
Protecting Admin CP with HTTP auth

Shamil

Well-known member
#3
I suppose one could use this:

Code:
<?php
define('USERNAME', 'administrator');
define('PASSWORD', 'temporary_Password:01');
// Users already authenticated by the web server who may pass; 'all' admits any of them.
// $user_allowed was not defined in the original snippet, so this default is an assumption.
$user_allowed = array('all');

if (!empty($_SERVER['AUTH_TYPE']) && !empty($_SERVER['REMOTE_USER']) && strcasecmp($_SERVER['REMOTE_USER'], 'anonymous')) {
    // The web server has already authenticated this request; enforce the allow list
    if (!in_array(strtolower($_SERVER['REMOTE_USER']), array_map('strtolower', $user_allowed)) && !in_array('all', array_map('strtolower', $user_allowed))) {
        echo 'You are not authorised to view this page.';
        exit;
    }
} else if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_USER'] != USERNAME || $_SERVER['PHP_AUTH_PW'] != PASSWORD) {
    // Missing or wrong credentials: send the Basic auth challenge and stop
    header('WWW-Authenticate: Basic realm="XenForo Administrator Login"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
 

Floris

Guest
#4
Just let .htaccess / .htpasswd deal with it.

Anyway;

Code:
AuthName "admincp"
AuthType Basic
AuthUserFile /home/floris/private/.htpasswd
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>
 

Shamil

Well-known member
#5
> Just let .htaccess / .htpasswd deal with it. Btw, there's a security exploit with that code you posted.
>
> Anyway;
>
> Code:
> AuthName "admincp"
> AuthType Basic
> AuthUserFile /home/floris/private/.htpasswd
> AuthGroupFile /dev/null
> <Files admin.php>
> require valid-user
> </Files>
That works on Linux; Windows people could protect it by using IIS' basic auth mechanism. Floris, can you PC me with details of the exploit?
 

Floris

Guest
#6
I misread the code, I am sure it's fine. It scrolled weird for me, overlooked something.

.htaccess/.htpasswd can be used by Windows too btw. I am sure Apache works on Windows.
 

Shamil

Well-known member
#7
> I misread the code, I am sure it's fine. It scrolled weird for me, overlooked something.
>
> .htaccess/.htpasswd can be used by Windows too btw. I am sure Apache works on Windows.
Phew, I was going to scream. (It's the standard script login issue for a few admin pages on a few of my sites.)
I keep forgetting that people use Apache on Windows. I'm going to try it, some day.
 

Floris

Guest
#10
It's a security issue that the pass is in the php code, in plain text, on its own. But like you said, it's old code, and I am sure you're wise enough to not use it.
 

Shamil

Well-known member
#11
> It's a security issue that the pass is in the php code, in plain text, on its own. But like you said, it's old code, and I am sure you're wise enough to not use it.
Yeah, I'm slowly updating the remaining sites which use that code. The new system uses an AJAX login. More secure and easier.
 

Floris

Guest
#12
If you don't use .htaccess/.htpasswd, store the data hashed with a unique salt per user, in the database. This also grants you lots more control over the people that can and can not login, and you can apply tricks, so spoofing a host is a lot harder.
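One way to apply this advice to the PHP gate from post #3, as an added Python example that is not code from the thread or from XenForo: the same Basic auth exchange, but the credential is checked against a per-user salted PBKDF2 digest in constant time instead of a plaintext constant compared with `!=`. The in-memory user store, the iteration count and the sample credential are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000
CHALLENGE = (401, {"WWW-Authenticate": 'Basic realm="XenForo Administrator Login"'})  # realm from post #3

def make_record(password):
    """Random per-user salt plus PBKDF2 digest; only these two values are stored."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}

# Constructed in-memory store standing in for the database table the post suggests.
USERS = {"administrator": make_record("temporary_Password:01")}

def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        # Do the same work for an unknown name so timing does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time, unlike PHP's !=

def basic_header(username, password):
    """Header value a browser sends back after the 401 challenge."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def check_basic_auth(headers):
    """Return (status, response_headers) for one request, mirroring the PHP gate."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return CHALLENGE
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return CHALLENGE
    # Split on the first colon only: the password itself may contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep or not verify(username, password):
        return CHALLENGE
    return 200, {}

if __name__ == "__main__":
    print(check_basic_auth({}))
    print(check_basic_auth({"Authorization": basic_header("administrator", "temporary_Password:01")}))
```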
 

Andy Huang

Well-known member
#13
.htaccess method offers another benefit: Ability to share SSO with SVN, MediaWiki, and any other applications that you may use which offers support on .htaccess type of authentication :)
 

Shamil

Well-known member
#14
> If you don't use .htaccess/.htpasswd, store the data hashed with a unique salt per user, in the database. This also grants you lots more control over the people that can and can not login, and you can apply tricks, so spoofing a host is a lot harder.
Yep, I'm using nearly the same mechanism as I thought vB was using. The intranet software uses two salts, one user-specific and the other site-instance specific.
 

Shamil

Well-known member
#16
> Compared to the code you posted above, I totally believe you :)
I wish there was a magic wand which did the updating for me :/

Code:
$salt = "L3549155"; // this is taken from site.config.php (software configuration file)
$userhash = "SELECT hash FROM ".$db_config['tbl_user']." WHERE username = '".$u."'"; // looks up the per-user hash
$sql = "SELECT * FROM ".$db_config['tbl_user']." WHERE username = '".$u."' AND userpassword = '".md5($salt.$p.$userhash)."'";
My method of authentication isn't the best, but I'm currently looking at the main functionality.

Back on topic though, it is possible.
 

Ben Davis

Active member
#17
vrtsolus, I was wondering. Do you mean that you hash it twice with two separate salts? Or that you only hash it once with the two separate salts? I'm a little confused.
 

Shamil

Well-known member
#18
> vrtsolus, I was wondering. Do you mean that you hash it twice with two separate salts? Or that you only hash it once with the two separate salts? I'm a little confused.
This is what I do:

Code:
md5($salt.$p.$userhash);
where $userhash is the defined hash for that specific user.

I did consider

Code:
md5($salt.md5($userhash.$p));
 

Floris

Guest
#19
If you have a secret password, and hash it.
or
If you have a secret salt, and hash it.

It's the same.

A hash, without a salt.

Rainbow table the md5 and you get the secret salt (or secret pass) ..

So you need to have a unique salt for the hash, not hash the unique salt.

And that's how vBulletin basically did it:

md5(md5(md5('password') . user.salt) . licensenumber)
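To make the point above concrete, as an added Python example that is not from the thread: two accounts with the same password hashed under the one site-wide salt from the post #16 snippet, versus under a random salt per user, plus the vBulletin chain quoted above. The wordlist, account names, salts and licence string are constructed for the example.

```python
import hashlib
import os

SITE_SALT = "L3549155"  # the single site-wide salt from the post #16 snippet
WORDLIST = ["letmein", "password", "hunter2", "admin123"]  # constructed attacker wordlist

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def vbulletin_hash(password, user_salt, license_number):
    """The chain quoted above: md5(md5(md5('password') . user.salt) . licensenumber)."""
    return md5hex(md5hex(md5hex(password) + user_salt) + license_number)

def global_salt_demo(accounts):
    """Every account under the one secret salt: once the salt is known, one table fits all."""
    stored = {u: md5hex(SITE_SALT + p) for u, p in accounts.items()}
    table = {md5hex(SITE_SALT + w): w for w in WORDLIST}  # precomputed once, reused for every user
    recovered = {u: table.get(h) for u, h in stored.items()}
    collide = len(set(stored.values())) < len(stored)  # same password gives the same digest
    return recovered, collide, 1  # tables built

def per_user_salt_demo(accounts):
    """Each account gets its own random salt stored beside the digest."""
    stored = {u: (os.urandom(8).hex(), p) for u, p in accounts.items()}
    stored = {u: (salt, md5hex(salt + p)) for u, (salt, p) in stored.items()}
    recovered, tables_built = {}, 0
    for u, (salt, h) in stored.items():
        table = {md5hex(salt + w): w for w in WORDLIST}  # has to be rebuilt for every salt
        tables_built += 1
        recovered[u] = table.get(h)
    collide = len({h for _, h in stored.values()}) < len(stored)
    return recovered, collide, tables_built

if __name__ == "__main__":
    sample = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery"}
    print(global_salt_demo(sample))
    print(per_user_salt_demo(sample))
```

A per-user salt stops one precomputed table from covering every account and hides which users share a password; it does not slow a fast hash like md5 against any single account, which is why a deliberately slow hash is the other half of the fix.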
 

Brogan

XenForo moderator
Staff member
#20
I just had my IP server blocked by my host due to exceeding the number of attempts whilst trying to get password protection on my admin.php :D

As far as I can see everything looks correct but it just won't work :confused:

What is the path for the AuthUserFile?
Is it relative to the .htaccess or static from the server root?

I have this in my .htaccess file which is in the same directory as admin.php:
Code:
<Files admin.php>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /misc/.htpasswd
Require valid-user
</Files>
And then in the /misc directory (which is under my domain root - cliptheapex.com/misc), I have the .htpasswd file.

It just won't work though and I've tried every path I can think of: home/misc, ../misc, /misc, etc.