Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15209
Location: Kansas
Posted: Mon Jun 05, 2006 11:18 pm

The phpbb exploits that were used this past weekend utilized an old exploit in phpbb and 2 very sophisticated remote scripts. NukeSentinel(tm) v2.4.2 pl8 should now block those attacks, but here is another way (or an additional way) if you use Apache. Use a CGIAuth challenge in the modules/Forums/admin folder. This is how to set it up:

In modules/Forums/admin use/add the .htaccess file and the password file .staccess

.htaccess

<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.staccess

.staccess
username:password

Where username can be any name you want and password is encrypted using crypt(). For more information on CGIAUTH and how to use crypt, please see

kguske
Site Admin
Joined: Jun 04, 2004
Posts: 4852
Posted: Tue Jun 06, 2006 4:40 am

Thanks!

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 4816
Posted: Tue Jun 06, 2006 8:07 am

Another thank you!

Nomad
Client
Joined: Jan 21, 2006
Posts: 87
Location: Arizona
Posted: Wed Jun 21, 2006 9:06 am

Does anybody else get a 500 error when they try this?

error log:
[Wed Jun 21 10:40:25 2006] [alert] /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.htaccess: Missing </Files> directive at end-of-file

I did the .htaccess/.staccess files as listed above, didn't change anything except CPANEL_USER_NAME and the password.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15209
Location: Kansas
Posted: Wed Jun 21, 2006 9:16 am

You have to wrap that in a <Files> </Files> container.

Nomad
Client
Joined: Jan 21, 2006
Posts: 87
Location: Arizona
Posted: Wed Jun 21, 2006 9:45 am

Here is my htaccess file
Code:

<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess


I've tried
Code:

<Files .staccess>
deny from all
</Files>

<Files index.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess
</Files>

Code:

<Files>
<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess
</Files>

Code:

<Files index.php>
<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess
</Files>


and a few other combos. Now I have run out of wraps. Bang Head

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15209
Location: Kansas
Posted: Wed Jun 21, 2006 1:47 pm

My first post is the correct post. That is all you need.

Tao_Man
Involved
Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK
Posted: Wed Jun 21, 2006 2:34 pm

I can't see why it would cause that error, and the only thing I can see different between yours and mine is you do have a trailing bit of whitespace after the last line

AuthUserFile /home/cpanelname/public_html/modules/Forums/admin/.staccess

would test it out myself but I am in the process of changing hosting servers and kinda MOS right now

blith
Life Cycles Becoming CPU Cycles
Joined: Jul 18, 2003
Posts: 953
Posted: Thu Jun 22, 2006 11:25 am

I did this and had no problem, I am only posting that cause you asked if anyone has had a problem...

montego
Site Admin
Joined: Aug 29, 2004
Posts: 7452
Location: Arizona
Posted: Fri Jun 23, 2006 8:18 pm

I have also just checked, and I believe all the files under that directory should be included from somewhere else, right? Could we not use a simple "deny from all" statement in an .htaccess file under that directory?

Just asking because I really hate having to type in user id's and passwords... Laughing

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15209
Location: Kansas
Posted: Fri Jun 23, 2006 10:32 pm

Possibly, but you could possibly form an exploit that creates a URL that executes an include('http://somewhere.com/blahblah/include(admin_file)');

I am not saying it would work, but from what I have seen with this exploit, I don't know that I would trust just a deny. It is a good thought worth exploring. If it works, functionally, then I will use both!

montego
Site Admin
Joined: Aug 29, 2004
Posts: 7452
Location: Arizona
Posted: Sat Jun 24, 2006 1:53 pm

Oooooohhhh.... never thought of that. As always worship

bugsTHoR
Worker
Joined: Apr 05, 2006
Posts: 172
Posted: Fri Aug 18, 2006 7:18 am

What should I have in the .staccess file? At present I have 3 god accounts with the md5 passwords.

Anything else?

Also, I remember something about having the .htaccess in all folders I want it to protect; is that true?

montego
Site Admin
Joined: Aug 29, 2004
Posts: 7452
Location: Arizona
Posted: Fri Aug 18, 2006 7:24 am

Raven's original post says it all...

Well, almost. Laughing Regarding this:

Quote:

also i remember something about having the .htaccess in all folders i want it to protect is that true ?

The answer is you would need the .htaccess/.staccess pair in each directory that you want to protect in this manner.

bugsTHoR
Worker
Joined: Apr 05, 2006
Posts: 172
Posted: Fri Aug 18, 2006 7:25 am

Yeah, I got Raven's post, just checking. Very Happy noob alert
[EDITED]

I got this in my .htaccess file now
Quote:
# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files >
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.staccess


<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile
</Files>


Now this bit
Quote:
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.staccess

Would it stop my normal (not God) Admins getting in, or our Forum Members logging in?

3 have said they cannot: 1 admin (CAN) from his home but not from elsewhere, 1 from America and 1 from the UK? Seems they're the only ones, but I can't see why it would just affect them.

I have put it in
modules/forum/admin
/root
/abuse
/admin
/forum
and most other folders, taking no chances.
Is this correct?
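A small checker, added here and not part of this thread or of NukeSentinel, that reads an .htaccess fragment and flags the problems that came up in this thread: the "Missing </Files> directive at end-of-file" error from the earlier post, an empty <Files > argument and a bare AuthUserFile as in the post above, and Require placed only inside <Limit>, which Apache's own documentation advises against because directives inside <Limit> apply only to the listed methods. The sample configs are constructed copies of the posted ones with the placeholder path kept.

```python
import re
# Constructed copy of the first post's .htaccess (placeholder path kept as on the page).
GOOD = """<Files .staccess>
deny from all
</Files>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted Forum Area"
AuthType Basic
AuthUserFile /home/CPANEL_USER_NAME/public_html/modules/Forums/admin/.staccess
"""
# Constructed variants: the first </Files> dropped, and an empty <Files > plus a bare AuthUserFile.
UNCLOSED = GOOD.replace("</Files>\n", "", 1)
EMPTY_ARG = "<Files >\ndeny from all\n</Files>\nAuthType Basic\nAuthUserFile\n"
OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</(\w+)>$")

def lint_htaccess(text):
    """Return a list of problems in an .htaccess fragment; an empty list means nothing to flag."""
    problems, stack = [], []           # stack holds the names of the containers still open
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:                          # opening container such as <Files .staccess>
            name, arg = m.group(1), m.group(2).strip()
            if name in ("Files", "Limit") and not arg:
                problems.append(f"line {n}: <{name}> needs an argument")
            stack.append(name)
            continue
        m = CLOSE.match(line)
        if m:                          # closing container; must match the innermost open one
            if stack and stack[-1] == m.group(1):
                stack.pop()
            else:
                problems.append(f"line {n}: unexpected </{m.group(1)}>")
            continue
        parts = line.split(None, 1)
        directive, arg = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if directive == "authuserfile" and not arg:
            problems.append(f"line {n}: AuthUserFile has no path")
        if directive == "require" and "Limit" in stack:
            # Apache documents that directives inside <Limit> cover only the listed methods.
            problems.append(f"line {n}: Require is scoped to <Limit>; move it outside to cover all methods")
    for name in reversed(stack):       # same wording Apache logs for an unterminated container
        problems.append(f"Missing </{name}> directive at end-of-file")
    return problems
```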

oprime2001
Worker
Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
Posted: Tue Aug 29, 2006 7:52 am

Would the addition of a CGIAuth challenge in the modules/Forums/admin folder affect simple forum moderators?

Thanks.

Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 15209
Location: Kansas
Posted: Tue Aug 29, 2006 9:26 am

Only if they are trying to do admin activities.

Bluezzz
Involved
Joined: Feb 08, 2005
Posts: 290
Location: USA
Posted: Fri Sep 01, 2006 10:51 pm

I tried the above suggestion but I don't think it's working. For instance, when I go to mydomain.com/public_html/mynuke/Forums/admin or even worse yet I can access the edit smilies page just by sending it to my desktop ... how can I have that so that it cannot be accessed unless via the normal path through admin console? This is a major security problem I'd think!? I'm using RN76 2.02.02 and the included Sentinel. The Forums/admin folder should not be this exposed, nor should any file within!

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 4816
Posted: Sat Sep 02, 2006 2:58 am

Do you have an .htaccess file and an empty index.html file in the admin folder?

Bluezzz
Involved
Joined: Feb 08, 2005
Posts: 290
Location: USA
Posted: Sat Sep 02, 2006 3:18 am

Ummmm no, it didn't say to do that in instructions, it just said to set up the forums before installing sentinel. Nothing about securing the forums. I only figured that it wasn't secure because I sent Edit Smilies to the desktop and then a day or so later (after I'd closed all browsers, etc) I was able to double click that icon and go right to edit smilies ... that's not good is it LOL ruuuuuuuuuh rooooooooooh! So what exactly should I do to secure the forums pages so they don't get hacked? I also didn't do any other security measures for the main site aside from what was mentioned in the installation files.

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 4816
Posted: Sat Sep 02, 2006 3:43 am

That happened only because you were still logged in as an admin and the session cookie had not expired.
Raven gave extensive instructions for securing the admin area in the first post of this thread.

Bluezzz
Involved
Joined: Feb 08, 2005
Posts: 290
Location: USA
Posted: Sat Sep 02, 2006 4:20 am

Yes, I tried that but it's still not prompting me for a login/pw ... it still allows me to go directly to that page (Edit Smilies and/or admin folder). I didn't see anything above on having a blank index page either. All it said above was to make an .htaccess and an .staccess page; I'm not sure if I'm supposed to make these as shown above or copy the two main ones from the site ... I did as shown above but am not being prompted for login/pw.

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 4816
Posted: Sat Sep 02, 2006 6:48 am

Does your hosting provider give you a control panel like cPanel?
If so it might be easier for you to use that.
Let me know and I'll post the instructions.

Bluezzz
Involved
Joined: Feb 08, 2005
Posts: 290
Location: USA
Posted: Sat Sep 02, 2006 5:47 pm

Yes, as a matter of fact I'm a reseller host myself, but I really don't know much about being a reseller ... I have cPanel and I see that I can protect directories but I'm not sure how to do that. Please advise : o} Thanks!

Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 4816
Posted: Sat Sep 02, 2006 6:25 pm

Go to your cPanel and find the 'Password protect directories' link - click it.
You should now see a list of folders (directories).
Click - the folder icon next to 'modules'
Click - the folder icon next to 'Forums'
Click - the WORD admin (not the folder icon).

You will now be given some options.
Check the box where it says
Quote:
Directory requires a password to access via the web (you must check this to activate password protection).

In the box that asks for a 'Mask', type something so you know what it is, like 'Forum Admin'.
The rest is pretty self explanatory Smile