Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

PostPosted: Mon May 03, 2004 9:50 pm Reply with quote

I have been testing using HTTP Basic Authentication to add a top level security layer for admin access. It requires 2 id and password authentication. You have a private file that contains an id and encrypted password. Then, in admin.php, that file is used to verify top level authentication using HTTP Basic Authentication. Once that is passed, the regular nuke admin functionality kicks in. Here is what the private file (myprivatefile.php) might look like
Code:
<?

$ravenAdminID   = 'secretID';
$ravenAdminPASS = '8eee3efdde1eb6cf6639a58848362bf4';
?>
Then, this code can be placed in a file also, like (basicauthfile.php). This code is from phpmyadmin.
Code:
<?

// Grabs the $PHP_AUTH_USER variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
// loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
if (empty($PHP_AUTH_USER)) {
   if (!empty($_SERVER) && isset($_SERVER['PHP_AUTH_USER'])) {
      $PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
   }
   else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) {
      $PHP_AUTH_USER = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
   }
   else if (isset($REMOTE_USER)) {
      $PHP_AUTH_USER = $REMOTE_USER;
   }
   else if (!empty($_ENV) && isset($_ENV['REMOTE_USER'])) {
      $PHP_AUTH_USER = $_ENV['REMOTE_USER'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['REMOTE_USER'])) {
      $PHP_AUTH_USER = $HTTP_ENV_VARS['REMOTE_USER'];
   }
   else if (@getenv('REMOTE_USER')) {
      $PHP_AUTH_USER = getenv('REMOTE_USER');
   }
   // Fix from Matthias Fichtner for WebSite Professional - Part 1
   else if (isset($AUTH_USER)) {
      $PHP_AUTH_USER = $AUTH_USER;
   }
   else if (!empty($_ENV) && isset($_ENV['AUTH_USER'])) {
      $PHP_AUTH_USER = $_ENV['AUTH_USER'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['AUTH_USER'])) {
      $PHP_AUTH_USER = $HTTP_ENV_VARS['AUTH_USER'];
   }
   else if (@getenv('AUTH_USER')) {
      $PHP_AUTH_USER = getenv('AUTH_USER');
   }
}
// Grabs the $PHP_AUTH_PW variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
// loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
if (empty($PHP_AUTH_PW)) {
   if (!empty($_SERVER) && isset($_SERVER['PHP_AUTH_PW'])) {
      $PHP_AUTH_PW = $_SERVER['PHP_AUTH_PW'];
   }
   else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['PHP_AUTH_PW'])) {
      $PHP_AUTH_PW = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
   }
   else if (isset($REMOTE_PASSWORD)) {
      $PHP_AUTH_PW = $REMOTE_PASSWORD;
   }
   else if (!empty($_ENV) && isset($_ENV['REMOTE_PASSWORD'])) {
      $PHP_AUTH_PW = $_ENV['REMOTE_PASSWORD'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['REMOTE_PASSWORD'])) {
      $PHP_AUTH_PW = $HTTP_ENV_VARS['REMOTE_PASSWORD'];
   }
   else if (@getenv('REMOTE_PASSWORD')) {
      $PHP_AUTH_PW = getenv('REMOTE_PASSWORD');
   }
   // Fix from Matthias Fichtner for WebSite Professional - Part 2
   else if (isset($AUTH_PASSWORD)) {
      $PHP_AUTH_PW = $AUTH_PASSWORD;
   }
   else if (!empty($_ENV) && isset($_ENV['AUTH_PASSWORD'])) {
      $PHP_AUTH_PW = $_ENV['AUTH_PASSWORD'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['AUTH_PASSWORD'])) {
      $PHP_AUTH_PW = $HTTP_ENV_VARS['AUTH_PASSWORD'];
   }
   else if (@getenv('AUTH_PASSWORD')) {
      $PHP_AUTH_PW = getenv('AUTH_PASSWORD');
   }
}
// Gets authenticated user settings with IIS
if (empty($PHP_AUTH_USER) && empty($PHP_AUTH_PW)
   && function_exists('base64_decode')) {
   if (!empty($HTTP_AUTHORIZATION)
      && ereg('^Basic ', $HTTP_AUTHORIZATION)) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr($HTTP_AUTHORIZATION, 6)));
   }
   else if (!empty($_ENV)
       && isset($_ENV['HTTP_AUTHORIZATION'])
       && ereg('^Basic ', $_ENV['HTTP_AUTHORIZATION'])) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr($_ENV['HTTP_AUTHORIZATION'], 6)));
   }
   else if (!empty($HTTP_ENV_VARS)
          && isset($HTTP_ENV_VARS['HTTP_AUTHORIZATION'])
          && ereg('^Basic ', $HTTP_ENV_VARS['HTTP_AUTHORIZATION'])) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr($HTTP_ENV_VARS['HTTP_AUTHORIZATION'], 6)));
   }
   else if (@getenv('HTTP_AUTHORIZATION')
          && ereg('^Basic ', getenv('HTTP_AUTHORIZATION'))) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr(getenv('HTTP_AUTHORIZATION'), 6)));
   }
} // end IIS

if (!($HTTP_SERVER_VARS['PHP_AUTH_USER']=="$ravenAdminID" && md5($HTTP_SERVER_VARS['PHP_AUTH_PW'])==trim("$ravenAdminPASS"))) {
   header("WWW-Authenticate: Basic realm=Protected");
   header("HTTP/1.0 401 Unauthorized");
   echo "Get Out Of Here!";
   echo "<br /><br />";
   die();
}
?>
Now, in admin.php, place these 2 lines
Code:
require_once('myprivatefile.php');

require_once('basicauthfile.php');
right before
Code:
require("auth.php");

The beauty is that you can place those files wherever you want and you can name the variables whatever you want. Let me know your thoughts and experiences. Obviously, you can use this technique elsewhere too.

Also, here is a little script to help you md5() your password. You could use whatever hash/crypt routine you wanted as long as you adjust the HTTP Auth code
Code:
<?

echo md5("testpw");
?>


You could also redirect the three strikes and you're out to my hackalert script instead of just 'Get out of here'. It is very flexible Smile


Last edited by Raven on Tue May 04, 2004 1:35 pm; edited 2 times in total 
View user's profile Send private message
sharlein
Member Emeritus



Joined: Nov 19, 2002
Posts: 322
Location: On the Road

PostPosted: Tue May 04, 2004 12:11 am Reply with quote

Raven, I have it on my site. The only problem I had was that I had to logout as admin, and then log back on.
 
View user's profile Send private message
GanjaUK
Life Cycles Becoming CPU Cycles



Joined: Feb 14, 2004
Posts: 633
Location: England

PostPosted: Tue May 04, 2004 2:27 am Reply with quote

I will have to try this again later, tried it earlier and it didnt work, it displayed the contents of basicauthfile.php above the header when viewing admin.php. Its late though, so I probably messed something up. HitsFan

_________________
Image
Need a quality custom theme designed? PM me!
 
View user's profile Send private message Visit poster's website
Raven







PostPosted: Tue May 04, 2004 4:24 am Reply with quote

sharlein wrote:
Raven, I have it on my site. The only problem I had was that I had to logout as admin, and then log back on.
That would be true. HTTP Basic Auth requires 1 login per browser session. Meaning, the signon is valid only for the duration of that browser session. If you open up a new instance of the browser it will require a new login. If you were logged in as admin and then added this code, the browser has never seen the HTTP Auth so it will require authorization one time for that browser session.
 
Coldy
Hangin' Around



Joined: Apr 24, 2004
Posts: 48
Location: Austria

PostPosted: Tue May 04, 2004 5:06 am Reply with quote

Hi!

I've test some different variations, and it works very good!
But i have an other question about this:
Code:
<? 

echo md5("testpw");
?>

Should i take this in a new file? Confused

Coldy Cool
 
View user's profile Send private message
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

PostPosted: Tue May 04, 2004 5:31 am Reply with quote

Nice truely platform independent makes robot and brute force attacks very expensive. Simple cookie traps too which is getting more common all the time.
 
View user's profile Send private message
Raven







PostPosted: Tue May 04, 2004 5:38 am Reply with quote

Coldy wrote:
Hi!

I've test some different variations, and it works very good!
But i have an other question about this:
Code:
<? 

echo md5("testpw");
?>

Should i take this in a new file? Confused

Coldy Cool
Yes. Just save that to a file and call it whatever you want. It is simply a utility to one-way encode your secret password that you will place in your private file. Keep in mind that you could also hide the id and pass in a table and read the table. It's very flexible.
 
Coldy







PostPosted: Tue May 04, 2004 8:46 am Reply with quote

Thx! Smile
Now it works pervect!
I test it on 5.6, 6.0, 6.5, and 7.1 without any problems!

Coldy Cool
 
Rikk03
Worker
Worker



Joined: Feb 16, 2004
Posts: 164

PostPosted: Tue May 04, 2004 9:13 am Reply with quote

Check out the new NSN Admin Secure
 
View user's profile Send private message
Raven







PostPosted: Tue May 04, 2004 9:20 am Reply with quote

Rikk03 wrote:
Check out the new NSN Admin Secure
Why? I don't mind references to other sites/applications, but some editorial content would help. Thanks.
 
Rikk03







PostPosted: Tue May 04, 2004 9:23 am Reply with quote

Sorry - it just sounds like something similar ........to secure admin and i thought it would be of interest since it is the topic of this Forum
 
Raven







PostPosted: Tue May 04, 2004 9:29 am Reply with quote

I'm sure there are many variations on a theme Laughing. That's why it becomes a little silly to try to copyright everything and claim you are the first, etc. I have never looked at that application as I tend to write all of my own, for better or worse. And with all the accusations flying around these days, that's all the more reason that I just do my own thing, so to speak. Bob writes very good applications also. You usually won't go wrong with his stuff. The purpose of this thread is to gather feedback on my offering so that I can publish it. That's why I needed to know how your post fit. Thanks.
 
sharlein







PostPosted: Tue May 04, 2004 10:18 am Reply with quote

Are you able to use multiple admins with this code?
 
Raven







PostPosted: Tue May 04, 2004 10:24 am Reply with quote

As shown here all admins require the same id and password for the initial passcode. This could easily be rewritten to query the authors table and use the nuke adminid/password. With about the same amount of effort, it could be modified to have multiple ids/passwords in the private file.
 
sharlein







PostPosted: Tue May 04, 2004 10:29 am Reply with quote

Thank you. Very Happy
 
Goldberg
New Member
New Member



Joined: Feb 09, 2004
Posts: 18

PostPosted: Tue May 04, 2004 11:41 am Reply with quote

THis is a simmular mod as the one from Telli [ Only registered users can see links on this board! Get registered or login! ] ecxept for the fact that you've ibuild a new .php file. I will try yours to and see which one I like best (maybe use both if possible..)
 
View user's profile Send private message
Raven







PostPosted: Tue May 04, 2004 11:54 am Reply with quote

Never saw that one either. I've been using/testing/perfecting mine since a least the first of April. As I said, variations on a theme - a two tier approach to security. Mine is written to be platform independent and to be able to resolve cookie issues as well as variable issues.
 
Goldberg







PostPosted: Tue May 04, 2004 12:10 pm Reply with quote

I can't get it to work properly. On the admin login i get the entire basicauthfile.php on top of the page. I can't login. Does the basicauthfile.php needs to be between <? and ?> ?
 
Raven







PostPosted: Tue May 04, 2004 12:12 pm Reply with quote

Nope. If you are using some other code they may be clashing. It works if edited exactly as stated.
 
GanjaUK







PostPosted: Tue May 04, 2004 1:08 pm Reply with quote

Goldberg wrote:
I can't get it to work properly. On the admin login i get the entire basicauthfile.php on top of the page. I can't login. Does the basicauthfile.php needs to be between <? and ?> ?


Yeah, thats excactly the same problem I had last night. It also makes the security code show a 404. Thought I had done it wrong to start with, guess not.
 
Raven







PostPosted: Tue May 04, 2004 1:17 pm Reply with quote

As I said above, I imagine it's some other security code you have on top of this. Please post everything that is above the require("auth.php") line and I will look at it.
 
GanjaUK







PostPosted: Tue May 04, 2004 1:20 pm Reply with quote

Code:


if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
die("Illegal Operation");
}
$checkurl = $_SERVER['REQUEST_URI'];

if (preg_match("/\?admin/", "$checkurl")) {
echo "die";
exit;
}
require_once("mainfile.php");
get_lang(admin);

function create_first($name, $url, $email, $pwd, $user_new) {
    global $prefix, $db, $user_prefix;
    $first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
    if ($first == 0) {
   $pwd = md5($pwd);
   $the_adm = "God";
   $db->sql_query("INSERT INTO ".$prefix."_authors VALUES ('$name', '$the_adm', '$url', '$email', '$pwd', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '1', '')");
   if ($user_new == 1) {
       $user_regdate = date("M d, Y");
       $user_avatar = "gallery/blank.gif";
       $commentlimit = 4096;
       if ($url == "http://") { $url = ""; }
            $db->sql_query("INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_level, user_lang, user_dateformat) VALUES (NULL,'$name','$email','$url','$user_avatar','$user_regdate','$pwd','$Default_Theme','$commentlimit', '2', 'english','D M d, Y g:i a')");
   }
   login();
    }
}

$the_first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
if ($the_first == 0) {
    if (!$name) {
    include("header.php");
    title("$sitename: "._ADMINISTRATION."");
    OpenTable();
    echo "<center><b>"._NOADMINYET."</b></center><br><br>"
   ."<form action=\"admin.php\" method=\"post\">"
   ."<table border=\"0\">"
   ."<tr><td><b>"._NICKNAME.":</b></td><td><input type=\"text\" name=\"name\" size=\"30\" maxlength=\"25\"></td></tr>"
   ."<tr><td><b>"._HOMEPAGE.":</b></td><td><input type=\"text\" name=\"url\" size=\"30\" maxlength=\"255\" value=\"http://\"></td></tr>"
   ."<tr><td><b>"._EMAIL.":</b></td><td><input type=\"text\" name=\"email\" size=\"30\" maxlength=\"255\"></td></tr>"
   ."<tr><td><b>"._PASSWORD.":</b></td><td><input type=\"password\" name=\"pwd\" size=\"11\" maxlength=\"10\"></td></tr>"
   ."<tr><td colspan=\"2\">"._CREATEUSERDATA."  <input type=\"radio\" name=\"user_new\" value=\"1\" checked>"._YES."&nbsp;&nbsp;<input type=\"radio\" name=\"user_new\" value=\"0\">"._NO."</td></tr>"
   ."<tr><td><input type=\"hidden\" name=\"fop\" value=\"create_first\">"
   ."<input type=\"submit\" value=\""._SUBMIT."\">"
   ."</td></tr></table></form>";
    CloseTable();
    include("footer.php");
    }
    switch($fop) {
   case "create_first":
   create_first($name, $url, $email, $pwd, $user_new);
   break;
    }
    die();
}

require("auth.php");
 
Raven







PostPosted: Tue May 04, 2004 1:30 pm Reply with quote

Are these two files in the same folder as mainfile.php?

require_once('myprivatefile.php');
require_once('basicauthfile.php');
 
GanjaUK







PostPosted: Tue May 04, 2004 1:36 pm Reply with quote

I actually put them in another folder in admin, you said you could put them anywhere didnt you? I just had the contents of basicauthfile displayed in text above the header.
 
Raven







PostPosted: Tue May 04, 2004 1:36 pm Reply with quote

The code was missing the <? and ?> tags - sorry! Add those and see if that fixes it.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©