Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™
Author Message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Wed Sep 08, 2004 10:13 am Reply with quote

Thanks for letting me know. We will work this into NukeSentinel™ now that I know it works. Now we'll wait for 64bitguy to try it. BTW, you can add more names, one on each line. You can also assign names to groups. There's much that you can do with it. I just wanted to hammer out the bare necessities Wink I will post this as a sticky once I get 64bitguy's feedback.
 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Wed Sep 08, 2004 10:25 am Reply with quote

Since I knew the name of the secret file, I entered it in the browser and was able to view it. So, I moved it to a non-viewable directory and changed the .htaccess file accordingly.
 
View user's profile Send private message
Raven
PostPosted: Wed Sep 08, 2004 10:46 am Reply with quote

Absolutely! That's why you use the REALPATH. You can place it outside of the root web folder. You can also chmod the permissions to only allow execute privledges.
 
Raven
PostPosted: Wed Sep 08, 2004 10:55 am Reply with quote

An even easier way to protect your secret file is to just add another directive to .htaccess Smile

<Files .secretfile>
deny from all
</Files>
 
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Wed Sep 08, 2004 2:46 pm Reply with quote

Now THIS is a set of instructions if I ever saw them!

Who's the man? worship Raven's the man! RavensScripts Worked like a charm!

EXCELLENT SMITHERS... EXCELLENT! Wave

Thanks bigtime!

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
GeekyGuy
Client


Joined: Jun 03, 2004
Posts: 302
Location: Huber Heights Ohio

PostPosted: Wed Sep 08, 2004 6:35 pm Reply with quote

Sounds like a new section for the User Guide is in the near future. kguske, 64bitguy, since you both have experience at implementing this, would you mind sharing with me the steps you took?

_________________
"The Daytona 500 is ours! We won it, we won it, we won it!", Dale Earnhardt, February 15th, 1998, Daytona 500 
View user's profile Send private message Send e-mail Visit poster's website Yahoo Messenger MSN Messenger ICQ Number
kguske
PostPosted: Wed Sep 08, 2004 9:26 pm Reply with quote

I'd be glad to send a write up, but if Raven & Co. include it in the next version of NukeSentinel, the write up would be very different. Raven's instructions were pretty straightforward and easy to follow, and his sample and utility code performed flawlessly. It would be pretty easy to build on that and make it more user friendly, but I think that's what Raven has in mind for the next release (I would gladly test / document / do whatever to assist)..

Again - I MUST share my sincere appreciation and gratitude to Raven for proving his logo: quality with simplicity. It may not be rocket science, but the level of detail (now captured in a sticky) shows how carefully he thought this through. THANKS AGAIN!
 
GeekyGuy
PostPosted: Wed Sep 08, 2004 9:39 pm Reply with quote

Thanks, I'd appreciate your help, I'll re-read the sticky tomorrow and get started writing it up. Anything you can provide will help.

And I agree 100%, these guys are GOOD!

RavensScripts
 
RaDiKaL
New Member
New Member


Joined: Jun 10, 2004
Posts: 23

PostPosted: Thu Sep 09, 2004 2:43 am Reply with quote

Hey guys I just wanted to note that I'm waiting for the access logs. As soon as I have them I'll post any foundings.
 
View user's profile Send private message
oprime2001
Worker
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

PostPosted: Thu Sep 09, 2004 1:51 pm Reply with quote

Raven wrote:

So, let's assume that your secret file is named 64bitsecret. I would make it hidden by naming it .64bitsecret. Now, the contents will be a username:password, like 64bitguy:secretpass, except secretpass needs to be encrypted with the crypt() function. I will not attempt an explanation of the function, but I will provide a short script I wrote to help you Smile. The salt value can be whatever you like.
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>


I dropped that code snippet into an html file, and uploaded it to my phpnuke directory. When I click on the Encrypt button, I get
Quote:
The requested method POST is not allowed for the URL /encrypt.htm.
Am I missing something?

Also, is there an ETA as to when the next version of NukeSentinel will have this type of HTTP Authentication Using PHP CGI and Apache? I'd rather wait on an "official" NukeSentinel upgrade than place this hack temproraily, then later upgrade anyways. Thanks.
 
View user's profile Send private message
Raven
PostPosted: Thu Sep 09, 2004 2:01 pm Reply with quote

This 'hack' will be the 'official' Wink

Are you somehow blocking POST in .htaccess as a security measure?
 
kguske
PostPosted: Thu Sep 09, 2004 2:04 pm Reply with quote

It should be a .php file. e.g. encrypt.php not encrypt.html
 
oprime2001
PostPosted: Thu Sep 09, 2004 3:39 pm Reply with quote

I couldn't get Raven's encrypt sample to work so a quick search on google, and I found the following alternative:
Code:
<?php


// Get string to encrypt
$string = 'mypassword';   // password to encrypt

// Hash string
$hash = 'XX';   // two character salt

// Encrypt string
$output = crypt($string, $hash);

// Send to browser
print('Input: ' . $string . "\n");
print('Output: ' . $output);

?>

Nice! Laughing Now to get HTTP Authentication implemented on the rest of websites that I maintain! Thanks again, Raven!
 
64bitguy
PostPosted: Thu Sep 09, 2004 4:01 pm Reply with quote

GeekyGuy wrote:
Sounds like a new section for the User Guide is in the near future. kguske, 64bitguy, since you both have experience at implementing this, would you mind sharing with me the steps you took?


Are you talking about Raven's Enhanced Admin.php Protection? I'm calling it REAP for short!

I simply followed his instructions:
1) Use encrypt.php to create new encrypted password:
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>


2) I then created the hidden file (in this case, a level that is not under the path of the /public_html/ folder, (so nobody can get to it) containing the username that I wanted to use, followed by a colon : and then the output results of encrypt.php.

I then place my .secretfile in the hidden folder I called /home/USERNAME/.htpasswords/. Again, in this case, it is located outside of my user accessible path of /home/USERNAME/public_html so nobody can get to it.

This also eliminates the need for Raven's new part of the script that must protect the password file itself.

Anyway, my /home/USERNAME/.htpasswords/.secretfile looked just like Raven said it should:
Code:
username:encrypted_password


To get it there, I uploaded the file saved simply as "secretfile" (without the period) to my /home/USERNAME/ directory using my FTP software. I then moved it (using my host provide Cpanel function, "File Manager") to my hidden .htpasswords folder (at /home/USERNAME/.htpasswords/).

Finally, I then used Cpanel's "File Manager" once more to rename the file from secretfile to .secretfile

3) Next, (again using Raven's instructions) I modified my .htaccess file (located at /home/USERNAME/public_html/) to reflect the new information:
Code:
<Files admin.php>

   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /home/USERNAME/.htpasswords/.secretfile
</Files>


Again, you would simply modify the /USERNAME/ section to accurately reflect the username assigned to you by your host.

TADA!

That's it! Works like a charm!


Last edited by 64bitguy on Thu Sep 09, 2004 6:37 pm; edited 5 times in total 
GeekyGuy
PostPosted: Thu Sep 09, 2004 4:27 pm Reply with quote

Thanks for all the info guys. In the next couple of days, I'll get this written up and send it to you to proof read, then it will go in the Official NukeSentinel REAP User Guide Laughing
 
Raven
PostPosted: Thu Sep 09, 2004 5:43 pm Reply with quote

oprime2001 wrote:
I couldn't get Raven's encrypt sample to work so a quick search on google, and I found the following alternative:
Code:
<?php


// Get string to encrypt
$string = 'mypassword';   // password to encrypt

// Hash string
$hash = 'XX';   // two character salt

// Encrypt string
$output = crypt($string, $hash);

// Send to browser
print('Input: ' . $string . "\n");
print('Output: ' . $output);

?>

Nice! Laughing Now to get HTTP Authentication implemented on the rest of websites that I maintain! Thanks again, Raven!
Since you got the password encrypted it's moot, but that script works. Rename it as kguske said (a .php file) and report back please.
 
oprime2001
PostPosted: Thu Sep 09, 2004 6:20 pm Reply with quote

I renamed Raven's sample code below to encrypt.php (instead of encrypt.html), and the script works Very Happy !
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>
 
Raven
PostPosted: Thu Sep 09, 2004 6:57 pm Reply with quote

Smile - Sorry, I thought it was understood that all scripts with php code should be named *.php. I'll be more explicit from now on.
 
oprime2001
PostPosted: Fri Sep 10, 2004 8:53 am Reply with quote

What confused me was this part
Code:
<?

if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>
I am used to seeing this
Code:
<? 


?>
in embedded php in HTML
 
Raven
PostPosted: Fri Sep 10, 2004 9:20 am Reply with quote

Now you're confusing me Laughing That code starts with <? and ends with ?>. What makes it different from your code that you are used to seeing?
 
oprime2001
PostPosted: Fri Sep 10, 2004 11:05 am Reply with quote

Let me clarify myself. Your code as originally posted was
Code:
<form method='post'>

Enter password to be encrypted using crypt(): <input name='pw'><br /><br />
Enter the 'salt' value for the encryption (2 long): <input name='salt' maxlength='2'><br /><br />
<input type='submit' name='submit' value='Encrypt'><br /><br />
<?
if (isset($_POST['submit'])&&isset($_POST['pw'])&&!empty($_POST['pw'])) {
   echo "Password <b>".$_POST['pw']."</b> translated is <b>".crypt($_POST['pw'],$_POST['salt'])."</b>";
}
?>

This did not start with <?php as most php files that I've seen. Instead, we don't see the <? until line 5. Is the <? on line 5 even necessary if the entire file is a php file?
 
kguske
PostPosted: Fri Sep 10, 2004 12:28 pm Reply with quote

Yes. PHP can handle embedded HTML - if the file has a .php extension (or a mod rewrite causes the server to treat other extensions like .shtml or even .html as PHP). The <? tells PHP where the PHP code starts.. But, as far as I know, HTML servers can't handle embedded PHP.
 
Raven
PostPosted: Fri Sep 10, 2004 1:14 pm Reply with quote

Actually they can. You can tell Apache to treat all.htm* as .php and so it will parse the .htm* files looking for php code
Code:
AddType application/x-httpd-php .phtml .php .php3 .htm .html
That is overhead, as all files must pass through the php parser, but it is a popular method. That aside, the fact that code snippets have <? and ?> in them alert you to the fact that it must be a .php file type. As I said, I made a bad assumption on that and I am wiser for it Wink
 
Deseroka
Client


Joined: Apr 15, 2003
Posts: 466
Location: FL

PostPosted: Sat Sep 11, 2004 8:44 pm Reply with quote

Believe me--you need the http authentication. I made the same mistake and left a hole open--and they got me. Thanks to Raven I am back up and running again. (I got some serious ring kissing to do here--I am running over to make a donation to this site for the help I received, anyone wanna come along???)
 
View user's profile Send private message
GeekyGuy
PostPosted: Sat Sep 11, 2004 8:55 pm Reply with quote

I'll be tossing a few nickels Raven's way here in a bit myself. I came in here to get the latest tidbits of info from this thread to add to the completely reworked and reformatted NukeSentinel™ User Guide FAQ. Raven tossed out a few tidbits of code, and I think it was in this thread. Gonna look great, and help out a lot of people when I finish the rewrite. And I have to admit, I've really enjoyed all this coding
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©