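// Require a reCAPTCHA once the login form reports three or more failed attempts.
// NOTE(review): the gate itself is client-controlled. 'attempt' is taken from the
// request (the template round-trips it, see the 'attempt' assign below), so a
// client can keep sending attempt=0 and never reach this check, and any request
// carrying ?lp=... skips it entirely. The counter needs to live server-side
// (e.g. in $_SESSION); the failure path that increments it is not visible here,
// so the condition is left as-is and only the verification itself is hardened.
if ($_REQUEST['attempt'] >= 3 && empty($_GET['lp'])) {
    // SECURITY: this reCAPTCHA secret is committed to source (and published in this
    // gist). Treat it as compromised: rotate it in the reCAPTCHA admin console and
    // load the replacement from $GLOBALS['config'] instead of a literal.
    $secret = '6Lcb8yYUAAAAAI_TS_c88LNH4_gcud1Ay6ZdO71A';
    // A missing or non-string token must verify as a failure, not raise a notice
    // or be coerced from an array to the string "Array".
    $code = (isset($_REQUEST['g-recaptcha-response']) && is_string($_REQUEST['g-recaptcha-response']))
        ? $_REQUEST['g-recaptcha-response']
        : '';
    // urlencode both values: the token is attacker-supplied and would otherwise be
    // able to append extra query parameters to the siteverify request.
    $verify = file_get_contents(
        'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($secret)
        . '&response=' . urlencode($code)
    );
    // Fail closed: an unreachable verifier, malformed JSON, or anything other than
    // a literal boolean true all count as a failed CAPTCHA.
    $response  = ($verify === false) ? null : json_decode($verify);
    $captchaOk = is_object($response) && isset($response->success) && $response->success === true;
    if (!$captchaOk) {
        // Re-render the login form with an error ("Too many failed attempts, try again").
        $msg  = '<div class="rows error">';
        $msg .= '<h3>Error</h3>';
        $msg .= '<p>Demasiados intentos fallidos, pruebe nuevamente</p>';
        $msg .= '</div>';
        $smarty = new MailtrackSmarty();
        // $rememberMe and $username are expected to be set earlier in this file.
        $smarty->assign(array(
            'dest'       => isset($_REQUEST['dest']) ? $_REQUEST['dest'] : null,
            'message'    => $msg,
            'rememberMe' => $rememberMe,
            'username'   => $username,
            'attempt'    => $_REQUEST['attempt'],
            'version'    => $GLOBALS['app_namever']));
        // With CSRF protection enabled the rendered form gets its tokens injected
        // before output; otherwise the template is displayed directly.
        if ($GLOBALS['config']['csrf_login']) {
            echo csrfguard_replace_forms($smarty->fetch('login.tpl'));
        } else {
            $smarty->display('login.tpl');
        }
        exit();
    }
}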
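// Password recovery is the one unauthenticated action handled here, so it is
// always CAPTCHA-gated; every other action requires a logged-in session.
if (isset($_REQUEST['action']) && $_REQUEST['action'] === 'recover_pwd') {
    // SECURITY: reCAPTCHA secret committed to source (and published in this gist).
    // Rotate it and load the replacement from $GLOBALS['config'] instead.
    $secret = '6Lcb8yYUAAAAAI_TS_c88LNH4_gcud1Ay6ZdO71A';
    // A missing or non-string token verifies as a failure rather than as "Array"/notice.
    $code = (isset($_REQUEST['g-recaptcha-response']) && is_string($_REQUEST['g-recaptcha-response']))
        ? $_REQUEST['g-recaptcha-response']
        : '';
    // urlencode: the token is attacker-supplied and must not be able to inject
    // additional query parameters into the siteverify request.
    $verify = file_get_contents(
        'https://www.google.com/recaptcha/api/siteverify?secret=' . urlencode($secret)
        . '&response=' . urlencode($code)
    );
    if ($verify === false) {
        // Verifier unreachable. This used to `echo var_dump($verify)` to the client,
        // which is debug output on a public endpoint; log it for the operator and
        // fail closed with the same JSON the client already handles for a rejected
        // CAPTCHA.
        error_log('recaptcha siteverify request failed (recover_pwd)');
        $ret['result'] = "bad_captcha";
        echo json_encode($ret);
        exit();
    }
    // Anything other than a well-formed object with success === true is a failure.
    $response = json_decode($verify);
    if (!is_object($response) || !isset($response->success) || $response->success !== true) {
        $ret['result'] = "bad_captcha";
        echo json_encode($ret);
        exit();
    }
    // Allow-list of request keys this operation may see; everything else is dropped.
    // Strict in_array: with the loose form, an integer key (e.g. ?0=x) compares
    // equal to 'email' on PHP < 8 and would survive the prune.
    // NOTE(review): only $_REQUEST is pruned — the same keys remain readable via
    // $_GET/$_POST/$_COOKIE, so downstream code must read $_REQUEST only. CSRFName/
    // CSRFToken are kept but not verified here; confirm that happens before any
    // reset e-mail is sent.
    $valid = ['email', 'CSRFName', 'CSRFToken', 'action'];
    foreach (array_keys($_REQUEST) as $key) {
        if (!in_array($key, $valid, true)) {
            unset($_REQUEST[$key]);
        }
    }
} else {
    // Not a password-recovery request: an authenticated session is mandatory.
    // Respond 403 rather than an empty 200 so clients and logs can tell the
    // difference (matches the forbidden handling used further down).
    if (empty($_SESSION) || empty($_SESSION['session_ClientID'])) {
        header('HTTP/1.0 403 Forbidden');
        die();
    }
}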
// Normalise request parameters that an upstream caller sends in a broken form
// (the original note blames "OSDE"). These are sanitisers, not validators: the
// first silently rewrites its input, the second rejects on a character allow-list.
// FILTER: 'ids' keeps only digits and commas (mzalazar Jun-2017).
// NOTE(review): the result can still be '' or ',,' (e.g. ids=abc) or '1,,2';
// whatever builds an IN (...) list from it must cope with those, and the value
// should still be bound as a parameter rather than interpolated.
if (!empty($_REQUEST['ids'])) $_REQUEST['ids'] = preg_replace("/[^0-9,]+/", "", $_REQUEST['ids']);
// FILTER: reject an email containing anything outside [0-9a-z@_.%-], case-insensitive (mzalazar Jun-2017).
// NOTE(review): '%' and '_' are allowed and are SQL LIKE wildcards; the commented-out
// sprintf() query below suggests $email was once interpolated into SQL, so confirm the
// live lookup uses a bound parameter and an exact (=) match, not LIKE. There is no
// length cap and no structural check (an '@' is not required) — allow-list only.
if (!empty($_REQUEST['email']) && preg_match("/[^0-9a-z@_\.%-]+/i", $_REQUEST['email'])) {
// Same JSON shape as the "not found" response; the msg is Spanish for "The email entered is not valid."
$ret['result'] = "not_found";
$ret['msg'] = "El correo ingresado no es valido.";
echo json_encode($ret);
exit();
}
// echo sprintf($query, $GLOBALS['config']['nom_database'], $email); // was found uncommented at one point — debug output must never reach the client
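// Actions restricted to the super-admin source-IP allow-list: anything on the
// 'servers' table, and creating/editing records with fe_type=superadmin.
// NOTE(review): REMOTE_ADDR is the TCP peer. Behind a reverse proxy or load
// balancer it is the proxy's address, not the user's, and X-Forwarded-For must
// not be substituted without a known-proxy check. Only 'new'/'edit' are gated
// here — confirm other actions on fe_type=superadmin (e.g. delete) are covered
// elsewhere.
// Strict in_array: REMOTE_ADDR and the configured IPs are strings, so loose
// comparison buys nothing and only adds PHP's numeric-string surprises.
$reqFromTrustedIp = in_array($_SERVER['REMOTE_ADDR'], $GLOBALS['config']['superadmin_secure_ip'], true);
// Missing or non-string parameters compare as '' instead of raising notices.
$reqTable  = (isset($_REQUEST['table']) && is_string($_REQUEST['table'])) ? $_REQUEST['table'] : '';
$reqFeType = (isset($_REQUEST['fe_type']) && is_string($_REQUEST['fe_type'])) ? $_REQUEST['fe_type'] : '';
$reqAction = (isset($_REQUEST['action']) && is_string($_REQUEST['action'])) ? $_REQUEST['action'] : '';
$reqIsRestricted = ($reqTable === 'servers')
    || ($reqFeType === 'superadmin' && ($reqAction === 'new' || $reqAction === 'edit'));
if (!$reqFromTrustedIp && $reqIsRestricted) {
    header('HTTP/1.0 403 Forbidden');
    echo 'You are forbidden!';
    exit(0);
}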
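// A session that is not SUPER_ADMIN may not act as fe_type=superadmin, and a
// request with no session data at all is rejected outright. The grouping is now
// explicit: the original `A && B || C` relied on && binding tighter than ||.
// NOTE(review): on the unauthenticated recover_pwd path above, fe_type has
// already been pruned from $_REQUEST, but empty($_SESSION) still applies here —
// presumably session_start() has populated $_SESSION by this point; confirm,
// otherwise password recovery dies on this line.
$reqWantsSuperadmin = isset($_REQUEST['fe_type']) && $_REQUEST['fe_type'] === 'superadmin';
$sessionIsSuperadmin = isset($_SESSION['session_ClientID']) && $_SESSION['session_ClientID'] === 'SUPER_ADMIN';
if (($reqWantsSuperadmin && !$sessionIsSuperadmin) || empty($_SESSION)) {
    // 403 instead of a bare die(): same outcome for the caller, but distinguishable
    // from a successful empty response in logs and monitoring.
    header('HTTP/1.0 403 Forbidden');
    die();
}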