admin interface hidden by ht-access

erich37

I do have my ACP admin interface hidden with ht-access.

So when you go to domain.com/admin.php, it will show an error message "401 Authorization required" to the visitors, which is fine.

But when I view the "source code" of that page which shows this "401 Error", then there is certain information visible regarding the XF-code.

Would this be a possible security issue if a hacker sees this code?
 
That page won't have anything from XF - the htaccess is implemented by Apache. XF won't even be executed without getting through it. That's down to Apache configuration.
 
This is showing up in the source code:

Code:
<!DOCTYPE html>
<html id="XenForo" lang="en-US" class="Login">
<head>
    <meta charset="utf-8" />
    <meta name="robots" content="noindex" />
    <title>domain.com Admin Control Panel Login | Admin CP - domain.com - </title>

    <link rel="stylesheet" type="text/css" href="admin.php?_css/&amp;css=public%3Axenforo%2Cpublic%3Aform%2Clogin_page&amp;d=1313028638" />
 
    <script type="text/javascript" src="js/jquery/jquery-1.4.4.min.js"></script>
<script type="text/javascript" src="js/jquery/jquery.xenforo.rollup.js?_v=21d5099e"></script>

<script type="text/javascript" src="js/xenforo/xenforo.js?_v=21d5099e"></script>

<script type="text/javascript">
<!--
jQuery.extend(true, XenForo,
{
    serverTimeInfo: { now: 1313032162, today: 1313013600, todayDow: 4 },
    _enableOverlays: "1",
    _animationSpeedMultiplier: "1",
    _overlayConfig:
    {
        top: "10%",
        speed: 200,
        closeSpeed: 100,
        mask:
        {
            color: "rgb(255, 255, 255)",
            opacity: "0.6",
            loadSpeed: 200,
            closeSpeed: 100
        }
    },
    _loadedScripts: {"js\/xenforo\/acp_login.js?_v=21d5099e":true},
    _cookieConfig: { path: "/", domain: "", prefix: "xf_"},
    _csrfToken: "",
    _csrfRefreshUrl: "admin.php?login/csrf-token-refresh",
    _jsversion: "21d5099e"
});

jQuery.extend(XenForo.phrases,
{
    cancel: "Cancel",

    a_moment_ago:    "A moment ago",
    one_minute_ago:  "1 minute ago",
    x_minutes_ago:  "%minutes% minutes ago",
    today_at_x:      "Today at %time%",
    yesterday_at_x:  "Yesterday at %time%",
    day_x_at_time_y: "%day% at %time%",

    day0: "Sunday",
    day1: "Monday",
    day2: "Tuesday",
    day3: "Wednesday",
    day4: "Thursday",
    day5: "Friday",
    day6: "Saturday",

    _months: "January,February,March,April,May,June,July,August,September,October,November,December",
    _daysShort: "Sun,Mon,Tue,Wed,Thu,Fri,Sat",

    following_error_occurred: "The following error occurred",
        server_did_not_respond_in_time_try_again: "The server did not respond in time. Please try again.",
    click_image_show_full_size_version: "Click this image to show the full-size version.",
    no_items_matched_your_filter: "No items matched your filter."
});
//-->
</script>
        <script type="text/javascript" src="js/xenforo/acp_login.js?_v=21d5099e"></script>
 
</head>
<body>

    <img src="styles/default/xenforo/XenForo.png" id="loginLogo" alt="Logo" />
     
            <form action="admin.php?login/login" class="xenForm formOverlay AcpLoginForm" method="post">

    <fieldset id="loginControls">

        <h1>domain.com - Admin Control Panel Login</h1>
        <span class="avatar"><img src="data/avatars/s/0/1.jpg?1299461715" alt="Your avatar" /></span>
        <div class="controlWrapper">
            <label>Name or Email: <span><input type="text" name="login" value="domain.com" class="textCtrl" id="ctrl_login" /></span></label>
            <label>Password: <span><input type="password" name="password" value="" title="Password" class="textCtrl" id="ctrl_password" /></span></label>
            <label>&nbsp; <span><input type="submit" value="Log in" class="button primary" /></span></label>
            <div id="errorMessage"></div>

        </div>
    </fieldset>

    <input type="hidden" name="cookie_check" value="1" />
    <input type="hidden" name="redirect" value="/admin.php" />
  
<input type="hidden" name="_xfToken" value="" />
</form>
 
</body>
</html>
 
That's just the standard login page, so the htaccess didn't actually block anything. (I'm also confused as to why you'd get that message but have the source of the full login page. That's the only report of that.)
 

I have dropped you a message via Private Conversation.

Thanks!
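
The replies above make the point that a working .htaccess rule means Apache answers before XenForo runs, so the 401 body should contain nothing from admin.php. The following is an added example, not part of the original thread: it checks an unauthenticated response for the Basic challenge and for strings from the login-page source posted above. The function names and the two sample responses are constructed for illustration.

```python
import re

# Strings taken from the login-page source posted in this thread; any of them in a
# response body means XenForo's admin.php was executed and rendered output.
APP_MARKERS = ('<html id="XenForo"', 'name="_xfToken"', 'admin.php?login/login')


def parse_response(raw):
    """Split a raw HTTP response into (status, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def check_gate(raw):
    """Return findings for an unauthenticated request; empty list = gate held."""
    status, headers, body = parse_response(raw)
    findings = []
    if status != 401:
        findings.append("status is %d, expected 401" % status)
    if not re.match(r"(?i)basic\b", headers.get("www-authenticate", "")):
        findings.append("no Basic WWW-Authenticate challenge")
    for marker in APP_MARKERS:
        if marker in body:
            findings.append("application output in body: " + marker)
    return findings


# Constructed sample responses (not captured from any real site).
BLOCKED = ("HTTP/1.1 401 Unauthorized\r\n"
           'WWW-Authenticate: Basic realm="ACP"\r\n'
           "Content-Type: text/html\r\n\r\n"
           "<html><head><title>401 Authorization Required</title></head></html>")
LEAKING = ("HTTP/1.1 200 OK\r\n"
           "Content-Type: text/html\r\n\r\n"
           '<html id="XenForo" lang="en-US" class="Login">'
           '<form action="admin.php?login/login" method="post">'
           '<input type="hidden" name="_xfToken" value="" /></form></html>')

if __name__ == "__main__":
    for name, raw in (("blocked", BLOCKED), ("leaking", LEAKING)):
        print(name, check_gate(raw) or "gate held")
```

Feed it the raw response from a fresh, unauthenticated client (no cached credentials or cookies), since a browser's "view source" may show a different response than the one first rendered.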
 