I get access denied in some admin modules

Regular Joined: Nov 02, 2004 Posts: 54 Location: Colombia

Hi,

I have installed v2.02.00

when i log in using god admin, i can access some modules and some not
I can access the administration menu, but not modules administration, I get a blank page saying access denied.

Thanks Shocked

Posted: Wed Aug 02, 2006 10:34 am

Help please is urgent worship

Posted: Wed Aug 02, 2006 11:15 am

I have change the name of the admin.php to myadmin.php and changed also in the config.php file the variable $admin_file = "myadmin";

when i do this is when happen the error describes obove

what can i do to fix this. Shocked

Posted: Wed Aug 02, 2006 3:21 pm

Changing the admin file name doesnt really offer any real benefit so you could change it back to the default.
This issue is fixed in the next release and is caused by some files still having the original authors references to hard coded to admin.php instead of $admin_file.'.php'

You should also be aware that that most of the older modules, blocks etc available from third parties may well have hard coded references to admin.php so changing the name of the admin file can break these where the third party author has not updated thir scripts.

Posted: Wed Aug 02, 2006 8:25 pm

well now everything is woorking, but the news module does post any news

what could be?

Posted: Wed Aug 02, 2006 8:31 pm

Do you have any illegal characters in the title?
I couldnt find a submit news on your site to test.

Involved Joined: Feb 08, 2005 Posts: 290 Location: USA

Guardian2003 wrote:

Changing the admin file name doesnt really offer any real benefit so you could change it back to the default.
This issue is fixed in the next release and is caused by some files still having the original authors references to hard coded to admin.php instead of $admin_file.'.php'

You should also be aware that that most of the older modules, blocks etc available from third parties may well have hard coded references to admin.php so changing the name of the admin file can break these where the third party author has not updated thir scripts.

In regard to "This issue is fixed in the next release", I'm on the next release, as a matter of a fact I'm on the latest RN76 2.02.02 ... this issue is not fixed. I changed the admin.php to another name without extension per instructions and then when I refreshed my browser I got the error message of Access Denied (for the main index page). And yes I put the new name in the config without extension. So I've put it back to what it was and it works fine. My problem didn't just occur from an Admin panel though, I just refreshed my main site page and got that error.

I'll go with the advice of leaving it as "admin" in config.

Yes I know, this is three years later but I felt it necessary to resurrect this post since it was the answer to my current problem.

Posted: Sat Aug 26, 2006 10:10 am

No you are on the current public release (and was the current public release at the time I posted).
The *next* release which is due to go into QA testing any time now is v2.10.00 and was the one I was referring to as the *next* release - just for clarity Smile

I'm still finding so many older modules and stuff that reference a hard coded admin file which will break when the location of the admin file is changed so for backward compatibility I still recommend leaving things in there default setting.

Yes, as you rightly point out, there were a few references we missed in v2.02.02 but these are definitely fixed in v2.10.00

Posted: Sat Aug 26, 2006 10:48 am

I'd like to get in on that testing and upgrade/Q&A for 2.10.00 since I plan to continue being very involved in this site I'm now creating. I'd like to get this site functioning correctly as is and then somehow back up the whole thing and then create yet a third so I can use the third to experiment in. I'm not sure how I'd do that tho LOL.

OH my, I just realized that my reference to *three year old post* was incorrect! I was looking at the Joined: dates, not the posted dates ... I'm sooooooooo sorry!

OK now, another thing I've noticed that I cannot do as suggested in the admin.php file is:

//Uncomment the following lines after setting the site url in the Administration
//global $domain;
//if (!stripos_clone($_SERVER['HTTP_HOST'], $domain)) {
// die("Access denied");
//}

If I do uncomment that out I can refresh my main site page ok but my Admin page shows Access Denied so I've had to go back in and use the // again. The site admin page is correct and works fine if I don't comment those lines out. Not sure why that is!?

Posted: Sat Aug 26, 2006 11:43 am

Bluezzz, You do not need to comment that out nor do folks need to rename their admin.php files. These were all very lame attempts by the author of PHP-Nuke (FB, NOT Raven) to give a sense of "security". NukeSentinel is protecting your admin.php file so you just need to let it do its job...

Posted: Sat Aug 26, 2006 2:13 pm

THANK YOU for those assurances! I did notice that for both of those attempted changes I got Access Denied results so I put them both back to normal (defaults).

All I can say to others is ... if the site works good for you at any time do a backup from Admin for both site & forums AND then before you make any changes to any .php or .access type files do a backup of it in case you need to *go back*, these procedures have saved me alot of time and trouble in the long run!

I guess I need to work on my Sentinel next, the module is on but I have to get the blocks going ... and even so, in the module from the instructions on the Install help pages I'm STUCK on the CGIAuth part LOL ... workin it out tho!

Posted: Sat Aug 26, 2006 2:44 pm

Well, ok, so its not protecting your admin.php file as yet... Gotta get that CGIAuth working luv!

Posted: Sat Aug 26, 2006 2:46 pm

Dang it!

I'm still getting with my host to find out why HTTPAdmin isn't there ... I think they've got my site as a module on Apache (thus CGIAuth) and not however it *should be* ... I really, really don't wanna do those recommended steps cause I'm afraid I'll mess it up LOL

Posted: Sat Aug 26, 2006 4:55 pm

Cgiauth is VERY affective none the less.

Posted: Sat Aug 26, 2006 5:00 pm

The instructions on how to make it work in that mode are kinda scary tho, I'm pretty good at this stuff but I'm sorta scared of this step ... last time I installed a phpnuke site it was HTTP ready so I didn't have to make changes to that in Sentinel, this site is a different host. Would someone care to explain the differences and how either one is effective? Maybe if I understand why I need to make these changes it'll help me when I tackle that.

Posted: Sat Aug 26, 2006 5:29 pm

There are many hacks (and not in a good sense) out there which were attacking vulnerabilities in the admin.php?<blah blah blah>... Although the patches assembled and distributed by Chatserv over the years closed many of those "holes", drop in a new module that is not written well, and new vulnerability.

HTTPAuth/CGIAuth protection on the admin.php script just gives an extra layer of "protection" in that in order to use that script AT ALL, they would have to figure out the login name and password. (Very similar to using cpanel to password protect a directory on your website.)

It is a very good thing to do and very much encouraged... Wink

Just follow the instructions in the HowToInstall manual related to the setup of CGIAuth and you should be fine. If you run into issues that you cannot figure out, search on CGIAuth here in the forums and you will find a wealth of historical knowledge...

Posted: Tue Aug 29, 2006 11:59 am

I have searched to no avail. If I leave in those 8 lines in (generated during setup of Sentinel) I get the login box continually popping up until after the third time when I get Authorization Failed page. I have the correct path in, I am using the right username/pw. I do have to run in CPIAuth unfortunately. I've had to comment out those sentinel lines in order to get back into my site. This is the last major hurdle before I open the site & I will continue searching but I need to get this fixed right ... any help would be appreciated!

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

Bluezzz, did you ever resolve this? And just for the record, even though we distinguish between HTTP and CGI authorization, they are one and the same from the browser standpoint. The difference is where the userid and password confirmation comes from. PHP does not pass the variables when compiled as CGI.

Posted: Tue Sep 05, 2006 11:59 pm

Again I think I resolved this and posted on another post. Yes, I am using the CGIAuth and had issues with it ... I redid the file that had those 8 lines and it was fine thereafter, seems I had the initial file wrong somehow ... fixed now tho. Thanks for answering Raven : o}

I do have to tell you that darklord, montego and Guardian2003 have been tremendous help and they are much appreciated! I think my site is working pretty good except one Forums admin concern which I've posted about and will double check soon to see if I did something wrong there. Thank you all!