jiralhanae (New Member)
Posted: Sun Sep 02, 2007 6:48 pm

Hello!

I have recently installed NukeSentinel 2.5.11 on phpnuke 7.6 (patched 3.3) and it works without any complications.

I'm using adminCGIauth, having this inside my .htaccess file (which is in the root dir):
Code:
<Files .ftaccess>
  deny from all
</Files>

<Files .staccess>
  deny from all
</Files>

<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /my/path/to/.staccess
</Files>


And it works like it should, so far. But it seems that it also protects files named admin.php that are outside of the root dir. I'm using Vwar, a module for adding clanmatches, organizing members and so on (for online gaming clans).

This module's admin section uses %rootdir%/modules/vWar/admin/admin.php for adding new matches, for example. But it seems that it's protected by the .htaccess file from the root dir. I would like to allow regular users to administrate vWar, so I'm looking for a good solution to only protect %rootdir%/admin.php with adminCGIauth.

Any ideas for a good solution? Is it possible to rename/move the admin.php maybe?

Thanks in advance for your help, I appreciate it very much.

fkelly (Moderator)
Posted: Sun Sep 02, 2007 7:32 pm

You can rename the admin file in standard RN. Instructions for this are in the config.php file in your nuke root directory. I would think that you would then have to change the htaccess file in your root directory to protect "whatever_youve_renamed_it_to.php" instead of admin.php. But I haven't tried this and can't guarantee it would work. I can pretty much guarantee that the basic renaming that's detailed in config.php will work unless you have some third party module that refers to a hard-coded admin.php file.

There might be a simpler way. How do you know that cgiauth is extending to that file in the /vwar directory? It doesn't look right to me but I don't have an easy way to test it here. Maybe one of the htaccess gurus here can help with this before you start renaming the admin files.

Gremmie (Former Moderator in Good Standing)
Posted: Sun Sep 02, 2007 8:19 pm

I am really surprised that it is protecting that other admin.php. .htaccess works on a per-directory basis from what I understand. Are you sure you don't have another .htaccess in the vwar subdirectory?

montego (Site Admin)
Posted: Sun Sep 02, 2007 9:09 pm

Actually, Apache inherits the .htaccess on down the directory structure. You would have to do something like this in the other directory with the admin.php:

Add a .htaccess file in that directory with this in it:

<FilesMatch "admin.php">
allow from all
</FilesMatch>

This may not be the exact syntax, but should give you some ideas...

fkelly (Moderator)
Posted: Mon Sep 03, 2007 7:27 am

Thanks M. I learned something new this morning.

jiralhanae (New Member)
Posted: Mon Sep 03, 2007 9:19 am

Quote:
You can rename the admin file in standard RN. Instructions for this..

Yea, I tried this already some time ago, but it didn't work out well, because nearly all modules weren't accessible via [othernamethan'admin'].php, even the basic ones like "Preferences".

Quote:
I am really surprised that it is protecting that other admin.php. .htaccess works on a per-directory basis from what I understand. Are you sure you don't have another .htaccess in the vwar subdirectory?

Yes, I double-checked. No .htaccess file in the entire vWar directory. I'm pretty sure that the root .htaccess file is the "problem", because the vwar administration wasn't protected anymore when I removed it.

Quote:
Actually, Apache inherits the .htaccess on down the directory structure. You would have to do something like this in the other directory with the admin.php:

Ah, thanks a lot. I will try it out.

jiralhanae (New Member)
Posted: Mon Sep 03, 2007 9:41 am

I tried some different kinds of entries for vWar/admin/.htaccess:
Code:
allow from all

Code:
<Files admin.php>
  allow from all
</Files>

Code:
<FilesMatch "admin.php">
allow from all
</FilesMatch>

But nothing worked. But I noticed something else. Not only vWar/admin/admin.php is protected. vWar/admin/index.php is as well.
But at the same time, all other pages in that directory, e.g. vWar/admin/server.php or vWar/admin/cash.php are not protected.

And, if I remove the .htaccess file from the root dir, vWar/admin/admin.php,index.php are not protected anymore.


Last edited by jiralhanae on Mon Sep 03, 2007 9:55 am; edited 1 time in total

fkelly (Moderator)
Posted: Mon Sep 03, 2007 9:42 am

I am pretty sure that renaming works reliably in the latest RN. There were lots of corrections needed to get rid of the hard coded admin.php in previous versions. But as I said in my previous posts, add-on modules could still have problems.

That's neither here nor there for your present problem. Montego's suggestion is by far the best way to go. We don't really recommend renaming admin.php here; the added protection (if any) is not worth the potential problems. If someone is determined to hack your system and they can get to admin.php then they can most likely figure out what you've renamed that to and get to that also.

montego (Site Admin)
Posted: Tue Sep 04, 2007 6:48 am

jiralhanae, this is definitely odd. I wonder now if you have some settings in your host control panel that are stopping these, because I just don't understand why "vWar/admin/index.php" would be "caught" by the root .htaccess file.

Also, are you certain that it is the exact same error and it is popping up the same pop-up login window?

jiralhanae (New Member)
Posted: Tue Sep 04, 2007 7:19 pm

Quote:
Also, are you certain that it is the exact same error and it is popping up the same pop-up login window?

Yea, it's definitely 100% the same.

I did some more testing and it seems that index.php is only protected when you're logged in to vWar (normal vWar account/vWar admin is combined), so that issue might be caused by the index.php accessing the admin.php or vice versa... at least that's my guess, not sure if that's possible/makes sense.

As for the .htaccess entries I tried, my guess would be that they do not overwrite what's written in the root .htaccess file. What I mean:

Code:
<Files admin.php>
  allow from all
</Files>

Does not overwrite
Code:
<Files admin.php>
   <Limit GET POST PUT>
      require valid-user
   </Limit>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /path/to/.staccess
</Files>


But again, just my guess. But I'm not sure what a working ("overwriting") entry would look like.

montego (Site Admin)
Posted: Wed Sep 05, 2007 5:39 am

Ok, I was hoping to find an easier override, but try this:

Code:

<Files admin.php>
  <LimitExcept GET POST PUT>
    require valid-user
  </LimitExcept>
   AuthName "Restricted"
   AuthType Basic
   AuthUserFile /path/to/.staccess
</Files>


Use this in your sub-directory...
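
The inheritance described earlier in the thread and the sub-directory override above can be audited with a short script. This is an added example, not code from any of the posters: it models only how Apache discovers .htaccess files from the document root downward and matches `<Files>` on the basename, not the full merge of auth directives. The function names are hypothetical and the two sample .htaccess bodies are abbreviated from the ones quoted in the thread.

```python
import fnmatch, os, re, tempfile

# Plain <Files name> sections only; the regex form (<Files ~ "...">) is skipped.
FILES_RE = re.compile(r'<Files\s+"?([^">]+)"?\s*>(.*?)</Files>', re.S | re.I)

# Constructed sample input, abbreviated from the two .htaccess files in the thread.
ROOT_HT = """<Files admin.php>
  <Limit GET POST PUT>
    require valid-user
  </Limit>
  AuthType Basic
</Files>
"""
SUB_HT = """<Files admin.php>
  <LimitExcept GET POST PUT>
    require valid-user
  </LimitExcept>
</Files>
"""

def parse_files_blocks(text):
    """Return [(pattern, [directive lines])] for each <Files> section."""
    return [(pat.strip(), [ln.strip() for ln in body.splitlines() if ln.strip()])
            for pat, body in FILES_RE.findall(text)]

def blocks_covering(docroot, rel_path):
    """(.htaccess path, directives) pairs that apply to rel_path, root first."""
    parts, hits = rel_path.split("/"), []
    for depth in range(len(parts)):  # docroot, then each deeper directory
        d = "/".join(parts[:depth])
        ht = os.path.join(docroot, d, ".htaccess")
        if os.path.isfile(ht):
            with open(ht) as fh:
                for pat, directives in parse_files_blocks(fh.read()):
                    # <Files> is matched against the basename, not the path
                    if fnmatch.fnmatchcase(parts[-1], pat):
                        hits.append((f"{d}/.htaccess".lstrip("/"), directives))
    return hits

def demo():
    paths = ("admin.php", "modules/vWar/admin/admin.php", "modules/vWar/admin/server.php")
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "modules", "vWar", "admin")
        os.makedirs(sub)
        for d, text in ((root, ROOT_HT), (sub, SUB_HT)):
            with open(os.path.join(d, ".htaccess"), "w") as fh:
                fh.write(text)
        return {p: [src for src, _ in blocks_covering(root, p)] for p in paths}

if __name__ == "__main__":
    print(demo())
```

Pointing `blocks_covering` at a real document root lists every file a root-level `<Files>` block reaches by basename, which is worth checking before relaxing that block in a sub-directory.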

jiralhanae (New Member)
Posted: Thu Sep 06, 2007 11:31 am

It works.

Very nice. Thank you very much!

montego (Site Admin)
Posted: Fri Sep 07, 2007 6:35 am

Excellent! You are most welcome.

All logos and trademarks in this site are property of their respective owner.
The comments are property of their posters, all the rest © 2002-2008 by Raven