<?php
|
|
/*******************************************************************************
* Title: Help Desk Software HESK
* Version: 2.6.5 from 28th August 2015
* Author: Klemen Stirn
* Website: http://www.hesk.com
********************************************************************************
* COPYRIGHT AND TRADEMARK NOTICE
* Copyright 2005-2015 Klemen Stirn. All Rights Reserved.
* HESK is a registered trademark of Klemen Stirn.

* The HESK may be used and modified free of charge by anyone
* AS LONG AS COPYRIGHT NOTICES AND ALL THE COMMENTS REMAIN INTACT.
* By using this code you agree to indemnify Klemen Stirn from any
* liability that might arise from its use.

* Selling the code for this program, in part or full, without prior
* written consent is expressly forbidden.

* Using this code, in part or full, to create derivative work,
* new scripts or products is expressly forbidden. Obtain permission
* before redistributing this software over the Internet or in
* any other medium. In all cases copyright and header must remain intact.
* This Copyright is in full effect in any country that has International
* Trade Agreements with the United States of America or
* with the European Union.

* Removing any of the copyright notices without purchasing a license
* is expressly forbidden. To remove HESK copyright notice you must purchase
* a license for this script. For more information on how to obtain
* a license please visit the page below:
* https://www.hesk.com/buy.php
*******************************************************************************/
|
|
|
|
define('IN_SCRIPT',1);
define('HESK_PATH','../');

/* Get all the required files and functions */
require(HESK_PATH . 'hesk_settings.inc.php');
require(HESK_PATH . 'inc/common.inc.php');
require(HESK_PATH . 'inc/admin_functions.inc.php');
hesk_load_database_functions();

hesk_session_start();
hesk_dbConnect();
hesk_isLoggedIn();

/* Check permissions for this feature: viewing/banning is mandatory, unbanning is optional */
hesk_checkPermission('can_ban_ips');
$can_unban = hesk_checkPermission('can_unban_ips', 0);

// Define required constants
define('LOAD_TABS',1);

// Dispatch the requested action (if any) before any output is produced.
// Every handler ends in hesk_process_messages(), which redirects back to this page
// (or to the ticket the request came from).
$action = hesk_REQUEST('a');
if ($action)
{
    if ( defined('HESK_DEMO') )
    {
        // Demo installations never modify the ban list
        hesk_process_messages($hesklang['ddemo'], 'banned_ips.php', 'NOTICE');
    }
    else
    {
        switch ($action)
        {
            case 'ban':
                ban_ip();
                break;

            case 'unban':
                // Silently ignored without the unban permission
                if ($can_unban) {unban_ip();}
                break;

            case 'unbantemp':
                // Silently ignored without the unban permission
                if ($can_unban) {unban_temp_ip();}
                break;
        }
    }
}

/* Print header */
require_once(HESK_PATH . 'inc/headerAdmin.inc.php');

/* Print the admin navigation */
require_once(HESK_PATH . 'inc/show_admin_nav.inc.php');
|
|
?>
|
|
|
|
<div class="row" style="padding: 20px">
|
|
<ul class="nav nav-tabs" role="tablist">
|
|
<?php
|
|
// Show a link to banned_emails.php if user has permission to do so
if ( hesk_checkPermission('can_ban_emails',0) )
{
    // The label doubles as the link title
    $tab_label = $hesklang['banemail'];
    printf('
<li role="presentation">
<a title="%1$s" href="banned_emails.php">%1$s</a>
</li>', $tab_label);
}
|
|
?>
|
|
<li role="presentation" class="active">
|
|
<a href="#"><?php echo $hesklang['banip']; ?> <i class="fa fa-question-circle settingsquestionmark" onclick="javascript:alert('<?php echo hesk_makeJsString($hesklang['banip_intro']); ?>')"></i></a>
|
|
</li>
|
|
<?php
|
|
// Optional tabs, shown only when the staff member holds the matching permission.
// Each entry: permission name, $hesklang key used for the label and title, target page,
// and the literal suffix echoed after the list item (the last two tabs emit a trailing
// newline, the first one does not).
$tab_format = '
<li role="presentation">
<a title="%1$s" href="%2$s">%1$s</a>
</li>';

$optional_tabs = array(
    array('can_service_msg',         'sm_title',        'service_messages.php',       ''),
    array('can_man_email_tpl',       'email_templates', 'manage_email_templates.php', "\n"),
    array('can_man_ticket_statuses', 'statuses',        'manage_statuses.php',        "\n"),
);

foreach ($optional_tabs as $tab)
{
    list($permission, $lang_key, $href, $suffix) = $tab;

    if ( hesk_checkPermission($permission, 0) )
    {
        echo sprintf($tab_format, $hesklang[$lang_key], $href) . $suffix;
    }
}
|
|
?>
|
|
</ul>
|
|
<div class="tab-content summaryList tabPadding">
|
|
<script language="javascript" type="text/javascript"><!--
|
|
// Asks for confirmation before an unban link is followed; the prompt text is
// injected server-side as a JS-safe string.
function confirm_delete()
{
    return confirm('<?php echo hesk_makeJsString($hesklang['delban_confirm']); ?>');
}
|
|
//-->
|
|
</script>
|
|
<div class="row">
|
|
<div class="col-md-8">
|
|
<?php
|
|
/* This will handle error, success and notice messages */
// The action handlers (ban_ip / unban_ip / unban_temp_ip) all finish with
// hesk_process_messages() pointing back at this page; presumably that queues the
// message for this call to render — confirm against inc/common.inc.php
hesk_handle_messages();
|
|
?>
|
|
<form action="banned_ips.php" method="post" name="form1" role="form" class="form-horizontal">
|
|
<div class="form-group">
|
|
<label for="ip" class="col-sm-3 control-label"><?php echo $hesklang['bananip']; ?></label>
|
|
<div class="col-sm-9">
|
|
<input type="text" name="ip" size="30" maxlength="255" class="form-control" placeholder="<?php echo htmlspecialchars($hesklang['iprange']); ?>">
|
|
<input type="hidden" name="token" value="<?php hesk_token_echo(); ?>" />
|
|
<input type="hidden" name="a" value="ban" />
|
|
</div>
|
|
</div>
|
|
<div class="form-group">
|
|
<div class="col-sm-9 col-sm-offset-3">
|
|
<input type="submit" value="<?php echo $hesklang['savebanip']; ?>" class="btn btn-default">
|
|
</div>
|
|
</div>
|
|
</form>
|
|
</div>
|
|
<div class="col-md-4">
|
|
<h6 style="font-weight: bold"><?php echo $hesklang['banex']; ?></h6>
|
|
<div class="footerWithBorder blankSpace"></div>
|
|
<b>123.0.0.0</b><br />
|
|
<b>123.0.0.1 - 123.0.0.53</b><br />
|
|
<b>123.0.0.0/24</b><br />
|
|
<b>123.0.*.*</b>
|
|
</div>
|
|
</div>
|
|
<div class="row">
|
|
<?php

// Temporary bans: rows in the `logins` table whose failure count reached
// attempt_limit within the last attempt_banmin minutes. `minutes` is the time left
// until the temporary ban expires (last_attempt + attempt_banmin, relative to NOW()).
// Both settings are cast with intval() before being interpolated into the SQL.
$res = hesk_dbQuery("SELECT `ip`, TIMESTAMPDIFF(MINUTE, NOW(), DATE_ADD(`last_attempt`, INTERVAL ".intval($hesk_settings['attempt_banmin'])." MINUTE) ) AS `minutes` FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."logins` WHERE `number` >= ".intval($hesk_settings['attempt_limit'])." AND `last_attempt` > (NOW() - INTERVAL ".intval($hesk_settings['attempt_banmin'])." MINUTE)");
$num = hesk_dbNumRows($res);

echo '<h4>'.$hesklang['iptemp'].'</h4>';

if ($num > 0)
{
?>
<table class="table table-hover">
<thead>
<tr>
<th><?php echo $hesklang['ip']; ?></th>
<th><?php echo $hesklang['m2e']; ?></th>
<?php
// The options column only exists for staff who may lift bans
if ($can_unban)
{
?>
<th><?php echo $hesklang['opt']; ?></th>
<?php
}
?>
</tr>
</thead>
<tbody>
<?php
while ($ban=hesk_dbFetchAssoc($res))
{
// NOTE(review): `ip` is echoed without htmlspecialchars(); presumably the login code
// stores the client address there, so it cannot hold markup — confirm in the login handler
echo '
<tr>
<td>'.$ban['ip'].'</td>
<td>'.$ban['minutes'].'</td>
';

if ($can_unban)
{
// Both links are state-changing GET requests; they carry the CSRF token and the
// handlers (ban_ip / unban_temp_ip) verify it with hesk_token_check().
// a=ban turns the temporary ban into a permanent one, a=unbantemp lifts it.
// NOTE(review): the fa-times <i> below is missing a space before data-toggle.
echo '
<td>
<a href="banned_ips.php?a=ban&ip='.urlencode($ban['ip']).'&token='.hesk_token_echo(0).'">
<i class="fa fa-ban" style="color: red; font-size: 16px" data-toggle="tooltip" data-placement="top" data-original-title="'.$hesklang['ippermban'].'"></i></a>
<a href="banned_ips.php?a=unbantemp&ip='.urlencode($ban['ip']).'&token='.hesk_token_echo(0).'" onclick="return confirm_delete();">
<i class="fa fa-times" style="color: red; font-size: 16px"data-toggle="tooltip" data-placement="top" data-original-title="'.$hesklang['delban'].'"></i></a>
</td>
';
}

echo '</tr>';
} // End while

?>
</tbody>
</table>
<?php
} else
{
echo '<p>'.$hesklang['no_banips'].'</p>';
}

// Permanent bans, ordered by the numeric start of each range
$res = hesk_dbQuery('SELECT * FROM `'.hesk_dbEscape($hesk_settings['db_pfix']).'banned_ips` ORDER BY `ip_from` ASC');
$num = hesk_dbNumRows($res);

echo '<br><h4>'.$hesklang['ipperm'].'</h4>';

if ($num < 1)
{
echo '<p>'.$hesklang['no_banips'].'</p>';
}
else
{
// Staff id => name map used for the "banned by" column; built once per request
// and skipped if an earlier include already populated $admins
if ( ! isset($admins) )
{
$admins = array();
$res2 = hesk_dbQuery("SELECT `id`,`name` FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."users`");
while ($row=hesk_dbFetchAssoc($res2))
{
$admins[$row['id']]=$row['name'];
}
}

?>
<table class="table table-hover">
<thead>
<tr>
<th><?php echo $hesklang['ip']; ?></th>
<th><?php echo $hesklang['iprange']; ?></th>
<th><?php echo $hesklang['banby']; ?></th>
<th><?php echo $hesklang['date']; ?></th>
<?php
if ($can_unban)
{
?>
<th><?php echo $hesklang['opt']; ?></th>
<?php
}
?>
</tr>
</thead>
<tbody>
<?php
while ($ban=hesk_dbFetchAssoc($res))
{
// Highlight the row ban_ip() just inserted (or found as a duplicate); the session
// marker is consumed here so the highlight shows only once
$color = '';
if (isset($_SESSION['ban_ip']['id']) && $ban['id'] == $_SESSION['ban_ip']['id'])
{
$color = 'success';
unset($_SESSION['ban_ip']['id']);
}

// ip_display is what the admin typed (restricted by ban_ip() to digits . - / *),
// the second column is the numeric range rendered back as addresses: a single
// address when from == to, otherwise "from - to". A deleted staff account shows
// the e_udel placeholder instead of a name.
echo '
<tr>
<td class="'.$color.'">'.$ban['ip_display'].'</td>
<td class="'.$color.'">'.( ($ban['ip_to'] == $ban['ip_from']) ? long2ip($ban['ip_to']) : long2ip($ban['ip_from']).' - '.long2ip($ban['ip_to']) ).'</td>
<td class="'.$color.'">'.(isset($admins[$ban['banned_by']]) ? $admins[$ban['banned_by']] : $hesklang['e_udel']).'</td>
<td class="'.$color.'">'.$ban['dt'].'</td>
';

if ($can_unban)
{
// GET unban link with CSRF token; unban_ip() checks the token and intval()s the id
echo '
<td class="'.$color.'" style="text-align:left;">
<a href="banned_ips.php?a=unban&id='.$ban['id'].'&token='.hesk_token_echo(0).'" onclick="return confirm_delete();">
<i class="fa fa-times" style="color: red; font-size: 16px" data-toggle="tooltip" data-placement="top" data-original-title="'.$hesklang['delban'].'"></i></a>
</td>
';
}

echo '</tr>';
} // End while
?>
</tbody>
</table>
<?php
}

?>
|
|
</div>
|
|
</div>
|
|
</div>
|
|
|
|
<?php
|
|
require_once(HESK_PATH . 'inc/footer.inc.php');
|
|
exit();
|
|
|
|
|
|
/*** START FUNCTIONS ***/
|
|
|
|
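/**
 * Handle the "ban" action: validate the submitted IP, range, wildcard or CIDR block,
 * convert it to a numeric [from, to] range and store it in the banned_ips table.
 *
 * Reads `ip` from the request and, through hesk_cleanID(), an optional ticket ID that
 * only decides where to redirect afterwards. Every exit path ends in
 * hesk_process_messages(), which the control flow relies on to redirect and stop the
 * script (the code after each validation failure assumes the failure never returns).
 *
 * Side effects: sets $_SESSION['ban_ip']['id'] so the listing can highlight the row,
 * deletes narrower bans contained in the new range, and removes the matching temporary
 * (login-failure) ban when a single address is banned.
 */
function ban_ip()
{
    global $hesk_settings, $hesklang;

    // A security check: the CSRF token must match the session
    hesk_token_check();

    // Get the ip: only digits, dots, dash (range), slash (CIDR) and asterisk (wildcard)
    // survive, so $ip_display can be stored and echoed back without further escaping
    $ip = preg_replace('/[^0-9\.\-\/\*]/', '', hesk_REQUEST('ip') );
    $ip_display = str_replace('-', ' - ', $ip);

    // Nothing entered?
    if ( ! strlen($ip) )
    {
        hesk_process_messages($hesklang['enterbanip'],'banned_ips.php');
    }

    // Convert asterisk to ranges: 123.0.*.* becomes 123.0.0.0-123.0.255.255
    if ( strpos($ip, '*') !== false )
    {
        $ip = str_replace('*', '0', $ip) . '-' . str_replace('*', '255', $ip);
    }

    // One octet, 0-255 without leading zeros. The separator must be an escaped dot:
    // the sanitised input may still contain '-' and '/', which an unescaped '.' accepts,
    // so e.g. "1-2-3-4" used to pass as a single address and ip2long() returned false.
    $ip_octet = '([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])';
    $ip_regex = '(' . $ip_octet . '\.){3}' . $ip_octet;

    $ip_from = false;
    $ip_to = false;

    if ( preg_match('/^'.$ip_regex.'$/', $ip) )
    {
        // A single IP address
        $ip_from = ip2long($ip);
        $ip_to = $ip_from;
    }
    elseif ( preg_match('/^'.$ip_regex.'\-'.$ip_regex.'$/', $ip) )
    {
        // An IP range written as from-to
        list($ip_from, $ip_to) = explode('-', $ip);
        $ip_from = ip2long($ip_from);
        $ip_to = ip2long($ip_to);
    }
    elseif ( preg_match('/^'.$ip_regex.'\/([0-9]{1,2})$/', $ip, $matches) && (int)$matches[4] <= 32)
    {
        // CIDR notation; groups 1-3 belong to the octets, group 4 is the prefix length
        list($ip_from, $ip_to) = hesk_cidr_to_range($ip);
    }
    else
    {
        // Not a valid input
        hesk_process_messages($hesklang['validbanip'],'banned_ips.php');
    }

    // ip2long() returns false for anything it cannot parse; never let a non-number
    // reach the interpolated SQL below
    if ($ip_from === false || $ip_to === false)
    {
        hesk_process_messages($hesklang['validbanip'],'banned_ips.php');
    }

    // On 32-bit builds ip2long() returns negative numbers for addresses >= 128.0.0.0;
    // map them back into 0..4294967295 and clamp anything above the IPv4 maximum
    if ($ip_from < 0)
    {
        $ip_from += 4294967296;
    }
    elseif ($ip_from > 4294967295)
    {
        $ip_from = 4294967295;
    }
    if ($ip_to < 0)
    {
        $ip_to += 4294967296;
    }
    elseif ($ip_to > 4294967295)
    {
        $ip_to = 4294967295;
    }

    // Make sure $ip_to is not lower than $ip_from
    if ($ip_to < $ip_from)
    {
        $tmp = $ip_to;
        $ip_to = $ip_from;
        $ip_from = $tmp;
    }

    // Is this IP address already banned? $ip_from / $ip_to are numeric at this point,
    // which is the only reason they may be interpolated without escaping.
    $res = hesk_dbQuery("SELECT `id` FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."banned_ips` WHERE {$ip_from} BETWEEN `ip_from` AND `ip_to` AND {$ip_to} BETWEEN `ip_from` AND `ip_to` LIMIT 1");
    if ( hesk_dbNumRows($res) == 1 )
    {
        // Remember the existing row so the listing highlights it
        $_SESSION['ban_ip']['id'] = hesk_dbResult($res);
        $message = ($ip_to == $ip_from) ? sprintf($hesklang['ipbanexists'], long2ip($ip_to) ) : sprintf($hesklang['iprbanexists'], long2ip($ip_from).' - '.long2ip($ip_to) );
        hesk_process_messages($message,'banned_ips.php','NOTICE');
    }

    // Delete any duplicate banned IP or ranges that are within the new banned range
    hesk_dbQuery("DELETE FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."banned_ips` WHERE `ip_from` >= {$ip_from} AND `ip_to` <= {$ip_to}");

    // Delete temporary bans from logins table; that table is keyed by the dotted
    // address, so use the canonical form rather than whatever the admin typed
    if ($ip_to == $ip_from)
    {
        hesk_dbQuery("DELETE FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."logins` WHERE `ip`='".hesk_dbEscape(long2ip($ip_from))."' LIMIT 1");
    }

    // Redirect either to banned ips or ticket page from now on
    $trackingID = hesk_cleanID();
    $redirect_to = $trackingID ? 'admin_ticket.php?track='.$trackingID.'&Refresh='.mt_rand(10000,99999) : 'banned_ips.php';

    // Insert the ip address into database
    hesk_dbQuery("INSERT INTO `".hesk_dbEscape($hesk_settings['db_pfix'])."banned_ips` (`ip_from`,`ip_to`,`ip_display`,`banned_by`) VALUES ({$ip_from}, {$ip_to},'".hesk_dbEscape($ip_display)."','".intval($_SESSION['id'])."')");

    // Remember ip that got banned
    $_SESSION['ban_ip']['id'] = hesk_dbInsertID();

    // Generate and show the success message. It is formatted exactly once; the old
    // second sprintf() on the already-formatted text would mangle a translation
    // containing a literal '%'.
    $message = ($ip_to == $ip_from) ? sprintf($hesklang['ip_banned'], long2ip($ip_to) ) : sprintf($hesklang['ip_rbanned'], long2ip($ip_from).' - '.long2ip($ip_to) );
    hesk_process_messages($message,$redirect_to,'SUCCESS');

} // End ban_ip()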
|
|
|
|
|
|
/**
 * Handle the "unbantemp" action: lift the temporary (login-failure) ban for one address
 * by deleting its row from the logins table, then return to the listing.
 *
 * Reads `ip` from the request; ends in hesk_process_messages(), which redirects.
 */
function unban_temp_ip()
{
    global $hesk_settings, $hesklang;

    // CSRF token must match the session before anything is deleted
    hesk_token_check();

    // Same character whitelist as ban_ip(): digits, dots, dash, slash, asterisk
    $banned_ip = preg_replace('/[^0-9\.\-\/\*]/', '', hesk_REQUEST('ip') );

    // Remove the matching row from the login-failure table
    $table = hesk_dbEscape($hesk_settings['db_pfix']) . 'logins';
    $sql = "DELETE FROM `{$table}` WHERE `ip`='" . hesk_dbEscape($banned_ip) . "' LIMIT 1";
    hesk_dbQuery($sql);

    // Report and go back to the listing
    hesk_process_messages($hesklang['ip_tempun'],'banned_ips.php','SUCCESS');

} // End unban_temp_ip()
|
|
|
|
|
|
/**
 * Handle the "unban" action: delete one permanent ban by its row id.
 *
 * Reads `id` from the query string; redirects to the originating ticket when
 * hesk_cleanID() yields a tracking ID, otherwise back to the listing.
 */
function unban_ip()
{
    global $hesk_settings, $hesklang;

    // CSRF token must match the session before anything is deleted
    hesk_token_check();

    // intval() keeps the interpolated id free of untrusted text
    $ban_id = intval( hesk_GET('id') );
    $table = hesk_dbEscape($hesk_settings['db_pfix']) . 'banned_ips';
    hesk_dbQuery("DELETE FROM `{$table}` WHERE `id`=" . $ban_id . " LIMIT 1");

    // Back to the ticket when the request came from one, otherwise to the listing
    $trackingID = hesk_cleanID();
    if ($trackingID)
    {
        $redirect_to = 'admin_ticket.php?track='.$trackingID.'&Refresh='.mt_rand(10000,99999);
    }
    else
    {
        $redirect_to = 'banned_ips.php';
    }

    hesk_process_messages($hesklang['ip_unbanned'],$redirect_to,'SUCCESS');

} // End unban_ip()
|
|
|
|
|
|
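/**
 * Convert CIDR notation ("a.b.c.d/n") into the numeric [first, last] address range.
 *
 * @param string $cidr  dotted-quad address, optionally followed by "/" and a prefix
 *                      length 0-32 (ban_ip() validates the shape before calling);
 *                      a missing prefix is treated as /32, out-of-range prefixes are
 *                      clamped to 0..32
 * @return array        array(first address as long, last address as long), both
 *                      derived from the network address: "10.0.0.5/24" yields
 *                      10.0.0.0 - 10.0.0.255. The old code added the block size to
 *                      the host address instead, producing a range shifted by the
 *                      host bits. array(false, false) when the address does not parse.
 */
function hesk_cidr_to_range($cidr)
{
    $parts = explode('/', $cidr, 2);

    $address = ip2long($parts[0]);
    if ($address === false)
    {
        return array(false, false);
    }

    $bits = isset($parts[1]) ? max(0, min(32, (int)$parts[1])) : 32;
    $host_bits = 32 - $bits;

    // Clear the host bits to get the network address. Built from -1 so the mask keeps
    // its high bits set; for /0 the shift by 32 clears every address bit.
    $network = $address & (-1 << $host_bits);

    // Last address of the block; pow() keeps the result an int on 64-bit builds
    $broadcast = $network + pow(2, $host_bits) - 1;

    return array($network, $broadcast);
} // END hesk_cidr_to_range()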
|
|
|
|
?>
|