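<?php

// -------------------------------------------------------------------------------
// | net2ftp: a web based FTP client                                              |
// | Copyright (c) 2003-2017 by David Gartner                                     |
// |                                                                              |
// | This program is free software; you can redistribute it and/or                |
// | modify it under the terms of the GNU General Public License                  |
// | as published by the Free Software Foundation; either version 2               |
// | of the License, or (at your option) any later version.                       |
// |                                                                              |
// -------------------------------------------------------------------------------




// **************************************************************************************
// **************************************************************************************
// **                                                                                  **
// **                                                                                  **

function encryptPassword($password) {

// --------------
// This function obfuscates the FTP password before it is embedded in hidden form
// fields and bookmark URLs (see printLoginInfo and printPHP_SELF).
//
// Scheme: every byte of $password is XORed with one byte of a key stream derived
// from sha1($net2ftp_settings["encryption_string"]); the result is returned as
// uppercase hex, two characters per password byte. decryptPassword() is the exact
// inverse and must stay in sync with this function (same digest, same offsets).
//
// NOTE(review): this is a repeating-key XOR (the key stream repeats every 20
// bytes) with a key that is fixed per installation - not authenticated encryption.
// Anyone who knows the configured encryption_string (for instance an unchanged
// default) can turn the hex value back into the clear-text password, and the hex
// value can be altered without detection. Treat the output as a secret: only send
// it over HTTPS and keep pages/URLs that carry it out of shared caches and logs.
//
// The old mcrypt-based branch that used to live here was removed: mcrypt is gone
// from PHP 7.2+, and the XOR branch was the only one ever reached.
//
// Returns: string of uppercase hex digits, "" for an empty password.
// --------------

	global $net2ftp_settings;

	$password = (string) $password;
	$secret = isset($net2ftp_settings["encryption_string"]) ? (string) $net2ftp_settings["encryption_string"] : "";

	// 40 hex characters = 20 key bytes
	$keystream = sha1($secret);
	$keystream_length = strlen($keystream);
	// sha1() always returns an even number of hex digits; the guard only matters if
	// another digest is ever substituted, because the loop reads two digits at a time.
	// ($str{0} curly-brace offsets were removed in PHP 8 - use [] here.)
	if ($keystream_length % 2 == 1) {
		$keystream .= $keystream[0];
		$keystream_length++;
	}

	$password_encrypted = "";
	$password_length = strlen($password);
	for ($i = 0; $i < $password_length; $i++) {
		// key byte for position $i: the two hex digits at offset 2*$i, wrapping around at the end of the digest
		$key_byte = hexdec(substr($keystream, (2 * $i) % $keystream_length, 2));
		$password_encrypted .= sprintf("%02X", $key_byte ^ ord($password[$i]));
	}

	return $password_encrypted;

} // End function encryptPassword

// **                                                                                  **
// **                                                                                  **
// **************************************************************************************
// **************************************************************************************





// **************************************************************************************
// **************************************************************************************
// **                                                                                  **
// **                                                                                  **

function decryptPassword($password_encrypted) {

// --------------
// This function reverses encryptPassword(): the hex string is read two characters
// at a time, each byte is XORed with the same key-stream byte that
// encryptPassword() used at that position, and the resulting characters are
// concatenated.
//
// Malformed input is not rejected: hexdec() skips characters that are not hex
// digits, and an odd trailing character is treated as a one-digit byte, so a
// tampered or truncated value yields a garbage password rather than an error
// (this is a consequence of the unauthenticated scheme, see encryptPassword).
//
// Returns: the clear-text password as a binary-safe string, "" for empty input.
// --------------

	global $net2ftp_settings;

	$password_encrypted = (string) $password_encrypted;
	$secret = isset($net2ftp_settings["encryption_string"]) ? (string) $net2ftp_settings["encryption_string"] : "";

	// Key stream derivation must be byte-for-byte identical to encryptPassword()
	$keystream = sha1($secret);
	$keystream_length = strlen($keystream);
	if ($keystream_length % 2 == 1) {
		$keystream .= $keystream[0];
		$keystream_length++;
	}

	$password = "";
	$encrypted_length = strlen($password_encrypted);
	for ($i = 0; $i < $encrypted_length; $i += 2) {
		// $i advances two hex digits per character, so it equals the 2*$i offset used by encryptPassword()
		$key_byte = hexdec(substr($keystream, $i % $keystream_length, 2));
		$password .= chr($key_byte ^ hexdec(substr($password_encrypted, $i, 2)));
	}

	return $password;

} // End function decryptPassword

// **                                                                                  **
// **                                                                                  **
// **************************************************************************************
// **************************************************************************************





// **************************************************************************************
// **************************************************************************************
// **                                                                                  **
// **                                                                                  **

function checkIPinNetwork($ip, $network) {

// ----------
// This function checks if an IP address is part of a network
// If yes, it returns true; if no, it returns false
//
// The network's IP address range must be one of these notations:
// - Single IP (example: 192.168.1.1)
// - IP from-to (example: 192.168.1.1-192.168.1.10)
// - CIDR notation (example: 192.168.1.0/30 or 192.168.1/30, short forms are padded with .0)
// - Network with a dotted netmask (example: 192.168.1.0/255.255.255.252)
//
// Only IPv4 is understood by the from-to and CIDR forms (they rely on ip2long).
// An IPv6 address therefore never matches such an entry: a caller that uses this
// function for an "allowed" list fails closed for IPv6 clients, while a caller
// that uses it for a "banned" list gets "not banned" for them. A single-address
// entry is compared as a literal string, so an exact IPv6 address can still be
// listed that way.
//
// Malformed input on either side (unparseable address, prefix length outside
// 0..32, empty strings) returns false instead of raising a PHP error.
// ----------

	$ip = trim((string) $ip);
	$network = trim((string) $network);
	if ($ip == "" || $network == "") {
		return false;
	}

// network is in the format 192.168.1.1-192.168.1.10
	$dash = strpos($network, "-");
	if ($dash !== false) {
		$from = ip2long(trim(substr($network, 0, $dash)));
		$to = ip2long(trim(substr($network, $dash + 1)));
		$ip_long = ip2long($ip);
		if ($from === false || $to === false || $ip_long === false) {
			return false;
		}
		// NOTE(review): on 32-bit PHP ip2long() returns signed values, so ranges that cross 128.0.0.0 compare unexpectedly - same as before this rewrite
		return ($ip_long >= $from && $ip_long <= $to);
	}

// network is in the format 192.168.1.0/30, 192.168.1/30 or 192.168.1.0/255.255.255.252
	$slash = strpos($network, "/");
	if ($slash !== false) {
		$network_address = trim(substr($network, 0, $slash));
		$prefix = trim(substr($network, $slash + 1));

		// Short forms such as 192.168.1/30 or 10/8: pad with ".0" until there are four octets
		while (substr_count($network_address, ".") < 3) {
			$network_address .= ".0";
		}

		$network_long = ip2long($network_address);
		$ip_long = ip2long($ip);
		if ($network_long === false || $ip_long === false) {
			return false;
		}

		// The part after the slash is either a dotted netmask or a prefix length 0..32
		$mask_long = ip2long($prefix);
		if ($mask_long !== false && long2ip($mask_long) == $prefix) {
			$mask = $mask_long;
		}
		elseif (preg_match('/^[0-9]{1,2}$/', $prefix) && (int) $prefix <= 32) {
			// ~((1 << (32 - n)) - 1) keeps the top n bits set; correct for n = 0 and n = 32 and on 32-bit PHP
			$mask = ~((1 << (32 - (int) $prefix)) - 1);
		}
		else {
			return false;
		}

		return (($ip_long & $mask) == ($network_long & $mask));
	}

// network is a single address: compare the trimmed strings literally (this also covers an exact IPv6 entry)
	return ($ip === $network);

} // End function checkIPinNetwork

// **                                                                                  **
// **                                                                                  **
// **************************************************************************************
// **************************************************************************************





// **************************************************************************************
// **************************************************************************************
// **                                                                                  **
// **                                                                                  **

function printLoginInfo() {

// --------------
// This function prints the ftpserver, username and login information as hidden
// form fields, so that the current session state travels with every form post.
// Every value is passed through htmlEncode2() (defined elsewhere in net2ftp)
// before it is placed in the value="" attribute. A missing $net2ftp_globals entry
// is emitted as an empty value instead of raising an undefined-index notice.
//
// NOTE: password_encrypted is one of the emitted fields, i.e. the obfuscated FTP
// password (see encryptPassword for how weak that obfuscation is) is part of the
// page source.
// --------------

	global $net2ftp_globals, $net2ftp_settings;

	// Field order is kept identical to the previous hand-written list
	$fields = array(
		"skin", "language", "protocol", "ftpserver", "ftpserverport", "username",
		"password_encrypted", "sshfingerprint", "ftpmode", "passivemode", "viewmode",
		"sort", "sortorder", "consent_necessary", "consent_preferences", "consent_statistics",
		"consent_personalized_ads", "consent_nonpersonalized_ads", "user_email"
	);
	// privacy1..privacy10 are only emitted for the privacy policies that are configured
	for ($i = 1; $i <= 10; $i++) {
		if (isset($net2ftp_settings["privacy_policy_" . $i]) && $net2ftp_settings["privacy_policy_" . $i] != "") {
			$fields[] = "privacy" . $i;
		}
	}

	foreach ($fields as $field) {
		$value = isset($net2ftp_globals[$field]) ? $net2ftp_globals[$field] : "";
		echo "<input type=\"hidden\" name=\"" . $field . "\" value=\"" . htmlEncode2($value) . "\" />\n";
	}

} // End function printLoginInfo

// **                                                                                  **
// **                                                                                  **
// **************************************************************************************
// **************************************************************************************






// **************************************************************************************
// **************************************************************************************
// **                                                                                  **
// **                                                                                  **

function printLoginInfo_javascript() {

// --------------
// This function prints the ftpserver, username and login information -- for javascript input
// Same fields and order as printLoginInfo(), but each <input> is written from
// javascript through d.writeln('...'), so the values are passed through
// javascriptEncode2() (defined elsewhere in net2ftp) instead of htmlEncode2().
//
// NOTE(review): each value sits inside a single-quoted JS string that is itself an
// HTML attribute value inside the generated markup; javascriptEncode2() is assumed
// to neutralise ', ", \ and "</" for that double context - confirm against its
// definition before relying on it.
// --------------

	global $net2ftp_globals, $net2ftp_settings;

	$fields = array(
		"skin", "language", "protocol", "ftpserver", "ftpserverport", "username",
		"password_encrypted", "sshfingerprint", "ftpmode", "passivemode", "viewmode",
		"sort", "sortorder", "consent_necessary", "consent_preferences", "consent_statistics",
		"consent_personalized_ads", "consent_nonpersonalized_ads", "user_email"
	);
	// privacy1..privacy10 are only emitted for the privacy policies that are configured
	for ($i = 1; $i <= 10; $i++) {
		if (isset($net2ftp_settings["privacy_policy_" . $i]) && $net2ftp_settings["privacy_policy_" . $i] != "") {
			$fields[] = "privacy" . $i;
		}
	}

	foreach ($fields as $field) {
		$value = isset($net2ftp_globals[$field]) ? $net2ftp_globals[$field] : "";
		echo "\td.writeln('<input type=\"hidden\" name=\"" . $field . "\" value=\"" . javascriptEncode2($value) . "\" />');\n";
	}

} // End function printLoginInfo_javascript

// **                                                                                  **
// **                                                                                  **
// **************************************************************************************
// **************************************************************************************






// **************************************************************************************
// **************************************************************************************
// **                                                                                  **
// **                                                                                  **

function printPHP_SELF($case) {

// --------------
// This function returns the URL of the script itself ($PHP_SELF), with the
// session state (server, user, skin, ...) appended as query parameters.
// $case selects which parameters are appended and which separator is used:
//   "actions"                   -> form action URL, "&" between parameters
//   "bookmark_withpw"           -> bookmark URL for HTML output, "&amp;" separator, includes password_encrypted
//   "bookmark_withoutpw"        -> same without the password
//   "jupload"                   -> URL for the Java upload applet
//   "view"                      -> URL for the image viewer
//   "createDirectoryTreeWindow" -> bare index.php under the application root
//   "defaultskin"               -> current state, but with the configured default skin
// Any other $case returns the action URL with only "?" (or "&") appended.
//
// All parameter values go through urlEncode2() (defined elsewhere in net2ftp),
// including the privacyN values and the default skin name, which previously were
// appended html-encoded resp. unencoded. The consent_* and user_email globals are
// not part of any URL variant and are therefore not read here.
//
// NOTE: "bookmark_withpw" puts the obfuscated FTP password into a URL, which ends
// up in browser history, referrer headers and server logs; see encryptPassword.
// --------------

	global $net2ftp_globals, $net2ftp_settings;

	$protocol           = urlEncode2($net2ftp_globals["protocol"]);
	$ftpserver          = urlEncode2($net2ftp_globals["ftpserver"]);
	$ftpserverport      = urlEncode2($net2ftp_globals["ftpserverport"]);
	$username           = urlEncode2($net2ftp_globals["username"]);
	$password_encrypted = urlEncode2($net2ftp_globals["password_encrypted"]);
	$directory_html     = urlEncode2($net2ftp_globals["directory"]);
	$entry_html         = urlEncode2($net2ftp_globals["entry"]);
	$skin               = urlEncode2($net2ftp_globals["skin"]);
	$language           = urlEncode2($net2ftp_globals["language"]);
	$sshfingerprint     = urlEncode2($net2ftp_globals["sshfingerprint"]);
	$ftpmode            = urlEncode2($net2ftp_globals["ftpmode"]);
	$passivemode        = urlEncode2($net2ftp_globals["passivemode"]);
	$viewmode           = urlEncode2($net2ftp_globals["viewmode"]);
	$sort               = urlEncode2($net2ftp_globals["sort"]);
	$sortorder          = urlEncode2($net2ftp_globals["sortorder"]);
	$state_html         = urlEncode2($net2ftp_globals["state"]);
	$state2_html        = urlEncode2($net2ftp_globals["state2"]);

	// Bookmark URLs are written into HTML, so they separate parameters with "&amp;"; the other variants are raw URLs
	$sep = ($case == "bookmark_withpw" || $case == "bookmark_withoutpw") ? "&amp;" : "&";

	// privacy1..privacy10 checkbox values, only for the privacy policies that are configured
	$privacy_params = "";
	for ($i = 1; $i <= 10; $i++) {
		if (isset($net2ftp_settings["privacy_policy_" . $i]) && $net2ftp_settings["privacy_policy_" . $i] != "") {
			$privacy_value = isset($net2ftp_globals["privacy" . $i]) ? $net2ftp_globals["privacy" . $i] : "";
			$privacy_params .= $sep . "privacy" . $i . "=" . urlEncode2($privacy_value);
		}
	}

// From /includes/registerglobals.inc.php
	$URL = $net2ftp_globals["action_url"];

// If the URL already contains parameters (?param1=value1&param2=value2...), append &
// If not, append a ?
	$URL .= (strpos($URL, "?") !== false) ? "&" : "?";

// Append further parameters
	if ($case == "actions") {
		$URL .= "protocol=$protocol&ftpserver=$ftpserver&ftpserverport=$ftpserverport&username=$username&skin=$skin&language=$language&sshfingerprint=$sshfingerprint&ftpmode=$ftpmode&passivemode=$passivemode&viewmode=$viewmode&sort=$sort&sortorder=$sortorder" . $privacy_params;
	}
// Bookmark with password
// Until version 1.1: go straight to the bookmarked state (e.g. Browse, Edit, etc)
// As of version 1.2: always show login_small form, either with or without password filled in; captcha is needed to block robots
	elseif ($case == "bookmark_withpw") {
		$URL .= "protocol=$protocol&amp;ftpserver=$ftpserver&amp;ftpserverport=$ftpserverport&amp;sshfingerprint=$sshfingerprint&amp;username=$username&amp;password_encrypted=$password_encrypted&amp;language=$language&amp;skin=$skin&amp;ftpmode=$ftpmode&amp;passivemode=$passivemode&amp;viewmode=$viewmode&amp;sort=$sort&amp;sortorder=$sortorder&amp;state=login_small&amp;state2=bookmark&amp;go_to_state=$state_html&amp;go_to_state2=$state2_html&amp;directory=$directory_html&amp;entry=$entry_html" . $privacy_params;
	}
// Bookmark without password and without SSH fingerprint: go first to the login_small state to enter the password and check the SSH fingerprint
	elseif ($case == "bookmark_withoutpw") {
		$URL .= "protocol=$protocol&amp;ftpserver=$ftpserver&amp;ftpserverport=$ftpserverport&amp;sshfingerprint=$sshfingerprint&amp;username=$username&amp;language=$language&amp;skin=$skin&amp;ftpmode=$ftpmode&amp;passivemode=$passivemode&amp;viewmode=$viewmode&amp;sort=$sort&amp;sortorder=$sortorder&amp;state=login_small&amp;state2=bookmark&amp;go_to_state=$state_html&amp;go_to_state2=$state2_html&amp;directory=$directory_html&amp;entry=$entry_html" . $privacy_params;
	}
// Jupload java applet: the cookie information is added to the page using javascript (/skins/blue/jupload1.template.php)
	elseif ($case == "jupload") {
		$URL .= "protocol=$protocol&ftpserver=$ftpserver&ftpserverport=$ftpserverport&sshfingerprint=$sshfingerprint&username=$username&language=$language&skin=$skin&ftpmode=$ftpmode&passivemode=$passivemode&directory=$directory_html&state=jupload&screen=2" . $privacy_params;
	}
	elseif ($case == "view") {
		$URL .= "protocol=$protocol&ftpserver=$ftpserver&ftpserverport=$ftpserverport&sshfingerprint=$sshfingerprint&username=$username&language=$language&skin=$skin&ftpmode=$ftpmode&passivemode=$passivemode&viewmode=$viewmode&sort=$sort&sortorder=$sortorder&state=$state_html&state2=image&directory=$directory_html&entry=$entry_html" . $privacy_params;
	}
	elseif ($case == "createDirectoryTreeWindow") {
		$URL = $net2ftp_globals["application_rootdir_url"] . "/index.php";
	}
// Change skin
	elseif ($case == "defaultskin") {
		$default_skin = urlEncode2($net2ftp_settings["default_skin"]);
		$URL .= "protocol=$protocol&ftpserver=$ftpserver&ftpserverport=$ftpserverport&sshfingerprint=$sshfingerprint&username=$username&language=$language&skin=$default_skin&ftpmode=$ftpmode&passivemode=$passivemode&viewmode=$viewmode&sort=$sort&sortorder=$sortorder&state=$state_html&state2=$state2_html&directory=$directory_html&entry=$entry_html" . $privacy_params;
	}

	return $URL;

} // End function printPHP_SELF

// **                                                                                  **
// **                                                                                  **
// **************************************************************************************
// **************************************************************************************





// **************************************************************************************
// **************************************************************************************
// **                                                                                  **
// **                                                                                  **

function checkAuthorization($ftpserver, $ftpserverport, $directory, $username) {

// --------------
// This function checks if
// 1) the user is a real person using the captcha
// 2) the user's country (derived from the user's IP address) in the list of banned countries
// 3) the user's IP address is in the database table of anonymizer services (VPN, proxy, Tor exits)
// 4) the user's IP address is in the list of allowed IP addresses
// 5) the user's IP address is in the list of banned IP addresses
// 6) the FTP server's country (derived from the FTP server's IP address) in the list of banned countries
// 7) the FTP server is in the list of those that may be accessed
// 8) the FTP server is in the list of those that may NOT be accessed
// 9) the FTP server port is in the allowed range
// 10) the directory is authorised: whether the current $directory name contains a banned keyword.
// 11) the privacy policies (checkboxes on the login screen) were accepted
// If all is OK, then the user may continue...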
400// -------------- 401 402// ------------------------------------------------------------------------- 403// Global variables 404// ------------------------------------------------------------------------- 405 global $net2ftp_globals, $net2ftp_settings, $net2ftp_result, $_POST; 406 407 408// ------------------------------------------------------------------------- 409// Connect to the database 410// ------------------------------------------------------------------------- 411 if ($net2ftp_settings["use_database"] == "yes") { 412 net2ftp_connect_db(); 413 if ($net2ftp_result["success"] == false) { return false; } 414 } 415 416 417// ------------------------------------------------------------------------- 418// Convert the user's IP address to a number ($user_ip_number) 419// Look up the FTP server's IP address and convert it to a number too ($ftpserver_ip_number) 420// ------------------------------------------------------------------------- 421 422// ---------------------------- 423// Determine user's IP 424// ---------------------------- 425 $user_ipaddress_number = Dot2LongIP($net2ftp_globals["REMOTE_ADDR"]); 426 427// ---------------------------- 428// Determine FTP server's IP 429// Note that $ftpserver can be a hostname or an IP address 430// ---------------------------- 431 if ($ftpserver != "") { 432 $ftpserver_filtered = filter_var($ftpserver, FILTER_VALIDATE_IP); 433// FTP server is an IP address already 434 if ($ftpserver_filtered == $ftpserver) { 435 $ftpserver_ipaddress_number = Dot2LongIP($ftpserver); 436 $net2ftp_globals["ftpserver_ipaddress"] = $ftpserver; 437 } 438// FTP server is a hostname 439 else { 440 $ftpserver_clean = trim($ftpserver . 
'.'); 441 $ftpserver_ipaddress = gethostbyname($ftpserver_clean); 442// Set ftpserver_ip to blank if IP address lookup failed 443 if ($ftpserver_ipaddress == $ftpserver_clean) { 444 $ftpserver_ipaddress = ""; 445 $ftpserver_ipaddress_number = ""; 446 $net2ftp_globals["ftpserver_ipaddress"] = ""; 447 } 448 else { 449 $ftpserver_ipaddress_number = Dot2LongIP($ftpserver_ipaddress); 450 $net2ftp_globals["ftpserver_ipaddress"] = $ftpserver_ipaddress; 451 } 452 } 453 } // end if ($ftpserver != "") 454 else { 455 $net2ftp_globals["ftpserver_ipaddress"] = ""; 456 $net2ftp_globals["ftpserver_country"] = ""; 457 } 458 459// ------------------------------------------------------------------------- 460// 1) Check if the user is a real person using the captcha 461// ------------------------------------------------------------------------- 462 463 if ($net2ftp_settings["use_captcha"] == "yes" && $net2ftp_globals["state"] != "serverfingerprint") { 464// User comes from login screen; send request to Google 465// https://www.kaplankomputing.com/blog/tutorials/recaptcha-php-demo-tutorial/ 466// How to solve file_get_contents errors and setup openssl 467// https://stackoverflow.com/questions/26148701/file-get-contents-ssl-operation-failed-with-code-1-and-more 468// On Ubuntu 16.04, this worked: prioritize IPv4 over IPv6 in /etc/gai.conf 469 470// When user submits login form and goes to browse screen, send captcha info to Google 471// Skip this when user reloads browse screen after logging in, to avoid captcha errors (Google returns error if captcha is sent a 2nd time) 472 if (isset($_POST["g-recaptcha-response"]) == true && (isset($_SESSION["captcha"]) == false || $_SESSION["captcha"] != "OK")) { 473 $response = $_POST["g-recaptcha-response"]; 474 $url = 'https://www.google.com/recaptcha/api/siteverify'; 475 $data = array( 476 'secret' => $net2ftp_settings["recaptcha_secretkey"], 477 'response' => $response 478 ); 479 $options = array( 480 'http' => array( 481 'header' => 
'Content-Type: application/x-www-form-urlencoded\r\n', 482 'method' => 'POST', 483 'content' => http_build_query($data) 484 ) 485 ); 486 $context = stream_context_create($options); 487 $verify = file_get_contents($url, false, $context); 488 if ($verify === false) { 489 $errormessage = __("Connection from net2ftp server to Google captcha server failed"); 490 setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__); 491 return false; 492 } 493 $captcha_success = json_decode($verify); 494 if ($captcha_success->success == false) { 495 $_SESSION["captcha"] = "Error"; 496 $errormessage = __("Captcha check failed on the login screen. Please return to the login screen and tick the 'I'm not a robot' checkbox before clicking on the 'Login' button."); 497 setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__); 498 return false; 499 } 500 else if ($captcha_success->success == true) { 501 $_SESSION["captcha"] = "OK"; 502 } 503 } 504 505// User comes from another screen 506 else { 507 if ($_SESSION["captcha"] != "OK") { 508 $errormessage = __("Captcha check failed in the session. 
Please return to the login screen and tick the 'I'm not a robot' checkbox before clicking on the 'Login' button."); 509 setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__); 510 return false; 511 } 512 } 513 } // end if ($net2ftp_settings["use_captcha"] == "yes") 514 515 516// ------------------------------------------------------------------------- 517// 2) Check if the user's country (derived from the user's IP address) in the list of banned countries 518// ------------------------------------------------------------------------- 519 520 if ($net2ftp_settings["use_geoblocking"] == "yes") { 521 522// Determine the user's country based on his IP address 523 $sqlquery2 = "SELECT * FROM ip2location_db1 WHERE ip_to >= $user_ipaddress_number LIMIT 1;"; 524 $result2 = mysqli_query($net2ftp_globals["mysqli_link"], "$sqlquery2"); 525 if ($result2 == false) { 526 setErrorVars(false, "Unable to execute SQL SELECT query (checkAuthorization > sqlquery2) <br /> $sqlquery2", debug_backtrace(), __FILE__, __LINE__); 527 return false; 528 } 529 530 $resultRow2 = mysqli_fetch_object($result2); 531 $user_country_code = $resultRow2->country_code; 532 $user_country_name = $resultRow2->country_name; 533 $net2ftp_globals["user_country"] = $user_country_code; 534 535 mysqli_free_result($result2); 536 537// Check if user's country is allowed or blocked 538 for ($i = 1; $i <= sizeof($net2ftp_settings["geoblock"]); $i++) { 539 if ($user_country_code == $net2ftp_settings["geoblock"][$i]) { 540 setErrorVars(false, " 541The European Union's \"General Data Protection Regulation\" (GDPR) has taken effect on May 25th 2018. 542Even though the intentions of this law are good, some points are still unclear or difficult to implement. 
543The fines for non-compliance are up to 20 million Euro, not to mention lawyer fees.<br /><br /> 544 545Even though net2ftp is mostly compliant with the GDPR requirements, 546it makes no sense for any business to provide a service free of charge when the risks are that high. 547We have decided to stop offering services to users from the 27 EU countries (including Britain), 548Croatia, Iceland, Liechtenstein and Switzerland, and also block connections to servers in these countries.<br /><br /> 549 550You are seeing this message because we have detected that you are visiting this website from 551$user_country_name (derived from your IP address " . $net2ftp_globals["REMOTE_ADDR"] . "). 552 ", debug_backtrace(), __FILE__, __LINE__); 553 return false; 554 } 555 } 556 557 } // end if($net2ftp_settings["use_geoblocking"] 558 559// ------------------------------------------------------------------------- 560// 3) Check if the user's IP address is in the database table of anonymizer services (VPN, proxy, Tor exits) 561// ------------------------------------------------------------------------- 562 563 if ($net2ftp_settings["use_geoblocking"] == "yes") { 564 565 $sqlquery3 = "SELECT * FROM ip2location_px1 WHERE ip_from <= $user_ipaddress_number AND ip_to >= $user_ipaddress_number LIMIT 1;"; 566 567 $result3 = mysqli_query($net2ftp_globals["mysqli_link"], "$sqlquery3"); 568 if ($result3 == false) { 569 setErrorVars(false, "Unable to execute SQL SELECT query (checkAuthorization > sqlquery3) <br /> $sqlquery3", debug_backtrace(), __FILE__, __LINE__); 570 return false; 571 } 572 573 $nrofrows3 = mysqli_num_rows($result3); 574 575 mysqli_free_result($result3); 576 577 if ($nrofrows3 > 0) { 578 setErrorVars(false, " 579The European Union's \"General Data Protection Regulation\" (GDPR) has taken effect on May 25th 2018. 580Even though the intentions of this law are good, some points are still unclear or difficult to implement. 
581The fines for non-compliance are up to 20 million Euro, not to mention lawyer fees.<br /><br /> 582 583Even though net2ftp is mostly compliant with the GDPR requirements, 584it makes no sense for any business to provide a service free of charge when the risks are that high. 585We have decided to stop offering services to users from the 27 EU countries (including Britain), 586Croatia, Iceland, Liechtenstein and Switzerland, and also block connections to servers in these countries.<br /><br /> 587 588You are seeing this message because we have detected that you are visiting this website using 589an anonymizing service (VPN, proxy, Tor) (derived from your IP address " . $net2ftp_globals["REMOTE_ADDR"] . "). 590 ", debug_backtrace(), __FILE__, __LINE__); 591 return false; 592 } 593 594 } // end if($net2ftp_settings["use_geoblocking"] 595 596 597// ------------------------------------------------------------------------- 598// 4) Check if the user's IP address is in the list of allowed IP addresses 599// ------------------------------------------------------------------------- 600 if ($net2ftp_settings["allowed_addresses"][1] != "ALL") { 601 $result4 = false; 602 for ($i=1; $i<=sizeof($net2ftp_settings["allowed_addresses"]); $i++) { 603 if (checkIPinNetwork($net2ftp_globals["REMOTE_ADDR"], $net2ftp_settings["allowed_addresses"][$i]) == true) { $result4 = true; break 1; } 604 } 605 if ($result4 == false) { 606 $errormessage = __("Your IP address (%1\$s) is not in the list of allowed IP addresses.", $net2ftp_globals["REMOTE_ADDR"]); 607 setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__); 608 return false; 609 } 610 } 611 612 613// ------------------------------------------------------------------------- 614// 5) Check if the user's IP address is in the list of banned IP addresses 615// ------------------------------------------------------------------------- 616 if (isset($net2ftp_settings["banned_addresses"][1]) == true && 
$net2ftp_settings["banned_addresses"][1] != "NONE") { 617 $result5 = false; 618 for ($i=1; $i<=sizeof($net2ftp_settings["banned_addresses"]); $i++) { 619 if (checkIPinNetwork($net2ftp_globals["REMOTE_ADDR"], $net2ftp_settings["banned_addresses"][$i]) == true) { $result5 = true; break 1; } 620 } 621 if ($result5 == true) { 622 $errormessage = __("Your IP address (%1\$s) is in the list of banned IP addresses.", $net2ftp_globals["REMOTE_ADDR"]); 623 setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__); 624 return false; 625 } 626 } 627 628 629// ------------------------------------------------------------------------- 630// 6) Check if the FTP server's country (derived from the FTP server's IP address) in the list of banned countries 631// ------------------------------------------------------------------------- 632 633 if ($ftpserver != "" && $net2ftp_settings["use_geoblocking"] == "yes") { 634 635// Determine the FTP server's country based on his IP address 636 $sqlquery6 = "SELECT * FROM ip2location_db1 WHERE ip_to >= $ftpserver_ipaddress_number LIMIT 1;"; 637 638 $result6 = mysqli_query($net2ftp_globals["mysqli_link"], "$sqlquery6"); 639 if ($result6 == false) { 640 setErrorVars(false, "Unable to execute SQL SELECT query (checkAuthorization > sqlquery6) <br /> $sqlquery6", debug_backtrace(), __FILE__, __LINE__); 641 return false; 642 } 643 644 $resultRow6 = mysqli_fetch_object($result6); 645 $ftpserver_country_code = $resultRow6->country_code; 646 $ftpserver_country_name = $resultRow6->country_name; 647 $net2ftp_globals["ftpserver_country"] = $ftpserver_country_code; 648 649 mysqli_free_result($result6); 650 651// Check if user's country is allowed or blocked 652 for ($i = 1; $i <= sizeof($net2ftp_settings["geoblock"]); $i++) { 653 if ($ftpserver_country_code == $net2ftp_settings["geoblock"][$i]) { 654 setErrorVars(false, " 655The European Union's \"General Data Protection Regulation\" (GDPR) has taken effect on May 25th 2018. 
656Even though the intentions of this law are good, some points are still unclear or difficult to implement. 657The fines for non-compliance are up to 20 million Euro, not to mention lawyer fees.<br /><br /> 658 659Even though net2ftp is mostly compliant with the GDPR requirements, 660it makes no sense for any business to provide a service free of charge when the risks are that high. 661We have decided to stop offering services to users from the 27 EU countries (including Britain), 662Croatia, Iceland, Liechtenstein and Switzerland, and also block connections to servers in these countries.<br /><br /> 663 664You are seeing this message because we have detected that you are trying to connect to a server in 665$ftpserver_country_name (derived from the server's IP address " . $ftpserver_ipaddress . "). 666 ", debug_backtrace(), __FILE__, __LINE__); 667 return false; 668 } 669 } // end for 670 671 } // end if($ftpserver ... $net2ftp_settings["use_geoblocking"] 672 673 674// ------------------------------------------------------------------------- 675// 7) Check if the FTP server is in the list of those that may be accessed 676// ------------------------------------------------------------------------- 677 if ($net2ftp_settings["allowed_ftpservers"][1] != "ALL") { 678 $result7 = array_search($ftpserver, $net2ftp_settings["allowed_ftpservers"]); 679 if ($result7 == false) { 680 $errormessage = __("The FTP server <b>%1\$s</b> is not in the list of allowed FTP servers.", $ftpserver); 681 setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__); 682 return false; 683 } 684 } 685 686 687// ------------------------------------------------------------------------- 688// 8) Check if the FTP server is in the list of those that may NOT be accessed 689// ------------------------------------------------------------------------- 690 if (isset($net2ftp_settings["banned_ftpservers"][1]) == true && $net2ftp_settings["banned_ftpservers"][1] != "NONE") { 691 $result8 = 
array_search($ftpserver, $net2ftp_settings["banned_ftpservers"]); 692 if ($result8 != false) { 693 $errormessage = __("The FTP server <b>%1\$s</b> is in the list of banned FTP servers.", $ftpserver); 694 setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__); 695 return false; 696 } 697 } 698 699 700// ------------------------------------------------------------------------- 701// 9) Check if the FTP server port is OK 702// ------------------------------------------------------------------------- 703// Do not perform this check if ALL ports are allowed 704 if ($net2ftp_settings["allowed_ftpserverport"] != "ALL" ) { 705// Report the error if another port nr has been entered than the one which is allowed 706 if ($ftpserverport != $net2ftp_settings["allowed_ftpserverport"]) { 707 $errormessage = __("The FTP server port %1\$s may not be used.", $ftpserverport); 708 setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__); 709 return false; 710 } 711 } 712 713// ------------------------------------------------------------------------- 714// 10) Check if the directory is authorised: whether the current $directory name contains a banned keyword. 715// The rootdirectory is first checked for the current user; if this is not set, 716// the default rootdirectory is checked. 
717// ------------------------------------------------------------------------- 718 $result10 = checkAuthorizedDirectory($directory); 719 if ($result10 == false) { 720 $net2ftp_globals["directory_html"] = htmlEncode2($net2ftp_globals["directory"]); 721 $net2ftp_globals["directory_js"] = javascriptEncode2($net2ftp_globals["directory"]); 722 if (strlen($net2ftp_globals["directory"]) > 0) { $net2ftp_globals["printdirectory"] = $net2ftp_globals["directory"]; } 723 else { $net2ftp_globals["printdirectory"] = "/"; } 724 } 725 726// ------------------------------------------------------------------------- 727// 11) Check if the privacy policies were accepted 728// ------------------------------------------------------------------------- 729 if ($net2ftp_globals["state"] != "login" && $net2ftp_globals["state"] != "login_small" && $net2ftp_globals["state"] != "homepage" && $net2ftp_globals["state"] != "clearcookies") { 730 for ($i=1; $i<=10; $i++) { 731 if (isset($net2ftp_settings["privacy_policy_" . $i]) && $net2ftp_settings["privacy_policy_" . $i] != "") { 732 if ($net2ftp_globals["privacy" . 
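$i] != 1) {
				$errormessage = __("Please agree to all privacy policies.");
				setErrorVars(false, $errormessage, debug_backtrace(), __FILE__, __LINE__);
				return false;
			}
		}
	} // end for
	}

// -------------------------------------------------------------------------
// If everything is OK, return true
// -------------------------------------------------------------------------
	return true;

} // end checkAuthorization

// **                                                                                  **
// **************************************************************************************
// **************************************************************************************



// **************************************************************************************
// **************************************************************************************
// **                                                                                  **

function Dot2LongIP($IPaddress) {

// --------------
// Converts a dotted-quad IPv4 address to the unsigned integer form used for
// the ip2location range lookups (ip_from <= n AND ip_to >= n).
//
// Returns 0 for an empty address, for the IPv6 loopback "::1" and for anything
// else that is not a well-formed IPv4 address (other IPv6 addresses, host
// names, truncated or padded input). The previous implementation split on "."
// and did the arithmetic by hand, which raised undefined-offset notices and
// produced a meaningless number for IPv6 or malformed input. The result is
// presumably what ends up as $user_ipaddress_number / $ftpserver_ipaddress_number
// in checkAuthorization(), where it is interpolated straight into SQL, so this
// function must never return anything other than a number.
// --------------

	if ($IPaddress === null || $IPaddress === "" || !is_string($IPaddress)) { return 0; }

	// ip2long() only accepts complete dotted-quad IPv4 addresses and returns
	// false for everything else (including "::1" and other IPv6 forms).
	$long = ip2long($IPaddress);
	if ($long === false) { return 0; }

	// On 32-bit builds ip2long() returns a signed value for addresses above
	// 127.255.255.255; normalise to the 0..4294967295 range the tables use.
	if ($long < 0) { $long += 4294967296; }

	return $long;

} // end function Dot2LongIP

// **                                                                                  **
// **************************************************************************************
// **************************************************************************************



// **************************************************************************************
// **************************************************************************************
// **                                                                                  **

function checkAuthorizedDirectory($directory) {

// --------------
// Returns false when the directory name contains one of the keywords listed in
// $net2ftp_settings["banned_keywords"], true otherwise. The actual test lives
// in checkAuthorizedName(); this wrapper only gives directory-handling code a
// matching entry point.
//
// NOTE(review): at the step-10 call site in checkAuthorization() a false result
// is used only to set the directory display variables and does not abort the
// request. Confirm whether the banned-keyword check is meant to be enforced
// there (i.e. whether a return false is missing after it).
// --------------

	return checkAuthorizedName($directory);

} // end checkAuthorizedDirectory

// **                                                                                  **
// **************************************************************************************
// **************************************************************************************



// **************************************************************************************
// **************************************************************************************
// **                                                                                  **

function checkAuthorizedName($dirfilename) {

// --------------
// Checks whether a directory/file/symlink name contains a forbidden keyword.
// Returns true when the name is allowed, false when it is banned.
//
// Configuration: $net2ftp_settings["banned_keywords"] is a 1-based list; when
// entry [1] is absent or the literal "NONE" no filtering is done. The match is
// a case-sensitive substring test (strpos), as before.
//
// Changes from the original:
// - every configured keyword is visited with foreach instead of assuming the
//   keys are exactly 1..sizeof(), so a sparse or 0-based list cannot cause an
//   undefined-offset notice or skip an entry;
// - empty or non-string keywords are ignored, because strpos() with an empty
//   needle returns 0 on PHP 8 (banning every name) and a warning on PHP 7;
// - a non-scalar name (for example an array smuggled in via a request
//   parameter) is rejected outright instead of being passed to strpos().
// --------------

	global $net2ftp_settings;

	if (!isset($net2ftp_settings["banned_keywords"][1]) || $net2ftp_settings["banned_keywords"][1] === "NONE") {
		return true;
	}

	if ($dirfilename === null) { $dirfilename = ""; }
	elseif (!is_scalar($dirfilename)) { return false; }
	$dirfilename = (string) $dirfilename;

	foreach ($net2ftp_settings["banned_keywords"] as $keyword) {
		if (!is_string($keyword) || $keyword === "") { continue; }
		if (strpos($dirfilename, $keyword) !== false) { return false; }
	}

	return true;

} // end checkAuthorizedName

// **                                                                                  **
// **************************************************************************************
// **************************************************************************************



// **************************************************************************************
// **************************************************************************************
// **                                                                                  **

function isSubdirectory($parentdir, $childdir) {

// --------------
// Returns true if $childdir lies strictly inside $parentdir, false otherwise.
// This is used as a confinement check, so the comparison must be byte-exact.
//
// Rules:
// - An empty (or null) parent, "/" or "\" contains everything: returns true.
// - After stripDirectory() has removed leading and trailing slashes from both
//   names, the child must start with the whole parent name AND the character
//   right after it must be a separator ("/" or "\"), so that /home/abcd is
//   NOT treated as inside /home/abc.
// - A directory is not its own subdirectory: with no character after the
//   parent prefix the function returns false. NOTE(review): callers that must
//   allow the root directory itself presumably test for equality separately;
//   confirm before relying on this.
//
// Why strict comparisons: PHP's == compares numeric-looking strings as numbers
// ("0123" == "123" is true), which would let a child path be accepted under a
// different parent when both names happen to look numeric.
// --------------

	if ($parentdir === null || $parentdir === "" || $parentdir === "/" || $parentdir === "\\") { return true; }

	$parent = stripDirectory($parentdir);
	$child  = stripDirectory($childdir);
	$parent_length = strlen($parent);

// The child must begin with the complete parent name ...
	if (substr($child, 0, $parent_length) !== $parent) { return false; }

// ... and the next character must be a path separator. When the names are
// identical there is no next character (substr yields "" or false), so the
// result is false.
	$separator = substr($child, $parent_length, 1);
	return ($separator === "/" || $separator === "\\");

} // end isSubdirectory

// **                                                                                  **
// **************************************************************************************
// **************************************************************************************



// **************************************************************************************
// **************************************************************************************
// **                                                                                  **

function constantTimeEquals($known, $user) {

// --------------
// Compares two strings for equality without stopping at the first differing
// byte, so the time taken does not reveal how much of the secret matched.
// Both arguments must be strings; anything else (missing value, array) is
// reported as not equal. Uses hash_equals() when the PHP build provides it
// (5.6+) and a plain XOR-accumulating loop otherwise.
// --------------

	if (!is_string($known) || !is_string($user)) { return false; }

	if (function_exists("hash_equals")) { return hash_equals($known, $user); }

	$known_length = strlen($known);
	if ($known_length !== strlen($user)) { return false; }

	$difference = 0;
	for ($i = 0; $i < $known_length; $i++) {
		$difference |= ord($known[$i]) ^ ord($user[$i]);
	}
	return ($difference === 0);

} // end constantTimeEquals

// **                                                                                  **
// **************************************************************************************
// **************************************************************************************



// **************************************************************************************
// **************************************************************************************
// **                                                                                  **

function checkAdminUsernamePassword() {

// --------------
// Checks the Administrator username and password submitted via POST
// (input_admin_username / input_admin_password) against
// $net2ftp_settings["admin_username"] and ["admin_password"].
// If either value is missing or wrong, a header() redirect to the login_small
// page is sent with a translated error message, $net2ftp_result["exit"] is set
// to true and false is returned. Returns true only when both match.
//
// Security notes:
// - The credentials are compared with constantTimeEquals() (strict and
//   constant-time). The original used !=, which compares numeric-looking
//   strings numerically ("1e3" != "1000" is false), so a wrong password could
//   be accepted. Both comparisons are always evaluated so the response time
//   does not reveal whether the username alone was correct.
// - Only plain strings are accepted from $_POST; a missing field or an array
//   (input_admin_password[]=x) counts as "not filled in".
// - All values placed in the redirect URL are URL-encoded, so a state value
//   containing "&" or "#" cannot inject extra query parameters. PHP's header()
//   already refuses CR/LF, so this is about URL structure, not header injection.
// - NOTE(review): admin_password is a clear-text setting. Storing a
//   password_hash() digest and checking it with password_verify() would be
//   preferable, but that needs a settings-format change outside this file.
// --------------

	global $net2ftp_globals, $net2ftp_settings, $net2ftp_result;

	$input_admin_username = (isset($_POST["input_admin_username"]) && is_string($_POST["input_admin_username"])) ? $_POST["input_admin_username"] : "";
	$input_admin_password = (isset($_POST["input_admin_password"]) && is_string($_POST["input_admin_password"])) ? $_POST["input_admin_password"] : "";

	$errormessage = "";

	// No username or password filled in
	if ($input_admin_username === "" || $input_admin_password === "") {
		$errormessage = __("You did not enter your Administrator username or password.");
	}
	// Wrong username or password
	else {
		$username_ok = constantTimeEquals((string) $net2ftp_settings["admin_username"], $input_admin_username);
		$password_ok = constantTimeEquals((string) $net2ftp_settings["admin_password"], $input_admin_password);
		if (!$username_ok || !$password_ok) {
			$errormessage = __("Wrong username or password. Please try again.");
		}
	}

	// Redirect the user to the login_small page and tell the caller to stop
	if ($errormessage !== "") {
		$query = http_build_query(array(
			"state"        => "login_small",
			"state2"       => "admin",
			"go_to_state"  => (string) $net2ftp_globals["state"],
			"go_to_state2" => (string) $net2ftp_globals["state2"],
			"errormessage" => htmlEncode2($errormessage),
		), "", "&");
		header("Location: " . $net2ftp_globals["action_url"] . "?" . $query);
		$net2ftp_result["exit"] = true;
		return false;
	}

	return true;

} // end checkAdminUsernamePassword()

// **                                                                                  **
// **************************************************************************************
// **************************************************************************************

// No closing ?> tag: any whitespace after it would be sent as output and break
// the header() redirect above ("headers already sent").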