htaccess Protection for admincp & any dir


Omranic
13 Jan 2006, 00:41
This is a very simple hack.
Its only main function is to add htaccess protection for any dir by adding a few small lines at the beginning of the dir's index.

our application will be on admincp's index (index.php)

Description: This hack adds htaccess protection to any folder by adding a few small lines to its index.php file. The user name & password for this protection are determined by two variables in the same file. If the data entered is wrong, the page shows a black background with a title (Unauthorized) & content that says (Enter Here Only); clicking it directs to the forum's root (index.php by default). This means double security (like THIS (http://vbulletin.com/forum/admincp)).

Please Note: The default user name & password for entering through this protection are (User: 123 / Pass: 321). See the last two lines to know how to change these values.

installation:
open the file index.php present in the dir admincp & search for the following code:
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/

& put under it the following code:
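$index['public'] = $index['public'];
$phpkd['username'] = "123"; // Here is the user name
$phpkd['password'] = "321"; // Here is the htaccess password

if (!$index['public']) {
    // The browser sends no credentials on the first request, so read them defensively
    $auth_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $auth_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // Strict comparison: != would treat numeric strings such as "123" and "0123" as equal
    if ($auth_user !== $phpkd['username'] || $auth_pass !== $phpkd['password']) {
        header("WWW-Authenticate: Basic realm=\"Highly Secured\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>
<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">
<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a></center></body></html>";
        exit;
    }
}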


Note 1: Change the values of the two variables $phpkd['username'] / $phpkd['password'] to the username & password needed, & note not to change this: $index['public'] = $index['public'];

Note 2: This protection gives the authority for entering to only the username & password defined in the file (above modification). After passing through this htaccess protection you will find the normal vbulletin admincp login screen & then you can go on with the normal admin data recorded in the forum itself.

Hope I have explained enough for beginners.
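
The same gate written for more than one admin, as an added example that is not part of the thread or the author's hack: it stores password hashes instead of plain passwords and reads the credentials defensively. The function names, account names and passwords are constructed for illustration, and the HTTP_AUTHORIZATION fallback assumes the server passes that header to PHP.

```php
<?php
// Added example, not the thread author's code; all names are hypothetical.

// Read HTTP Basic credentials. PHP_AUTH_USER / PHP_AUTH_PW are only set when
// PHP parses the Authorization header itself; the HTTP_AUTHORIZATION fallback
// assumes the server has been configured to pass that header through.
function gate_credentials(array $server)
{
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return array($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']);
    }
    $raw = isset($server['HTTP_AUTHORIZATION']) ? $server['HTTP_AUTHORIZATION'] : '';
    if (stripos($raw, 'Basic ') === 0) {
        $decoded = base64_decode(substr($raw, 6), true);
        if ($decoded !== false && strpos($decoded, ':') !== false) {
            return explode(':', $decoded, 2);
        }
    }
    return array('', '');
}

// True only when $user is listed and $pass matches that user's stored hash.
function gate_check(array $users, $user, $pass)
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('unused', PASSWORD_DEFAULT);
    }
    // Unknown users are checked against a dummy hash so both paths do similar work.
    $known = isset($users[$user]);
    $matches = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $matches;
}

// Constructed demo accounts. In real use paste in hash strings generated
// offline with password_hash(), never the passwords themselves.
$gate_users = array(
    'admin_one' => password_hash('constructed-demo-pass-1', PASSWORD_DEFAULT),
    'admin_two' => password_hash('constructed-demo-pass-2', PASSWORD_DEFAULT),
);

list($user, $pass) = gate_credentials($_SERVER);
if (!gate_check($gate_users, $user, $pass)) {
    header('WWW-Authenticate: Basic realm="Highly Secured"');
    header('HTTP/1.0 401 Unauthorized');
    echo '<html><head><title>Unauthorized</title></head><body>Unauthorized</body></html>';
    exit;
}
```

HTTP Basic credentials travel base64-encoded with every request, so serve admincp over HTTPS when using a gate like this.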

JsnakeJ
13 Jan 2006, 06:27
Nice work, isn't the admincp already protected enough though?

Hornstar
13 Jan 2006, 09:03
You can never protect your forum enough. Very nice work and this will be getting used by me. Thanks

Logikos
13 Jan 2006, 09:04
Nice work, isn't the admincp already protected enough though?

Apparently vBulletin Developers don't think so :p

http://www.vbulletin.com/forum/admincp

FleaBag
13 Jan 2006, 09:14
Looks like they do now!

evenmonkeys
13 Jan 2006, 09:26
I used to as well. I don't anymore because it's annoying. =P

Blackbeard
13 Jan 2006, 09:46
this is great m8 well done, could this be changed to add to say a forum on our site, where different usergroup needs access to a forum

IrPr
13 Jan 2006, 12:59
I don't know why, but it doesn't work for me on 3.5.3 :(

Sooner95
13 Jan 2006, 13:34
you can do this via your Cpanel's too..

And, yes can never have enuff.

Omranic
13 Jan 2006, 14:05
This is for extra protection

Blackbeard ===> Till now I can't find any way to get data from database
but i'm searching & trying for that

Moosa ===> It must work fine coz it doesn't depend on the vbulletin code, its Related to PHP Language as general, so u must follow my steps carefully & u will get it right.

Mastar
13 Jan 2006, 16:44
It Doesn't Work On My VB3.53

coffeefix
13 Jan 2006, 16:59
I added this to my 3.5.3 and when I entered my username and password it was not being recognized. The box just kept popping back up and then I got taken to the "enter here" screen. uninstalled.

Mastar
13 Jan 2006, 17:08
Uninstalled also. You Probably need to give better or more detailed instructions.

Omranic
14 Jan 2006, 18:33
Topic has been rewritten.
Read it carefully.

coffeefix
14 Jan 2006, 18:37
so basically, this only gives 1 person access to the ACP? That would be the person, whose username and password you put in the index.php

Omranic
14 Jan 2006, 18:40
yes
its exactly as you said

IrPr
14 Jan 2006, 20:54
any way to read from database ?

Omranic
15 Jan 2006, 12:19
any way to read from database ?

Till now I have no Idea but i'm searching for that

PixelFx
16 Jan 2006, 12:19
Till now I have no Idea but i'm searching for that

this is great, how hard would it be to add an on / off switch in your admin cp for this? aka, let's say you could turn it off when you're working on your site, but then afterwards turn this feature on in the admin, for when you're not doing regular work on the forum? as an example :D

XFSImperial
17 Jan 2006, 02:19
Thanks for the mod, works fine.

*install*

Omranic
21 Jan 2006, 06:31
this is great, how hard would it be to add an on / off switch in your admin cp for this? aka, let's say you could turn it off when you're working on your site, but then afterwards turn this feature on in the admin, for when you're not doing regular work on the forum? as an example :D

Yes, it's hard till now (at least for me). Maybe someone else has a better solution & can improve this.

Zia
26 Jan 2006, 19:05
sounds its nice & help to make acp more secure

kliked install.

jj
26 Jan 2006, 20:48
Till now I can't find any way to get data from database but i'm searching & trying for that

To use this with .htaccess is only possible if the apache server has been compiled with mod_auth_mysql or has it as loadable module.

Find out more about .htaccess and mod_auth_mysql here:
http://www.widexl.com/scripts/documentation/htaccess.html#auth_mysql

Omranic
26 Jan 2006, 21:41
To use this with .htaccess is only possible if the apache server has been compiled with mod_auth_mysql or has it as loadable module.

Find out more about .htaccess and mod_auth_mysql here:
http://www.widexl.com/scripts/documentation/htaccess.html#auth_mysql

Thats Great
But what about Servers That Haven't the mod_auth_mysql Module Installed & have not SSH Access & not having intense to install any modules ? Is there Any Way ?

Mudvayne
27 Jan 2006, 05:34
is it possible to do it as same as vb.com? plzzzzzzzzzzzzzzzzzzzzzzzzz.. I meant it 'll load an error page named authentication failed.. Like...

You hav failed to authenticate ur identity.. U r now automatically redirect to forum index..

/me clicks install

P.S: I'm using vB 3.5.3.. It seems not working :ermm:

Aligator21
27 Jan 2006, 07:01
nice!!!
installed! :)

jj
27 Jan 2006, 11:36
Thats Great
But what about Servers That Haven't the mod_auth_mysql Module Installed & have not SSH Access & not having intense to install any modules ? Is there Any Way ?

No, if the module is not available the apache server cannot connect to a mysql database.

is it possible to do it as same as vb.com? plzzzzzzzzzzzzzzzzzzzzzzzzz.. I meant it 'll load an error page named authentication failed.. Like...

If your provider allows it, you can do that by adding this line ErrorDocument 401 /401.html into your existing .htaccess file in the document_root of your apache server. If no .htaccess file exists, just create one. Afterwards you have to place a self-made 401.html or 401.php or whatever file in your document_root, to get it to work.

If you choose to create a directory for your custom apache errorpages like errorpages in your document_root the line has to look like this
ErrorDocument 401 /errorpages/401.html or
ErrorDocument 401 /errorpages/401.php depending on what filetype you want to use.

You can create custom errorpages for every http-errorcode like 404 (not found), 500 (script error) and so on...

Mudvayne
27 Jan 2006, 15:22
Dear j.jacobsen..
Thnx for the solution.. As I use Custom HTML Error Page hack I already hav the error page.. So I just need to change the code..

$index['public'] = $index['public'];
$phpkd['username'] = "123"; // Here is the user name
$phpkd['password'] = "321"; // Here is the htaccess password

if (!$index['public']) {
    // The browser sends no credentials on the first request, so read them defensively
    $auth_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $auth_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // Strict comparison: != would treat numeric strings such as "123" and "0123" as equal
    if ($auth_user !== $phpkd['username'] || $auth_pass !== $phpkd['password']) {
        header("WWW-Authenticate: Basic realm=\"Highly Secured\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>
<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">
<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a></center></body></html>";
        exit;
    }
}

Question is whr to change the code to call the 500 error page?

Hav anybody try it successfully in vB 3.5.3? Coz mine isn't working :(..

Omranic
28 Jan 2006, 07:08
Dear j.jacobsen..
Thnx for the solution.. As I use Custom HTML Error Page hack I already hav the error page.. So I just need to change the code..

$index['public'] = $index['public'];
$phpkd['username'] = "123"; // Here is the user name
$phpkd['password'] = "321"; // Here is the htaccess password

if (!$index['public']) {
    // The browser sends no credentials on the first request, so read them defensively
    $auth_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $auth_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // Strict comparison: != would treat numeric strings such as "123" and "0123" as equal
    if ($auth_user !== $phpkd['username'] || $auth_pass !== $phpkd['password']) {
        header("WWW-Authenticate: Basic realm=\"Highly Secured\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>
<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">
<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a></center></body></html>";
        exit;
    }
}

Question is whr to change the code to call the 500 error page?

Hav anybody try it successfully in vB 3.5.3? Coz mine isn't working :(..

Dear Shuvo, This Hack isn't Depending On Your vBulletin version or bulletin type at all

its a server side work depends on your apache

You Must observe that the Default value (User: 123 / Pass: 321) & Not as recorded in the database & this has been mentioned in the thread's first post

regarding to changing the error page to error 500 you must change the following line
HTTP/1.0 401 Unauthorized
& it will do that for you


any questions I'm here For answers
best wishes

Mudvayne
28 Jan 2006, 17:42
Okiz SolidSnake@GTI I hav a question.. I'm a really dumb abt this coding thing.. So I'll b glad if u help me out.. If I wanna use..
User: Shuvo
Pass: golpo

& call 500/501 error page.. Thn what 'll the xact code? Would u plz write it for me here? Plz..

Note: Sorry my english :confused:

Omranic
28 Jan 2006, 23:12
hey
I tried the code with error pages & only the 401 error succeeded & the others did not

So you may use it as 401 error & regarding to the User: Shuvo Pass: golpo
Take the following code:

$index['public'] = $index['public'];
$phpkd['username'] = "Shuvo"; // Here is the user name
$phpkd['password'] = "golpo"; // Here is the htaccess password

if (!$index['public']) {
    // The browser sends no credentials on the first request, so read them defensively
    $auth_user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $auth_pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    // Strict comparison, so only the exact strings above are accepted
    if ($auth_user !== $phpkd['username'] || $auth_pass !== $phpkd['password']) {
        header("WWW-Authenticate: Basic realm=\"Highly Secured\"");
        header("HTTP/1.0 401 Unauthorized");
        echo "<html><head><title>Unauthorized</title></head><body bgcolor='#000000'><center><br>
<a href=\"../index.php\" style=\"text-decoration: none\" target=\"_blank\">
<font face=\"MS Sans Serif\" color=\"#FFFFFF\" size=\"8\"><b><br>Enter Here Only<br></b></font></a></center></body></html>";
        exit;
    }
}

Mudvayne
30 Jan 2006, 10:09
dont know the reason but its not working.. Asking for pass randomly.. :(

RFViet
30 Jan 2006, 14:51
yes
its exactly as you said

If I have 2 admins then It doesn't work !!! :disappointed:

Mudvayne
31 Jan 2006, 11:16
Yaiiiiiiiiiiiiii.. i did it.. But with .htaccess..

try http://www.golpo.net/forum/admincp/index.php :D:D:D

Omranic
14 Feb 2006, 07:29
Yaiiiiiiiiiiiiii.. i did it.. But with .htaccess..

try http://www.golpo.net/forum/admincp/index.php :D:D:D

thats possible also

you can post it here, I think it will be useful for some

JJH35
17 Feb 2006, 00:30
or you could have just used this for each folder
order allow,deny
allow from all
deny from ip1 , ip2, ip3, etc

Mudvayne
17 Feb 2006, 04:59
you can post it here, I think it will be useful for some
Sorry brother.. I'm bit late.. Its easy.. Hope someone might get help..

I did it with an online .htaccess password generator tools.. Well go to .htaccess pass generator site (http://tools.dynamicdrive.com/password/) read the instruction.. Its too easy.. U just need to know ur admincp path.. & plz after process upload the .htaccess & .htpasswd file in admincp folder.. Dont upload it in root folder.. Otherwise entire forum 'll b password protected..

Hornstar
18 Feb 2006, 07:37
Is there a code to only allow certain IP's?

Mathiau
12 Mar 2006, 06:02
Sorry brother.. I'm bit late.. Its easy.. Hope someone might get help..

I did it with an online .htaccess password generator tools.. Well go to .htaccess pass generator site (http://tools.dynamicdrive.com/password/) read the instruction.. Its too easy.. U just need to know ur admincp path.. & plz after process upload the .htaccess & .htpasswd file in admincp folder.. Dont upload it in root folder.. Otherwise entire forum 'll b password protected..

I tried those tools. Generated the info, uploaded the files in ASCII and I know the info I was typing in was right, it was in the right directory, but it just kept popping up as if I was putting in the wrong login info - but I know I wasn't...


For this hack - I put the code into my index.php (main root index.php) and it works - Is this as secure as using a separate .htaccess file? If so then it works great and I would like to use it.

I tested it and put in the wrong info to get the enter here only page, once I hit that the login window that comes up has this info in it


Htaccess login system for **********! If you have a problem with the htaccess or you never recieved a email about the change in the htaccess pass, email me @ ******@wwwsupersite.com and I will help where I can. Thanks!


Where can i edit that? that certainly is not the host of our servers info so wondering where that is coded.... (i asked the host and he has no idea where that info would be pulled from...)

Mudvayne
12 Mar 2006, 06:29
I tried those tools. Generated the info, uploaded the files in ASCII and I know the info I was typing in was right, it was in the right directory, but it just kept popping up as if I was putting in the wrong login info - but I know I wasn't...
But bro.. Mine works fine.. here is some info..

http://www.vbulletin.com/forum/admincp
http://www.golpo.net/forum/admincp

http://www.vbulletin.com/forum/modcp
http://www.golpo.net/forum/modcp

http://www.vbulletin.com/forum/includes
http://www.golpo.net/forum/includes

http://www.vbulletin.com/forum/install
http://www.golpo.net/forum/install

:).. So I prefer .htaccess.. Newayz did u upload the .htaccess & .htpasswd in the right directory? If so thn it should work.. Did u use the encoded pass in .htpasswd ?

Nathan2006
14 Mar 2006, 14:43
Thnk you its a lot better :)

Install

Just 1 question I added the code as you said, but do you only get 1 login screen or 2?

Meaning should the old login screen appear after the new login box?

Thanks :)


Edit: Its ok its fully working now

Thank you :)

mike12345
05 May 2006, 07:25
cool thanks! i will use this

IncredibleHawk
05 May 2006, 07:49
Very Very Nice and thanks, you're a life saver! :banana:

ShadowOne
19 Oct 2006, 08:34
So You All Are Sayin You Cant Give The Password Out To The Other Admins? I Like It Just For More Security Against Anyone...Why Block From Other Admins?

da420
19 Oct 2006, 09:04
Ive always .htaccess my admin cp via my host cPanel... :)

vietkieu_cz
23 Oct 2006, 22:27
very useful, thank you very much

manutdvn
29 Nov 2006, 09:46
Thank you. Do you have any update for this mod?

Hornstar
10 Jan 2007, 13:06
didn't work for me in 3.6.4, it gave me an error, but it's cool, I'm using cpanel now, it does the job fine.