Initial commit

www/CRS-top.jsp

@@ -0,0 +1 @@
+<html><head><meta http-equiv="Refresh" content="1; url=login.php"></head></html>

www/README.txt

@@ -0,0 +1,4 @@
+- The content of this folder must be served by a webserver.
+- DNS of https://www01.kddi-mmbb.jp/00000010/ must be redirected to this folder.
+- Keep an eye on the used SSL-ciphers, most of them are weak and you should harden your webserver
+- using a self-signed certificate works

www/db_cred.php

@@ -0,0 +1,12 @@
+<?php
+    $serv = 'localhost';
+    $datb = 'bioserver2';
+    $user = 'bioserver';
+    $pass = 'xxxxxxxxxxxxxxxx';
+    
+    $conn = mysql_connect($serv, $user, $pass)
+        or die ("connection error");
+
+    mysql_select_db($datb, $conn)
+        or die("database failure");
+?>

www/enterareas.html

@@ -0,0 +1,24 @@
+<html>
+<head>
+<!--CRS-lbs-info-get-->
+<META HTTP-EQUIV=Content-Type CONTENT=text/html;CHARSET=UTF-8>
+</head>
+<!-- Results -->
+<!-- LBS domain name + port number -->
+<!-- connecting people -->
+<!-- Maximum number of connections -->
+<!-- Additional Information 1 -->
+<!-- Additional Information 2 -->
+<!-- Additional Information 3 -->
+<!--
+<CSV>
+"OK",
+"www01.kddi-mmbb.jp:8200",
+"0",
+"999",
+"0ad601082008,ALPHA SERVER",
+"<BODY>Please select the server.<END>",
+"  ",
+</CSV>
+-->
+</html>

www/footer.php

@@ -0,0 +1,14 @@
+			<br></br>
+			<br></br>
+
+				<font size="-2"><br></br><br></br></font>
+				<table border="1" width="80%" cellspacing="0" cellpadding="0"></table>
+				<font size="-2"><br></br></font>
+
+				<font size="-2" color="#aaaaaa">
+					OBSRV - Fan Made Biohazard Outbreak(tm) Server
+					<br></br>
+					(c)2013-<?php echo date('Y'); ?> obsrv.org
+				</font>
+		</center>
+</body></html>

www/header.php

@@ -0,0 +1,10 @@
+<html><head><!--CRS-top-->
+   <title><?php echo 'non production server'; ?></title>
+   <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+</head>
+<body text="#D7E0FF" background="ps2_bg.png" bgcolor="black" link="#224EAB">
+		<center>
+			<img src="ps2_logo.png" width="320" height="109"></img>
+
+			<br></br>
+			<font size="-2"><br></br></font>

www/login.php

@@ -0,0 +1,53 @@
+<?php
+	session_start();
+	include('header.php');
+?>
+
+<font size="-2"><br></br></font>			
+<table align="center" width="100%" cellspacing="0" cellpadding="0">
+	<tr align="center" valign="top">
+		<td align="center" width="50%">
+			<form method="post" action="login_form.php">
+				Login with existing account:<br></br>
+				<table>
+					<tr>
+						<td>ID:</td>
+						<td><input type="text" name="username"></input></td>
+					</tr>
+					
+					<tr>
+						<td>Password:</td>
+						<td><input type="password" name="password"></input></td>
+					</tr>
+					
+					<input type="hidden" name="login" value="manual"></input>
+					<tr><td></td><td><input type="submit" value="LOGIN"></input></td></tr>
+					
+				</table>
+			</form>
+		</td>
+
+		<td align="center" width="50%">
+			<form method="post" action="login_form.php">
+				Create new account and login:<br></br>
+				<table>
+					<tr>
+						<td>ID:</td>
+						<td><input type="text" name="username"></input></td>
+					</tr>
+					
+					<tr>
+						<td>Password:</td>
+						<td><input type="password" name="password"></input></td>
+					</tr>
+					
+					<input type="hidden" name="login" value="newaccount"></input>
+					<tr><td></td><td><input type="submit" value="LOGIN"></input></td></tr>
+					
+				</table>
+			</form>
+		</td>
+	</tr>
+</table>
+
+<?php include('footer.php'); ?>

www/login_form.php

@@ -0,0 +1,92 @@
+<?php
+	session_start();
+	
+	require_once('db_cred.php');
+
+        function create_sessid() {
+		for(;;) {
+			$sessid = (mt_rand(10000000,99999999));
+			$res = mysql_query('select count(*) as cnt from sessions where sessid='.$sessid);
+			$row = mysql_fetch_array($res);
+			if($row["cnt"] == 0) break;
+		}
+        	return($sessid);
+        }
+        
+
+	$login_result = '';
+	if ($_POST["login"] == 'manual') {
+		// kind of sanitizing
+		$username  = substr(preg_replace("/[^A-Za-z0-9 _]/", "", $_POST["username"]), 0, 14);
+		$password  = substr(preg_replace("/[^A-Za-z0-9 _]/", "", $_POST["password"]), 0, 14);
+
+		// no password entered, return to login page
+		if($password == "" || $username=="") {
+			header('Location: CRS-top.jsp');
+			exit();
+		}
+
+		$res = mysql_query('select count(*) as cnt from users where userid="'.$username.'" and passwd="'.$password.'"');
+		$row = mysql_fetch_array($res);
+		$authc = false;
+		if($row["cnt"] == 1) $authc = true;
+		
+		if($authc == false) {
+			$login_result = 'Login failed. Your login/password combination is wrong.';
+			$login_result .= '<br><a href="CRS-top.jsp">back</a>';
+		} else {
+			// login was successful, now delete old sessions and create a new one
+			mysql_query('delete from sessions where lower(userid) = lower("'.$username.'")');
+			$ip = $_SERVER["REMOTE_ADDR"];    // get the ip number of the user
+			$port = $_SERVER["REMOTE_PORT"];  // get the port of the user
+			
+			// setup session
+			$sessid = create_sessid();
+			$res = mysql_query('insert into sessions (userid,ip,port,sessid,lastlogin) values(lower("'.$username.'"),"'.$ip.'","'.$port.'","'.$sessid.'",now())');
+			if(!$res) $login_result = 'Login successful. Session creation failed.<br><a href="login.php">Back to menu</a>';
+			else $login_result = 'Login successful.<br><a href="startsession.php?sessid='.$sessid.'.">Enter lobbies</a>';
+		}
+
+        } else if ($_POST["login"] == 'newaccount') {
+		// kind of sanitizing
+		$username  = substr(preg_replace("/[^A-Za-z0-9 _]/", "", $_POST["username"]), 0, 14);
+		$password  = substr(preg_replace("/[^A-Za-z0-9 _]/", "", $_POST["password"]), 0, 14);
+
+		// no password entered, return to login page
+		if($password == "" || $username=="") {
+			header('Location: CRS-top.jsp');
+			exit();
+		}
+
+		// add new user
+	        $res2 = mysql_query('insert into users (userid, passwd) values("'.$username.'","'.$password.'")');
+		if($res2) {
+			$ip = $_SERVER["REMOTE_ADDR"];    // get the ip number of the user
+			$port = $_SERVER["REMOTE_PORT"];  // get the port of the user
+			
+			// setup session
+			$sessid = create_sessid();
+			$res = mysql_query('insert into sessions (userid,ip,port,sessid,lastlogin) values(lower("'.$username.'"),"'.$ip.'","'.$port.'","'.$sessid.'",now())');
+			if(!$res) $login_result = 'Login successful. Session creation failed.<br><a href="login.php">Back to menu</a>';
+			else $login_result = 'Login successful.<br><a href="startsession.php?sessid='.$sessid.'.">Enter lobbies</a>';
+                }
+		else {
+		        $login_result = 'Login failed. User already exists.<br><a href="CRS-top.jsp">back</a>';
+                }
+                
+	} else {
+		$login_result = 'Login failed.<br><a href="CRS-top.jsp">back</a>';
+	}
+	
+	include('header.php');
+?>
+
+<br></br>
+<br></br>
+
+<?php echo $login_result; ?>
+
+<br></br>
+<br></br>
+
+<?php include('footer.php'); ?>

www/startsession.php

@@ -0,0 +1,8 @@
+<?php
+    echo ("<html><head><!--CRS-game-start-->");
+    echo ("<META HTTP-EQUIV=Content-Type CONTENT=text/html;CHARSET=EUC-JP></head>");
+    echo ("<!--result--><!--connection id--><!--start the game url--><!--exit game url-->");
+    echo ("<!--<CSV>\"OK\",\"".$_GET["sessid"]."\",");
+    echo ("\"https://www01.kddi-mmbb.jp/00000010/enterareas.html\",");
+    echo ("\"https://www01.kddi-mmbb.jp/00000010/login.php\",</CSV>--></html>");
+?>