<?php
/**
* SECURITY INCLUDE FILE
* Include this at the top of all PHP files for basic security
*/
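// Marker constant. Files that include this bootstrap can refuse to run when
// requested directly by checking `defined('SECURE_ACCESS')` *before* the
// include. Note that this file defines the constant unconditionally, so by
// itself it does not prevent direct access to anything.
if (!defined('SECURE_ACCESS')) {
    define('SECURE_ACCESS', true);
}

// Start the session unless some earlier bootstrap already did. The two ini
// settings only take effect if applied before session_start(), so they are
// set here, where we know we are the one starting the session:
//  - use_strict_mode makes PHP reject a session ID it did not issue itself
//    (a client cannot plant an ID of its own choosing);
//  - cookie_httponly keeps the session cookie out of reach of page scripts.
if (session_status() === PHP_SESSION_NONE) {
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Baseline response headers. X-XSS-Protection is a legacy header that current
// browsers ignore; it is kept for older clients, and a Content-Security-Policy
// header (the modern replacement) is left for the application to define.
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Referrer-Policy: strict-origin-when-cross-origin');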
// Basic input validation functions
/**
 * Parse a value as an integer and optionally enforce an inclusive range.
 *
 * @param mixed    $value Raw input (typically a request parameter).
 * @param int|null $min   Smallest accepted value, or null for no lower bound.
 * @param int|null $max   Largest accepted value, or null for no upper bound.
 * @return int|null The integer, or null when it does not parse or is out of range.
 */
function validateInteger($value, $min = null, $max = null) {
    $parsed = filter_var($value, FILTER_VALIDATE_INT);
    // filter_var() yields false for anything that is not a well-formed integer.
    $accepted = $parsed !== false
        && ($min === null || $parsed >= $min)
        && ($max === null || $parsed <= $max);
    return $accepted ? $parsed : null;
}
/**
 * Return the input unchanged when it is a syntactically valid e-mail address.
 *
 * FILTER_VALIDATE_EMAIL checks the address syntax only; it says nothing about
 * whether the mailbox exists.
 *
 * @param mixed $email Raw input.
 * @return string|null The original value when valid, null otherwise.
 */
function validateEmail($email) {
    $looksValid = filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
    return $looksValid ? $email : null;
}
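/**
 * Trim, HTML-escape and length-limit a string.
 *
 * The input is escaped first and the escaped result is then cut to at most
 * $maxLength bytes. The cut is made so that the output stays well-formed:
 * never inside a multibyte UTF-8 character and never inside an entity that
 * htmlspecialchars() produced (a plain byte cut of "...&quot;" would leave a
 * dangling "&quo"). Because the limit applies to the escaped text, fewer than
 * $maxLength original characters may survive.
 *
 * Without ENT_SUBSTITUTE, htmlspecialchars() returns '' for invalid UTF-8, so
 * such input is dropped entirely rather than partially escaped.
 *
 * This escapes for an HTML body/attribute context only. If the value is also
 * needed elsewhere (JSON, URLs, SQL via prepared statements), store the raw
 * input and escape at the point of output instead.
 *
 * @param string|null $string    Raw input; null is treated as ''.
 * @param int         $maxLength Maximum length of the returned string, in bytes.
 * @return string
 */
function sanitizeString($string, $maxLength = 255) {
    $escaped = htmlspecialchars(trim($string ?? ''), ENT_QUOTES, 'UTF-8');
    if (strlen($escaped) <= $maxLength) {
        return $escaped;
    }
    $cut = substr($escaped, 0, $maxLength);
    // A byte cut can split a multibyte character. $escaped is valid UTF-8 (or
    // empty), so trimming at most three trailing bytes restores validity; this
    // is what mb_strcut() does, without requiring ext/mbstring.
    while ($cut !== '' && preg_match('//u', $cut) !== 1) {
        $cut = substr($cut, 0, -1);
    }
    // Every '&' in escaped text starts an entity and every entity ends with
    // ';', so a trailing "&..." without ';' is a partial entity: drop it.
    return preg_replace('/&[^;]*$/', '', $cut);
}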
// CSRF Protection
/**
 * Return the session's CSRF token, creating it on first use.
 *
 * The token is 32 bytes from random_bytes() rendered as 64 hex characters and
 * is reused for the lifetime of the session. Embed it in forms and verify it
 * on submission with validateCSRFToken().
 *
 * @return string
 */
function generateCSRFToken() {
    $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}
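/**
 * Check a submitted CSRF token against the one held in the session.
 *
 * hash_equals() keeps the comparison constant-time. Non-string input (a
 * missing form field yielding null, or an array-valued field) is rejected up
 * front instead of letting hash_equals() throw a TypeError.
 *
 * @param mixed $token Value taken from the request, e.g. $_POST['csrf_token'] ?? null.
 * @return bool True only when a session token exists and matches exactly.
 */
function validateCSRFToken($token) {
    if (!is_string($token) || !isset($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $token);
}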
// Session security
/**
 * Enforce an idle timeout of two hours on the current session.
 *
 * If the previous request was more than 7200 seconds ago the session data is
 * cleared and destroyed and the visitor is redirected to the login page with
 * `timeout=1`; execution stops there. Otherwise the activity timestamp is
 * refreshed. A session with no timestamp yet (first request) is simply stamped.
 *
 * NOTE(review): the redirect target here is /auth/login.php while
 * validateAdminAccess() redirects to /auth/login_new.php — confirm which is the
 * live login page.
 *
 * @return void
 */
function secureSession() {
    $now = time();
    $lastSeen = $_SESSION['last_activity'] ?? null;
    $idleTooLong = $lastSeen !== null && ($now - $lastSeen) > 7200;
    if ($idleTooLong) {
        session_unset();
        session_destroy();
        header('Location: /auth/login.php?timeout=1');
        exit;
    }
    $_SESSION['last_activity'] = $now;
}
// Rate limiting
/**
 * Session-backed fixed-window throttle.
 *
 * Each ($action, client IP) pair gets a bucket in $_SESSION holding a count and
 * the time the window ends. A call is allowed, and counted, while fewer than
 * $limit calls have been made in the current window; once the window has
 * passed the bucket starts over.
 *
 * Because the bucket lives in the caller's own session, the limit is really
 * per session rather than per IP: a client that discards its cookie starts
 * with an empty bucket. Treat this as a courtesy throttle for legitimate
 * clients; protecting a login form against repeated guessing needs a
 * server-side store keyed by IP and/or account.
 *
 * @param string $action Name of the action being throttled (part of the session key).
 * @param int    $limit  Maximum calls allowed per window.
 * @param int    $window Window length in seconds.
 * @return bool True if this call is within the limit, false if it should be refused.
 */
function checkRateLimit($action, $limit = 10, $window = 60) {
    $clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $bucketKey = "rate_limit_{$action}_{$clientIp}";
    $now = time();

    // Missing or expired bucket: begin a fresh window.
    $bucket = $_SESSION[$bucketKey] ?? null;
    if ($bucket === null || $now > $bucket['reset_time']) {
        $bucket = ['count' => 0, 'reset_time' => $now + $window];
    }

    $allowed = $bucket['count'] < $limit;
    if ($allowed) {
        $bucket['count']++;
    }
    $_SESSION[$bucketKey] = $bucket;
    return $allowed;
}
// Admin access validation
/**
 * Gate an admin-only page: returns normally for an administrator, otherwise
 * logs the attempt, redirects to /auth/login_new.php and exits.
 *
 * Order of checks:
 *  1. No $_SESSION['user_id']          -> log, redirect, exit.
 *  2. $_SESSION['is_admin'] truthy     -> granted without touching the database.
 *  3. Otherwise users.is_admin is read for the session's user_id; a positive
 *     result is cached in the session.
 *  4. Bootstrap: if no row in users has is_admin = 1, the current user is
 *     promoted in the database and in the session.
 *
 * Step 4 is a first-run convenience with a real cost: for as long as the
 * table holds no admin, any authenticated user who requests an admin page
 * becomes one, and the promotion is persisted. Consider moving this to an
 * explicit installer step or removing it once the first admin exists.
 *
 * Step 2 means a user demoted in the database keeps admin access until the
 * session that cached is_admin = 1 ends.
 *
 * Only Exception (including PDOException) is caught; an Error such as a
 * missing getDBConnection() definition propagates.
 *
 * @return void Returns only when access is granted; every other path exits.
 */
function validateAdminAccess() {
    // Check if user is logged in
    if (!isset($_SESSION['user_id'])) {
        error_log("Unauthorized admin access attempt from IP: " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        header('Location: /auth/login_new.php');
        // Stop here so the protected page body below the include never runs.
        exit;
    }
    // Check if user has admin privileges in session
    if (!isset($_SESSION['is_admin']) || !$_SESSION['is_admin']) {
        // Check database for admin status
        try {
            require_once __DIR__ . '/../config/database.php';
            $pdo = getDBConnection();
            // user_id comes from the session, not the request, but is still
            // bound as a parameter rather than interpolated.
            $stmt = $pdo->prepare("SELECT is_admin FROM users WHERE id = ?");
            $stmt->execute([$_SESSION['user_id']]);
            $user = $stmt->fetch();
            if ($user && $user['is_admin']) {
                // Update session with admin status
                $_SESSION['is_admin'] = 1;
            } else {
                // Make the first user admin if no admin exists
                $stmt = $pdo->query("SELECT COUNT(*) as count FROM users WHERE is_admin = 1");
                $admin_count = $stmt->fetch()['count'];
                // Loose comparison: some drivers return COUNT(*) as the string
                // "0"; (int) $admin_count === 0 would be the explicit form.
                if ($admin_count == 0) {
                    // Make current user admin
                    $stmt = $pdo->prepare("UPDATE users SET is_admin = 1 WHERE id = ?");
                    $stmt->execute([$_SESSION['user_id']]);
                    $_SESSION['is_admin'] = 1;
                } else {
                    error_log("Unauthorized admin access attempt from IP: " . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
                    header('Location: /auth/login_new.php');
                    exit;
                }
            }
        } catch (Exception $e) {
            // Fail closed: a database problem denies access rather than granting it.
            error_log("Database error in validateAdminAccess: " . $e->getMessage());
            header('Location: /auth/login_new.php');
            exit;
        }
    }
}
// Secure error handling
/**
 * Error handler installed by this file: every PHP error is written to the
 * error log with its file and line, and nothing is shown to the visitor.
 *
 * Returning true tells PHP the error has been handled, which suppresses its
 * own display and logging. When DEBUG_MODE is defined and truthy the handler
 * returns false so PHP's standard handling (and display_errors) still applies.
 *
 * @param int    $errno   Error level (E_WARNING, E_NOTICE, ...).
 * @param string $errstr  Error message.
 * @param string $errfile File in which the error occurred.
 * @param int    $errline Line on which it occurred.
 * @return bool
 */
function secureErrorHandler($errno, $errstr, $errfile, $errline) {
    error_log(sprintf('Error [%s]: %s in %s on line %s', $errno, $errstr, $errfile, $errline));
    $debugging = defined('DEBUG_MODE') && DEBUG_MODE;
    return !$debugging;
}
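// Initialize security: apply the idle timeout to the current session, then
// route all PHP errors through the logging handler above.
secureSession();
set_error_handler('secureErrorHandler');

// No closing `?>` tag: in an include file any byte after it (even a stray
// newline) is sent as output and makes the header() calls in the including
// page fail with "headers already sent".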