Fix For All Admin.php Exploits (Maybe?)

Raven · Posted: Mon Jul 19, 2004 7:52 am

Well, sorry to here about the dDos atack, but I am glad to hear that your website is safe!

jonmcc33 · Posted: Mon Oct 04, 2004 11:13 pm

Question:

In PHPNuke 7.5 the auth.php file is no longer used so where would you put the following code in the admin.php file:

Code:

require_once('myprivatefile.php');
require_once('basicauthfile.php');

I've been using your script since PHPNuke 7.1 and it's been awesome. I'd like to continue using it.

Raven · Posted: Tue Oct 05, 2004 12:06 am

Actually auth.php is still used - it's just already included in admin.php instead of being an 'included' file. In admin.php, find

Code:

if (ereg("[^a-zA-Z0-9_-]",trim($aid))) {
die("Begone");
}
$aid = substr("$aid", 0,25);
$pwd = substr("$pwd", 0,18);

which is the beginning of the auth.php code. Place the 2 require_once statments right before the above code like

Code:

require_once('myprivatefile.php');
require_once('basicauthfile.php');
if (ereg("[^a-zA-Z0-9_-]",trim($aid))) {
die("Begone");
}
$aid = substr("$aid", 0,25);
$pwd = substr("$pwd", 0,18);

Having said that, I would strongly recommend using NukeSentinel instead as it incorporates all of my original script and so much more for protection.

mrisis · New Member Joined: Jan 01, 2005 Posts: 3

Edited

Raven · Posted: Sat Jan 01, 2005 2:22 pm

HTTPAuth is the default NukeSentinel authorization method. It does not require .htaccess.

mrisis · New Member Joined: Jan 01, 2005 Posts: 3

Yes, But only when you run it as an apache module

Raven · Posted: Sat Jan 01, 2005 2:31 pm

I understand that. But, that's what your link provides, standard HTTPAuth, so, that's why I responded in kind.

mrisis · New Member Joined: Jan 01, 2005 Posts: 3

Very good point, dont take me wrong as I use sentinel on my main site

MaSePoes · New Member Joined: Apr 11, 2005 Posts: 21

this is one of the best methods I've used. I use them on all my sites. In fact I didn't use it on one site and that one got hacked. For months I haven't been hacked becuase I use this method with Nuke Sentinel.

okay one can never be 100% secure, but you can try.

Raven · Posted: Fri Jul 01, 2005 7:52 am

Thanks for the testimonial RavensScripts

hero · New Member Joined: Oct 08, 2005 Posts: 4

Hi Raven,

I'm newbie at phpnuke. I have a server with nukesentinel installed. I was actually looking for a very secured HTTP AUTH program for my site. Luckily, I found this topic and follow every single instruction that you wrote here. Fortunately, I made it work on my site without any errors. Thanx dude !!!!

There is one question I wanted to ask..... since you said the beauty about those 2 files ( myprivate.php & basicauthfile.php) are that we can put it any where we want. Right now I placed those 2 files inside my html folder and its working. But, my question is, what if I wanted to put those files outside my html folder ? Are these still gonna work ?

I am running my server through my computer. So, I want my admin can only access to the admin.php from my computer not any other remote computer. How, can I make this work ? Any help will be appriceated.

Thanx in advance

hero · New Member Joined: Oct 08, 2005 Posts: 4

actually I just changed the path of those 2 files which is out of my html folder ...and its working !!!!!!

require_once('c:\Myserver\myprivatefile.php');
require_once('c:\Myserver\basicauthfile.php');

do you think that will do the trick ? do you think people can access to my admin.php file from remote computer ????

Raven · Posted: Sat Oct 08, 2005 7:49 am

That should do the trick. Regardless of where those files are stored, it provides the same protection. The added benefit of moving the files outside of the web root is that there is no way that they can view the files from their browser unless you have bad code elsewhere that allows a hole or access otherwise.

CoffeeOD · New Member Joined: Nov 05, 2005 Posts: 11

Hey Raven, im using phpnuke 7.7 and this script looks nice but (thereï¿½s always but, eh?) I dont find this line

Code:

require("auth.php");

I thinked that I could place it before

Code:

require_once("mainfile.php");

, but I wanna be sure.

[admin.php - admin fix] Also, I tried that admin fix you said earlier (http://www.ravenphpscripts.com/postt345.html), but I cannot find

Code:

require_once("mainfile.php");
get_lang(admin);

in my include/auth.php and I dont got any other auth.php

[auth.php admin fix] I tried that admin fix you said earlier about auth.php, (http://www.ravenphpscripts.com/postt349.html), I dont find those two starting lines, my starting lines are

Code:

if ( !defined('IN_PHPBB') )
{
die("Hacking attempt");
exit;

I didnt see answers in those threads, or maybe I didnt look enough. I use newest Sentinel and thanks for that, itï¿½s great tool and just the thing I have been looking for.

Raven · Posted: Mon Jan 16, 2006 8:36 am

As stated above, auth.php was integrated into admin.php in v7.5. But if you use NukeSentinel(tm) this thread is irrellevant.

redhairz · Worker Joined: Nov 17, 2006 Posts: 222

i think someone hacked my phpmyadmin when i log out exit it promt me wrong user and wrong password could it be hacked?

evaders99 · Posted: Mon Dec 04, 2006 4:39 pm

I'm not sure what you mean. You say you cannot log into phpMyAdmin?
Or the saved forms in your browser are incorrect - that just sounds like a browser thing

redhairz · Worker Joined: Nov 17, 2006 Posts: 222

hey evaders99 Smile

i always get this (Wrong username/password. Access denied.) when exiting from phpmyadmin...... i can use the phpmyadmin but when i login out as exit i will get the message above. becos there have been 2 incident when hacker deleted all the DB. the hosting admin restored back eventually. my question is could the hacker edit the user of the phpmyadmin which cause the above message to appear? i login into the phpmyadmin from cpanel mysql. what is your view? i had disable ftp and change pword. could the hacker hack into the nuke portal to do that kind of damage? from admin or folder cmod 777?

evaders99 · Posted: Mon Dec 04, 2006 9:17 pm

I don't think so. It may just be its trying to read some login value that is no longer there since you logged out. Don't worry about

shock1964 · New Member Joined: Apr 28, 2007 Posts: 1

hey, i got this md4 bf off of a friend. the creator is matthias fichtner and its supposed to unlock the halo 3 beta on my xbox 360, can anyone tell me what it really does? i can send u the file if u email me or add me on my msn

Only registered users can see links on this board!
Get registered or login to the forums!

evaders99 · Posted: Sat Apr 28, 2007 11:12 pm

What? This has nothing to do with this thread, or phpNuke for that matter.
Spam?