Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Thu Dec 23, 2004 4:14 pm Reply with quote

I was just wondering.
Renaming the admin.php is great but what if you use a admin login block like from nukescript just to name one ?
When you just click login without entering a name and pass it brings you to the admin.php......so wouldnt that bring you to the secret admin(renamed) page also ?
Or is there a solution to this...?
 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Fri Dec 24, 2004 8:26 am Reply with quote

That's a good point. But the benefit of renaming the admin.php is to prevent problems like cross site scripting or other attacks directly on the admin.php. Simpy renaming would force attackers to investigate further, which is more than most script kiddies are likely willing to do and also probably over most of their heads.

You could also create an interim script to validate that a user is entered and valid for redirecting to your renamed admin.php

But all that is a lot of work - why not use use admin authentication?

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
hitwalker
PostPosted: Fri Dec 24, 2004 8:33 am Reply with quote

hi,

yeah thats possible but i was just wondering...
if i were a hacker i just click on the login button and it automatically shows me the new admin renamed page.
that makes it so easy after that.
so in order to prevent that the block needs to be changed that all fields must be entered correctly and if not it should go to a defined default page...
 
kguske
PostPosted: Fri Dec 24, 2004 8:42 am Reply with quote

Right. If you want to rename the admin and have a login block, you could use the same fields on an interim page that does only some simple admin user verification, and, if it passes, goes on to the real renamed admin page.

If you're using Apache, I'd recommend the admin authentication approach because it's very effective. You could even use it on a renamed admin page for extra security.
 
hitwalker
PostPosted: Fri Dec 24, 2004 8:44 am Reply with quote

yeah nice idea....gonna play around...
 
BobMarion
Former Admin in Good Standing


Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)

PostPosted: Sat Dec 25, 2004 12:24 am Reply with quote

The renamed admin file is a stop gap like kguske noted. To help prevent cross site scripting. Just like using a $prefix other then nuke is important to help stop cross site scripting and sql injection attacks. No one solution is 100% perfect but a grouping of protection is the best solution.

_________________
Bob Marion
Codito Ergo Sum
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Send e-mail Visit poster's website
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©