PHP Web Host - Quality Web Hosting For All PHP Applications Free RavenNuke(tm) Add Ons
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Mon May 03, 2004 9:50 pm

I have been testing using HTTP Basic Authentication to add a top level security layer for admin access. It requires two id/password authentications. You have a private file that contains an id and an encrypted password. Then, in admin.php, that file is used to verify top level authentication using HTTP Basic Authentication. Once that is passed, the regular nuke admin functionality kicks in. Here is what the private file (myprivatefile.php) might look like:
Code:
<?php
// myprivatefile.php: the outer-layer id and the md5() hex digest of its password
$ravenAdminID   = 'secretID';
$ravenAdminPASS = '8eee3efdde1eb6cf6639a58848362bf4';
?>
Then, this code can also be placed in a file, say basicauthfile.php. This code is from phpmyadmin.
Code:
<?php
// Use the full <?php open tag: the short <? form only works when short_open_tag
// is on, and with it off the file's contents are sent to the browser as text.
// Grabs the $PHP_AUTH_USER variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
// loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
if (empty($PHP_AUTH_USER)) {
   if (!empty($_SERVER) && isset($_SERVER['PHP_AUTH_USER'])) {
      $PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
   }
   else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) {
      $PHP_AUTH_USER = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
   }
   else if (isset($REMOTE_USER)) {
      $PHP_AUTH_USER = $REMOTE_USER;
   }
   else if (!empty($_ENV) && isset($_ENV['REMOTE_USER'])) {
      $PHP_AUTH_USER = $_ENV['REMOTE_USER'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['REMOTE_USER'])) {
      $PHP_AUTH_USER = $HTTP_ENV_VARS['REMOTE_USER'];
   }
   else if (@getenv('REMOTE_USER')) {
      $PHP_AUTH_USER = getenv('REMOTE_USER');
   }
   // Fix from Matthias Fichtner for WebSite Professional - Part 1
   else if (isset($AUTH_USER)) {
      $PHP_AUTH_USER = $AUTH_USER;
   }
   else if (!empty($_ENV) && isset($_ENV['AUTH_USER'])) {
      $PHP_AUTH_USER = $_ENV['AUTH_USER'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['AUTH_USER'])) {
      $PHP_AUTH_USER = $HTTP_ENV_VARS['AUTH_USER'];
   }
   else if (@getenv('AUTH_USER')) {
      $PHP_AUTH_USER = getenv('AUTH_USER');
   }
}
// Grabs the $PHP_AUTH_PW variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
// loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
if (empty($PHP_AUTH_PW)) {
   if (!empty($_SERVER) && isset($_SERVER['PHP_AUTH_PW'])) {
      $PHP_AUTH_PW = $_SERVER['PHP_AUTH_PW'];
   }
   else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['PHP_AUTH_PW'])) {
      $PHP_AUTH_PW = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
   }
   else if (isset($REMOTE_PASSWORD)) {
      $PHP_AUTH_PW = $REMOTE_PASSWORD;
   }
   else if (!empty($_ENV) && isset($_ENV['REMOTE_PASSWORD'])) {
      $PHP_AUTH_PW = $_ENV['REMOTE_PASSWORD'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['REMOTE_PASSWORD'])) {
      $PHP_AUTH_PW = $HTTP_ENV_VARS['REMOTE_PASSWORD'];
   }
   else if (@getenv('REMOTE_PASSWORD')) {
      $PHP_AUTH_PW = getenv('REMOTE_PASSWORD');
   }
   // Fix from Matthias Fichtner for WebSite Professional - Part 2
   else if (isset($AUTH_PASSWORD)) {
      $PHP_AUTH_PW = $AUTH_PASSWORD;
   }
   else if (!empty($_ENV) && isset($_ENV['AUTH_PASSWORD'])) {
      $PHP_AUTH_PW = $_ENV['AUTH_PASSWORD'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['AUTH_PASSWORD'])) {
      $PHP_AUTH_PW = $HTTP_ENV_VARS['AUTH_PASSWORD'];
   }
   else if (@getenv('AUTH_PASSWORD')) {
      $PHP_AUTH_PW = getenv('AUTH_PASSWORD');
   }
}
// Gets authenticated user settings with IIS (and any other SAPI that only
// passes the raw Authorization header through).
// Fixes relative to the posted version: preg_match() instead of ereg(), which
// later PHP versions removed, and explode() with a limit of 2 because the
// password may itself contain a ':'.
if (empty($PHP_AUTH_USER) && empty($PHP_AUTH_PW)
   && function_exists('base64_decode')) {
   $rawAuth = '';
   if (!empty($HTTP_AUTHORIZATION)) {
      $rawAuth = $HTTP_AUTHORIZATION;
   }
   else if (!empty($_ENV) && isset($_ENV['HTTP_AUTHORIZATION'])) {
      $rawAuth = $_ENV['HTTP_AUTHORIZATION'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['HTTP_AUTHORIZATION'])) {
      $rawAuth = $HTTP_ENV_VARS['HTTP_AUTHORIZATION'];
   }
   else if (@getenv('HTTP_AUTHORIZATION')) {
      $rawAuth = getenv('HTTP_AUTHORIZATION');
   }
   if ($rawAuth !== '' && preg_match('/^Basic /i', $rawAuth)) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) =
         array_pad(explode(':', base64_decode(substr($rawAuth, 6)), 2), 2, '');
   }
} // end IIS

// Compare against the values gathered above. The posted version read
// $HTTP_SERVER_VARS directly here, which threw away all of the portability
// work and fails wherever only the Authorization header reaches PHP.
// Strict (===) comparison matters: with ==, PHP compares two numeric-looking
// strings as numbers, so a hash such as '0e12345' == '0e99999' is true.
$PHP_AUTH_USER = isset($PHP_AUTH_USER) ? $PHP_AUTH_USER : '';
$PHP_AUTH_PW   = isset($PHP_AUTH_PW)   ? $PHP_AUTH_PW   : '';
if (!($PHP_AUTH_USER === $ravenAdminID && md5($PHP_AUTH_PW) === trim($ravenAdminPASS))) {
   header("WWW-Authenticate: Basic realm=\"Protected\"");
   header("HTTP/1.0 401 Unauthorized");
   echo "Get Out Of Here!";
   echo "<br /><br />";
   die();
}
?>
Now, in admin.php, place these 2 lines
Code:
require_once('myprivatefile.php');
require_once('basicauthfile.php');
right before
Code:
require("auth.php");

The beauty is that you can place those files wherever you want and you can name the variables whatever you want. Let me know your thoughts and experiences. Obviously, you can use this technique elsewhere too.

Also, here is a little script to help you md5() your password. You could use whatever hash/crypt routine you wanted, as long as you adjust the HTTP Auth code:
Code:
<?php
echo md5("testpw");
?>


You could also redirect the three strikes and you're out to my hackalert script instead of just 'Get out of here'. It is very flexible.


Last edited by Raven on Tue May 04, 2004 1:35 pm; edited 2 times in total
sharlein
Member Emeritus


Joined: Nov 19, 2002
Posts: 322
Location: On the Road

PostPosted: Tue May 04, 2004 12:11 am

Raven, I have it on my site. The only problem I had was that I had to logout as admin, and then log back on.
GanjaUK
Life Cycles Becoming CPU Cycles


Joined: Feb 14, 2004
Posts: 633
Location: England

PostPosted: Tue May 04, 2004 2:27 am

I will have to try this again later; tried it earlier and it didn't work, it displayed the contents of basicauthfile.php above the header when viewing admin.php. It's late though, so I probably messed something up. HitsFan
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 4:24 am

sharlein wrote:
Raven, I have it on my site. The only problem I had was that I had to logout as admin, and then log back on.
That would be true. HTTP Basic Auth requires 1 login per browser session. Meaning, the signon is valid only for the duration of that browser session. If you open up a new instance of the browser it will require a new login. If you were logged in as admin and then added this code, the browser has never seen the HTTP Auth so it will require authorization one time for that browser session.
Coldy
Hangin' Around


Joined: Apr 24, 2004
Posts: 40
Location: Austria

PostPosted: Tue May 04, 2004 5:06 am

Hi!

I've tested some different variations, and it works very well!
But I have another question about this:
Code:
<?php
echo md5("testpw");
?>

Should I put this in a new file?

Coldy
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2499

PostPosted: Tue May 04, 2004 5:31 am

Nice. Truly platform independent; it makes robot and brute force attacks very expensive. Simple cookie traps too, which are getting more common all the time.
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 5:38 am

Coldy wrote:
Hi!

I've tested some different variations, and it works very well!
But I have another question about this:
Code:
<?php
echo md5("testpw");
?>

Should I put this in a new file?

Coldy
Yes. Just save that to a file and call it whatever you want. It is simply a utility to one-way encode your secret password that you will place in your private file. Keep in mind that you could also hide the id and pass in a table and read the table. It's very flexible.
Coldy
Hangin' Around


Joined: Apr 24, 2004
Posts: 40
Location: Austria

PostPosted: Tue May 04, 2004 8:46 am

Thanks!
Now it works perfectly!
I tested it on 5.6, 6.0, 6.5 and 7.1 without any problems!

Coldy
Rikk03
Worker


Joined: Feb 16, 2004
Posts: 164

PostPosted: Tue May 04, 2004 9:13 am

Check out the new NSN Admin Secure
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 9:20 am

Rikk03 wrote:
Check out the new NSN Admin Secure
Why? I don't mind references to other sites/applications, but some editorial content would help. Thanks.
Rikk03
Worker


Joined: Feb 16, 2004
Posts: 164

PostPosted: Tue May 04, 2004 9:23 am

Sorry, it just sounds like something similar to secure admin, and I thought it would be of interest since it is the topic of this forum.
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 9:29 am

I'm sure there are many variations on a theme. That's why it becomes a little silly to try to copyright everything and claim you are the first, etc. I have never looked at that application as I tend to write all of my own, for better or worse. And with all the accusations flying around these days, that's all the more reason that I just do my own thing, so to speak. Bob writes very good applications also. You usually won't go wrong with his stuff. The purpose of this thread is to gather feedback on my offering so that I can publish it. That's why I needed to know how your post fit. Thanks.
sharlein
Member Emeritus


Joined: Nov 19, 2002
Posts: 322
Location: On the Road

PostPosted: Tue May 04, 2004 10:18 am

Are you able to use multiple admins with this code?
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 10:24 am

As shown here all admins require the same id and password for the initial passcode. This could easily be rewritten to query the authors table and use the nuke adminid/password. With about the same amount of effort, it could be modified to have multiple ids/passwords in the private file.
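Raven's opening post describes the gate for one shared id, and the reply above says the private file could just as well hold several ids and passwords. What follows is an added example of a basicauthfile.php written that way; it is not Raven's code and is not taken from phpmyadmin or PHP-Nuke. It assumes PHP 5.5 or later (for password_hash()/password_verify()), and the function names, the $ravenAdmins array, the $ravenDummyHash value and the sample accounts are all assumptions made for the illustration. Beyond what the post states, it also reads the credentials from the raw Authorization header when the server does not fill PHP_AUTH_USER, keeps a ':' inside the password intact, and verifies a dummy hash for unknown ids so that a bad id and a bad password take the same time to reject.

```php
<?php
// Added example: a multi-admin basicauthfile.php. Not Raven's code and not from
// phpmyadmin or PHP-Nuke; function names, $ravenAdmins, $ravenDummyHash and the
// sample accounts are assumptions for this illustration. Requires PHP >= 5.5.

/*
 * Return array(id, password) from the request, or null if no usable Basic
 * credentials were sent. mod_php fills PHP_AUTH_USER/PHP_AUTH_PW itself; under
 * CGI/FastCGI only the raw header may reach PHP, and only if the web server
 * forwards it (Apache rewrite rules commonly expose it as
 * REDIRECT_HTTP_AUTHORIZATION).
 */
function raven_basic_credentials(array $server)
{
    if (isset($server['PHP_AUTH_USER'])) {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return array($server['PHP_AUTH_USER'], $pw);
    }
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (!isset($server[$key])) {
            continue;
        }
        // The scheme name is case-insensitive; what follows must be base64.
        if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', trim($server[$key]), $m)) {
            return null;
        }
        $decoded = base64_decode($m[1], true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return null;
        }
        // Split on the first ':' only: the password may contain ':' itself.
        return explode(':', $decoded, 2);
    }
    return null;
}

/*
 * True only when $id exists in $admins and $password matches its hash.
 * An unknown id still runs password_verify() against a dummy hash so the
 * response time does not reveal which ids exist.
 */
function raven_check_admin($id, $password, array $admins, $dummyHash)
{
    $known = isset($admins[$id]);
    $hash  = $known ? $admins[$id] : $dummyHash;
    $ok    = password_verify($password, $hash);
    return $known && $ok;
}

/* Challenge the browser and stop, as the original gate does. */
function raven_deny()
{
    header('WWW-Authenticate: Basic realm="Protected"');
    header('HTTP/1.0 401 Unauthorized');
    echo "Get Out Of Here!<br /><br />";
    die();
}

// What myprivatefile.php holds in this variant: one bcrypt entry per admin id.
// In practice the hashes are precomputed and pasted in; they are generated at
// run time here only so the example runs stand-alone.
$ravenAdmins = array(
    'secretID' => password_hash('testpw', PASSWORD_DEFAULT),
    'backupID' => password_hash('pa:ss',  PASSWORD_DEFAULT),  // ':' in password
);
$ravenDummyHash = password_hash('dummy-never-matches', PASSWORD_DEFAULT);

if (PHP_SAPI === 'cli') {
    // Self-check against constructed $_SERVER arrays (no browser needed).
    $cases = array(
        'mod_php, good pw'  => array(array('PHP_AUTH_USER' => 'secretID', 'PHP_AUTH_PW' => 'testpw'), true),
        'mod_php, wrong pw' => array(array('PHP_AUTH_USER' => 'secretID', 'PHP_AUTH_PW' => 'nope'), false),
        'raw header, good'  => array(array('HTTP_AUTHORIZATION' => 'basic ' . base64_encode('backupID:pa:ss')), true),
        'raw header, junk'  => array(array('HTTP_AUTHORIZATION' => 'Basic not*base64'), false),
        'unknown id'        => array(array('PHP_AUTH_USER' => 'nobody', 'PHP_AUTH_PW' => 'testpw'), false),
        'no credentials'    => array(array(), false),
    );
    foreach ($cases as $name => $case) {
        $cred = raven_basic_credentials($case[0]);
        $ok   = $cred !== null && raven_check_admin($cred[0], $cred[1], $ravenAdmins, $ravenDummyHash);
        printf("%-20s %s\n", $name, $ok === $case[1] ? 'ok' : 'FAIL');
    }
} else {
    $cred = raven_basic_credentials($_SERVER);
    if ($cred === null || !raven_check_admin($cred[0], $cred[1], $ravenAdmins, $ravenDummyHash)) {
        raven_deny();
    }
    // Authenticated at the outer layer; admin.php goes on to require("auth.php").
}
```

Run it with php on the command line to exercise the constructed cases; included from admin.php in a browser it behaves like the original gate, answering 401 with a WWW-Authenticate challenge until a valid id/password pair arrives. To add an admin, paste the output of password_hash() for that password into $ravenAdmins. Note that the check compares the password against the stored hash with password_verify(), which is constant-time and avoids the loose md5() == $hash comparison of the original.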
sharlein
Member Emeritus


Joined: Nov 19, 2002
Posts: 322
Location: On the Road

PostPosted: Tue May 04, 2004 10:29 am

Thank you.
Goldberg
New Member


Joined: Feb 09, 2004
Posts: 18

PostPosted: Tue May 04, 2004 11:41 am

This is a similar mod to the one from Telli (link visible only to registered forum users), except for the fact that you've built a new .php file. I will try yours too and see which one I like best (maybe use both if possible).
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 11:54 am

Never saw that one either. I've been using/testing/perfecting mine since at least the first of April. As I said, variations on a theme - a two tier approach to security. Mine is written to be platform independent and to be able to resolve cookie issues as well as variable issues.
Goldberg
New Member


Joined: Feb 09, 2004
Posts: 18

PostPosted: Tue May 04, 2004 12:10 pm

I can't get it to work properly. On the admin login I get the entire basicauthfile.php on top of the page. I can't log in. Does the basicauthfile.php need to be between <? and ?>?
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 12:12 pm

Nope. If you are using some other code they may be clashing. It works if edited exactly as stated.
GanjaUK
Life Cycles Becoming CPU Cycles


Joined: Feb 14, 2004
Posts: 633
Location: England

PostPosted: Tue May 04, 2004 1:08 pm

Goldberg wrote:
I can't get it to work properly. On the admin login I get the entire basicauthfile.php on top of the page. I can't log in. Does the basicauthfile.php need to be between <? and ?>?


Yeah, that's exactly the same problem I had last night. It also makes the security code show a 404. Thought I had done it wrong to start with, guess not.
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 1:17 pm

As I said above, I imagine it's some other security code you have on top of this. Please post everything that is above the require("auth.php") line and I will look at it.
GanjaUK
Life Cycles Becoming CPU Cycles


Joined: Feb 14, 2004
Posts: 633
Location: England

PostPosted: Tue May 04, 2004 1:20 pm

Code:

if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
die("Illegal Operation");
}
$checkurl = $_SERVER['REQUEST_URI'];

if (preg_match("/\?admin/", "$checkurl")) {
echo "die";
exit;
}
require_once("mainfile.php");
get_lang(admin);

function create_first($name, $url, $email, $pwd, $user_new) {
    global $prefix, $db, $user_prefix;
    $first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
    if ($first == 0) {
   $pwd = md5($pwd);
   $the_adm = "God";
   $db->sql_query("INSERT INTO ".$prefix."_authors VALUES ('$name', '$the_adm', '$url', '$email', '$pwd', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '1', '')");
   if ($user_new == 1) {
       $user_regdate = date("M d, Y");
       $user_avatar = "gallery/blank.gif";
       $commentlimit = 4096;
       if ($url == "http://") { $url = ""; }
            $db->sql_query("INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_level, user_lang, user_dateformat) VALUES (NULL,'$name','$email','$url','$user_avatar','$user_regdate','$pwd','$Default_Theme','$commentlimit', '2', 'english','D M d, Y g:i a')");
   }
   login();
    }
}

$the_first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
if ($the_first == 0) {
    if (!$name) {
    include("header.php");
    title("$sitename: "._ADMINISTRATION."");
    OpenTable();
    echo "<center><b>"._NOADMINYET."</b></center><br><br>"
   ."<form action=\"admin.php\" method=\"post\">"
   ."<table border=\"0\">"
   ."<tr><td><b>"._NICKNAME.":</b></td><td><input type=\"text\" name=\"name\" size=\"30\" maxlength=\"25\"></td></tr>"
   ."<tr><td><b>"._HOMEPAGE.":</b></td><td><input type=\"text\" name=\"url\" size=\"30\" maxlength=\"255\" value=\"http://\"></td></tr>"
   ."<tr><td><b>"._EMAIL.":</b></td><td><input type=\"text\" name=\"email\" size=\"30\" maxlength=\"255\"></td></tr>"
   ."<tr><td><b>"._PASSWORD.":</b></td><td><input type=\"password\" name=\"pwd\" size=\"11\" maxlength=\"10\"></td></tr>"
   ."<tr><td colspan=\"2\">"._CREATEUSERDATA."  <input type=\"radio\" name=\"user_new\" value=\"1\" checked>"._YES."&nbsp;&nbsp;<input type=\"radio\" name=\"user_new\" value=\"0\">"._NO."</td></tr>"
   ."<tr><td><input type=\"hidden\" name=\"fop\" value=\"create_first\">"
   ."<input type=\"submit\" value=\""._SUBMIT."\">"
   ."</td></tr></table></form>";
    CloseTable();
    include("footer.php");
    }
    switch($fop) {
   case "create_first":
   create_first($name, $url, $email, $pwd, $user_new);
   break;
    }
    die();
}

require("auth.php");
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 1:30 pm

Are these two files in the same folder as mainfile.php?

require_once('myprivatefile.php');
require_once('basicauthfile.php');
GanjaUK
Life Cycles Becoming CPU Cycles


Joined: Feb 14, 2004
Posts: 633
Location: England

PostPosted: Tue May 04, 2004 1:36 pm

I actually put them in another folder in admin; you said you could put them anywhere, didn't you? I just had the contents of basicauthfile displayed in text above the header.
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 16987
Location: Kansas

PostPosted: Tue May 04, 2004 1:36 pm

The code was missing the <? and ?> tags - sorry! Add those and see if that fixes it.
All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2002-2011 by Raven
Website engines core code is © copyright by PHP-Nuke but has been heavily patched and modified by myself and others.
PHP-Nuke is a free software released under the GNU/GPL.