Version 3.4.0
1. 增加了ADMIN_IP_CHECK_ENABLE与XFF_ENABLE两个选项,在有反代或负载均衡的情况下可开启XFF_ENABLE,关闭ADMIN_IP_CHECK_ENABLE 2. 修复一系列bug
This commit is contained in:
Firesun
@@ -1,6 +1,6 @@
|
||||
<?php
|
||||
define("IN_XSS_PLATFORM", true);
|
||||
require("auth.php");
|
||||
require_once("auth.php");
|
||||
?>
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
|
||||
3
api.php
3
api.php
@@ -1,8 +1,7 @@
|
||||
<?php
|
||||
error_reporting(0);
|
||||
define("IN_XSS_PLATFORM", true);
|
||||
require_once('auth.php');
|
||||
require_once("load.php");
|
||||
require_once("functions.php");
|
||||
require_once("dio.php");
|
||||
header('Content-Type: application/json');
|
||||
|
||||
|
||||
14
auth.php
14
auth.php
@@ -3,12 +3,24 @@ if (!defined('IN_XSS_PLATFORM')) {
|
||||
exit('Access Denied');
|
||||
}
|
||||
|
||||
require_once("functions.php");
|
||||
|
||||
//设置httponly
|
||||
ini_set("session.cookie_httponly", 1);
|
||||
session_start();
|
||||
|
||||
//判断登陆情况,ip和useragent是否改变,改变则强制退出
|
||||
if (!(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === $_SERVER['REMOTE_ADDR'] && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT'])) {
|
||||
if ( !(isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true && isset($_SESSION['user_agent']) && $_SESSION['user_agent'] != "" && $_SESSION['user_agent'] === $_SERVER['HTTP_USER_AGENT']) ) {
|
||||
$_SESSION['isLogin'] = false;
|
||||
$_SESSION['user_IP'] = "";
|
||||
$_SESSION['user_agent'] = "";
|
||||
session_unset();
|
||||
session_destroy();
|
||||
header("Location: login.php");
|
||||
exit();
|
||||
}
|
||||
|
||||
if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_IP'] != "" && $_SESSION['user_IP'] === getRealIP()) ) {
|
||||
$_SESSION['isLogin'] = false;
|
||||
$_SESSION['user_IP'] = "";
|
||||
$_SESSION['user_agent'] = "";
|
||||
|
||||
@@ -11,6 +11,8 @@ define("ENCRYPT_ENABLE", true); //是否加密“xss记录,封禁ip列表,js
|
||||
define("ENCRYPT_PASS", "bluelotus"); //加密密码
|
||||
define("ENCRYPT_TYPE", "RC4"); //加密方法(AES或RC4)
|
||||
define("KEEP_SESSION", true); //是否启用KEEP_SESSION功能,需要外部定时访问keepsession.php
|
||||
define("ADMIN_IP_CHECK_ENABLE", true);//是否启用管理员ip认证,启用后,当xss平台发现ip变化,将会踢出管理员要求重新登录,如果发现经常异常退出控制面板,请关闭此项认证
|
||||
define("XFF_ENABLE", false);//是否使用HTTP_X_FORWARDED_FOR的地址来代替REMOTE_ADDR,当且仅当存在反代的情况下才须开启,开启须谨慎!
|
||||
define("IPDATA_PATH", "qqwry.dat"); //ip归属地数据库地址
|
||||
|
||||
/*邮件通知相关配置*/
|
||||
|
||||
1
dio.php
1
dio.php
@@ -2,7 +2,6 @@
|
||||
if ( !defined('IN_XSS_PLATFORM') ) {
|
||||
exit('Access Denied');
|
||||
}
|
||||
require_once("load.php");
|
||||
require_once("functions.php");
|
||||
|
||||
//时间戳的正则表达式
|
||||
|
||||
@@ -121,6 +121,27 @@ function decrypt($info) {
|
||||
return $info;
|
||||
}
|
||||
|
||||
//获得访问者真实ip
|
||||
function getRealIP(){
|
||||
$ip="unknown";
|
||||
if (XFF_ENABLE) {
|
||||
foreach (array('HTTP_CLIENT_IP', 'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_FORWARDED_FOR', 'HTTP_VIA', 'HTTP_FROM', 'REMOTE_ADDR') as $v) {
|
||||
if (isset($_SERVER[$v])) {
|
||||
if (! preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/', $_SERVER[$v])) {
|
||||
continue;
|
||||
}
|
||||
$ip = $_SERVER[$v];
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
if ( isset($_SERVER['REMOTE_ADDR']) )
|
||||
$ip = $_SERVER['REMOTE_ADDR'];
|
||||
}
|
||||
return $ip;
|
||||
}
|
||||
|
||||
//基于Discuz X3.1 function_misc.php 函数已过滤,可直接输出
|
||||
function convertip($ip, $ipdatafile) {
|
||||
$ipaddr = '未知';
|
||||
|
||||
@@ -3,20 +3,19 @@ define("IN_XSS_PLATFORM", true);
|
||||
ignore_user_abort(true);
|
||||
error_reporting(0);
|
||||
|
||||
//sometimes we only need "referfer".
|
||||
//sometimes we only need "referer".
|
||||
|
||||
/*
|
||||
if(count($_GET)==0&&count($_POST)==0&&count($_COOKIE)==0)
|
||||
exit();
|
||||
*/
|
||||
header("Access-Control-Allow-Origin:*");
|
||||
require_once("load.php");
|
||||
require_once("functions.php");
|
||||
require_once("dio.php");
|
||||
|
||||
$info = array();
|
||||
|
||||
$user_IP = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "unknown";
|
||||
$user_IP = getRealIP();
|
||||
$user_port = isset($_SERVER['REMOTE_PORT']) ? $_SERVER['REMOTE_PORT'] : "unknown";
|
||||
$protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : "unknown";
|
||||
$request_method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : "unknown";
|
||||
|
||||
27
install.php
27
install.php
@@ -47,6 +47,8 @@ switch($step) {
|
||||
//输入处理:使用stripStr过滤xss,使用json_encode生成最终string
|
||||
$encrypt_enable = isset( $_POST['encrypt_enable'] ) ? true : false;
|
||||
$keep_session_enable = isset( $_POST['keep_session_enable'] ) ? true : false;
|
||||
$admin_ip_check_enable = isset( $_POST['admin_ip_check_enable'] ) ? true : false;
|
||||
$xff_enable= isset( $_POST['xff_enable'] ) ? true : false;
|
||||
$mail_enable = isset( $_POST['mail_enable'] ) ? true : false;
|
||||
|
||||
$pass = isset( $_POST['pass'] ) ? stripStr($_POST['pass']) : '';
|
||||
@@ -156,6 +158,8 @@ CONFIG;
|
||||
$config_str .= 'define("ENCRYPT_PASS", '.json_encode( $encrypt_pass).');//加密密码' . PHP_EOL;
|
||||
$config_str .= 'define("ENCRYPT_TYPE", '.json_encode( $encrypt_type).');//加密方法(AES或RC4)' . PHP_EOL;
|
||||
$config_str .= 'define("KEEP_SESSION", '.($keep_session_enable?"true":"false").');//是否启用KEEP_SESSION功能,需要外部定时访问keepsession.php' . PHP_EOL;
|
||||
$config_str .= 'define("ADMIN_IP_CHECK_ENABLE", '.($admin_ip_check_enable?"true":"false").');//是否启用管理员ip认证,启用后,当xss平台发现ip变化,将会踢出管理员要求重新登录,如果发现经常异常退出控制面板,请关闭此项认证' . PHP_EOL;
|
||||
$config_str .= 'define("XFF_ENABLE", '.($xff_enable?"true":"false").');//是否使用HTTP_X_FORWARDED_FOR的地址来代替REMOTE_ADDR,当且仅当存在反代的情况下才须开启,开启须谨慎!' . PHP_EOL;
|
||||
$config_str .= 'define("IPDATA_PATH", '.json_encode( $ipdata_path).');//ip归属地数据库地址' . PHP_EOL;
|
||||
$config_str .= 'define("MAIL_ENABLE", '.($mail_enable?"true":"false").');//开启邮件通知' . PHP_EOL;
|
||||
$config_str .= 'define("SMTP_SERVER", '.json_encode( $smtp_server).');//smtp服务器' . PHP_EOL;
|
||||
@@ -220,6 +224,8 @@ function display_setup_form( $error = null ) {
|
||||
|
||||
$encrypt_enable = isset( $_POST['encrypt_enable'] ) ? true : false;
|
||||
$keep_session_enable = isset( $_POST['keep_session_enable'] ) ? true : false;
|
||||
$admin_ip_check_enable = isset( $_POST['admin_ip_check_enable'] ) ? true : false;
|
||||
$xff_enable= isset( $_POST['xff_enable'] ) ? true : false;
|
||||
$mail_enable = isset( $_POST['mail_enable'] ) ? true : false;
|
||||
|
||||
$pass = isset( $_POST['pass'] ) ? stripStr($_POST['pass']) : 'bluelotus';
|
||||
@@ -282,7 +288,7 @@ function display_setup_form( $error = null ) {
|
||||
<tr>
|
||||
<th scope="row"><label for="encrypt_enable">启用数据加密</label></th>
|
||||
<td>
|
||||
<input type="checkbox" name="encrypt_enable" type="text" id="encrypt_enable" size="25" value="1" <?php if( !isset( $_POST['encrypt_enable'] ) || $encrypt_enable===true ) echo 'checked="checked"';?> />
|
||||
<input type="checkbox" name="encrypt_enable" type="text" id="encrypt_enable" size="25" value="1" <?php if( !isset( $_POST['pass'] ) || $encrypt_enable===true ) echo 'checked="checked"';?> />
|
||||
<p>对xss记录,js描述文件加密</p>
|
||||
</td>
|
||||
</tr>
|
||||
@@ -311,12 +317,29 @@ function display_setup_form( $error = null ) {
|
||||
<tr>
|
||||
<th scope="row"><label for="keep_session_enable">启用keepsession</label></th>
|
||||
<td>
|
||||
<input type="checkbox" name="keep_session_enable" type="text" id="keep_session_enable" size="25" value="1" <?php if(!isset( $_POST['keep_session_enable'] ) || $keep_session_enable===true) echo 'checked="checked"';?> />
|
||||
<input type="checkbox" name="keep_session_enable" type="text" id="keep_session_enable" size="25" value="1" <?php if(!isset( $_POST['pass'] ) || $keep_session_enable===true) echo 'checked="checked"';?> />
|
||||
|
||||
<p>详见README.md说明</p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<th scope="row"><label for="admin_ip_check_enable">启用管理员IP校验</label></th>
|
||||
<td>
|
||||
<input type="checkbox" name="admin_ip_check_enable" type="text" id="admin_ip_check_enable" size="25" value="1" <?php if(!isset( $_POST['pass'] ) || $admin_ip_check_enable===true) echo 'checked="checked"';?> />
|
||||
|
||||
<p>详见README.md说明</p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<th scope="row"><label for="xff_enable">使用XFF识别源ip</label></th>
|
||||
<td>
|
||||
<input type="checkbox" name="xff_enable" type="text" id="xff_enable" size="25" value="1" <?php if($xff_enable===true) echo 'checked="checked"';?> />
|
||||
<p>仅在存在反代的情况下开启</p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<th scope="row"><label for="ipdata_path">ip数据库位置</label></th>
|
||||
<td>
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
<?php
|
||||
define("IN_XSS_PLATFORM", true);
|
||||
|
||||
require_once("load.php");
|
||||
require_once("functions.php");
|
||||
require_once("dio.php");
|
||||
|
||||
@@ -23,7 +22,7 @@ if (isset($_SESSION['isLogin']) && $_SESSION['isLogin'] === true) {
|
||||
|
||||
//判断ip是否在封禁列表中
|
||||
$forbiddenIPList = loadForbiddenIPList();
|
||||
$ip = $_SERVER['REMOTE_ADDR'];
|
||||
$ip = getRealIP();
|
||||
$is_pass_wrong = false;
|
||||
if (!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip] <= 5) {
|
||||
if (isset($_POST['password']) && $_POST['password'] != "") {
|
||||
|
||||
@@ -284,7 +284,7 @@ body.rtl,
|
||||
|
||||
}
|
||||
|
||||
#encrypt_enable, #keep_session_enable, #mail_enable {
|
||||
#encrypt_enable, #keep_session_enable, #mail_enable, #xff_enable, #admin_ip_check_enable{
|
||||
margin-right: 200px;
|
||||
}
|
||||
|
||||
|
||||
2
static/css/install.min.css
vendored
2
static/css/install.min.css
vendored
@@ -1 +1 @@
|
||||
html{background:#222526;margin:0 20px}body{background:#fff;color:#444;font-family:'Microsoft YaHei',"Open Sans",sans-serif;margin:190px auto 25px;padding:20px 20px 10px 20px;max-width:600px;-webkit-font-smoothing:subpixel-antialiased;-webkit-box-shadow:0 1px 3px rgba(0,0,0,0.13);box-shadow:0 1px 3px rgba(0,0,0,0.13)}a{color:#0073aa}a:hover,a:active{color:#00a0d2}a:focus{color:#124964;-webkit-box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8);box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8)}.ie8 a:focus{outline:#5b9dd9 solid 1px}h1,h2{border-bottom:1px solid #dedede;clear:both;color:#666;font-size:24px;padding:0;padding-bottom:7px;font-weight:normal}h3{font-size:16px}p,li,dd,dt{padding-bottom:2px;font-size:14px;line-height:1.5}code,.code{font-family:'Microsoft YaHei',Consolas,Monaco,monospace}ul,ol,dl{padding:5px 5px 5px 22px}a img{border:0}abbr{border:0;font-variant:normal}fieldset{border:0;padding:0;margin:0}label{cursor:pointer}#logo{margin:-170px 0 37px 0;padding:0 0 7px 0;border-bottom:0;text-align:center}#logo a{background-image:url(../images/logo.png);-webkit-background-size:180px;background-size:180px;background-position:center top;background-repeat:no-repeat;color:#999;height:180px;width:300px;font-size:20px;font-weight:normal;line-height:1.3em;margin:-110px auto -50px;padding:0;text-decoration:none;text-indent:-9999px;outline:0;overflow:hidden;display:block}#logo a:focus{-webkit-box-shadow:none;box-shadow:none}.step{margin:20px 0 15px}.step,th{text-align:left;padding:0}.form-table{border-collapse:collapse;margin-top:1em;width:100%}.form-table td{margin-bottom:9px;padding:10px 20px 10px 0;font-size:14px;vertical-align:top}.form-table th{font-size:14px;text-align:left;padding:10px 20px 10px 0;width:140px;vertical-align:top}.form-table code{line-height:18px;font-size:14px}.form-table p{margin:4px 0 0 0;font-size:11px;display:inline}.form-table input{line-height:20px;font-size:15px;padding:3px 5px;border:1px solid #ddd;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.07);box-shadow:inset 0 1px 2px rgba(0,0,0,0.07)}input,submit{font-family:'Microsoft YaHei',"Open Sans",sans-serif}.form-table input[type=text],.form-table input[type=email],.form-table input[type=url],.form-table input[type=password]{width:206px}.form-table th p{font-weight:normal}.form-table.install-success th,.form-table.install-success td{vertical-align:middle;padding:16px 20px 16px 0}.form-table.install-success td p{margin:0;font-size:14px}.form-table.install-success td code{margin:0;font-size:18px}.message{border:1px solid #c00;padding:.5em .7em;margin:5px 0 15px;background-color:#ffebe8}.form-table span.description.important{font-size:12px}body.rtl,.rtl textarea,.rtl input,.rtl submit{font-family:'Microsoft YaHei',Tahoma,sans-serif}:lang(he-il) body.rtl,:lang(he-il) .rtl textarea,:lang(he-il) .rtl input,:lang(he-il) .rtl submit{font-family:'Microsoft YaHei',Arial,sans-serif}@media only screen and (max-width:799px){body{margin-top:115px}#logo a{margin:-125px auto 30px}}@media screen and (max-width:782px){.form-table{margin-top:0}.form-table th,.form-table td{display:block;width:auto;vertical-align:middle}.form-table th{padding:20px 0 0}.form-table td{padding:5px 0;border:0;margin:0}textarea,input{font-size:16px}.form-table td input[type="text"],.form-table td input[type="email"],.form-table td input[type="url"],.form-table td input[type="password"],.form-table td select,.form-table td textarea,.form-table span.description{width:100%;font-size:16px;line-height:1.5;padding:7px 10px;display:block;max-width:none;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}}#encrypt_enable,#keep_session_enable,#mail_enable{margin-right:200px}.core-ui .button{color:#555;border-color:#ccc;background:#f7f7f7;-webkit-box-shadow:0 1px 0 #ccc;box-shadow:0 1px 0 #ccc;vertical-align:top;display:inline-block;text-decoration:none;font-size:13px;line-height:26px;height:28px;margin:0;padding:0 10px 1px;cursor:pointer;border-width:1px;border-style:solid;-webkit-appearance:none;-webkit-border-radius:3px;border-radius:3px;white-space:nowrap;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
|
||||
html{background:#222526;margin:0 20px}body{background:#fff;color:#444;font-family:'Microsoft YaHei',"Open Sans",sans-serif;margin:190px auto 25px;padding:20px 20px 10px 20px;max-width:600px;-webkit-font-smoothing:subpixel-antialiased;-webkit-box-shadow:0 1px 3px rgba(0,0,0,0.13);box-shadow:0 1px 3px rgba(0,0,0,0.13)}a{color:#0073aa}a:hover,a:active{color:#00a0d2}a:focus{color:#124964;-webkit-box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8);box-shadow:0 0 0 1px #5b9dd9,0 0 2px 1px rgba(30,140,190,.8)}.ie8 a:focus{outline:#5b9dd9 solid 1px}h1,h2{border-bottom:1px solid #dedede;clear:both;color:#666;font-size:24px;padding:0;padding-bottom:7px;font-weight:normal}h3{font-size:16px}p,li,dd,dt{padding-bottom:2px;font-size:14px;line-height:1.5}code,.code{font-family:'Microsoft YaHei',Consolas,Monaco,monospace}ul,ol,dl{padding:5px 5px 5px 22px}a img{border:0}abbr{border:0;font-variant:normal}fieldset{border:0;padding:0;margin:0}label{cursor:pointer}#logo{margin:-170px 0 37px 0;padding:0 0 7px 0;border-bottom:0;text-align:center}#logo a{background-image:url(../images/logo.png);-webkit-background-size:180px;background-size:180px;background-position:center top;background-repeat:no-repeat;color:#999;height:180px;width:300px;font-size:20px;font-weight:normal;line-height:1.3em;margin:-110px auto -50px;padding:0;text-decoration:none;text-indent:-9999px;outline:0;overflow:hidden;display:block}#logo a:focus{-webkit-box-shadow:none;box-shadow:none}.step{margin:20px 0 15px}.step,th{text-align:left;padding:0}.form-table{border-collapse:collapse;margin-top:1em;width:100%}.form-table td{margin-bottom:9px;padding:10px 20px 10px 0;font-size:14px;vertical-align:top}.form-table th{font-size:14px;text-align:left;padding:10px 20px 10px 0;width:140px;vertical-align:top}.form-table code{line-height:18px;font-size:14px}.form-table p{margin:4px 0 0 0;font-size:11px;display:inline}.form-table input{line-height:20px;font-size:15px;padding:3px 5px;border:1px solid #ddd;-webkit-box-shadow:inset 0 1px 2px rgba(0,0,0,0.07);box-shadow:inset 0 1px 2px rgba(0,0,0,0.07)}input,submit{font-family:'Microsoft YaHei',"Open Sans",sans-serif}.form-table input[type=text],.form-table input[type=email],.form-table input[type=url],.form-table input[type=password]{width:206px}.form-table th p{font-weight:normal}.form-table.install-success th,.form-table.install-success td{vertical-align:middle;padding:16px 20px 16px 0}.form-table.install-success td p{margin:0;font-size:14px}.form-table.install-success td code{margin:0;font-size:18px}.message{border:1px solid #c00;padding:.5em .7em;margin:5px 0 15px;background-color:#ffebe8}.form-table span.description.important{font-size:12px}body.rtl,.rtl textarea,.rtl input,.rtl submit{font-family:'Microsoft YaHei',Tahoma,sans-serif}:lang(he-il) body.rtl,:lang(he-il) .rtl textarea,:lang(he-il) .rtl input,:lang(he-il) .rtl submit{font-family:'Microsoft YaHei',Arial,sans-serif}@media only screen and (max-width:799px){body{margin-top:115px}#logo a{margin:-125px auto 30px}}@media screen and (max-width:782px){.form-table{margin-top:0}.form-table th,.form-table td{display:block;width:auto;vertical-align:middle}.form-table th{padding:20px 0 0}.form-table td{padding:5px 0;border:0;margin:0}textarea,input{font-size:16px}.form-table td input[type="text"],.form-table td input[type="email"],.form-table td input[type="url"],.form-table td input[type="password"],.form-table td select,.form-table td textarea,.form-table span.description{width:100%;font-size:16px;line-height:1.5;padding:7px 10px;display:block;max-width:none;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}}#encrypt_enable,#keep_session_enable,#mail_enable,#xff_enable,#admin_ip_check_enable{margin-right:200px}.core-ui .button{color:#555;border-color:#ccc;background:#f7f7f7;-webkit-box-shadow:0 1px 0 #ccc;box-shadow:0 1px 0 #ccc;vertical-align:top;display:inline-block;text-decoration:none;font-size:13px;line-height:26px;height:28px;margin:0;padding:0 10px 1px;cursor:pointer;border-width:1px;border-style:solid;-webkit-appearance:none;-webkit-border-radius:3px;border-radius:3px;white-space:nowrap;-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box}
|
||||
Reference in New Issue
Block a user