HTTP Authentication stopped working

New Member Joined: Jan 24, 2005 Posts: 12

Hi, I've installed NukeSentinel before and I've had it work on all the sites I've used it on. However I've recompiled PHP on the server and now it seems that HTTP Auth has stopped working. I can't seem to figure out why it has. I've tried reinstalling PHP Nuke and then reinstalling Sentinel and that didn't seem to work. It also seems to have stopped working on a server I have no control over. What seems to have happened? Is it something I did? Does the fact that I'm using Netscape have anything to do with it?

Thanks for the help.

Posted: Mon Jan 24, 2005 4:34 pm

Find out what version of Apache, PHP and how PHP is installed (as a CGI or as an Apache module).

Posted: Mon Jan 24, 2005 6:22 pm

This is my server. Its configured as an Apache module.

Quote:

'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-mysql=/usr' '--with-xml' '--with-dom' '--with-curl' '--with-pear' '--with-zlib' '--enable-track-vars' '--enable-magic-quotes' '--enable-versioning' '--enable-calendar' '--enable-ftp' '--enable-bcmath' '--enable-sockets' '--enable-discard-path' '--with-xpm-dir=/usr/X11R6' '--with-gd' '--with-jpeg-dir=/usr' '--with-freetype-dir=/usr' '--with-png-dir=/usr'

The other server pretty much has the same thing.

Quote:

'./configure' '--with-apxs=/usr/local/apache/bin/apxs' '--with-xml' '--enable-bcmath' '--enable-calendar' '--enable-ftp' '--with-gd' '--with-jpeg-dir=/usr/local' '--with-png-dir=/usr' '--with-xpm-dir=/usr/X11R6' '--enable-magic-quotes' '--with-mysql' '--enable-discard-path' '--with-pear' '--enable-sockets' '--enable-track-vars' '--enable-versioning' '--with-zlib'

Both are Apache version 1.3.33.[/quote]

Posted: Mon Jan 24, 2005 6:59 pm

Not PHP5 by chance?

Posted: Mon Jan 24, 2005 9:27 pm

No its 4.3.10

Posted: Mon Jan 24, 2005 9:51 pm

Then I'm as out of ideas as you are I'm using 4.3.10 myself on a couple of servers. Maybe Bob or Raven will have heard of something simular but everything "Sounds right" from what you have said I can't think of anything that should prevent it from working unless something went very wrong with the php update.

Posted: Mon Jan 24, 2005 9:53 pm

Didn't accidently get the wrong Nuke-Sentinel version?
760 for phpnuke 7.6
UNI for all previous versions

Posted: Mon Jan 24, 2005 10:16 pm

No I'm using 7.5 and the proper Sentinel versions for those. For some reason I set the whole ting up as instructed and then after I put the user name and password in. The uner name and password doesn't work at all.

Posted: Mon Jan 24, 2005 10:34 pm

Ok maybe we're on to something here this came up in another thread where 7.5 was being used. No solution but at least we know this isn't an isolated incident.

Posted: Tue Jan 25, 2005 2:24 am

Another thing of note here. If I use 2.1.2 then it works fine. If I go to 2.1.3 it breaks. Weird.

update: I tried a fresh install and I followed the instructions to the T. It didn't help. This is very frustrating. I can't see any reason why HTTP Authentication is failing and I can't seem to trace what its doing. If I knew where Sentinel did the authentication I could probably figure this out.

1. downloaded fresh copy of 7.5
2. downloaded fresh copy of 7.5 patched
3. download fresh copy of NukeSentinel 2.1.3 UNI

unzipped 7.5 and unzipped patched, applied patched version to originalversion
unzipped NukeSentinel and applied that to patched PHPNuke, went through the install instructions and made the adjustments as instructed then uploaded the whole thing.

Set up the admin account and then ran nsnst.php to install NukeSentinel. Set up HTTPAuth and bang. Same problem.

Should I set up PHPNuke before uploading NukeSentinel and setting that up?

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

There is nothing at all that is tied to the php version. When you say HTTPAuth has stopped working, do you mean it errors out or it just doesn't come up anymore?

Posted: Tue Jan 25, 2005 11:03 am

Do you mean that you can't log into any nuke website? Because if you do then I had this same problem after upgrading my Win2K a few months back. It took me forever to figure out that the problem was with my browser. I hadn't changed any settings, but the Windows upgrade had changed them. Internet Explorer/Tools/Internet Options/Security Tab/Choose Zone/ then Custom Level Button ... then scroll all the way to the bottom of the page and make sure Authentication is set to "Prompt for User Name and Password."

Silly Windows.

Posted: Tue Jan 25, 2005 1:29 pm

I don't use Internet Explorer though. Not if I can help it. I'm using Netscape. For what its worth though I did try with IE. It did ask for the user name and password just like netscape did, however the password didn't go through. HTTPAuth will not take the password I set. If I turn off HTTPAuth I can get in fine with the password I set. It just doesn't take the password. I go in and change the password, both of them, and set it to be the same and it still doesn't work. Seems like the program isn't matching the passwords up correctly.

Sorry if I misled or confused anyone by saying HTTP Auth didn't work meaning I get errors. I don't. What happens is the password doesn't work. Not even if I turn it off through the DB and then reset the password again, and then turn HTTPAuth back on. There's only one user and password at this time in the system and thats the God user.

Posted: Tue Jan 25, 2005 3:10 pm

I hate to even bring it up but you are aware that the Username and Pass are case sensitive?

Posted: Tue Jan 25, 2005 3:43 pm

I'm very aware that it is and no I don't have the caps lock on. Smile

Posted: Tue Jan 25, 2005 4:23 pm

I solved the problem and this could apply to others who are having this problem as well. As a security measure I turned off register_globals as cPanel seems to like (for convenience, they say) to turn it on by default. Once I re-enabled register_globals HTTPAuth magicaly worked again. How did I find this out? I poured through the sentinel code and saw that HTTPAuth REQUIRES register_globals to be on in order for it to work. So for those who are having the same problems as I did you need to turn it on either in your php.ini or by using ini_set("register_globals", "On"); at the begining of the program. For now I'll keep it on untill I figure out where to put the ini_set so I can turn it off again. I'm not to happy that it didn't register in my head that it broke when I turned register_globals off, but then again it wasn't obvious untill I delved in to the code.

I'd like to thank everyone who posted for helping.

Posted: Tue Jan 25, 2005 4:30 pm

You have solved one of the mysteries of the universe!!! I never even thought to look at that. Thank you SO much for posting back.

Posted: Tue Jan 25, 2005 4:30 pm

Sorry Specks I should have guessed that might be the underlying issue.

Posted: Wed Jan 26, 2005 2:03 am

You can do a simple check in includes/sentinel.php for this setting. Open includes/sentinel.php and at the end find:

Code:

$sapi_name = strtolower(php_sapi_name());


$apass = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_nsnst_admins WHERE password_md5='' OR password=''"));


if($apass > 0 AND $ab_config['http_auth'] > 0) {


  require_once("admin/modules/sentinel/functions.php");


  absave_config("http_auth",'0');


}


if($ab_config['http_auth'] == 1 AND strpos($sapi_name,"cgi")===FALSE) {


  if (basename($_SERVER['PHP_SELF'], '.php')==$admin_file) {


    $allowPassageToAdmin = FALSE;


    $authresult = $db->sql_query("SELECT login, password_md5 FROM ".$prefix."_nsnst_admins");


    while ($getauth = $db->sql_fetchrow($authresult)) {


      if ($PHP_AUTH_USER==$getauth['login'] AND md5($PHP_AUTH_PW)==trim($getauth['password_md5'])) {


        $allowPassageToAdmin = TRUE;


        break;


      }


    }


    if (!$allowPassageToAdmin) {


      header("WWW-Authenticate: Basic realm=Protected");


      header("HTTP/1.0 401 Unauthorized");


      die(_AB_GETOUT);


    }


  }


}

Replace it with:

Code:

if(ini_get("register_globals")) {


  $sapi_name = strtolower(php_sapi_name());


  $apass = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_nsnst_admins WHERE password_md5='' OR password=''"));


  if($apass > 0 AND $ab_config['http_auth'] > 0) {


    require_once("admin/modules/sentinel/functions.php");


    absave_config("http_auth",'0');


  }


  if($ab_config['http_auth'] == 1 AND strpos($sapi_name,"cgi")===FALSE) {


    if (basename($_SERVER['PHP_SELF'], '.php')==$admin_file) {


      $allowPassageToAdmin = FALSE;


      $authresult = $db->sql_query("SELECT login, password_md5 FROM ".$prefix."_nsnst_admins");


      while ($getauth = $db->sql_fetchrow($authresult)) {


        if ($PHP_AUTH_USER==$getauth['login'] AND md5($PHP_AUTH_PW)==trim($getauth['password_md5'])) {


          $allowPassageToAdmin = TRUE;


          break;


        }


      }


      if (!$allowPassageToAdmin) {


        header("WWW-Authenticate: Basic realm=Protected");


        header("HTTP/1.0 401 Unauthorized");


        die(_AB_GETOUT);


      }


    }


  }


}

Posted: Fri Feb 04, 2005 2:05 pm

The only problem with that is it still breaks the HTTPAuth when register globals is turned off. Why not just place:

Code:




if (!ini_get("register_globals")) {


       ini_set("register_globals", "On");


}


if (ini_get("register_globals")) {


        $sapi_name = strtolower(php_sapi_name());


        $apass = $db->sql_numrows($db->sql_query("SELECT * FROM                       ".$prefix."_nsnst_admins WHERE password_md5='' OR password=''"));


        if($apass > 0 AND $ab_config['http_auth'] > 0) {


            require_once("admin/modules/sentinel/functions.php");


            absave_config("http_auth",'0');


        }


        if($ab_config['http_auth'] == 1 AND strpos($sapi_name,"cgi")===FALSE) {


        if (basename($_SERVER['PHP_SELF'], '.php')==$admin_file) {


            $allowPassageToAdmin = FALSE;


            $authresult = $db->sql_query("SELECT login, password_md5 FROM ".$prefix."_nsnst_admins");


            while ($getauth = $db->sql_fetchrow($authresult)) {


                if ($PHP_AUTH_USER==$getauth['login'] AND                   md5($PHP_AUTH_PW)==trim($getauth['password_md5'])) {


          $allowPassageToAdmin = TRUE;


          break;


        }


      }


      if (!$allowPassageToAdmin) {


        header("WWW-Authenticate: Basic realm=Protected");


        header("HTTP/1.0 401 Unauthorized");


        die(_AB_GETOUT);


      }


    }


  }


}

That way sentinel tries to turn on register globals and if it doesn't then it breaks.

Update: I just realised how Mickey Moused that was so I redid it. I still think its Klugy. There's got to be a better way.

Posted: Fri Feb 04, 2005 4:02 pm

register_globals will not work this way. By the time your script is called, it is too late to change the setting. The only place that register_globals can be changed (and work) is php.ini or .htaccess.

Posted: Mon Feb 07, 2005 2:53 am

For a site with register_globals turned off use CGIAuth instead. That way it is called from the .htaccess file and provides server level protection for your admin.php file Smile