HTTP Basic Authentication against vB-Accounts
Andreas
02-12-2004, 10:00 PM
Seeing all those "user integration" requests over and over again I made a small "hack" (not really as no tables, templates or files are modified ;)) that might be useful if you want to give access to non-forum content based on forum accounts:
HTTP Basic Authentication against vB user table
------------------------------------------------
This "hack" allows you to use HTTP Basic authentication
(password protected directories) based upon vB accounts.
Update Version 0.2
------------------
I've added a configuration option to the .htaccess so
you can specify which usergroup (only one for the moment)
you want to grant access.
If you don't need this feature just leave the line commented out.
Requirements
------------
- vBulletin 3 (at least the user table) ;)
- Apache/mod_perl compiled with support for PerlAuthenHandler
- Basic Authentication feature enabled to be used in .htaccess
Installation
------------
1) Edit vBAuth.pm, fill in the configuration settings (database, etc.)
2) Put vBAuth.pm in your Perl Apache-Modules directory
3) (Optional) Edit .htaccess to meet your requirements
4) Put .htaccess in the directory you want to protect
genmud
02-13-2004, 12:47 PM
Great hack, I am gonna make a members area, and then Install it & press the install button ;)
tamarian
02-13-2004, 03:10 PM
Clicks install :)
Great idea, I'll find some use for it. Possibly access to ad-free content outside the forum for paid subscription group.
gmarik
02-13-2004, 03:37 PM
Any screenshots of the use of this .htaccess ?
Andreas
02-13-2004, 06:27 PM
@tamarian
You'll have to modify the query to check usergroup/membergroup too.
I'll see if it is possible to make that configurable via the .htaccess
@gmarik
Hmm ... there are no visual effects, so which screenshot do you want to have?
A directory listing showing the .htaccess?
An authorization required dialog (I guess everybody knows that already, at least from vB.com member area)?
Andreas
02-13-2004, 10:08 PM
Update Version 0.2
------------------
I've added a configuration option to the .htaccess so you can specify which usergroup (only one for the moment) you want to grant access.
If you don't need this feature just leave the line commented out.
This is great hack, I'm gonna try it out.
I'm confused about the directory, what exactly the name of the folder should I put the file vBAuth.pm to? CGI folder?
Xenon
02-13-2004, 11:44 PM
Yep, looks pretty good :)
Andreas
02-14-2004, 12:20 AM
@Nam
You must put that in your Perl Apache-Modules directory.
The exact location depends on your system, on my crappy webserver it is /usr/lib/perl5/vendor_perl/5.6.1/i386-linux/Apache
So this one require root access? Lucky I have it, but mine is a little different, no Apache
it is /usr/lib/perl5/vendor_perl/5.8.0/i386-thread-multi/ then I see No Apache but auto, Bundle, Crypt, Filter, filter-util.pl, HTML, XML, now which one should I put in? or just put in i386 folder and that's it?
Using whereis apache it shows the /usr/local/apache
I've tried both but I got internal error, hmn...
Andreas
02-14-2004, 12:47 PM
Yes, root access is required.
> Using whereis apache it shows the /usr/local/apache
That's apache itself ;)
Try
find / -name Apache
Does that give you any directory within the perl root? If so put it there.
If not create a directory called Apache within the perl includes search path and put it there.
> I've tried both but I got internal error, hmn...
What's in error.log?
I see the Apache dir in /usr/lib/perl5/site_perl/5.8.1/Apache then I use wget www.mysite.com/vBAuth.pm.
But then when I uploaded the .htaccess to the folder I want to protect, I got an error:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@mysite.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
my apache version is 1.3.29 and I did change database configuration in vBAuth.pm.
Andreas
02-14-2004, 07:52 PM
So once again:
What error-messages do appear in error.log (don't know the path on your system - might be /var/log/httpd/error.log or smth. like that)?
The reason I didn't post error.log because I didn't know where is that file :(, and now knowing and seeing the location /var/log/httpd but it's empty in that folder. Should I give up? It's such a great hack for many features in my board.
Andreas
02-14-2004, 08:46 PM
Hmm ... must be somewhere ;)
The location of the error logs is defined in httpd.conf, but where your httpd.conf resides ... don't know, maybe /etc/apache/httpd.conf
If not try
find / -name httpd.conf
to lookup where httpd.conf is
Or directly search for error.log
find / -name error.log
dontpanic
02-17-2004, 12:53 AM
OK...if I am running Apache locally, where does this need to go to work?
Andreas
02-17-2004, 01:23 AM
You must put vBAuth.pm in your Perl Apache-Modules directory.
dontpanic
02-17-2004, 10:44 AM
Heh, I'll have to look into that more, not sure that even exists yet. :)
dontpanic
02-19-2004, 02:25 AM
KirbyDE, do you have any suggestions or ideas on alternative ways to achieve basic authentication against the vB user table. I don't think the module way is going to work out for us...but it is a cool hack none the less. :)
Chrissicom
03-06-2004, 03:31 PM
is there any way to make this hack IIS compatible, or is there a similar IIS compatible hack?? .htaccess is useless on IIS.
Andreas
03-06-2004, 03:50 PM
No. This hack will only work with Apache (who uses IIS anyway ^.^).
For IIS an ISAPI Authentication Filter would be required.
I am not at all familiar with IIS (haven't used it yet) but I'll try to write one, although this might take some days.
Chrissicom
03-06-2004, 04:24 PM
would be great to have this working with IIS :)
Rampag33
03-11-2004, 04:37 AM
Great mod. Will have to wait to see if the admin has the mod_perl compiled.
Yoshy
03-11-2004, 01:02 PM
Bug:
1st line of vBAuth.pm is package Apache::vBAuth2;
In the .htaccess it's PerlAuthenHandler Apache::vBAuth
You might want to put PerlAuthenHandler Apache::vBAuth2 in the htaccess ;)
Also on my server I had to remove PerlOptions +GlobalRequest to make it work.
This is perfect for my test forum ! Thanks
* Yoshy installs !
Rampag33
03-11-2004, 04:41 PM
don't have that module installed or I would install it. Damn and I was so close.
my username
04-15-2004, 07:45 PM
So much for all the work the vb team has spent on making the application as secure as possible (application-level security).
HTTP basic auth. (http://www.ietf.org/rfc/rfc2617.txt) sends the password in clear text for every HTTP-request made to the server (when using cookies you're at least able to transfer a hashed version of the password for each request)...this is why the W3C tell you NOT to use HTTP basic auth.
Why not just include/require global.php in the scripts that are "off-forum"?
http://www.w3.org/Security/Faq/wwwsf2.html
http://www.xiven.com/sourcecode/digestauthentication
JohnBee
11-15-2004, 02:49 AM
Any chance this mod will get out of beta?
I want to install it on my server but the admins will not add beta material
on serverside.
AN-net
11-15-2004, 03:06 AM
wow great hack!!! wish i had root access :(
HiDeo
11-15-2004, 03:36 AM
Nice jobs, thanks ;)
JohnBee
11-16-2004, 10:16 AM
My hosting company will not add any Beta files to their serverside
modules, can you tell me if you have any plans of moving this to
full release anytime soon?
Bison
11-23-2004, 03:47 AM
> wow great hack!!! wish i had root access :(
There is a hack like this that doesn't require root access and written in php. I think I have it somewhere on my PC.
EDDIE!
11-29-2004, 03:19 AM
I really need help ASAP. I uploaded this to my server and when I go to my site, I got the following error:
The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot be displayed.
HTTP 500 - Internal server error
Internet Explorer
I tried editing the .PM file, but that doesn't work. If anyone can help me, please let me know ASAP.
Andreas
01-24-2005, 12:28 AM
> HTTP basic auth. (http://www.ietf.org/rfc/rfc2617.txt) sends the password in clear text for every HTTP-request made to the server (when using cookies you're at least able to transfer a hashed version of the password for each request)...this is why the W3C tell you NOT to use HTTP basic auth.
I know that.
But unfortunately, using digest authentication is not an option, because then we will get md5('Username:Realm:Password').
But in the user table there is only md5(md5('Password') . $salt).
> Why not just include/require global.php in the scripts that are "off-forum"?
If you want to protect files there is no script.
The only way to do so would be to keep files out of the document root and use a script to read them.
What I am currently thinking of is a new Apache authentication module which checks the sessionhash (or bbuserid bbpassword) cookies, and if they are not valid redirects to login.php.
Carnage
01-26-2005, 10:38 AM
> I know that.
> But unfortunately, using digest authentication is not an option, because then we will get md5('Username:Realm:Password').
> But in the user table there is only md5(md5('Password') . $salt).
well... could you not store using another script MD5(username:realm:password) ?
If you had a link somewhere so that users can request access to secure areas and you asked them to put in their username and password into a form then used the MD5 javascript from vb3 to send:
username
MD5(password) //for checking its the same as their forum password and is the same user...
MD5(Username:realm:password)
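An added illustration of the trade-off debated in the posts above (not code from the thread or from vBAuth.pm): Basic auth delivers the plaintext password on every request, which is exactly why it can be checked against the md5(md5(password) . salt) value in the user table, while the Digest HA1 value can only be derived at a moment the plaintext is presented, as in the enrollment idea. Function names, the sample user row and the realm are constructed assumptions; hex digests are assumed for the hash scheme.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def vb_hash(password, salt):
    # Scheme quoted in the thread: md5(md5(password) . salt); hex digests assumed.
    return md5_hex(md5_hex(password) + salt)

def parse_basic(header):
    """Return (username, password) from an Authorization header value, or None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None

def password_ok(username, password, users):
    row = users.get(username)
    if row is None:
        return False
    return hmac.compare_digest(vb_hash(password, row["salt"]), row["password"])

def check_basic(header, users):
    # Basic auth hands the server the plaintext, so the vB hash can be recomputed.
    creds = parse_basic(header)
    return creds is not None and password_ok(creds[0], creds[1], users)

def digest_ha1(username, realm, password):
    # RFC 2617 Digest needs HA1 = md5(username:realm:password), i.e. the plaintext.
    return md5_hex(f"{username}:{realm}:{password}")

def enroll_digest(username, realm, password, users):
    """Derive HA1 only when the plaintext is presented and matches the vB hash."""
    if not password_ok(username, password, users):
        return None
    return digest_ha1(username, realm, password)

# Constructed sample data (not from the thread).
USERS = {"alice": {"salt": "x9Q", "password": vb_hash("s3cret", "x9Q")}}
HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
BAD_HEADER = "Basic " + base64.b64encode(b"alice:nope").decode("ascii")
```

Because the Basic header is only base64, anyone who can read the request recovers the password, so a directory protected this way belongs behind TLS.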
Crazy Serb
05-24-2005, 04:24 AM
any update on this? I don't have root access, and I'm looking for a way to protect directory full of non-html/php files, and make it accessible only to certain usergroups... damn, how hard can that be?
sensimilla
03-29-2007, 02:24 PM
I'm bumping this thread because I am in need of this hack.
Is there any chance to release it for vbulletin 3.6 ?
Thanks in advance.
mhmd1983
04-13-2007, 07:39 AM
> I'm bumping this thread because I am in need of this hack.
> Is there any chance to release it for vbulletin 3.6 ?
> Thanks in advance.
Yes me too , let me say it's a very important hack to all paid forum owners ..