1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

admin interface hidden by ht-access

Discussion in 'XenForo Questions and Support' started by erich37, Aug 11, 2011.

  1. erich37

    erich37 Well-Known Member

    I do have my ACP admin interface hidden with ht-access.

    So when you go to domain.com/admin.php then it will show an Error-message "401 Authorization required" to the visitors which is fine.

    But when I view the "source code" of that page which shows this "401 Error", then there is certain information visible regarding the XF-code.

    Would this be a possible security-issue when a hacker is seeing this code ?
  2. Mike

    Mike XenForo Developer Staff Member

    That page won't have anything from XF - the htaccess is implemented by Apache. XF won't even be executed without getting through it. That's down to Apache configuration.
  3. erich37

    erich37 Well-Known Member

    this is showing up in the source-code:

    <!DOCTYPE html>
    <html id="XenForo" lang="en-US" class="Login">
        <meta charset="utf-8" />
        <meta name="robots" content="noindex" />
        <title>domain.com Admin Control Panel Login | Admin CP - domain.com - </title>
        <link rel="stylesheet" type="text/css" href="admin.php?_css/&amp;css=public%3Axenforo%2Cpublic%3Aform%2Clogin_page&amp;d=1313028638" />
        <script type="text/javascript" src="js/jquery/jquery-1.4.4.min.js"></script>
    <script type="text/javascript" src="js/jquery/jquery.xenforo.rollup.js?_v=21d5099e"></script>
    <script type="text/javascript" src="js/xenforo/xenforo.js?_v=21d5099e"></script>
    <script type="text/javascript">
    jQuery.extend(true, XenForo,
        serverTimeInfo: { now: 1313032162, today: 1313013600, todayDow: 4 },
        _enableOverlays: "1",
        _animationSpeedMultiplier: "1",
            top: "10%",
            speed: 200,
            closeSpeed: 100,
                color: "rgb(255, 255, 255)",
                opacity: "0.6",
                loadSpeed: 200,
                closeSpeed: 100
        _loadedScripts: {"js\/xenforo\/acp_login.js?_v=21d5099e":true},
        _cookieConfig: { path: "/", domain: "", prefix: "xf_"},
        _csrfToken: "",
        _csrfRefreshUrl: "admin.php?login/csrf-token-refresh",
        _jsversion: "21d5099e"
        cancel: "Cancel",
        a_moment_ago:    "A moment ago",
        one_minute_ago:  "1 minute ago",
        x_minutes_ago:  "%minutes% minutes ago",
        today_at_x:      "Today at %time%",
        yesterday_at_x:  "Yesterday at %time%",
        day_x_at_time_y: "%day% at %time%",
        day0: "Sunday",
        day1: "Monday",
        day2: "Tuesday",
        day3: "Wednesday",
        day4: "Thursday",
        day5: "Friday",
        day6: "Saturday",
        _months: "January,February,March,April,May,June,July,August,September,October,November,December",
        _daysShort: "Sun,Mon,Tue,Wed,Thu,Fri,Sat",
        following_error_occurred: "The following error occurred",
            server_did_not_respond_in_time_try_again: "The server did not respond in time. Please try again.",
        click_image_show_full_size_version: "Click this image to show the full-size version.",
        no_items_matched_your_filter: "No items matched your filter."
            <script type="text/javascript" src="js/xenforo/acp_login.js?_v=21d5099e"></script>
        <img src="styles/default/xenforo/XenForo.png" id="loginLogo" alt="Logo" />
                <form action="admin.php?login/login" class="xenForm formOverlay AcpLoginForm" method="post">
        <fieldset id="loginControls">
            <h1>domain.com - Admin Control Panel Login</h1>
            <span class="avatar"><img src="data/avatars/s/0/1.jpg?1299461715" alt="Your avatar" /></span>
            <div class="controlWrapper">
                <label>Name or Email: <span><input type="text" name="login" value="domain.com" class="textCtrl" id="ctrl_login" /></span></label>
                <label>Password: <span><input type="password" name="password" value="" title="Password" class="textCtrl" id="ctrl_password" /></span></label>
                <label>&nbsp; <span><input type="submit" value="Log in" class="button primary" /></span></label>
                <div id="errorMessage"></div>
        <input type="hidden" name="cookie_check" value="1" />
        <input type="hidden" name="redirect" value="/admin.php" />
    <input type="hidden" name="_xfToken" value="" />
  4. Mike

    Mike XenForo Developer Staff Member

    That's just the standard login page, so the htaccess didn't actually block anything. (I'm also confused as to why you'd get that message but have the source of the full login page. That's the only report of that.)
  5. erich37

    erich37 Well-Known Member

    I have dropped you a message via Private Conversation.


Share This Page