Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x
Author Message
jiralhanae
New Member
New Member


Joined: Sep 02, 2007
Posts: 5

PostPosted: Sun Sep 02, 2007 6:48 pm Reply with quote

Hello!

I have recently installed NukeSentinel 2.5.11 on phpnuke 7.6(patched 3.3) and it works without any complications. Smile

I'm using adminCGIauth having this inside my .htaccess file(which is in the root dir):
Code:
<Files .ftaccess>

  deny from all
</Files>

<Files .staccess>
  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /my/path/to/.staccess
</Files>


And it works like it should, so far. But it seems that it also protects files named admin.php that are outside of the root dir. I'm using Vwar, a module for adding clanmatches, organizing members and so on.(for online gaming clans)

This module's admin section uses %rootdir%/modules/vWar/admin/admin.php for adding new matches, for example. But it seems that it's protected by the .htaccess file from the root dir. I would like to allow regular users to administrate vWar, so I'm looking for a good solution to only protect %rootdir%/admin.php with adminCGIauth.

Any ideas for a good solution? Is it possible to rename/move the admin.php maybe?

Thanks in advance for your help, I appreciate it very much. Smile
 
View user's profile Send private message
fkelly
Former Moderator in Good Standing


Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY

PostPosted: Sun Sep 02, 2007 7:32 pm Reply with quote

You can rename the admin file in standard RN. Instructions for this are in the config.php file in your nuke root directory. I would think that you would then have to change the htaccess file in your root directory to protect "whatever_youve_renamed_it_to.php" instead of admin.php. But I haven't tried this and can't guarantee it would work. I can pretty much guarantee that the basic renaming that's detailed in config.php will work unless you have some third party module that refers to a hard-coded admin.php file.

There might be a simpler way. How do you know that cgiauth is extending to that file in the /vwar directory? It doesn't look right to me but I don't have an easy way to test it here. Maybe one of the htaccess gurus here can help with this before you start renaming the admin files.
 
View user's profile Send private message Visit poster's website
Gremmie
Former Moderator in Good Standing


Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA

PostPosted: Sun Sep 02, 2007 8:19 pm Reply with quote

I am really surprised that it is protecting that other admin.php. .htaccess works on a per-directory basis from what I understand. Are you sure you don't have another .htaccess in the vwar subdirectory?

_________________
Only registered users can see links on this board! Get registered or login! - An Event Calendar for PHP-Nuke
Only registered users can see links on this board! Get registered or login! - A Google Maps Nuke Module 
View user's profile Send private message
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9456
Location: Arizona

PostPosted: Sun Sep 02, 2007 9:09 pm Reply with quote

Actually, Apache inherits the .htaccess on down the directory structure. You would have to do something like this in the other directory with the admin.php:

Add a .htaccess file in that directory with this in it:

<FilesMatch "admin.php">
allow from all
</FilesMatch>

This may not be the exact syntax, but should give you some ideas...

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
fkelly
PostPosted: Mon Sep 03, 2007 7:27 am Reply with quote

Thanks M. I learned something new this morning.
 
jiralhanae
PostPosted: Mon Sep 03, 2007 9:19 am Reply with quote

Quote:
You can rename the admin file in standard RN. Instructions for this..

Yea, I tried this already some time ago, but it didn't work out well, because nearly all modules weren't accessable via [othernamethan'admin'].php, even the basic ones like "Preferences".

Quote:
I am really surprised that it is protecting that other admin.php. .htaccess works on a per-directory basis from what I understand. Are you sure you don't have another .htaccess in the vwar subdirectory?

Yes, I double-checked. No .htaccess file in the entire vWar directory. I'm pretty sure that the root .htaccess file is the "problem", because the vwar administration wasn't protected anymore when I removed it.

Quote:
Actually, Apache inherits the .htaccess on down the directory structure. You would have to do something like this in the other directory with the admin.php:

Ah, thanks a lot. I will try it out. Smile
 
jiralhanae
PostPosted: Mon Sep 03, 2007 9:41 am Reply with quote

I tried some different kind of entries for vWar/admin/.htaccess:
Code:
allow from all

Code:
<Files admin.php>

  allow from all
</Files>

Code:
<FilesMatch "admin.php"> 

allow from all
</FilesMatch>

But nothing worked. But I noticed something else. Not only vWar/admin/admin.php is protected. vWar/admin/index.php is as well.
But at the same time, all other pages in that directory, e.g. vWar/admin/server.php or vWar/admin/cash.php are not protected.

And, if I remove the .htaccess file from the root dir, vWar/admin/admin.php,index.php are not protected anymore.


Last edited by jiralhanae on Mon Sep 03, 2007 9:55 am; edited 1 time in total 
fkelly
PostPosted: Mon Sep 03, 2007 9:42 am Reply with quote

I am pretty sure that renaming works reliably in the latest RN. There were lots of corrections needed to get rid of the hard coded admin.php in previous versions. But as I said in my previous posts add on modules could still have problems.

That's neither here nor there for your present problem. Montego's suggestion is by far the best way to go. We don't really recommend renaming admin.php here, the added protection (if any) is not worth the potential problems. If someone is determined to hack your system and they can get to admin.php then they can most likely figure out what you've renamed that to and get to that also.
 
montego
PostPosted: Tue Sep 04, 2007 6:48 am Reply with quote

jiralhanae, this is definitely odd. I wonder now if you have some settings in your host control panel that is stopping these, because I just don't understand why "vWar/admin/index.php" would be "caught" by the root .htaccess file.

Also, are you certain that it is the exact same error and it is popping up the same pop-up login window?
 
jiralhanae
PostPosted: Tue Sep 04, 2007 7:19 pm Reply with quote

Quote:
Also, are you certain that it is the exact same error and it is popping up the same pop-up login window?

Yea, it's definetely 100% the same.

I did some more testing and it seems that index.php is only protected when you're logged in to vWar(normal vWar account/vWar admin is combined), so that issue might be caused by the index.php accessing the admin.php or vice versa..at least that's my guess, not sure if that's possible/makes sense.

As for the .htacces entries I tried, my guess would be that they do not overwrite whats written in the root .htaccess file. What I mean:

Code:
<Files admin.php> 

  allow from all
</Files>

Does not overwrite
Code:
<Files admin.php>

   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /path/to/.staccess
</Files>


But again, just my guess. But I'm not sure how a working("overwriting") entry would look like.
 
montego
PostPosted: Wed Sep 05, 2007 5:39 am Reply with quote

Ok, I was hoping to find an easier override, but try this:

Code:


<Files admin.php>
  <LimitExcept GET POST PUT>
    require valid-user
  </LimitExcept>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /path/to/.staccess
</Files>


Use this in your sub-directory...
 
jiralhanae
PostPosted: Thu Sep 06, 2007 11:31 am Reply with quote

Exclamation It works. Very Happy

Very nice. Thank you very much!
 
montego
PostPosted: Fri Sep 07, 2007 6:35 am Reply with quote

Excellent! You are most welcome.

RavensScripts
 
Display posts from previous:       
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Ravens PHP Scripts And Web Hosting Forum Index -> NukeSentinel™ v2.5.x

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©