Context Navigation

adminsettings.php

Revision 704, 19.5 KB (checked in by brieb, 2 years ago)
Fixed several SQL injection vulnerabilities Fixed several XSS vulnerabilities due to PHP_SELF and REQUREST_URI Fixed severa path disclosure errors
Property svn:keywords set to `LastChangedBy LastChangedDate LastChangedRevision`

Line
1	<?php
2	/*
3	$Rev$ \| $LastChangedBy$
4	$LastChangedDate$
5	+-------------------------------------------------------------------------+
6	\| Copyright (c) 2004 - 2010, Kreotek LLC \|
7	\| All rights reserved. \|
8	+-------------------------------------------------------------------------+
9	\| \|
10	\| Redistribution and use in source and binary forms, with or without \|
11	\| modification, are permitted provided that the following conditions are \|
12	\| met: \|
13	\| \|
14	\| - Redistributions of source code must retain the above copyright \|
15	\| notice, this list of conditions and the following disclaimer. \|
16	\| \|
17	\| - Redistributions in binary form must reproduce the above copyright \|
18	\| notice, this list of conditions and the following disclaimer in the \|
19	\| documentation and/or other materials provided with the distribution. \|
20	\| \|
21	\| - Neither the name of Kreotek LLC nor the names of its contributore may \|
22	\| be used to endorse or promote products derived from this software \|
23	\| without specific prior written permission. \|
24	\| \|
25	\| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \|
26	\| "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT \|
27	\| LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A \|
28	\| PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT \|
29	\| OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, \|
30	\| SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT \|
31	\| LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, \|
32	\| DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY \|
33	\| THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT \|
34	\| (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE \|
35	\| OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. \|
36	\| \|
37	+-------------------------------------------------------------------------+
38	*/
39
40	require_once("../../include/session.php");
41	require_once("include/fields.php");
42
43	foreach($phpbms->modules as $module => $moduleinfo)
44	if($module != "base" && file_exists("../".$module."/adminsettings.php"))
45	include("modules/".$module."/adminsettings.php");
46
47
48	require_once("modules/base/include/adminsettings_include.php");
49	$settings = new settings($db);
50
51	if(!hasRights("Admin"))
52	goURL(APP_PATH."noaccess.php");
53
54	if (isset($_POST["command"]))
55	$statusmessage = $settings->processForm($_POST);
56
57	$therecord = $settings->getSettings();
58
59	$pageTitle="Configuration";
60
61	$phpbms->cssIncludes[] = "pages/base/adminsettings.css";
62	$phpbms->jsIncludes[] = "modules/base/javascript/adminsettings.js";
63
64	foreach($phpbms->modules as $module => $moduleinfo)
65	if($module != "base" && file_exists("../".$module."/javascript/adminsettings.js"))
66	$phpbms->jsIncludes[] = "modules/".$module."/javascript/adminsettings.js";
67
68	//Form Elements
69	//==============================================================
70	$theform = new phpbmsForm();
71	$theform->enctype="multiform/form-data";
72
73	$theinput = new inputField("application_name",$therecord["application_name"],"application name",true);
74	$theform->addField($theinput);
75
76	$theinput = new inputField("application_uuid", $therecord["application_uuid"], "application uuid", false, NULL, 40);
77	$theinput->setAttribute("readonly","readonly");
78	$theinput->setAttribute("class","uneditable");
79	$theform->addField($theinput);
80
81	$theinput = new inputCheckbox("auto_check_update", $therecord["auto_check_update"], "automatically check for updates");
82	$theform->addField($theinput);
83
84	$theinput = new inputCheckbox("send_metrics", $therecord["send_metrics"], "send additional metrics");
85	$theform->addField($theinput);
86
87	$theinput = new inputField("last_update_check", $therecord["last_update_check"], "last update check");
88	$theinput->setAttribute("readonly","readonly");
89	$theinput->setAttribute("class","uneditable");
90	$theform->addField($theinput);
91
92	$theinput = new inputField("record_limit",$therecord["record_limit"],"record display limit",true,"integer",5,3);
93	$theform->addField($theinput);
94
95	$theinput = new inputField("default_load_page",$therecord["default_load_page"],"default page",true);
96	$theform->addField($theinput);
97
98	$theinput = new inputField("encryption_seed",$therecord["encryption_seed"],"user password encryption seed",true);
99	$theinput->setAttribute("readonly","readonly");
100	$theinput->setAttribute("class","uneditable");
101	$theform->addField($theinput);
102
103	$theinput = new inputField("currency_sym",$therecord["currency_sym"],"currency symbol",true,NULL,5,5);
104	$theform->addField($theinput);
105
106	$theinput = new inputField("currency_accuracy",$therecord["currency_accuracy"],"currency decimal points of accuracy",true,"integer",4,1);
107	$theform->addField($theinput);
108
109	$theinput = new inputField("decimal_symbol",$therecord["decimal_symbol"],"decimal symbol",true,NULL,4,1);
110	$theform->addField($theinput);
111
112	$theinput = new inputField("thousands_separator",$therecord["thousands_separator"],"thousands separator",true,NULL,4,1);
113	$theform->addField($theinput);
114
115	$theinput = new inputCheckbox("persistent_login",$therecord["persistent_login"],"persistent login");
116	$theform->addField($theinput);
117
118	$theinput = new inputField("login_refresh",$therecord["login_refresh"],"login refresh (minutes)",true,"integer",4,1);
119	$theform->addField($theinput);
120
121
122	$theform->extraModules = array();
123	foreach($phpbms->modules as $module => $moduleinfo)
124	if($module != "base" && class_exists($module."Display")){
125
126	$class = $module."Display";
127
128	$theform->extraModules[$module]["displayname"] = $moduleinfo["displayname"];
129	$theform->extraModules[$module]["obj"] = new $class();
130
131	if(method_exists($theform->extraModules[$module]["obj"],"getFields"))
132	$additionalFields = $theform->extraModules[$module]["obj"]->getFields($therecord);
133
134	foreach($additionalFields as $field)
135	$theform->addField($field);
136
137	}//endif
138
139
140	$theform->jsMerge();
141	//==============================================================
142	//End Form Elements
143
144	include("header.php");
145	?>
146	<div class="bodyline">
147	<form action="<?php echo htmlentities($_SERVER["PHP_SELF"]); ?>" method="post" enctype="multipart/form-data" id="record" name="record" onsubmit="return false;">
148	<input type="hidden" id="command" name="command" value="save"/>
149
150	<h1 id="h1Title"><span><?php echo $pageTitle ?></span></h1>
151
152	<div id="phpbmsSplash" class="box">
153
154	<div id="phpbmslogo">
155	<a href="../../info.php"><span>phpBMS logo</span></a>
156	</div>
157
158	<div id="splashTitle" class="small">
159	<h2>phpBMS</h2>
160	Business Management Web Application
161	</div>
162
163	</div>
164
165	<div class="box" id="configWarnings">
166	<h2>Configuration Warnings</h2>
167
168	<ul>
169	<li id="cronWarning">
170	<strong>cron script accessible from outside</strong><br />
171	The modules/base/cron.php file should only be allowed to run from server (localhost). Because
172	this file will be run via command line PHP by cron (or your scheduler program) you should
173	modify your web server's configuration (apache site file) to restrict access to this file.
174	</li>
175	<?php if(!$settings->checkForSchedulerRunning()) {?>
176	<li id="cronRun">
177	<strong>cron script not running</strong><br />
178	Many features of phpBMS (such as importing, triggers, and recurring invoices)
179	will not work if the scheduler has not been configured. Check the scheduler
180	section of the system menu for instructions on how to activate the scheduler.
181	</li>
182	<?php }//endif ?>
183	</ul>
184
185	</div>
186
187	<h2 class="moduleButtons">Main System (Base Module)</h2>
188
189	<div class="moduleSections">
190	<div class="containers">
191
192	<div class="moduleTab" title="general">
193	<fieldset>
194	<legend>general</legend>
195
196	<p class="big"><?php $theform->showField("application_name");?></p>
197
198	<p class="notes">
199	<strong>Example:</strong> Replace this with your company name + BMS (e.g. "Kreotek BMS"). Replacing
200	the application name will reset the session cookie, and require you to log in again.
201	</p>
202
203	<p><?php $theform->showfield("application_uuid"); ?></p>
204	<p><?php $theform->showfield("auto_check_update"); ?></p>
205	<p><?php $theform->showfield("send_metrics"); ?>
206	<br/>
207	<span class="notes">
208	These metrics are general metrics about your bms.
209	</span>
210	</p>
211	<p><?php $theform->showfield("last_update_check"); ?></p>
212	<p>
213	<button class="Buttons" type="button" id="updateCheck">
214	check for updates
215	</button>
216	<span id="processSpan" style="display:none">
217	<img src="../../common/image/spinner.gif" id="spinner" alt="processing..." />
218	Processing...
219	</span>
220	</p>
221	<p id="responseP" style="display:none">
222
223	</p>
224
225
226	<p><?php $theform->showField("record_limit"); ?></p>
227
228	<p><?php $theform->showField("default_load_page")?></p>
229
230	<p>
231	<label for="stylesheet">web style set (stylesheets)</label><br />
232	<select id="stylesheet" name="stylesheet">
233	<?php $settings->displayStylesheets($therecord["stylesheet"]);?>
234	</select>
235	</p>
236	</fieldset>
237	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
238	</div>
239
240	<div class="moduleTab" title="company">
241	<fieldset>
242	<legend>company</legend>
243	<p>
244	<label for="company_name">company name</label><br />
245	<input id="company_name" name="company_name" type="text" size="40" maxlength="128" value="<?php echo htmlQuotes($therecord["company_name"]) ?>" />
246	</p>
247
248	<p>
249	<label for="company_address">address</label><br />
250	<input id="company_address" name="company_address" type="text" value="<?php echo htmlQuotes($therecord["company_address"]) ?>" size="40" maxlength="128" />
251	</p>
252
253	<p>
254	<label for="company_csz">city, state/province and zip/postal code</label><br />
255	<input id="company_csz" name="company_csz" type="text" size="40" maxlength="128" value="<?php echo htmlQuotes($therecord["company_csz"]) ?>" />
256	</p>
257
258	<p>
259	<label for="company_phone">phone number</label><br />
260	<input id="company_phone" name="company_phone" type="text" value="<?php echo htmlQuotes($therecord["company_phone"]) ?>" size="40" maxlength="128" />
261	</p>
262
263	<?php if(isset($therecord["company_taxid"])){?>
264	<p>
265	<label for="company_taxid">company tax id</label><br />
266	<input id="company_taxid" name="company_taxid" type="text" value="<?php echo htmlQuotes($therecord["company_taxid"]) ?>" size="40" maxlength="128" />
267	</p>
268	<?php }//endif - tax id?>
269
270	<div class="fauxP">
271	print logo
272	<div id="graphicHolder"><img alt="logo" src="<?php echo APP_PATH?>dbgraphic.php?t=file&r=1" /></div>
273	</div>
274
275	<p>
276	<label for="printedlogo">upload new logo file</label> <span class="notes">(PNG or JPEG format)</span><br />
277	<input id="printedlogo" name="printedlogo" type="file" size="64" /><br />
278	</p>
279
280	<p class="notes">
281	<strong>Note:</strong> This graphic is used on some reports. <br />
282	On PDF reports, phpBMS prints the logo at maximum dimensions of 1.75" x 1.75".<br />
283	If you are uploading a PNG, <strong>it must be an 8-bit (256 color) non-interlaced PNG without transparency or alpha channels/layers.</strong>.
284	</p>
285
286	</fieldset>
287	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
288	</div>
289
290	<div class="moduleTab" title="localization">
291	<fieldset>
292	<legend>Localization</legend>
293	<p>
294	<label for="phone_format">phone format</label><br />
295	<select id="phone_format" name="phone_format">
296	<option value="US - Strict" <?php if($therecord["phone_format"] == "US - Strict") echo "selected=\"selected\"";?>>US - Strict</option>
297	<option value="US - Loose" <?php if($therecord["phone_format"] == "US - Loose") echo "selected=\"selected\"";?>>US - Loose</option>
298	<option value="UK - Loose" <?php if($therecord["phone_format"] == "UK - Loose") echo "selected=\"selected\"";?>>UK - Loose</option>
299	<option value="International" <?php if($therecord["phone_format"] == "International") echo "selected=\"selected\"";?>>International</option>
300	<option value="No Verification" <?php if($therecord["phone_format"] == "No Verification") echo "selected=\"selected\"";?>>No Verification</option>
301	</select>
302	</p>
303	<p>
304	<label for="date_format">date format</label><br />
305	<select id="date_format" name="date_format">
306	<option value="SQL" <?php if($therecord["date_format"] == "SQL") echo "selected=\"selected\"";?>>SQL (<?php echo dateToString(mktime() ,"SQL")?>)</option>
307	<option value="English, US" <?php if($therecord["date_format"] == "English, US") echo "selected=\"selected\"";?>>English, US (<?php echo dateToString(mktime(),"English, US")?>)</option>
308	<option value="English, UK" <?php if($therecord["date_format"] == "English, UK") echo "selected=\"selected\"";?>>English, UK (<?php echo dateToString(mktime(),"English, UK")?>)</option>
309	<option value="Dutch, NL" <?php if($therecord["date_format"] == "Dutch, NL") echo "selected=\"selected\"";?>>Dutch, NL (<?php echo dateToString(mktime(),"Dutch, NL")?>)</option>
310	</select>
311	</p>
312	<p>
313	<label for="time_format">time format</label><br />
314	<select id="time_format" name="time_format">
315	<option value="24 Hour" <?php if($therecord["time_format"]=="24 Hour") echo "selected=\"selected\"";?>>24 Hour (<?php echo timeToString(mktime() ,"24 Hour")?>)</option>
316	<option value="12 Hour" <?php if($therecord["time_format"]=="12 Hour") echo "selected=\"selected\"";?>>12 Hour (<?php echo timeToString(mktime(),"12 Hour")?>)</option>
317	</select>
318	</p>
319
320	<p> </p>
321
322	<p><?php $theform->showField("currency_sym"); ?></p>
323
324	<p><?php $theform->showField("currency_accuracy"); ?></p>
325
326	<p><?php $theform->showField("decimal_symbol"); ?></p>
327
328	<p><?php $theform->showField("thousands_separator"); ?></p>
329
330	</fieldset>
331	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
332	</div>
333
334
335	<div class="moduleTab" title="encryption seed">
336	<fieldset>
337	<legend>encryption seed</legend>
338
339	<p class="notes">
340	<strong>Note:</strong>
341	The encryption seed is used to encrypt all passwords before storing them in the database.<br />
342	Changing the encryption seed will void all current passwords. By entering your admin password,<br />
343	your password will be reencrypted with the new seed. All other users passwords will be voided<br />
344	and need to be reentered.
345	</p>
346
347	<p><input type="checkbox" value="1" name="changeseed" id="changeseed" onchange="toggleEncryptionEdit(this)" class="radiochecks"/><label for="changeseed">change seed</label></p>
348
349	<p><?php $theform->showField("encryption_seed");?></p>
350
351	<p>
352	<label for="currentpassword">current password</label><br />
353	<input type="password" name="currentpassword" id="currentpassword" size="32" readonly="readonly" class="uneditable"/>
354	</p>
355
356	</fieldset>
357
358	<p class="updateButtonP"><input type="submit" id="updateEncryptionButton" class="Buttons" value="update encryption seed" disabled="disabled"/></p>
359
360	</div>
361
362	<div class="moduleTab" title="log in security">
363	<fieldset>
364	<legend>log in security</legend>
365
366	<p><?php $theform->showField("persistent_login"); ?></p>
367
368	<p><?php $theform->showField("login_refresh"); ?></p>
369
370	<p class="notes">
371	<strong>Note:</strong> persistent login will keep you logged in, even when idle. The refresh
372	defines how often (in minutes) phpbms will send a logged in notice.
373	</p>
374
375	<p class="notes"><strong>Note:</strong> Does not work with Microsoft Internet Explorer versions less than 7.</p>
376
377	</fieldset>
378
379	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
380	</div>
381
382	</div>
383	</div>
384
385
386	<?php
387	foreach($theform->extraModules as $module => $moduleInfo){
388
389	if(method_exists($moduleInfo["obj"],"display")){
390
391	?><h2 class="moduleButtons"><?php echo $moduleInfo["displayname"] ?></h2><div class="moduleSections"><div class="containers">
392	<?php
393	$moduleInfo["obj"]->display($theform,$therecord);
394	?></div></div><?php
395
396	}//endif
397
398	}//eendforeach
399	?>
400	</form>
401	</div>
402	<?php include("footer.php"); ?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/base/adminsettings.php

Download in other formats: