HTTP Basic Authentication against vB-Accounts
Seeing all those "user integration" requests over and over again I made a small "hack" (not really as no tables, templates or files are modified ;)) that might be useful if you want to give access to non-forum content based on forum accounts:
HTTP Basic Authentication against vB user table
------------------------------------------------
This "hack" allows you to use HTTP Basic authentication (password protected directories) based upon vB accounts.

Update Version 0.2
------------------
I've added a configuration option to the .htaccess so you can specify which usergroup (only one for the moment) you want to grant access. If you don't need this feature just leave the line commented out.

Requirements
------------
- vBulletin 3 (at least the user table) ;)
- Apache/mod_perl compiled with support for PerlAuthenHandler
- Basic Authentication feature enabled to be used in .htaccess

Installation
------------
1) Edit vBAuth.pm, fill in the configuration settings (database, etc.)
2) Put vBAuth.pm in your Perl Apache-Modules directory
3) (Optional) Edit .htaccess to meet your requirements
4) Put .htaccess in the directory you want to protect
|
Great hack, I am gonna make a members area, and then install it & press the install button ;)
|
Clicks install :)
Great idea, I'll find some use for it. Possibly access to ad-free content outside the forum for paid subscription group. |
Any screenshots of the use of this .htaccess ?
|
@tamarian
You'll have to modify the query to check usergroup/membergroup too. I'll see if it is possible to make that configurable via the .htaccess

@gamarik
Hmm ... there are no visual effects, so which screenshot do you want to have? A directory listing showing the .htaccess? An authorization required dialog (I guess everybody knows that already, at least from vB.com member area)? |
Update Version 0.2
------------------
I've added a configuration option to the .htaccess so you can specify which usergroup (only one for the moment) you want to grant access. If you don't need this feature just leave the line commented out. |
This is a great hack, I'm gonna try it out.
I'm confused about the directory, what exactly is the name of the folder I should put the file vBAuth.pm in? CGI folder? |
Yep, looks pretty good :)
|
@Nam
You must put that in your Perl Apache-Modules directory. The exact location depends on your system, on my crappy webserver it is /usr/lib/perl5/vendor_perl/5.6.1/i386-linux/Apache |
So this one requires root access? Lucky I have it, but mine is a little different, no Apache
it is /usr/lib/perl5/vendor_perl/5.8.0/i386-thread-multi/ then I see no Apache but auto, Bundle, Crypt, Filter, filter-util.pl, HTML, XML, now which one should I put it in? Or just put it in the i386 folder and that's it?
Using whereis apache it shows the /usr/local/apache
I've tried both but I got internal error, hmn... |
Yes, root access is required.
> Using whereis apache it shows the /usr/local/apache

That's apache itself ;) Try
Code:
find / -name Apache
If not, create a directory called Apache within the perl includes search path and put it there.

> I've tried both but I got internal error, hmn...

What's in error.log? |
I see the Apache dir in /usr/lib/perl5/site_perl/5.8.1/Apache then I use wget www.mysite.com/vBAuth.pm.
But then when I uploaded the .htaccess to the folder I want to protect, I got an error: Quote:
|
So once again:
What error-messages do appear in error.log (don't know the path on your system - might be /var/log/httpd/error.log or smth. like that)? |
The reason I didn't post error.log is because I didn't know where that file is :(, and now knowing and seeing the location /var/log/httpd but it's empty in that folder. Should I give up? It's such a great hack for many features in my board.
|
Hmm ... must be somewhere ;)
The location of the error logs is defined in httpd.conf, but where your httpd.conf resides ... don't know, maybe /etc/apache/httpd.conf
If not try
find / -name httpd.conf
to lookup where httpd.conf is
Or directly search for error.log
find / -name error.log |
OK...if I am running Apache locally, where does this need to go to work?
|
You must put vBAuth.pm in your Perl Apache-Modules directory.
|
Heh, I'll have to look into that more, not sure that even exists yet. :)
|
KirbyDE, do you have any suggestions or ideas on alternative ways to achieve basic authentication against the vB user table? I don't think the module way is going to work out for us...but it is a cool hack nonetheless. :)
|
is there any way to make this hack IIS compatible, or is there a similar IIS compatible hack?? .htaccess is useless on IIS.
|
No. This hack will only work with Apache (who uses IIS anyway ^.^).
For IIS an ISAPI Authentication Filter would be required. I am not at all familiar with IIS (haven't used it yet) but I'll try to write one, although this might take some days. |
would be great to have this working with IIS :)
|
Great mod. Will have to wait to see if the admin has the mod_perl compiled.
|
Bug:
1st line of vBAuth.pm is
package Apache::vBAuth2;
In the .htaccess it's
PerlAuthenHandler Apache::vBAuth
You might want to put
PerlAuthenHandler Apache::vBAuth2
in the htaccess ;)
Also on my server I had to remove
PerlOptions +GlobalRequest
to make it work.
This is perfect for my test forum ! Thanks
* Yoshy installs ! |
Don't have that module installed or I would install it. Damn and I was so close.
|
So much for all the work the vb team has spent on making the application as secure as possible (application-level security).
HTTP basic auth. (http://www.ietf.org/rfc/rfc2617.txt) sends the password in clear text for every HTTP-request made to the server (when using cookies you're at least able to transfer a hashed version of the password for each request)...this is why the W3C tell you NOT to use HTTP basic auth.
Why not just include/require global.php in the scripts that are "off-forum"?
http://www.w3.org/Security/Faq/wwwsf2.html
http://www.xiven.com/sourcecode/digestauthentication |
Any chance this mod will get out of beta?
I want to install it on my server but the admins will not add beta material on serverside. |
wow great hack!!! wish i had root access :(
|
Nice jobs, thanks ;)
|
My hosting company will not add any Beta files to their serverside
modules, can you tell me if you have any plans of moving this to full release anytime soon? |
Quote:
|
I really need help ASAP. I uploaded this to my server and when I go to my site, I got the following error:
HTTP 500 - Internal server error
Internet Explorer

I tried editing the .PM file, but that doesn't work. If anyone can help me, please let me know ASAP. |
Quote:
But unfortunately, using digest authentication is not an option, because then we will get md5('Username:Realm:Password'). But in the user table there is only md5(md5('Password') . $salt).
Quote:
The only way to do so would be to keep files out of document root and use a script to read them.
What I am currently thinking of is a new Apache authentication module which checks the sessionhash (or bbuserid bbpassword) cookies, and if they are not valid redirects to login.php. |
Quote:
If you had a link somewhere so that users can request access to secure areas and you asked them to put in their username and password into a form then used the MD5 javascript from vb3 to send:
username
MD5(password) //for checking its the same as their forum password and is the same user...
MD5(Username:realm:password) |
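The point made in the two posts above, as an added example (not from the thread and not vBAuth.pm's code): Basic can be checked against vB's md5(md5(password) . salt) because the server sees the password, while Digest needs a stored MD5(username:realm:password). The user, password, salt, realm and nonce are constructed, and the Digest response uses the RFC 2617 form without qop.

```python
import base64
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def vb_hash(password: str, salt: str) -> str:
    # Stored form as stated in the thread: md5(md5(password) . salt)
    return md5_hex(md5_hex(password) + salt)

def check_basic(header: str, users: dict) -> bool:
    # Basic delivers the password itself, so the vB hash can be recomputed.
    scheme, _, blob = header.partition(" ")
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    row = users.get(user)
    if scheme.lower() != "basic" or not sep or row is None:
        return False
    return hmac.compare_digest(vb_hash(password, row["salt"]), row["password"])

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def check_digest(user, response, method, uri, nonce, ha1_table) -> bool:
    # Digest never delivers the password; the server must already hold HA1.
    ha1 = ha1_table.get(user)
    if ha1 is None:
        return False
    return hmac.compare_digest(digest_response(ha1, method, uri, nonce), response)

# Constructed sample data (user, password, salt, realm and nonce are made up).
REALM, NONCE = "Members", "constructed-nonce"
USERS = {"alice": {"salt": "x7Q", "password": vb_hash("s3cret", "x7Q")}}
# What a browser would send for alice / s3cret in each scheme.
BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
CLIENT_RESPONSE = digest_response(md5_hex(f"alice:{REALM}:s3cret"), "GET", "/members/", NONCE)
# Case 1: only the vB user table exists; its hash is not MD5(user:realm:password).
VB_ONLY = {name: row["password"] for name, row in USERS.items()}
# Case 2: HA1 captured once from a login form (password-equivalent for this realm).
CAPTURED_HA1 = {"alice": md5_hex(f"alice:{REALM}:s3cret")}

if __name__ == "__main__":
    print("basic  vs vB table    :", check_basic(BASIC_HEADER, USERS))
    print("digest vs vB table    :", check_digest("alice", CLIENT_RESPONSE, "GET", "/members/", NONCE, VB_ONLY))
    print("digest vs captured HA1:", check_digest("alice", CLIENT_RESPONSE, "GET", "/members/", NONCE, CAPTURED_HA1))
```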
any update on this? I don't have root access, and I'm looking for a way to protect directory full of non-html/php files, and make it accessible only to certain usergroups... damn, how hard can that be?
|
I'm bumping this thread because I am in need of this hack.
Is there any chance to release it for vbulletin 3.6 ? Thanks in advance. |
Quote:
|