forked from ggpsystemsltd/sugarcrm
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSugarSecurity.php
159 lines (135 loc) · 4.71 KB
/
SugarSecurity.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
<?PHP
/*********************************************************************************
* The contents of this file are subject to the SugarCRM Master Subscription
* Agreement ("License") which can be viewed at
* http://www.sugarcrm.com/crm/master-subscription-agreement
* By installing or using this file, You have unconditionally agreed to the
* terms and conditions of the License, and You may not use this file except in
* compliance with the License. Under the terms of the license, You shall not,
* among other things: 1) sublicense, resell, rent, lease, redistribute, assign
* or otherwise transfer Your rights to the Software, and 2) use the Software
* for timesharing or service bureau purposes such as hosting the Software for
* commercial gain and/or for the benefit of a third party. Use of the Software
* may be subject to applicable fees and any use of the Software without first
* paying applicable fees is strictly prohibited. You do not have the right to
* remove SugarCRM copyrights from the source code or user interface.
*
* All copies of the Covered Code must include on each user interface screen:
* (i) the "Powered by SugarCRM" logo and
* (ii) the SugarCRM copyright notice
* in the same form as they appear in the distribution. See full license for
* requirements.
*
* Your Warranty, Limitations of liability and Indemnity are expressly stated
* in the License. Please refer to the License for the specific language
* governing these rights and limitations under the License. Portions created
* by SugarCRM are Copyright (C) 2004-2012 SugarCRM, Inc.; All Rights Reserved.
********************************************************************************/
class SugarSecure{
var $results = array();
function display(){
echo '<table>';
foreach($this->results as $result){
echo '<tr><td>' . nl2br($result) . '</td></tr>';
}
echo '</table>';
}
function save($file=''){
$fp = fopen($file, 'a');
foreach($this->results as $result){
fwrite($fp , $result);
}
fclose($fp);
}
function scan($path= '.', $ext = '.php'){
$dir = dir($path);
while($entry = $dir->read()){
if(is_dir($path . '/' . $entry) && $entry != '.' && $entry != '..'){
$this->scan($path .'/' . $entry);
}
if(is_file($path . '/'. $entry) && substr($entry, strlen($entry) - strlen($ext), strlen($ext)) == $ext){
$contents = file_get_contents($path .'/'. $entry);
$this->scanContents($contents, $path .'/'. $entry);
}
}
}
function scanContents($contents){
return;
}
}
class ScanFileIncludes extends SugarSecure{
function scanContents($contents, $file){
$results = array();
$found = '';
/*preg_match_all("'(require_once\([^\)]*\\$[^\)]*\))'si", $contents, $results, PREG_SET_ORDER);
foreach($results as $result){
$found .= "\n" . $result[0];
}
$results = array();
preg_match_all("'include_once\([^\)]*\\$[^\)]*\)'si", $contents, $results, PREG_SET_ORDER);
foreach($results as $result){
$found .= "\n" . $result[0];
}
*/
$results = array();
preg_match_all("'require\([^\)]*\\$[^\)]*\)'si", $contents, $results, PREG_SET_ORDER);
foreach($results as $result){
$found .= "\n" . $result[0];
}
$results = array();
preg_match_all("'include\([^\)]*\\$[^\)]*\)'si", $contents, $results, PREG_SET_ORDER);
foreach($results as $result){
$found .= "\n" . $result[0];
}
$results = array();
preg_match_all("'require_once\([^\)]*\\$[^\)]*\)'si", $contents, $results, PREG_SET_ORDER);
foreach($results as $result){
$found .= "\n" . $result[0];
}
$results = array();
preg_match_all("'fopen\([^\)]*\\$[^\)]*\)'si", $contents, $results, PREG_SET_ORDER);
foreach($results as $result){
$found .= "\n" . $result[0];
}
$results = array();
preg_match_all("'file_get_contents\([^\)]*\\$[^\)]*\)'si", $contents, $results, PREG_SET_ORDER);
foreach($results as $result){
$found .= "\n" . $result[0];
}
if(!empty($found)){
$this->results[] = $file . $found."\n\n";
}
}
}
class SugarSecureManager{
var $scanners = array();
function registerScan($class){
$this->scanners[] = new $class();
}
function scan(){
while($scanner = current($this->scanners)){
$scanner->scan();
$scanner = next($this->scanners);
}
reset($this->scanners);
}
function display(){
while($scanner = current($this->scanners)){
echo 'Scan Results: ';
$scanner->display();
$scanner = next($this->scanners);
}
reset($this->scanners);
}
function save(){
//reset($this->scanners);
$name = 'SugarSecure'. time() . '.txt';
while($this->scanners = next($this->scanners)){
$scanner->save($name);
}
}
}
$secure = new SugarSecureManager();
$secure->registerScan('ScanFileIncludes');
$secure->scan();
$secure->display();