') == '1' )
+ {
+ $q = $db->sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author) VALUES("security","filehist_disable",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '");');
+ if ( !$q )
+ $db->_die();
+ setConfig('file_history', '0');
+ }
+ if(file_exists($_POST['imagemagick_path']) && $_POST['imagemagick_path'] != getConfig('imagemagick_path'))
+ {
+ $old = getConfig('imagemagick_path');
+ $oldnew = "{$old}||{$_POST['imagemagick_path']}";
+ $q = $db->sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author,page_text) VALUES("security","magick_path",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '","' . $db->escape($oldnew) . '");');
+ if ( !$q )
+ $db->_die();
+ setConfig('imagemagick_path', $_POST['imagemagick_path']);
+ }
+ else if ( $_POST['imagemagick_path'] != getConfig('imagemagick_path') )
+ {
+ echo 'Warning: the file "'.htmlspecialchars($_POST['imagemagick_path']).'" was not found, and the ImageMagick file path was not updated.';
+ }
 $max_upload = floor((float)$_POST['max_file_size'] * (int)$_POST['fs_units']);
 if ( $max_upload > 1048576 && defined('ENANO_DEMO_MODE') )
 {
@@ -531,7 +538,7 @@
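Review bot: The rewritten path check still accepts the new value on `file_exists($_POST['imagemagick_path'])` alone, which is true for a directory or any unreadable entry, so a value like `/etc` is stored and recorded in the security log as a valid ImageMagick path; for a setting that names a program the guard should be `isset($_POST['imagemagick_path']) && is_file($_POST['imagemagick_path']) && is_executable($_POST['imagemagick_path'])` (the key is currently read unconditionally, so a form without it also raises a notice). How the stored path is later invoked is not visible in this diff, so the executable check is the conservative reading. The seven near-identical `INSERT INTO ... logs` statements would be easier to audit as one local helper taking the action name and an optional `page_text`, so the column list and escaping are defined once. The enclosing save handler starts and ends outside this hunk.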

Lastly, you can choose whether file history will be saved. If this option is turned on, you will be able to roll back any malicious changes made to uploaded files, but this requires a significant amount of database storage. You should probably leave this option enabled unless you have less than 250MB of MySQL database space.

-

+


sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author,page_text) VALUES("security","plugin_enable",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '","' . $db->escape($_GET['plugin']) . '");');
+ if ( !$q )
+ $db->_die();
 setConfig('plugin_'.$_GET['plugin'], '1');
 break;
 case "disable":
@@ -561,6 +571,9 @@
 }
 if ( !in_array($_GET['plugin'], $plugins->system_plugins) )
 {
+ $q = $db->sql_query('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,edit_summary,author,page_text) VALUES("security","plugin_disable",UNIX_TIMESTAMP(),"' . $db->escape($_SERVER['REMOTE_ADDR']) . '","' . $db->escape($session->username) . '","' . $db->escape($_GET['plugin']) . '");');
+ if ( !$q )
+ $db->_die();
 setConfig('plugin_'.$_GET['plugin'], '0');
 }
 else
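Review bot: The `plugin_disable` entry is written on every request that reaches this branch rather than on an actual state change, so re-submitting the same `?plugin=` URL appends duplicate security-log rows; the upload-settings hunk in this same commit guards its entries with `getConfig(...) != '1'`, and this one should match by wrapping the INSERT in `if ( getConfig('plugin_'.$_GET['plugin']) == '1' )` (assuming getConfig returns the stored string here as it does there). The same applies to the `plugin_enable` insert in the preceding hunk, whose start is not in view. Both hunks also act on a bare `$_GET['plugin']` with no CSRF token check visible in these lines, so the `author` column would record whichever admin's browser was lured to the link; worth confirming the caller outside these hunks validates a token before the switch. The enclosing function starts and ends outside these hunks.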