Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17077

PostPosted: Mon Jun 05, 2006 11:18 pm Reply with quote

The phpbb exploits that were used this past weekend utilized an old exploit in phpbb and 2 very sophisticated remote scripts. NukeSentinel(tm) v2.4.2 pl8 should now block those attacks, but here is another way (or an additional way) if you use Apache. Use a CGIAuth challenge in the modules/Forums/admin folder. This is how to set it up:

In modules/Forums/admin use/add the .htaccess file and the password file .staccess

.htaccess

<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.staccess

.staccess
username:password

Where username can be any name you want and password is encrypted using crypt(). For more information on CGIAUTH and how to use crypt, please see Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

PostPosted: Tue Jun 06, 2006 4:40 am Reply with quote

Thanks!

_________________
I google, therefore I exist...
Only registered users can see links on this board! Get registered or login!
 
View user's profile Send private message
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

PostPosted: Tue Jun 06, 2006 8:07 am Reply with quote

Another thank you!
 
View user's profile Send private message Send e-mail
Nomad
Client


Joined: Jan 21, 2006
Posts: 87
Location: Arizona

PostPosted: Wed Jun 21, 2006 9:06 am Reply with quote

Does anybody else get a 500 error when they try this?

error log:
[Wed Jun 21 10:40:25 2006] [alert] /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.htaccess: Missing </Files> directive at end-of-file

I did the htaccess files/staccess files as listed above, didnt change anything except CPANEL_USER_NAME and the password

_________________
Nomad!~! 
View user's profile Send private message Visit poster's website AIM Address
Raven
PostPosted: Wed Jun 21, 2006 9:16 am Reply with quote

You have to wrap that ina <Files> </Files> container.
 
Nomad
PostPosted: Wed Jun 21, 2006 9:45 am Reply with quote

Here is my htaccess file
Code:


<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess


I've tried
Code:


<Files .staccess>
deny from all
</Files>

<Files index.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess
</Files>

Code:


<Files>
<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess
</Files>

Code:


<Files index.php>
<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess
</Files>


and a few other combos. Now I have ran out of wrap Bang Head
 
Raven
PostPosted: Wed Jun 21, 2006 1:47 pm Reply with quote

My first post is the correct post. That is all you need.
 
Tao_Man
Involved
Involved


Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK

PostPosted: Wed Jun 21, 2006 2:34 pm Reply with quote

I can't see whay it would cause that error and the only thing I can see diffrent froms yours and mine is you do have a trailing bit of whitspace after the last line

AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess

would test it out myself but I am in the process of changing hosting servers and kinda MOS right now

_________________
------------------------------------------
To strive, to seek, to find, but not to yield!
I don't know Kara-te but I do know cra-zy, and I WILL use it! 
View user's profile Send private message Visit poster's website
blith
Client


Joined: Jul 18, 2003
Posts: 977

PostPosted: Thu Jun 22, 2006 11:25 am Reply with quote

I did this and had no problem, I am only posting that cause you asked if anyone has had a problem...
 
View user's profile Send private message Visit poster's website
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

PostPosted: Fri Jun 23, 2006 8:18 pm Reply with quote

I have also just checked, and I believe all the files under that directory should be included from somewhere else, right? Could we not use a simple "deny from all" statement in an .htaccess file under that directory?

Just asking because I really hate having to type in user id's and passwords... Laughing

_________________
Only registered users can see links on this board! Get registered or login!
Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Fri Jun 23, 2006 10:32 pm Reply with quote

Possibly, but you could possibly form an exploit that creates a URL that executes an include('http://somewhere.com/blahblah/include(admin_file)');

I am not saying it would work, but from what I have seen with this exploit, I don't know that I would trust just a deny. It is a good thought worth exploring. If it works, functionally, then I will use both!
 
montego
PostPosted: Sat Jun 24, 2006 1:53 pm Reply with quote

Oooooohhhh.... never thought of that. As always worship
 
bugsTHoR
Involved
Involved


Joined: Apr 05, 2006
Posts: 261

PostPosted: Fri Aug 18, 2006 7:18 am Reply with quote

what should i have in the .staccess file , at present i have 3 god acount with the md5
passwords

anything else??

also i remember something about having the .htaccess in all folders i want it to protect is that true ?

_________________
Only registered users can see links on this board! Get registered or login! LUV RAVEN DISTROBUTION BEBE

Clanthemes.com are great (free advertisements for now until i get to 20,000 posts LoL) 
View user's profile Send private message Visit poster's website
montego
PostPosted: Fri Aug 18, 2006 7:24 am Reply with quote

Raven's original post says it all...

Well, almost. Laughing Regarding this:

Quote:

also i remember something about having the .htaccess in all folders i want it to protect is that true ?

The answer is you would need the .htaccess/.staccess pair in each directory that you want to protect in this manner.
 
bugsTHoR
PostPosted: Fri Aug 18, 2006 7:25 am Reply with quote

yeah i got Raven post, just checking Very Happy noob alert
[EDITED]

I got this in my .htaccess file now
Quote:
# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files >
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.staccess


<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile
</Files>


now this bit
Quote:
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.staccess

would it stop my normal (not God) Admin`s getting in or Our Forum Members Loging in ???

3 have said they cannot 1 admin (CAN)from his home but not from elsewhere 1 from America and 1 uk ? seems they the only ones but i cant see why it would just affect them.

i have put it in
modules/forum/admin
/root
/abuse
/admin
/forum
and most other folders taking no chances
is this correct ??
 
oprime2001
Worker
Worker


Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA

PostPosted: Tue Aug 29, 2006 7:52 am Reply with quote

Would the addition of a CGIAuth challenge in the modules/Forums/admin folder affect simple forum moderators?

Thanks.
 
View user's profile Send private message
Raven
PostPosted: Tue Aug 29, 2006 9:26 am Reply with quote

Only if they are trying to do admin activities.
 
Bluezzz
Involved
Involved


Joined: Feb 08, 2005
Posts: 290
Location: USA

PostPosted: Fri Sep 01, 2006 10:51 pm Reply with quote

I tried the above suggestion but I don't think it's working. For instance, when I go to mydomain.com/public_html/mynuke/Forums/admin or even worse yet I can access the edit smilies page just by sending it to my desktop ... how can I have that so that it cannot be accessed unless via the normal path through admin console? This is a major security problem I'd think!? I'm using RN76 2.02.02 and the included Sentinel. The Forums/admin folder should not be this exposed, nor should any file within!

_________________
Bluezzz
~ Stop & smell the roses, while you can! ~ 
View user's profile Send private message
Guardian2003
PostPosted: Sat Sep 02, 2006 2:58 am Reply with quote

Do you have a htaccess file and an emty index.html file in the admin folder?
 
Bluezzz
PostPosted: Sat Sep 02, 2006 3:18 am Reply with quote

Ummmm no, it didn't say to do that in instructions, it just said to set up the forums before installing sentinel. Nothing about securing the forums. I only figured that it wasn't secure because I sent Edit Smilies to the desktop and then a day or so later (after I'd closed all browsers, etc) I was able to double click that icon and go right to edit smilies ... that's not good is it LOL ruuuuuuuuuh rooooooooooh! So what exactly should I do to secure the forums pages so they don't get hacked? I also didn't do any other security measures for the main site aside from what was mentioned in the installation files.
 
Guardian2003
PostPosted: Sat Sep 02, 2006 3:43 am Reply with quote

That happened only because you were still logged in as an admin and the session cookie had not expired.
Raven gave extensive instructions for securing the admin area in the first post of this thread.
 
Bluezzz
PostPosted: Sat Sep 02, 2006 4:20 am Reply with quote

Yes I tried that but it's not prompting me for a login/pw still ... still it allows me to go directly to that page (Edit Smilies and/or admin folder). I didn't see anything above on having a blank index page either. All it said above was to make an .htaccess and an .staccess page, I'm not sure if I'm suppose to make these as shown above or copy the two main ones from the site ... I did as shown above but am not being prompted for login/pw.
 
Guardian2003
PostPosted: Sat Sep 02, 2006 6:48 am Reply with quote

Does your hosting provider give you a control panel like cPanel?
If so it might be easier for you to use that.
Let me know and I'll post the instructions.
 
Bluezzz
PostPosted: Sat Sep 02, 2006 5:47 pm Reply with quote

Yes, as a matter of a fact I'm a reseller host myself, but I really don't know much about being a reseller ... I have cPanel and I see that I can protect directories but I'm not sure how to do that. Please advize : o} Thanks!
 
Guardian2003
PostPosted: Sat Sep 02, 2006 6:25 pm Reply with quote

Go to your cPanel and find the 'Password protect directories' link - click it.
You should now see a list of folders (directories).
Click - the folder icon next to 'modules'
Click - the folder icon next to 'Forums'
Click - the WORD admin (not the folder icon).

You will now be given some options.
Check the box where it says
Quote:
Directory requires a password to access via the web (you must check this to activate password protection).

In the box thats asks for a 'Mask' Type something so you know what it is, like 'Forum Admin'.
The rest is pretty self explanatory Smile
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©