Security fix: unauthorized access (#10091)

* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

includes/html/graphs/application/bind_sockets_active.inc.php

@@ -0,0 +1,45 @@
+<?php
+$name = 'bind';
+$app_id = $app['app_id'];
+$unit_text     = 'active sockets';
+$colours       = 'psychedelic';
+$dostack       = 0;
+$printtotal    = 0;
+$addarea       = 1;
+$transparency  = 15;
+
+$rrd_filename = rrd_name($device['hostname'], array('app', 'bind', $app['app_id'], 'sockets'));
+
+$rrd_list=array();
+if (rrdtool_check_rrd_exists($rrd_filename)) {
+    $rrd_list[]=array(
+        'filename' => $rrd_filename,
+        'descr'    => 'UDP/IPv4',
+        'ds'       => 'ui4sa',
+    );
+    $rrd_list[]=array(
+        'filename' => $rrd_filename,
+        'descr'    => 'UDP/IPv6',
+        'ds'       => 'ui6sa',
+    );
+# This appears to be buggy on various versions of BIND named and acts as a counter instead.
+#    $rrd_list[]=array(
+#        'filename' => $rrd_filename,
+#        'descr'    => 'TCP/IPv4',
+#        'ds'       => 'ti4sa',
+#    );
+    $rrd_list[]=array(
+        'filename' => $rrd_filename,
+        'descr'    => 'TCP/IPv6',
+        'ds'       => 'ti6sa',
+    );
+    $rrd_list[]=array(
+        'filename' => $rrd_filename,
+        'descr'    => 'Raw',
+        'ds'       => 'rsa',
+    );
+} else {
+    d_echo('RRD "'.$rrd_filename.'" not found');
+}
+
+require 'includes/html/graphs/generic_multi_line.inc.php';