Protecting Admin CP with HTTP auth

I suppose one could use this:

Code:
<?php
// Credentials checked by the HTTP Basic challenge below
define('USERNAME', 'administrator');
define('PASSWORD', 'temporary_Password:01');

// Allow list of REMOTE_USER values accepted when the web server has already
// authenticated the request; 'all' accepts any authenticated user
// (placeholder value: the original snippet used $user_allowed without defining it)
$user_allowed = array('administrator');

if (!empty($_SERVER['AUTH_TYPE']) && !empty($_SERVER['REMOTE_USER']) && strcasecmp($_SERVER['REMOTE_USER'], 'anonymous')) {
    // Server-level auth already happened: only check the user is on the allow list
    if (!in_array(strtolower($_SERVER['REMOTE_USER']), array_map('strtolower', $user_allowed)) && !in_array('all', array_map('strtolower', $user_allowed))) {
        echo 'You are not authorised to view this page.';
        exit;
    }
} else if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || $_SERVER['PHP_AUTH_USER'] != USERNAME || $_SERVER['PHP_AUTH_PW'] != PASSWORD) {
    // No credentials, or wrong ones: send the Basic challenge and stop
    header('WWW-Authenticate: Basic realm="XenForo Administrator Login"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
 
Just let .htaccess / .htpasswd deal with it.

Anyway;

Code:
AuthName "admincp"
AuthType Basic
AuthUserFile /home/floris/private/.htpasswd
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>
 
Just let .htaccess / .htpasswd deal with it. Btw, there's a security exploit with that code you posted.

Anyway;

Code:
AuthName "admincp"
AuthType Basic
AuthUserFile /home/floris/private/.htpasswd
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>

That works on Linux; for Windows people, they could protect it by using IIS' basic auth mechanism. Floris, can you PC me with details of the exploit?
 
I misread the code, I am sure it's fine. It scrolled weird for me, overlooked something.

.htaccess/.htpasswd can be used by Windows too btw. I am sure Apache works on Windows.
 
I misread the code, I am sure it's fine. It scrolled weird for me, overlooked something.

.htaccess/.htpasswd can be used by Windows too btw. I am sure Apache works on Windows.

Phew, I was going to scream. (It's the standard script login issue for a few admin pages on a few of my sites.)
I keep forgetting that people use Apache on Windows. I'm going to try it, some day.
 
It's a security issue that the pass is in the PHP code, in plain text, on its own. But like you said, it's old code, and I am sure you're wise enough to not use it.
 
It's a security issue that the pass is in the PHP code, in plain text, on its own. But like you said, it's old code, and I am sure you're wise enough to not use it.

Yeah, I'm slowly updating the remaining sites which use that code. The new system uses an AJAX login. More secure and easier.
 
If you don't use .htaccess/.htpasswd, store the data hashed with a unique salt per user, in the database. This also grants you lots more control over the people that can and cannot log in, and you can apply tricks, so spoofing a host is a lot harder.
 
The .htaccess method offers another benefit: the ability to share SSO with SVN, MediaWiki, and any other applications you may use that support .htaccess-type authentication :)
 
If you don't use .htaccess/.htpasswd, store the data hashed with a unique salt per user, in the database. This also grants you lots more control over the people that can and cannot log in, and you can apply tricks, so spoofing a host is a lot harder.

Yep, I'm using nearly the same mechanism as I thought vB was using. The intranet software uses two salts, one user-specific and the other site-instance-specific.
 
Compared to the code you posted above, I totally believe you :)
I wish there was a magic wand which did the updating for me :/

Code:
$salt = "L3549155"; // site-wide salt, taken from site.config.php (software configuration file)
// Query that fetches the per-user hash (the user-specific salt); $userhash is meant to hold its single result
$userhash = "SELECT hash FROM ".$db_config['tbl_user']." WHERE username = '".$u."'";
// Login check: note that $u and $p come straight from the login form and are concatenated into the SQL unescaped
$sql = "SELECT * FROM ".$db_config['tbl_user']." WHERE username = '".$u."' AND userpassword = '".md5($salt.$p.$userhash)."'";

My method of authentication isn't the best, but I'm currently looking at the main functionality.

Back on topic though, it is possible.
 
vrtsolus, I was wondering. Do you mean that you hash it twice with two separate salts? Or that you only hash it once with the two separate salts? I'm a little confused.

This is what I do:

Code:
md5($salt.$p.$userhash);

where $userhash is the defined hash for that specific user.

I did consider

Code:
md5($salt.md5($userhash.$p));
 
If you have a secret password, and hash it.
or
If you have a secret salt, and hash it.

It's the same.

A hash, without a salt.

Rainbow table the md5 and you get the secret salt (or secret pass) ..

So you need to have a unique salt for the hash, not hash the unique salt.

And that's how vBulletin basically did it:

md5(md5(md5('password') . user.salt) . licensenumber)
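As an added example (not code from any poster here, nor vBulletin's or XenForo's own), this Python sketch puts the last few posts together: a unique per-user salt inside the stored hash, laid out in the three-stage md5 form quoted above, and a Basic-auth check against that store instead of a plaintext password constant in the script. The licence value, users and password are constructed; md5 is kept only to match the thread, and a new deployment would use a password hashing function such as bcrypt instead.

```python
import base64
import hashlib
import secrets

LICENSE = "LICENSE-PLACEHOLDER"   # constructed stand-in for the site-wide secret (the vB licence number)
SITE_SALT = "L3549155"            # the site-wide salt value quoted earlier in the thread


def vb_hash(password: str, user_salt: str, license_number: str) -> str:
    """The scheme quoted above: md5(md5(md5(password) . user_salt) . license_number)."""
    inner = hashlib.md5(password.encode()).hexdigest()
    mid = hashlib.md5((inner + user_salt).encode()).hexdigest()
    return hashlib.md5((mid + license_number).encode()).hexdigest()


def site_salt_only_hash(password: str, site_salt: str) -> str:
    """The 'hash the secret salt' variant: no per-user input, so equal passwords collide."""
    return hashlib.md5((site_salt + password).encode()).hexdigest()


def make_user(password: str, license_number: str) -> dict:
    """Create a stored record with a fresh, unique per-user salt; the password itself is never stored."""
    user_salt = secrets.token_hex(8)
    return {"salt": user_salt, "hash": vb_hash(password, user_salt, license_number)}


def basic_header(username: str, password: str) -> str:
    """Build the header a browser sends after a 401 Basic challenge (used for the demo)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def check_basic_auth(header_value: str, users: dict, license_number: str) -> bool:
    """Validate an 'Authorization: Basic ...' value against the salted store, comparing in constant time."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        username, _, password = base64.b64decode(encoded, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):   # malformed base64 or non-UTF-8 payload
        return False
    record = users.get(username)
    if record is None:
        return False
    return secrets.compare_digest(vb_hash(password, record["salt"], license_number), record["hash"])


if __name__ == "__main__":
    users = {name: make_user("correct horse", LICENSE) for name in ("alice", "bob")}
    print("per-user salt, same password -> different hashes:", users["alice"]["hash"] != users["bob"]["hash"])
    print("site salt only, same password -> identical hash for every user:", site_salt_only_hash("correct horse", SITE_SALT))
    print("alice logs in:", check_basic_auth(basic_header("alice", "correct horse"), users, LICENSE))
```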
 
I just had my IP server blocked by my host due to exceeding the number of attempts whilst trying to get password protection on my admin.php :D

As far as I can see everything looks correct but it just won't work :confused:

What is the path for the AuthUserFile?
Is it relative to the .htaccess or static from the server root?

I have this in my .htaccess file which is in the same directory as admin.php:
Code:
<Files admin.php>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /misc/.htpasswd
Require valid-user
</Files>

And then in the /misc directory (which is under my domain root - cliptheapex.com/misc), I have the .htpasswd file.

It just won't work though and I've tried every path I can think of: home/misc, ../misc, /misc, etc.
 