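<?php
/**
 * @package   admintools
 * @copyright Copyright (c)2010-2023 Nicholas K. Dionysopoulos / Akeeba Ltd
 * @license   GNU General Public License version 3, or later
 */

use Joomla\CMS\Authentication\AuthenticationResponse;
use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;

defined('_JEXEC') || die;

/**
 * Emails the configured addresses whenever a backend (administrator) login attempt fails.
 *
 * The feature does nothing when "track failed logins" is on (that feature owns the notification then), when the
 * current request is not a backend request, or when no notification address is configured.
 */
class AtsystemFeatureEmailfailedadminlong extends AtsystemFeatureAbstract
{
	protected $loadOrder = 810;

	/**
	 * Is this feature enabled?
	 *
	 * @return bool
	 */
	public function isEnabled()
	{
		// When "track failed logins" is enabled that feature sends the notifications; avoid emailing twice.
		if ((int) $this->cparams->getValue('trackfailedlogins', 0) === 1)
		{
			return false;
		}

		if (!$this->container->platform->isBackend())
		{
			return false;
		}

		// Without at least one configured recipient there is nothing to send.
		$recipients = trim((string) $this->cparams->getValue('emailonfailedadminlogin', ''));

		return $recipients !== '';
	}

	/**
	 * Sends an email upon a failed administrator login
	 *
	 * @param   AuthenticationResponse|array  $response  The failed authentication response; its 'username' entry is
	 *                                                   the username that was attempted.
	 *
	 * @return  void
	 */
	public function onUserLoginFailure($response)
	{
		// Do not email about failed logins as a result of an empty username
		$username = isset($response['username']) ? (string) $response['username'] : '';

		if ($username === '')
		{
			return;
		}

		// Only act while nobody is logged in: a logged-in user cannot be "failing to log in".
		$user = $this->container->platform->getUser();

		if (!$user->guest)
		{
			return;
		}

		// NOTE(review): this bails out only when BOTH option and task fail to match; confirm that a request matching
		// either one alone is meant to count as "still on the login page".
		$option = $this->input->getCmd('option');
		$task   = $this->input->getCmd('task');

		if (($option !== 'com_login') && ($task !== 'login'))
		{
			return;
		}

		// Blocked IPs are stopped by the firewall anyway, so there is nothing to report for them.
		if ($this->parentPlugin->runBooleanFeature('isIPBlocked', false, []))
		{
			return;
		}

		// Still in the login task WITHOUT a valid user: this is a genuine login failure.

		// Load the component's administrator translation files so the reason string below is translated.
		$jlang = Factory::getLanguage();
		$jlang->load('com_admintools', JPATH_ADMINISTRATOR, 'en-GB', true);
		$jlang->load('com_admintools', JPATH_ADMINISTRATOR, $jlang->getDefault(), true);
		$jlang->load('com_admintools', JPATH_ADMINISTRATOR, null, true);

		// Construct the replacement table
		$substitutions = $this->exceptionsHandler->getEmailVariables(
			Text::_('COM_ADMINTOOLS_WAFEMAILTEMPLATE_REASON_ADMINLOGINFAIL')
		);

		// Let's get the most suitable email template
		$template = $this->exceptionsHandler->getEmailTemplate('adminloginfail', true);

		// No published template, or the template opts out of notifications: stop here.
		if (!$template)
		{
			return;
		}

		[$subject, $body] = $this->renderTemplate($template, $substitutions, $username);

		$this->sendToConfiguredRecipients($subject, $body);
	}

	/**
	 * Applies the placeholder substitutions to the template's subject and body.
	 *
	 * getEmailVariables() primes [USER] from the current Joomla user, which is ALWAYS the Guest user here since
	 * nobody is logged in yet. It is therefore replaced with the username Joomla reports in the failed-login
	 * response. That value is attacker-controlled: the mail is sent as HTML, so it is HTML-escaped before going into
	 * the body so a crafted username cannot inject markup into the administrator's mailbox. The subject is a plain
	 * header and receives the unescaped value. strtr() substitutes in a single pass, so text inserted for one
	 * placeholder is never itself re-scanned for other placeholders.
	 *
	 * @param   array   $template       [subject, body] as returned by the exceptions handler
	 * @param   array   $substitutions  placeholder => replacement map from getEmailVariables()
	 * @param   string  $username       The username that failed to log in
	 *
	 * @return  array  [subject, body] with all placeholders replaced
	 */
	private function renderTemplate(array $template, array $substitutions, string $username): array
	{
		$subjectMap = [];

		foreach ($substitutions as $placeholder => $value)
		{
			$subjectMap[$placeholder] = (string) $value;
		}

		$subjectMap['[USER]'] = $username;

		$bodyMap           = $subjectMap;
		$bodyMap['[USER]'] = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

		return [
			strtr((string) $template[0], $subjectMap),
			strtr((string) $template[1], $bodyMap),
		];
	}

	/**
	 * Sends one copy of the rendered notification to every configured recipient address.
	 *
	 * The recipient list is the comma-separated 'emailonfailedadminlogin' parameter. Mail delivery is best effort:
	 * any exception raised by the mailer is swallowed so a mail problem never interferes with login handling.
	 *
	 * @param   string  $subject  Rendered subject
	 * @param   string  $body     Rendered HTML body
	 *
	 * @return  void
	 */
	private function sendToConfiguredRecipients(string $subject, string $body): void
	{
		$recipients = array_map(
			'trim',
			explode(',', (string) $this->cparams->getValue('emailonfailedadminlogin', ''))
		);

		try
		{
			$config = $this->container->platform->getConfig();
			$mailer = Factory::getMailer();

			// Everything that is identical for every recipient is set once, outside the loop.
			// An explicit normal priority is required because SpamAssassin penalises mail without one.
			$mailer->Priority = 3;
			$mailer->isHtml(true);
			$mailer->setSender([$config->get('mailfrom'), $config->get('fromname')]);
			$mailer->setSubject($subject);
			$mailer->setBody($body);

			foreach ($recipients as $recipient)
			{
				if ($recipient === '')
				{
					continue;
				}

				// One message per recipient; reset the recipient list so addresses don't pile up across iterations.
				$mailer->clearAllRecipients();

				if ($mailer->addRecipient($recipient) === false)
				{
					// Invalid address: skip it rather than abort the remaining recipients.
					continue;
				}

				$mailer->Send();
			}
		}
		catch (Exception $e)
		{
			// Joomla! 3.5 and later throw an exception on mail failure instead of returning false. Deliberately
			// ignored: the notification is best effort.
		}
	}
}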