htaccess Protection for admincp & any dir


Omranic
01-12-2006, 10:00 PM
This is a very simple hack.
Its only main function is to add htaccess protection for any dir by adding a few small lines at the beginning of the dir's index.

Our application will be on admincp's index (index.php).

Description: This hack adds htaccess protection to any folder by adding a few small lines to its index.php file. The user name & password for this protection are determined by two variables in the same file. If the data entered is wrong, the page shows a black background with a title (Unauthorized) & content that says (Enter Here Only); clicking it directs to the forum's root (index.php by default). This means double security (like Look THIS (http://vbulletin.com/forum/admincp)).

Please Note: The default user name & password for entering through this protection is (User: 123 / Pass: 321). See the last two lines to know how to change these values.

Installation:
Open the file index.php present in the dir admincp & search for the following code:
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/

& put under it the following code:
$index['public'] = $index['public'];
$phpkd['username'] = "123"; // Here is the user name
$phpkd['password'] = "321"; // Here is the htaccess password

if (!$index['public']) {
    // PHP_AUTH_USER / PHP_AUTH_PW are unset until the browser sends credentials
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // Strict comparison: with != a numeric string such as "0123" would match "123"
    if ($user !== $phpkd['username'] || $pass !== $phpkd['password']) {
        header("WWW-Authenticate: Basic realm=\"Highly Secured\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>
<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">
<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a></center></body></html>";
        exit;
    }
}


Note 1: Change the values of the two variables $phpkd['username'] / $phpkd['password'] to the username & password needed, & note not to change this: $index['public'] = $index['public'];

Note 2: This protection gives the authority to enter to only the username & password defined in the file (above modification). After passing through this htaccess protection you will find the normal vbulletin admincp login screen, & then you can go on with the normal admin data recorded in the forum itself.

Hope I have explained enough for beginners.
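
Added example (not part of the original post or of vBulletin): a variant of the same index.php gate that accepts more than one account, checks passwords against hashes with password_verify() (PHP 5.5 or later), and also reads the raw Authorization header, because PHP_AUTH_USER and PHP_AUTH_PW are typically empty when PHP runs as CGI/FastCGI unless the web server passes that header through. The account names, demo passwords and the two helper function names are assumptions made for illustration.

```php
<?php
// Added example; account names and passwords are constructed for the demo.
// In real use, paste the stored output of password_hash() here instead of
// calling it with a plaintext literal.
$admins = array(
    'admin_one' => password_hash('constructed-demo-pass-1', PASSWORD_DEFAULT),
    'admin_two' => password_hash('constructed-demo-pass-2', PASSWORD_DEFAULT),
);

// Return array(user, pass) sent by the browser, or null if none was sent.
function basic_credentials(array $server)
{
    // mod_php decodes the Authorization header into these two keys.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return array($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']);
    }
    // Fallback for CGI/FastCGI: works only if the server passes the header on.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (isset($server[$key]) && stripos($server[$key], 'Basic ') === 0) {
            $decoded = base64_decode(trim(substr($server[$key], 6)), true);
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                return explode(':', $decoded, 2);
            }
        }
    }
    return null;
}

// True only for a listed user whose password matches the stored hash.
function is_authorized($creds, array $admins)
{
    if ($creds === null) {
        return false;
    }
    list($user, $pass) = $creds;
    return isset($admins[$user]) && password_verify($pass, $admins[$user]);
}

if (!is_authorized(basic_credentials($_SERVER), $admins)) {
    header('HTTP/1.0 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="Highly Secured"');
    echo '<html><head><title>Unauthorized</title></head><body>'
        . '<a href="../index.php">Enter Here Only</a></body></html>';
    exit;
}
```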

JsnakeJ
01-13-2006, 04:27 AM
Nice work, isn't the admincp already protected enough though?

Hornstar
01-13-2006, 07:03 AM
You can never protect your forum enough. Very nice work and this will be getting used by me. Thanks

Logikos
01-13-2006, 07:04 AM
Nice work, isn't the admincp already protected enough though?

Apparently vBulletin Developers don't think so :p

http://www.vbulletin.com/forum/admincp

FleaBag
01-13-2006, 07:14 AM
Looks like they do now!

evenmonkeys
01-13-2006, 07:26 AM
I used to as well. I don't anymore because it's annoying. =P

Blackbeard
01-13-2006, 07:46 AM
this is great m8 well done, could this be changed to add to say a forum on our site, where different usergroup needs access to a forum

IrPr
01-13-2006, 10:59 AM
I don't know why, but it doesn't work for me on 3.5.3 :(

Sooner95
01-13-2006, 11:34 AM
you can do this via your Cpanel's too..

And, yes can never have enough.

Omranic
01-13-2006, 12:05 PM
This is for extra protection

Blackbeard ===> Till now I can't find any way to get data from database
but i'm searching & trying for that

Moosa ===> It must work fine coz it doesn't depend on the vbulletin code; it's related to the PHP language in general, so u must follow my steps carefully & u will get it right.

Mastar
01-13-2006, 02:44 PM
It Doesn't Work On My VB3.53

coffeefix
01-13-2006, 02:59 PM
I added this to my 3.5.3 and when I entered my username and password it was not being recognized. The box just kept popping back up and then I got taken to the "enter here" screen. uninstalled.

Mastar
01-13-2006, 03:08 PM
Uninstalled also. You Probably need to give better or more detailed instructions.

Omranic
01-14-2006, 04:33 PM
Topic has been rewritten
Read it carefully

coffeefix
01-14-2006, 04:37 PM
so basically, this only gives 1 person access to the ACP? That would be the person, whose username and password you put in the index.php

Omranic
01-14-2006, 04:40 PM
yes
it's exactly as you said

IrPr
01-14-2006, 06:54 PM
any way to read from database ?

Omranic
01-15-2006, 10:19 AM
any way to read from database ?

Till now I have no Idea but i'm searching for that

PixelFx
01-16-2006, 10:19 AM
Till now I have no Idea but i'm searching for that

This is great. How hard would it be to add an on / off switch in your admin cp for this? aka, let's say you could turn it off when you're working on your site, but then afterwards turn this feature on in the admin, for when you're not doing regular work on the forum? as an example :D

XFSImperial
01-17-2006, 12:19 AM
Thanks for the mod, works fine.

*install*

Omranic
01-21-2006, 04:31 AM
This is great. How hard would it be to add an on / off switch in your admin cp for this? aka, let's say you could turn it off when you're working on your site, but then afterwards turn this feature on in the admin, for when you're not doing regular work on the forum? as an example :D

yes, it's hard till now (at least for me). Maybe someone else has a better solution & can improve this.

Zia
01-26-2006, 05:05 PM
sounds nice & helps to make acp more secure

clicked install.

jj
01-26-2006, 06:48 PM
Till now I can't find any way to get data from database but i'm searching & trying for that

To use this with .htaccess is only possible if the apache server has been compiled with mod_auth_mysql or has it as loadable module.

Find out more about .htaccess and mod_auth_mysql here:
http://www.widexl.com/scripts/documentation/htaccess.html#auth_mysql

Omranic
01-26-2006, 07:41 PM
To use this with .htaccess is only possible if the apache server has been compiled with mod_auth_mysql or has it as loadable module.

Find out more about .htaccess and mod_auth_mysql here:
http://www.widexl.com/scripts/documentation/htaccess.html#auth_mysql

Thats Great
But what about Servers That Haven't the mod_auth_mysql Module Installed & have not SSH Access & not having intense to install any modules ? Is there Any Way ?

Mudvayne
01-27-2006, 03:34 AM
is it possible to do it the same as vb.com? plzzzzzzzzzzzzzzzzzzzzzzzzz.. I meant it 'll load an error page named authentication failed.. Like...

You hav failed to authenticate ur identity.. U r now automatically redirected to forum index..

/me clicks install

P.S: I'm using vB 3.5.3.. It seems not working :ermm:

Aligator21
01-27-2006, 05:01 AM
nice!!!
installed! :)

jj
01-27-2006, 09:36 AM
Thats Great
But what about Servers That Haven't the mod_auth_mysql Module Installed & have not SSH Access & not having intense to install any modules ? Is there Any Way ?

No, if the module is not available the apache server cannot connect to a mysql database.

is it possible to do it the same as vb.com? plzzzzzzzzzzzzzzzzzzzzzzzzz.. I meant it 'll load an error page named authentication failed.. Like...

If your provider allows it, you can do that by adding this line ErrorDocument 401 /401.html into your existing .htaccess file in the document_root of your apache server. If no .htaccess file exists, just create one. Afterwards you have to place a self-made 401.html or 401.php or whatever file in your document_root, to get it to work.

If you choose to create a directory for your custom apache errorpages like errorpages in your document_root the line has to look like this
ErrorDocument 401 /errorpages/401.html or
ErrorDocument 401 /errorpages/401.php depending on what filetype you want to use.

You can create custom errorpages for every http-errorcode like 404 (not found), 500 (script error) and so on...

Mudvayne
01-27-2006, 01:22 PM
Dear j.jacobsen..
Thnx for the solution.. As I use Custom HTML Error Page hack I already hav the error page.. So I just need to change the code..

$index['public'] = $index['public'];
$phpkd['username'] = "123"; // Here is the user name
$phpkd['password'] = "321"; // Here is the htaccess password

if (!$index['public']) {
    // PHP_AUTH_USER / PHP_AUTH_PW are unset until the browser sends credentials
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // Strict comparison: with != a numeric string such as "0123" would match "123"
    if ($user !== $phpkd['username'] || $pass !== $phpkd['password']) {
        header("WWW-Authenticate: Basic realm=\"Highly Secured\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>
<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">
<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a></center></body></html>";
        exit;
    }
}

Question is whr to change the code to call the 500 error page?

Hav anybody try it successfully in vB 3.5.3? Coz mine isn't working :(..

Omranic
01-28-2006, 05:08 AM
Dear j.jacobsen..
Thnx for the solution.. As I use Custom HTML Error Page hack I already hav the error page.. So I just need to change the code..

$index['public'] = $index['public'];
$phpkd['username'] = "123"; // Here is the user name
$phpkd['password'] = "321"; // Here is the htaccess password

if (!$index['public']) {
    // PHP_AUTH_USER / PHP_AUTH_PW are unset until the browser sends credentials
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // Strict comparison: with != a numeric string such as "0123" would match "123"
    if ($user !== $phpkd['username'] || $pass !== $phpkd['password']) {
        header("WWW-Authenticate: Basic realm=\"Highly Secured\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>
<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">
<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a></center></body></html>";
        exit;
    }
}

Question is whr to change the code to call the 500 error page?

Hav anybody try it successfully in vB 3.5.3? Coz mine isn't working :(..

Dear Shuvo, this hack doesn't depend on your vBulletin version or bulletin type at all

it's server-side work that depends on your apache

You Must observe that the Default value (User: 123 / Pass: 321) & Not as recorded in the database & this has been mentioned in the thread's first post

regarding to changing the error page to error 500 you must change the following line
HTTP/1.0 401 Unauthorized
& it will do that for you


any questions I'm here For answers
best wishes

Mudvayne
01-28-2006, 03:42 PM
Okiz SolidSnake@GTI I hav a question.. I'm a really dumb abt this coding thing.. So I'll b glad if u help me out.. If I wanna use..
User: Shuvo
Pass: golpo

& call 500/501 error page.. Thn what 'll the xact code? Would u plz write it for me here? Plz..

Note: Sorry my english :confused:

Omranic
01-28-2006, 09:12 PM
hey
I tried the code with error pages & Only the 401 error success & other not

So you may use it as 401 error & regarding to the User: Shuvo Pass: golpo
Take the following code:

$index['public'] = $index['public'];
$phpkd['username'] = "Shuvo"; // Here is the user name
$phpkd['password'] = "golpo"; // Here is the htaccess password

if (!$index['public']) {
    // PHP_AUTH_USER / PHP_AUTH_PW are unset until the browser sends credentials
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // Strict comparison, so only the exact strings set above are accepted
    if ($user !== $phpkd['username'] || $pass !== $phpkd['password']) {
        header("WWW-Authenticate: Basic realm=\"Highly Secured\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>
<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">
<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a></center></body></html>";
        exit;
    }
}

Mudvayne
01-30-2006, 08:09 AM
dont know the reason but its not working.. Asking for pass randomly.. :(

RFViet
01-30-2006, 12:51 PM
yes
it's exactly as you said

If I have 2 admins then It doesn't work !!! :disappointed:

Mudvayne
01-31-2006, 09:16 AM
Yaiiiiiiiiiiiiii.. I did it.. But with .htaccess..

try http://www.golpo.net/forum/admincp/index.php :D:D:D

Omranic
02-14-2006, 05:29 AM
Yaiiiiiiiiiiiiii.. I did it.. But with .htaccess..

try http://www.golpo.net/forum/admincp/index.php :D:D:D

that's possible also

you can post it here, I think it will be useful for some

JJH35
02-16-2006, 10:30 PM
or you could have just used this for each folder
# ip1, ip2, ip3 etc.: the addresses to block, separated by spaces
order allow,deny
allow from all
deny from ip1 ip2 ip3

Mudvayne
02-17-2006, 02:59 AM
you can post it here, I think it will be useful for some
Sorry brother.. I'm a bit late.. It's easy.. Hope someone might get help..

I did it with an online .htaccess password generator tool.. Well go to .htaccess pass generator site (http://tools.dynamicdrive.com/password/) read the instruction.. It's too easy.. U just need to know ur admincp path.. & plz after process upload the .htaccess & .htpasswd file in admincp folder.. Don't upload it in root folder.. Otherwise entire forum 'll b password protected..

Hornstar
02-18-2006, 05:37 AM
Is there a code to only allow certain IP's?

Mathiau
03-12-2006, 04:02 AM
Sorry brother.. I'm a bit late.. It's easy.. Hope someone might get help..

I did it with an online .htaccess password generator tool.. Well go to .htaccess pass generator site (http://tools.dynamicdrive.com/password/) read the instruction.. It's too easy.. U just need to know ur admincp path.. & plz after process upload the .htaccess & .htpasswd file in admincp folder.. Don't upload it in root folder.. Otherwise entire forum 'll b password protected..

I tried those tools. Generated the info, uploaded the files in ASCII and I know the info I was typing in was right, it was in the right directory, but it just kept popping up as if I was putting in the wrong login info - but I know I wasn't...


For this hack - I put the code into my index.php (main root index.php) and it works - Is this as secure as using a separate .htaccess file? If so then it works great and I would like to use it.

I tested it and put in the wrong info to get the enter here only page, once I hit that the login window that comes up has this info in it


Htaccess login system for **********! If you have a problem with the htaccess or you never recieved a email about the change in the htaccess pass, email me @ ******@wwwsupersite.com and I will help where I can. Thanks!


Where can I edit that? That certainly is not the host of our servers' info so wondering where that is coded.... (I asked the host and he has no idea where that info would be pulled from...)

Mudvayne
03-12-2006, 04:29 AM
I tried those tools. Generated the info, uploaded the files in ASCII and I know the info I was typing in was right, it was in the right directory, but it just kept popping up as if I was putting in the wrong login info - but I know I wasn't...
But bro.. Mine works fine.. here is some info..

http://www.vbulletin.com/forum/admincp
http://www.golpo.net/forum/admincp

http://www.vbulletin.com/forum/modcp
http://www.golpo.net/forum/modcp

http://www.vbulletin.com/forum/includes
http://www.golpo.net/forum/includes

http://www.vbulletin.com/forum/install
http://www.golpo.net/forum/install

:).. So I prefer .htaccess.. Newayz did u upload the .htaccess & .htpasswd in the right directory? If so thn it should work.. Did u use the encoded pass in .htpasswd ?

Nathan2006
03-14-2006, 12:43 PM
Thank you, it's a lot better :)

Install

Just 1 question I added the code as you said, but do you only get 1 login screen or 2?

Meaning should the old login screen appear after the new login box?

Thanks :)


Edit: It's ok, it's fully working now

Thank you :)

mike12345
05-05-2006, 05:25 AM
cool thanks! i will use this

IncredibleHawk
05-05-2006, 05:49 AM
Very Very Nice and thanks, you're a life saver!:banana:

ShadowOne
10-19-2006, 06:34 AM
So You All Are Sayin You Cant Give The Password Out To The Other Admins? I Like It Just For More Security Against Anyone...Why Block From Other Admins?

da420
10-19-2006, 07:04 AM
I've always .htaccess my admin cp via my host cPanel... :)

vietkieu_cz
10-23-2006, 08:27 PM
very useful, thank you very much

manutdvn
11-29-2006, 07:46 AM
Thank you. Do you have any update for this mod?

Hornstar
01-10-2007, 11:06 AM
didn't work for me in 3.6.4, it gave me an error, but it's cool, I'm using cpanel now, it does the job fine.