vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vBulletin 3.0 Full Releases (https://vborg.vbsupport.ru/forumdisplay.php?f=33)
-   -   HTTP Authentication by User / pass / ip ranges (https://vborg.vbsupport.ru/showthread.php?t=63972)

miz 04-15-2004 10:00 PM
HTTP Authentication by User / pass / ip ranges
 
ok , this is the first hack i post around here so i hope im doing it ok
if not mods please fix me :P
ok, this hack is ment for closed comunity of vbulltien forums that want exstra security against unwelcome guests

this hack adds HTTP Authentication which change acording to username / password

to make the security bit higher i added ip ranges part - mean every users got ip range and if his ip is not wellcome then its not let him in
(can help abit against shared account).

ok so lets start

// run this db query
PHP Code:
ALTER TABLE user ADD ipmasks varchar(250NOT NULL default ''
// open the file admincp/user.php

find :
PHP Code:
print_input_row($vbphrase['email'], 'user[email]'$user['email'], 0); 
below it add :
PHP Code:
print_input_row('ip masks''user[ipmasks]'$user['ipmasks'], 0); 
save the file and upload it back to your server

ok, now u got 2 options :
option1 - put it only in root dir
option2 - put itin root and on admincp/modcp dir

ok
if option 1 then
// open root/global.php

find :
PHP Code:
require_once('./includes/init.php'); 
Below it add :
PHP Code:
//HTACCESS Hack + IP restriction
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Unauthorized login attempts are logged.\n";
    echo "bla";
    exit;
} else {
    //checking database
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'");
    $isvalidip=0;
    if($userinf['userid']){
        // if user exists check if ip is valid $REMOTE_ADDR
        $validip=$DB_site->query_first("SELECT ipmasks FROM user WHERE userid='$userinf[userid]'");
        $validip=explode(" ",$validip['ipmasks']);
        foreach($validip as $testip){
            if ($testip=='') { continue; }
            if (strstr($REMOTE_ADDR,$testip)==$REMOTE_ADDR || stristr(gethostbyaddr($REMOTE_ADDR),$testip)==$testip){
                $isvalidip=1;
                break;
            }
        }
    }
    //checking if the user login is ok & that he connects from a valid ip
    
        $salt $userinf['salt'];
        $pass $userinf['password'];
        $userp md5(md5($_SERVER['PHP_AUTH_PW']) . $salt);
        
    

        
    if ($pass != $userp) {
        //we have a looser:)
        header('WWW-Authenticate: Basic realm="Restricted area"'); 
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Unauthorized login attempts are logged.\n";
        exit;
    }elseif(!$isvalidip){
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Your Ip is not allowed here...Unauthorized login attempts are logged.\n";
        exit;
    }
}
//HTACCESS Hack + IP restriction (end) 
save the file and upload it back to your server

now if u want option 2 then :

open includes/init.php

find :
PHP Code:
    $DB_site->connect($servername$dbusername$dbpassword$usepconnect); 
Below it add :

PHP Code:
//HTACCESS Hack + IP restriction
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Restricted area"');
    header("HTTP/1.0 401 Unauthorized");
    echo "Unauthorized login attempts are logged.\n";
    echo "bla";
    exit;
} else {
    //checking database
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'");
    $isvalidip=0;
    if($userinf['userid']){
        // if user exists check if ip is valid $REMOTE_ADDR
        $validip=$DB_site->query_first("SELECT ipmasks FROM user WHERE userid='$userinf[userid]'");
        $validip=explode(" ",$validip['ipmasks']);
        foreach($validip as $testip){
            if ($testip=='') { continue; }
            if (strstr($REMOTE_ADDR,$testip)==$REMOTE_ADDR || stristr(gethostbyaddr($REMOTE_ADDR),$testip)==$testip){
                $isvalidip=1;
                break;
            }
        }
    }
    //checking if the user login is ok & that he connects from a valid ip
    
        $salt $userinf['salt'];
        $pass $userinf['password'];
        $userp md5(md5($_SERVER['PHP_AUTH_PW']) . $salt);
        
    

        
    if ($pass != $userp) {
        //we have a looser:)
        header('WWW-Authenticate: Basic realm="Restricted area"'); 
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Unauthorized login attempts are logged.\n";
        exit;
    }elseif(!$isvalidip){
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Your Ip is not allowed here...Unauthorized login attempts are logged.\n";
        exit;
    }
}
//HTACCESS Hack + IP restriction (end) 
thats all

*WARNING - IN ANY WAY DONT USE BOTH OPTIONS
its will cuse to the page ask for several time the user/pass
and its will be very buggy.

note :
if user got dynamic ips for exsample :

143.229.64.58
143.229.78.99
145.88.45.68

just add it like that
143.229 145.88
with 1 space between each ip range
dont user * as wildcard.

thats all :P
if u got some qustions or anything , then im here to suport u guys.

Sorry for my very bad english.

lasto 04-16-2004 10:23 PM
cant believe mist this - will give it a test if it stops people sharing ips :)

cheers

Edit - if i add this how will members know the httaccess - will it auto be their username and password from the forums ?

miz 04-16-2004 11:12 PM
for exsample your usename is test and password is mytest
so htaxx user is test and htaxx password is mytest

btw its auto login u to forums so u wont be needed to login again in vbb script

BarBeQue 04-18-2004 10:43 AM
Euhm, this only works when someone actually enters the forums right?

Cause atm i have a .htaccess in the root of my forums dir to protect the root and all subdirs.
It only uses 1 fixed login user/pass.
I would like to have that one use the database user:pass info for each member. Any way to make that file check the user:pass info by using the database instead of the htaxx .passwd file?

miz 04-18-2004 12:35 PM
this is the hack i made
htaxx by user/pass
to make it work
remove your .htacces file

Liquid1ce 04-19-2004 07:16 AM
so if i dont include all the
Code:
ALTER TABLE user ADD ipmasks varchar(250) NOT NULL default '';
+all to do with the ip masks it should just work against the account name/pass>?
if so this is alot simpler than the one in beta forums :D


:P works sweet thnx

miz 04-19-2004 10:44 AM
yes
if u do remove it then its can work with out the ips
i can write this for u if u wish..

Armin 05-02-2004 02:42 PM
@miz

you can a hack post only with user/pass what works without ip

PHP Code:
if (!isset($_SERVER['PHP_AUTH_USER'])) { 
    header('WWW-Authenticate: Basic realm="Restricted area"'); 
    header("HTTP/1.0 401 Unauthorized"); 
    echo "Unauthorized login attempts are logged.\n"
    echo "bla"
    exit; 
} else { 
    //checking database 
    $userinf=$DB_site->query_first("SELECT user.password,user.userid,user.salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'"); 
}
//checking if the user login is ok 
     
        $salt $userinf['salt']; 
        $pass $userinf['password']; 
        $userp md5(md5($_SERVER['PHP_AUTH_PW']) . $salt); 
                    
    if ($pass != $userp) { 
        //we have a looser:) 
        header('WWW-Authenticate: Basic realm="Restricted area"'); 
        header('HTTP/1.0 401 Unauthorized'); 
        echo "Unauthorized login attempts are logged.\n"
        exit; 

    } 
so I think once, however, doesn't work on gold:rolleyes:


what's wrong :devious:

IceCUbe 05-18-2004 09:56 PM
Is there an option to disable IP restriction for certain members ? Shall I try not putting anything in the IP Masks textbox ?

shadow187 06-06-2004 01:48 PM
Don't get this to work.....

It pops up the httpacces box were you fill in you're user/pass

but it comes back, don't think it will check the database for user and pass...

CAn anyone help me on this please...

S.

Sir_Yaro 06-30-2004 06:32 PM
Is it possible to apply this hack for some (specyfied by me) users ?
(only mods & admin for example)

InnerSelf 07-05-2004 03:52 PM
how can i make this hack possible but then without the ipcheck?

and if not, where can i put the valid ips in who can enter? do i have to put for every member the ip in? cant figure it really out.

InnerSelf 07-08-2004 06:39 PM
can someone explain if there is no other way to avoid the ip check how to handle this ip check? how do i control this? you have to put all the ip's in there of all members? i just cant understand this.

Davez 07-08-2004 08:57 PM
[QUOTE=InnerSelf]how can i make this hack possible but then without the ipcheck?QUOTE]

Yeah, I am looking for a working version without ip check!
Can someone help us please ?
Many thanks

InnerSelf 07-14-2004 03:55 PM
Quote:
Originally Posted by miz
yes
if u do remove it then its can work with out the ips
i can write this for u if u wish..
yes please :)

TripLcixx 07-28-2004 06:01 PM
Here's the version without IPmasks:

Open global.php and look for this line:
PHP Code:
require_once('./includes/init.php'); 
Below that line, add the following:
PHP Code:
function authenticate() {
    header("WWW-Authenticate: Basic realm=Please login with your user/pass");
    header("HTTP/1.0 401 Unauthorized");
    echo "Authentication failed...";
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER'])) { 
    authenticate();
} else { 
    if ($userauth=$DB_site->query_first("SELECT password,salt FROM user WHERE username='$_SERVER[PHP_AUTH_USER]'")) {
        if (!(md5(md5($_SERVER['PHP_AUTH_PW']) . $userauth['salt']) == $userauth['password'])) { 
            authenticate();
        }
    } else {
        authenticate();
    }


This will put a HTaccess popup box on all your regular forum pages. As for the admincp/modcp, it might be easier to just change the location of those to something else (can be edited in the /includes/config.php).

Make sure you don't have any extra .htaccess files with an additional htaccess/htpasswd, else it's gonna get messy ;)

Natch 07-29-2004 12:54 AM
Can you confirm that the above post is all you need to add for this to work ? none of the extra code from the first post of this thread ?

TripLcixx 07-31-2004 10:09 AM
Yes I can confirm ;)

The extra code in the first post was all needed for the IP field. (which is no default field in VBB and hence u have to alter the DB) Drop that requirement, and the whole snippet gets quite short.

Natch 08-02-2004 12:26 AM
Excellent - many thinks: I can see an excellent use for this.

bloodcult 08-02-2004 01:34 PM
nice hack, it's possible that the user logged in when they autenticate with this method?

what we have now is:
username:password when open the side (http auth) then login to forum again

it's possible:
username:password when open the side (http auth) then autologin into forum

u can use the autologin on forum, but it's not good if more then 1 users share the same workstation.

so, is it possible with autologin with http auth?

bloodcult 08-05-2004 01:43 PM
i tried by myself, no result's at the moment... so anybody else will have a look for it?

Isaiah33 08-25-2004 09:49 AM
anyone would be nice if it auto log into forum also

Wential 08-26-2004 04:36 AM
You know what would be nice? A hack that checks the 1st IP # of the visiting user (Ex: 233.x.x.x) against the registration ip on file in the User database. This would require no inputing of data on the admins part. If it doesn't match, it kicks them out.

miz 09-06-2004 11:20 PM
Quote:
Originally Posted by Wential
You know what would be nice? A hack that checks the 1st IP # of the visiting user (Ex: 233.x.x.x) against the registration ip on file in the User database. This would require no inputing of data on the admins part. If it doesn't match, it kicks them out.

im sorry for not supporting this thread my linicence removed but its back now
ok so about the qoute , what if user changes his compeny ? or user have diff ip masks for exsample in israel netvision got something like 4 diff ip masks


Quote:
Originally Posted by bloodcult
nice hack, it's possible that the user logged in when they autenticate with this method?
you mean like when users put his user/pass on the http auth then its auto login him to forums ? well if the answer is yes then its not should be a problem just add query that will run login.php with username + password

note : dont use get methood cuse then you will have a major security problem :o

but if you want i think i can make your life bit more easy and do it for you

Rodrigo 10-23-2004 07:19 PM
you can also use hostmasks... like if the users hostmask ends with aol.com, you can also type this in the ipmasks field...

Crank 02-09-2005 11:53 PM
any more support for this thread?

VriendP 02-11-2005 06:35 PM
I hope so.

I also have another question about it. Suppose I had installed it partially (just added the ipmasks field), and I wanted to autofill this with the ip-information from the post table.

Such a thing would take time... so I figure a script to do this would be nice also.

RDog14 08-31-2005 06:54 PM
I placed TripLcixx's code in the global.php file... I get the authentication box, but it will not accept any username/password combination, any suggestions would be greatly appreciated.

Also,
Anything new with being able to auto-login? That would be great, but is a little above my head to develope right now.

Thanks

Inferno Dragon 09-18-2005 06:00 AM
can I use this hack to password protect a any individual directory within my forum for example: forums/songs ?

sybakaos 03-12-2006 06:44 PM
How do I redirect users instead of showing them the standard "Authentication Failed" message? (I'm using the shorter version of TripLcixx)?

Thanks!

sybakaos 03-12-2006 07:01 PM
To make users redirect after failed logins, put the following in

echo "":;

PHP Code:
<html><head><META HTTP-EQUIV=\"Refresh\" CONTENT=\"0;URL=http://www.disney.com\"></head></html> 

sybakaos 03-12-2006 07:02 PM
However, how do I disable banned users (usergroup) from accessing?

GrCh_Jeff 03-30-2006 12:54 PM
Quote:
Originally Posted by TripLcixx
Here's the version without IPmasks:


This will put a HTaccess popup box on all your regular forum pages. As for the admincp/modcp, it might be easier to just change the location of those to something else (can be edited in the /includes/config.php).

Make sure you don't have any extra .htaccess files with an additional htaccess/htpasswd, else it's gonna get messy ;)

So how can I get this with the redirect to work with 3.5.3 ???
really need this

sybakaos 04-02-2006 06:29 PM
If anyone wonders how to refrain banned users from accessing (bypassing the http auth), change their password. Now they're banned from http auth and the board itself.

Simple but effective.


All times are GMT. The time now is 04:46 PM.

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.

X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.02489 seconds
  • Memory Usage 1,875KB
  • Queries Executed 10 (?)
More Information
Template Usage:
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_code_printable
  • (11)bbcode_php_printable
  • (4)bbcode_quote_printable
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_navbar_search
  • (1)printthread
  • (34)printthreadbit
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • showthread
Included Files:
  • ./printthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/class_bbcode_alt.php
  • ./includes/class_bbcode.php
  • ./includes/functions_bigthree.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • printthread_start
  • bbcode_fetch_tags
  • bbcode_create
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • printthread_post
  • printthread_complete