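<?php
/**
 * Modules
 *
 * Warehouse header
 * Get requested program / modname, if allowed
 * Warehouse footer
 *
 * The requested modname is included from modules/ only when it is either in
 * the short misc/ allowlist below or is a program key of the generated Menu;
 * anything else is recorded through HackingLog().
 *
 * @package RosarioSIS
 */

require_once 'Warehouse.php';

// If no modname found, go back to index.
// A non-string value (eg. modname[]=...) cannot be a program path and would
// reach the string functions below as an array, so treat it like an empty one.
if ( empty( $_REQUEST['modname'] )
	|| ! is_string( $_REQUEST['modname'] ) )
{
	header( 'Location: index.php' );
	exit();
}

$modname = $_REQUEST['modname'];

if ( ! isset( $_REQUEST['modfunc'] ) )
{
	$_REQUEST['modfunc'] = false;
}

$_ROSARIO['page'] = 'modules';

// Save $_REQUEST vars in session: used to recreate $_REQUEST in Bottom.php.
// Skipped for PDF output, LO_save, misc/ programs (except the Portal)
// and Reports/SavedReports.php.
if ( ! isset( $_REQUEST['_ROSARIO_PDF'] )
	&& empty( $_REQUEST['LO_save'] )
	&& ( mb_strpos( $modname, 'misc/' ) === false
		|| $modname === 'misc/Portal.php' )
	&& $modname !== 'Reports/SavedReports.php' )
{
	$_SESSION['_REQUEST_vars'] = $_REQUEST;
}

// Set Popup window detection.
isPopup( $modname, $_REQUEST['modfunc'] );

// Output Header HTML.
Warehouse( 'header' );

/**
 * FJ security fix, cf http://www.securiteam.com/securitynews/6S02U1P6BI.html
 * allow PHP scripts in misc/ one by one in place of the whole folder.
 *
 * Strict comparison: an allowlist entry must match byte for byte.
 */
$allowed = in_array(
	$modname,
	[
		'misc/ChooseRequest.php',
		'misc/ChooseCourse.php',
		'misc/Portal.php',
		'misc/ViewContact.php',
	],
	true
);

// Browse allowed programs and look for requested modname.
if ( ! $allowed )
{
	// Generate Menu.
	require_once 'Menu.php';

	// @since 10.3 Fix program not found when query string is URL encoded.
	// QUERY_STRING may be absent (eg. CLI), fall back to an empty string.
	$query_string = isset( $_SERVER['QUERY_STRING'] ) ?
		urldecode( $_SERVER['QUERY_STRING'] ) :
		'';

	foreach ( (array) $_ROSARIO['Menu'] as $modcat => $programs )
	{
		foreach ( (array) $programs as $program => $title )
		{
			// Integer keys are not program paths.
			if ( is_int( $program ) )
			{
				continue;
			}

			// FJ fix bug URL Modules.php?modname=Student_Billing/Statements.php&_ROSARIO_PDF.
			// Either an exact match, or a Menu key carrying a "&..." suffix:
			// modname must be the key's prefix AND the whole key must follow
			// "modname=" (offset 8) in the decoded query string.
			if ( $modname === $program
				|| ( mb_strpos( $program, $modname ) === 0
					&& mb_strpos( $query_string, $program ) === 8 ) )
			{
				$allowed = true;

				// Eg: "Student_Billing/Statements.php&_ROSARIO_PDF".
				$_ROSARIO['ProgramLoaded'] = $program;

				break 2;
			}
		}
	}
}

if ( $allowed )
{
	// Force search_modfunc to list.
	if ( Preferences( 'SEARCH' ) !== 'Y' )
	{
		$_REQUEST['search_modfunc'] = 'list';
	}
	elseif ( ! isset( $_REQUEST['search_modfunc'] ) )
	{
		$_REQUEST['search_modfunc'] = '';
	}

	// Defense in depth: even an allowed name must end in .php and carry no
	// parent-directory segment. Byte-wise substr/strpos are intended here.
	if ( substr( $modname, -4, 4 ) !== '.php'
		|| strpos( $modname, '..' ) !== false
		/*|| ! is_file( 'modules/' . $modname )*/ )
	{
		require_once 'ProgramFunctions/HackingLog.fnc.php';

		HackingLog();
	}
	else
	{
		require_once 'modules/' . $modname;
	}
}
// Not allowed, hacking attempt?
elseif ( User( 'USERNAME' ) )
{
	require_once 'ProgramFunctions/HackingLog.fnc.php';

	HackingLog();
}

// Output Footer HTML.
Warehouse( 'footer' );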