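<?php
/*
* Copyright 2014-2025 GPLv3, Open Crypto Tracker by Mike Kilday: [email protected] (leave this copyright / attribution intact in ALL forks / copies!)
*/
/*
 * Admin entry point. Top-to-bottom, first matching branch wins:
 *   1. bounce any URL that does not name admin.php onto admin.php,
 *   2. set the runtime flags that must exist before app-lib/php/init.php is required,
 *   3. stop if init.php flagged a possible input injection,
 *   4. registration prompt (approved password reset, or no stored admin login),
 *   5. login prompt when the admin is not logged in,
 *   6. main admin page, or a nonce-checked iframe page,
 *   7. otherwise log and report a missing / expired nonce.
 *
 * Every request-derived value that is reflected into HTML below is passed through
 * htmlspecialchars(); nothing else about the dispatch order was changed.
 */

// MAY HELP, SINCE WE USE SAMESITE=STRICT COOKIES (ESPECIALLY ON SERVERS WITH DOMAIN REDIRECTS)
if ( !preg_match("/admin\.php/i", $_SERVER['REQUEST_URI']) ) {
    header("Location: admin.php");
    exit;
}

// Runtime mode
$runtime_mode = 'ui';
$is_admin = true;

// The $is_iframe flag (if required) has to be toggled before init.php
// (no need for security checks here, we are just saying if this is an iframe)
if (
    (isset($_GET['section']) && trim($_GET['section']) != '')
    || (isset($_GET['subsection']) && trim($_GET['subsection']) != '')
    || (isset($_GET['plugin']) && trim($_GET['plugin']) != '')
) {
    $is_iframe = true;
}

require("app-lib/php/init.php");

// Nonce presented for iframe pages; defaults to '' so a request that names a
// section/plugin but omits the nonce does not raise an undefined-index warning.
// NOTE(review): assumes pass_sec_check() rejects '' exactly as it rejected null — confirm.
$iframe_nonce_param = isset($_GET['iframe_nonce']) ? $_GET['iframe_nonce'] : '';

// Security monitoring
if ( $ct['possible_input_injection'] ) {
    // Both values below are reflected into the page: REQUEST_URI is fully
    // attacker-controlled and interface_id comes straight from the POST body,
    // so each is HTML-escaped before use in an attribute / text context.
    // NOTE(review): assumes key_to_name() accepts '' for a missing id — confirm.
    $failed_section = htmlspecialchars(
        (string) $ct['gen']->key_to_name(isset($_POST['interface_id']) ? $_POST['interface_id'] : ''),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    $return_url = htmlspecialchars($base_url . $_SERVER['REQUEST_URI'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $security_error_ui = 'Possible code injection attack stopped, please DO NOT attempt to inject scripting or HTML into user inputs.<br /><br />Updating of admin section "' . $failed_section . '" FAILED.<br /><br /><a href="' . $return_url .'" style="font-weight: bold;">Return To The Previous Page</a>';
    echo '<style>html,body,a{color:red;}</style>' . $security_error_ui;
    // Log errors before exiting
    // WE ALREADY QUEUED THE ERROR LOG ENTRY FOR THIS ISSUE IN: $ct['gen']->malware_scan_string()
    $ct['cache']->app_log();
    exit;
}
// If an activated password reset is in progress or no admin login has been set yet, prompt user to create an admin user / pass
elseif ( $password_reset_approved || !is_array($stored_admin_login) ) {
    require("templates/interface/php/admin/admin-login/register.php");
    exit;
}
// If NOT logged in (loose falsy check, same as the original `== false`)
elseif ( !$ct['gen']->admin_logged_in() ) {
    require("templates/interface/php/admin/admin-login/login.php");
    exit;
}
// Otherwise, let the admin interface show...
// Main admin page
elseif ( !isset($_GET['plugin']) && !isset($_GET['iframe_nonce']) ) {
    require("templates/interface/php/wrap/header.php");
    require("templates/interface/php/admin/admin-elements/admin-page-main.php");
    require("templates/interface/php/wrap/footer.php");
}
// Iframe admin pages: each candidate key must be non-blank AND carry a nonce bound to that key
elseif (
    (isset($_GET['section']) && trim($_GET['section']) != '' && $ct['gen']->pass_sec_check($iframe_nonce_param, 'iframe_' . $_GET['section']))
    || (isset($_GET['subsection']) && trim($_GET['subsection']) != '' && $ct['gen']->pass_sec_check($iframe_nonce_param, 'iframe_' . $_GET['subsection']))
    || (isset($_GET['plugin']) && trim($_GET['plugin']) != '' && $ct['gen']->pass_sec_check($iframe_nonce_param, 'iframe_' . $_GET['plugin']))
) {
    require("templates/interface/php/admin/admin-elements/admin-page-iframe.php");
}
else {
    $security_error = 'Admin nonce expired / incorrect (from ' . $ct['remote_ip'] . '), try reloading the app';
    // The log keeps the raw message; only the echoed copy is escaped
    // (remote_ip is reflected here and may not be trustworthy text).
    $ct['gen']->log('security_error', $security_error);
    echo '<style>html,body,a{color:red;}</style>' . htmlspecialchars($security_error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '.';
    // Log errors before exiting
    $ct['cache']->app_log();
    exit;
}

// No closing PHP tag on purpose: a PHP-only file that omits it can never emit
// stray trailing whitespace ahead of headers or cookies.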