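<?php
/**
 * Modules
 *
 * Warehouse header
 * Get requested program / modname, if allowed
 * Warehouse footer
 *
 * Front controller for the files under modules/: the requested `modname`
 * is only required after it has matched either a fixed allowlist of misc/
 * scripts or one of the programs present in the generated Menu. Anything
 * else is handed to HackingLog() instead of being loaded.
 *
 * @package RosarioSIS
 */

require_once 'Warehouse.php';

// If no modname found, go back to index.
// A non-string value (eg. modname[]=x) is treated the same way: every check
// below passes $modname to string functions, which throw a TypeError on an
// array under PHP 8 before the allowlist is even consulted.
if ( empty( $_REQUEST['modname'] )
	|| ! is_string( $_REQUEST['modname'] ) )
{
	header( 'Location: index.php' );
	exit();
}

$modname = $_REQUEST['modname'];

if ( ! isset( $_REQUEST['modfunc'] ) )
{
	$_REQUEST['modfunc'] = false;
}

$_ROSARIO['page'] = 'modules';

// Save $_REQUEST vars in session: used to recreate $_REQUEST in Bottom.php.
// Not saved for PDF output, the LO_save flow, the Saved Reports page, nor for
// misc/ pages except the three listed below.
$is_misc_page = mb_strpos( $modname, 'misc/' ) !== false;

$misc_pages_saved = array(
	'misc/Portal.php',
	'misc/Registration.php',
	'misc/Export.php',
);

if ( ! isset( $_REQUEST['_ROSARIO_PDF'] )
	&& empty( $_REQUEST['LO_save'] )
	&& ( ! $is_misc_page
		|| in_array( $modname, $misc_pages_saved, true ) )
	&& $modname !== 'Reports/SavedReports.php' )
{
	$_SESSION['_REQUEST_vars'] = $_REQUEST;
}

// Set Popup window detection.
isPopup( $modname, $_REQUEST['modfunc'] );

// Output Header HTML.
Warehouse( 'header' );

/**
 * FJ security fix, cf http://www.securiteam.com/securitynews/6S02U1P6BI.html
 * allow PHP scripts in misc/ one by one in place of the whole folder.
 *
 * Strict comparison: $modname is known to be a string at this point.
 */
$allowed = in_array(
	$modname,
	array(
		'misc/ChooseRequest.php',
		'misc/ChooseCourse.php',
		'misc/Portal.php',
		'misc/ViewContact.php',
	),
	true
);

// Browse allowed programs and look for requested modname.
if ( ! $allowed )
{
	// Generate Menu.
	require_once 'Menu.php';

	// Hoisted out of the loop; QUERY_STRING may be unset outside a web request.
	$query_string = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';

	foreach ( (array) $_ROSARIO['Menu'] as $modcat => $programs )
	{
		foreach ( (array) $programs as $program => $title )
		{
			// Integer keys carry no program path (presumably titles / separators).
			if ( is_int( $program ) )
			{
				continue;
			}

			// FJ fix bug URL Modules.php?modname=Student_Billing/Statements.php&_ROSARIO_PDF.
			// Match either the exact program key, or a key that begins with
			// $modname when the raw query string starts with that key right
			// after "modname=" (8 characters).
			if ( $modname === $program
				|| ( mb_strpos( $program, $modname ) === 0
					&& mb_strpos( $query_string, $program ) === 8 ) )
			{
				$allowed = true;

				// Eg: "Student_Billing/Statements.php&_ROSARIO_PDF".
				// Note: ProgramLoaded is the Menu key, while the file required
				// below is $modname; they differ in the &_ROSARIO_PDF case.
				$_ROSARIO['ProgramLoaded'] = $program;

				break 2;
			}
		}
	}
}

if ( $allowed )
{
	// Force search_modfunc to list.
	if ( Preferences( 'SEARCH' ) !== 'Y' )
	{
		$_REQUEST['search_modfunc'] = 'list';
	}
	elseif ( ! isset( $_REQUEST['search_modfunc'] ) )
	{
		$_REQUEST['search_modfunc'] = '';
	}

	// Defense in depth: the allowlist / Menu match above is the real gate.
	// This only rejects values that can never name a module file (no .php
	// suffix, or a parent-directory component). Byte-wise substr/strpos are
	// fine here since both needles are ASCII.
	if ( substr( $modname, -4, 4 ) !== '.php'
		|| strpos( $modname, '..' ) !== false
		/*|| ! is_file( 'modules/' . $modname )*/ )
	{
		require_once 'ProgramFunctions/HackingLog.fnc.php';

		HackingLog();
	}
	else
	{
		require_once 'modules/' . $modname;
	}
}
// Not allowed, hacking attempt?
// Only logged for an authenticated user; anonymous requests just get the footer.
elseif ( User( 'USERNAME' ) )
{
	require_once 'ProgramFunctions/HackingLog.fnc.php';

	HackingLog();
}

// Output Footer HTML.
Warehouse( 'footer' );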