Here, replace it by this: http://pastie.org/private/zgpebrk4xuc1t3kxlyx6sw ; Now go to your class.core.php:replace this:[PHP] final public function handleCall($k) { global $users, $template, $_CONFIG; if($_CONFIG['hotel']['in_maint'] == false) { if(!isset($_SESSION['user']['id'])) { switch($k) { case "index": case null: case "login": $users->login(); break; case "register": $users->register(); break; case "forgot": $users->forgotten(); break; case "maintenance": case "ToS": // break; case "me": case "account": case "news": header('Location: '.$_CONFIG['hotel']['url'].'/index'); exit; break; default: //Nothing break; } } else { if($_SESSION['user']['ip_last'] != $_SERVER['REMOTE_ADDR']) { header('Location: '.$_CONFIG['hotel']['url'].'/logout'); } switch($k) { case "index": case null: header('Location: '.$_CONFIG['hotel']['url'].'/me'); exit; break; case "register": header('Location: '.$_CONFIG['hotel']['url'].'/me'); exit; break; case "forgot": header('Location: '.$_CONFIG['hotel']['url'].'/me'); exit; break; case "client": $users->createSSO($_SESSION['user']['id']); $users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']); $template->setParams('sso', $users->getInfo($_SESSION['user']['id'], 'auth_ticket')); break; case "help": $users->help(); break; case "account": $users->updateAccount(); break; default: //nothing break; } } } elseif($_GET['url'] != 'maintenance') { header('Location: '.$_CONFIG['hotel']['url'].'/maintenance'); exit; } }[/PHP]by this:[PHP] final public function handleCall($k) { global $users, $template, $_CONFIG; if($_CONFIG['hotel']['in_maint'] == false) { if(!isset($_SESSION['user']['id'])) { switch($k) { case "index": case null: case "login": $users->login(); break; case "register": $users->register(); break; case "maintenance": // break; case "me": case "account": case "news": header('Location: '.$_CONFIG['hotel']['url'].'/index'); exit; break; default: //Nothing break; } } else { if($_SESSION['user']['ip_last'] != 
$_SERVER['REMOTE_ADDR']) { header('Location: '.$_CONFIG['hotel']['url'].'/logout'); } switch($k) { case "index": case null: header('Location: '.$_CONFIG['hotel']['url'].'/me'); exit; break; case "register": header('Location: '.$_CONFIG['hotel']['url'].'/me'); exit; break; case "client": $users->createSSO($_SESSION['user']['id']); $users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']); $template->setParams('sso', $users->getInfo($_SESSION['user']['id'], 'auth_ticket')); break; case "account": $users->updateAccount(); break; default: //nothing break; } } } elseif($_GET['url'] != 'maintenance') { header('Location: '.$_CONFIG['hotel']['url'].'/maintenance'); exit; } }[/PHP]Now go on 'interface.users.php' and remove: 'public function forgotten();' & 'public function help();'. Make sure you do this, if you don't it will return a blank white page or an error.See if the attackers can cause damage again, let me know if they do.
Here, replace it by this: http://pastie.org/private/zgpebrk4xuc1t3kxlyx6sw ; Now go to your class.core.php:
replace this:
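[PHP]
/**
 * Old version of handleCall() (the one to be replaced), restored in full from
 * the complete copy of this listing earlier in the post; the line-by-line copy
 * had lost its braces, most `break;` statements and several cases.
 *
 * Dispatches the page key $k. While $_CONFIG['hotel']['in_maint'] is false,
 * visitors without a session user id get the login / register / forgot
 * handlers, and logged-in users get redirects to /me, the client SSO setup,
 * and the help / account handlers. While in maintenance, any request whose
 * $_GET['url'] is not 'maintenance' is redirected to /maintenance.
 *
 * The "forgot", "ToS" and "help" cases are the ones the replacement version
 * no longer contains.
 */
final public function handleCall($k)
{
    global $users, $template, $_CONFIG;

    if($_CONFIG['hotel']['in_maint'] == false)
    {
        if(!isset($_SESSION['user']['id']))
        {
            // Guest (no session user id).
            switch($k)
            {
                case "index":
                case null:
                case "login":
                    $users->login();
                break;

                case "register":
                    $users->register();
                break;

                // Dropped by the replacement version.
                case "forgot":
                    $users->forgotten();
                break;

                case "maintenance":
                case "ToS":
                    //
                break;

                // Pages that need a session: send guests back to /index.
                case "me":
                case "account":
                case "news":
                    header('Location: '.$_CONFIG['hotel']['url'].'/index');
                    exit;
                break;

                default:
                    //Nothing
                break;
            }
        }
        else
        {
            // NOTE(review): this redirect is not followed by exit, so the
            // switch below still runs for a request whose IP does not match
            // the session's ip_last (including the "client" case).
            if($_SESSION['user']['ip_last'] != $_SERVER['REMOTE_ADDR'])
            {
                header('Location: '.$_CONFIG['hotel']['url'].'/logout');
            }

            switch($k)
            {
                case "index":
                case null:
                    header('Location: '.$_CONFIG['hotel']['url'].'/me');
                    exit;
                break;

                case "register":
                    header('Location: '.$_CONFIG['hotel']['url'].'/me');
                    exit;
                break;

                case "forgot":
                    header('Location: '.$_CONFIG['hotel']['url'].'/me');
                    exit;
                break;

                // Creates the SSO ticket, records the current IP as ip_last
                // and hands the auth_ticket to the template.
                case "client":
                    $users->createSSO($_SESSION['user']['id']);
                    $users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']);
                    $template->setParams('sso', $users->getInfo($_SESSION['user']['id'], 'auth_ticket'));
                break;

                // Dropped by the replacement version.
                case "help":
                    $users->help();
                break;

                case "account":
                    $users->updateAccount();
                break;

                default:
                    //nothing
                break;
            }
        }
    }
    elseif($_GET['url'] != 'maintenance')
    {
        header('Location: '.$_CONFIG['hotel']['url'].'/maintenance');
        exit;
    }
}
[/PHP]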
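by this:
[PHP]
final public function handleCall($k)
{
    global $users, $template, $_CONFIG;
    if($_CONFIG['hotel']['in_maint'] == false)
    {
        if(!isset($_SESSION['user']['id']))
        {
            switch($k)
            {
                case "index":
                case null:
                case "login":
                    $users->login();
                break;
                case "register":
                    $users->register();
                break;
                case "maintenance":
                    //
                break;
                case "me":
                case "account":
                case "news":
                    header('Location: '.$_CONFIG['hotel']['url'].'/index');
                    exit;
                break;
                default:
                    //Nothing
                break;
            }
        }
        else
        {
            if($_SESSION['user']['ip_last'] != $_SERVER['REMOTE_ADDR'])
            {
                header('Location: '.$_CONFIG['hotel']['url'].'/logout');
            }
            switch($k)
            {
                case "index":
                case null:
                    header('Location: '.$_CONFIG['hotel']['url'].'/me');
                    exit;
                break;
                case "register":
                    header('Location: '.$_CONFIG['hotel']['url'].'/me');
                    exit;
                break;
                case "client":
                    $users->createSSO($_SESSION['user']['id']);
                    $users->updateUser($_SESSION['user']['id'], 'ip_last', $_SERVER['REMOTE_ADDR']);
                    $template->setParams('sso', $users->getInfo($_SESSION['user']['id'], 'auth_ticket'));
                break;
                case "account":
                    $users->updateAccount();
                break;
                default:
                    //nothing
                break;
            }
        }
    }
    elseif($_GET['url'] != 'maintenance')
    {
        header('Location: '.$_CONFIG['hotel']['url'].'/maintenance');
        exit;
    }
}
[/PHP]
Note: the ip_last check sends the /logout redirect without an exit; after it, so the rest of handleCall still runs for that request. Add exit; right after that header() call.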
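Now open 'interface.users.php' and remove: 'public function forgotten();' & 'public function help();'. Make sure you do this; if you don't, the site will return a blank white page or an error (presumably because the replacement class no longer defines these two methods, and PHP raises a fatal error when a class does not implement every method its interface declares).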
See if the attackers can cause damage again, let me know if they do.