HTTP Basic Authentication against vB-Accounts

Seeing all those "user integration" requests over and over again I made a small "hack" (not really as no tables, templates or files are modified ) that might be useful if you want to give access to non-forum content based on forum accounts:

HTTP Basic Authentication against vB user table
------------------------------------------------

This "hack" allows you to use HTTP Basic authentication
(password protected directories) based upon vB accounts.

Update Version 0.2
------------------
I've added a configuration option to the .htaccess so
you can specify which usergroup (only one for the moment)
you want to grant access.
If you don't need this feature just leave the line commented out.

Requirements
------------
- vBulletin 3 (at least the user table)
- Apache/mod_perl compiled with support for PerlAuthenHandler
- Basic Authentication feature enabled to be used in .htaccess

Installation
------------
1) Edit vBAuth.pm, fill in the configuration settings (database, etc.)
2) Put vBAuth.pm in your Perl Apache-Moduls directoy
3) (Optional) Edit .htaccess to meet your requirements
4) Put .htaccess in the directory you want to protect

[Bison]

Quote:

Originally Posted by AN-net

wow great hack!!! wish i had root access

There is a hack like this that doesn't require root access and written in php. I think I have it somewhere on my PC.

[EDDIE!]

I really need help ASAP. I uploaded this to my server and when I go to my site, I got the following error:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>

<head>
<style>
a:link {font:8pt/11pt verdana; color:red}
a:visited {font:8pt/11pt verdana; color:#4e4e4e}
</style>
<meta HTTP-EQUIV="Content-Type" Content="text-html; charset=Windows-1252">
<title>HTTP 500 Internal server error</title>
</head>
<script>

function Related(){
userURL=document.location.href;

//for the href, we need a valid URL to the domain. We search for the # symbol to find the begining
//of the true URL, and add 1 to skip it - this is the BeginURL value. We use serverIndex as the end marker.

BeginURL=userURL.indexOf("#",1) + 1;
CurrentURL=userURL.substring(BeginURL,DocURL.lengt h);

//Build the query
RelatedServiceURL="http://related.msn.com/related.asp?url=";

//Perform simple check for Intranet URLs
//this is where the http or https will be, as found by searching for :// but skip res:
protocolIndex=userURL.indexOf("://",4);
serverIndex=userURL.indexOf("/",protocolIndex + 3);
urlresult=userURL.substring(0,serverIndex);
if (protocolIndex - BeginURL > 7)
urlresult=""

//Check if Intranet URL - then open search bar

if (urlresult.indexOf(".",0) < 1) userURL="Intranet URL";
finalURL = RelatedServiceURL + encodeURIComponent(userURL);
window.open(finalURL, "_search");

}

function Homepage(){

// in real bits, urls get returned to our script like this:
// res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

//For testing use DocURL = "res://shdocvw.dll/http_404.htm#https://www.microsoft.com/bar.htm"
DocURL=document.location.href;

//this is where the http or https will be, as found by searching for :// but skipping the res://
protocolIndex=DocURL.indexOf("://",4);

//this finds the ending slash for the domain server
serverIndex=DocURL.indexOf("/",protocolIndex + 3);

//for the href, we need a valid URL to the domain. We search for the # symbol to find the begining
//of the true URL, and add 1 to skip it - this is the BeginURL value. We use serverIndex as the end marker.
//urlresult=DocURL.substring(protocolIndex - 4,serverIndex);
BeginURL=DocURL.indexOf("#",1) + 1;
urlresult=DocURL.substring(BeginURL,serverIndex);

//for display, we need to skip after http://, and go to the next slash
displayresult=DocURL.substring(protocolIndex + 3 ,serverIndex);

// Security precaution: must filter out "urlResult" and "displayresult"
forbiddenChars = new RegExp("[<>\'\"]", "g"); // Global search/replace
urlresult = urlresult.replace(forbiddenChars, "");
displayresult = displayresult.replace(forbiddenChars, "");

document.write('<A target=_top HREF="' + urlresult + '">' + displayresult + "</a>");
}
function doSearch()
{
saOC.NavigateToDefaultSearch();
}

function initPage()
{
document.body.insertAdjacentHTML("afterBegin","<ob ject id=saOC CLASSID='clsid:B45FF030-4447-11D2-85DE-00C04FA35C89' HEIGHT=0 width=0></object>");
}

</script>


<body bgcolor="white" onload="initPage()">

<table width="400" cellpadding="3" cellspacing="5">
<tr>
<td id="tableProps" valign="top" align="left"><img id="pagerrorImg" SRC="pagerror.gif"
width="25" height="33"></td>
<td id="tableProps2" align="left" valign="middle" width="360"><h1 id="errortype"
style="COLOR: black; FONT: 13pt/15pt verdana"><span id="errorText">The page cannot be displayed</span></h1>
</td>
</tr>
<tr>
<td id="tablePropsWidth" width="400" colspan="2"><font
style="COLOR: black; FONT: 8pt/11pt verdana">There is a problem with the page you are
trying to reach and it cannot be displayed.</font></td>
</tr>
<tr>
<td id="tablePropsWidth" width="400" colspan="2"><font id="LID1"
style="COLOR: black; FONT: 8pt/11pt verdana"><hr color="#C0C0C0" noshade>
<p id="LID2">Please try the following:</p><ul>
<li id="instructionsText1">Open the <script> Homepage();</script> home page, and then look for links to
the information you want. </li>
<li id="instructionsText2">Click the
<a xhref="javascript:location.reload()" target="_self">
<img border=0 src="refresh.gif" width="13" height="16"
alt="refresh.gif (82 bytes)" align="middle"></a> <a xhref="javascript:location.reload()" target="_self">Refresh</a> button, or try again later.<br>
</li>
<li ID="instructionsText3">Click <a href="javascript:doSearch()"><img border=0 src="search.gif" width="16" height="16" alt="search.gif (114 bytes)" align="center"> Search</a> to look for information on the Internet. </li>
<li id="instructionsText4">You can also see <a onclick="Related();event.returnValue=false" href="">a list of related sites.</a>
</ul>
</p>

<p><br>
</p>
<h2 id="ietext" style="font:8pt/11pt verdana; color:black">HTTP 500 - Internal server
error <br>
Internet Explorer </h2>
</font></td>
</tr>
</table>
</body>
</html>

I tried editting the .PM file, but that doesn't work. If anyone can help me, please let me know ASAP.

[Andreas]

Quote:

Originally Posted by my username

HTTP basic auth. (http://www.ietf.org/rfc/rfc2617.txt) sends the password in clear text for every HTTP-request made to the server (when using cookies you're at least able transfer a hashed version of the password for each request)...this is why the W3C tell you NOT to use HTTP basic auth.

I know that.
But unfortunately, using digest authentication is not an option, because then we will get md5('Username:Real:Password').
But in the user table there is only md5(md5'Password') . $salt).

Quote:

Why not just include/require global.php in the scripts that are "off-forum"?

If you want to protect files there is no script.
The only way to do so would be to keep files out ot document root and use a script to read them.

What I am currently thinking of is a new Apache authentication module which checks the sessionhash (or bbuserid bbpassword) cookies, and if the are not valid redirects to login.php.

[Carnage]

Quote:

I know that.
But unfortunately, using digest authentication is not an option, because then we will get md5('Username:Real:Password').
But in the user table there is only md5(md5'Password') . $salt).

well... could you not store using another script MD5(username:realmassword) ?

If you had a link somewhere so that users can request access to secure areas and you asked them to put in their username and password into a form then used the MD5 javascript from vb3 to send:

username
MD5(password) //for checking its the same as their forum password and is the same user...
MD5(Username:realmassword)

[Crazy Serb]

any update on this? I don't have root access, and I'm looking for a way to protect directory full of non-html/php files, and make it accessible only to certain usergroups... damn, how hard can that be?

[sensimilla]

Im bumping this thread because I am in need of this hack.

Is there any chance to release it for vbulletin 3.6 ?

Thanks in advance.

[mhmd1983]

Quote:

Originally Posted by sensimilla

Im bumping this thread because I am in need of this hack.

Is there any chance to release it for vbulletin 3.6 ?

Thanks in advance.

Yes me too , let me say its a very important hack to all paid forum owners ..