bavarian
Hangin' Around
Joined: Nov 11, 2004
Posts: 25
Posted: Wed Feb 16, 2005 5:53 am
I have no real problem to solve, since everything works fine. At least it seems to work fine. I tried to attack my site with http://www.mysite.com/modules.php?name=Downloads&d_op=viewdownloads&sid=-1/*%20*/UNION/*%20*/. Sentinel blocked my IP and also wrote my IP into the .htaccess file and not only into the database table.
BUT what is confusing me and makes me wonder if I did anything wrong is the fact that I don't have any combo of USERID/cryptedPASSWORD in the secret .staccess file. And still everything works fine.
In the Administrative Settings for Sentinel I have the following:
Admin Auth: Admin HTTPAuth
.htaccess path: correct path added here
left empty the .staccess path for CGIAuth Setup
I can log into my admin section without any problem: first the password check with the password that I initially had set in the Admin Auth List for my God account ... then the regular PHP-Nuke login procedure. I suppose this is the way it is supposed to work.
Although the .htaccess file points with a correct path to the .staccess file and should demand a password in there ... it obviously does not. What did I do wrong?
Where is the password stored then? In the database? Everything works fine then ... what is the advantage of having the password in the .staccess file then?
ALSO (a small problem): I could not get this CRYPT.php script to work ... I just copied the text and loaded it as http://www.mysite.com/crypt.php ... but it does not generate any code ... what did I do wrong here?
THANKS IN ADVANCE FOR HINTS
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Wed Feb 16, 2005 6:57 am
Admin Auth: Admin HTTPAuth
is not the same as CGIAuth logic-wise, but is operationally. CGIAuth requires the use of .staccess but HTTPAuth uses the id/pass that is stored in the database. There is no need to use both, although you could, but it would then require 3 logins instead of 2. See if this helps: http://www.ravenphpscripts.com/postt2950.html
bavarian
Posted: Wed Feb 16, 2005 7:09 am
Thanks Raven!
Yes, I understand that there is no need to use both methods.
If I understood you correctly, I don't need the .staccess file if I use HTTPAuth?
The link to post 2950 did confuse me, so I'll keep my eyes off it for a while. I guess I will remove the .staccess file then and just stay with HTTPAuth, which obviously seems to work fine here on my end.
Does HTTPAuth need the .htaccess file then?
And if so ... what is it supposed to contain then?
I guess this part can be removed if there is no need for the secret file when using HTTPAuth:
<Files .mysecretfile>
deny from all
</Files>
SO I JUST KEEP THAT PART
but remove the line marked with the arrow --------
<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted"
AuthType Basic
------> AuthUserFile /home/USERNAME/public_html/.mysecretfile <<<<<<<---------
</Files>
Raven
Posted: Wed Feb 16, 2005 7:14 am
.htaccess is needed for NS to write banned IPs to, Bad Bots, Santy Worm protection, GT rewrites, etc. It is NOT needed for HTTPAuth, as that is a function of the HTTP protocol and the browser invokes it. You can remove
<Files .mysecretfile>
deny from all
</Files>
<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.mysecretfile
</Files>
bavarian
Posted: Wed Feb 16, 2005 7:43 am
OK ... thanks for all that useful help!
So .htaccess can in my case be completely empty to start with.
THANKS AGAIN!
Raven
Posted: Wed Feb 16, 2005 8:08 am
luri
New Member
Joined: Mar 11, 2005
Posts: 2
Posted: Fri Mar 11, 2005 2:04 pm
Well, first of all, forgive my 'newbie-ness' and, probably, my English. The problem is that I can't get Sentinel to effectively ban an IP. I have tried a UNION attack on my own site and I get the Sentinel page informing that the IP has been blocked, I get an e-mail telling me the IP has been blocked, and I can see the IP in the blocked list, BUT I can access my site normally from that IP. Am I doing something wrong or missing anything? I'm running nS 2.2.0 on an IIS 5.1 server. Thanks in advance.
luri
Posted: Fri Mar 11, 2005 2:38 pm
OK, I'll answer myself, in case it's useful for anyone:
I had this in nukesentinel.php:
Code:
// Check if ip is blocked
$blocked_row = abget_blocked($nsnst_const['$remote_ip']);
if($blocked_row) { blocked($blocked_row); }

More or less obviously, this should have read:
Code:
// Check if ip is blocked
$blocked_row = abget_blocked($nsnst_const['remote_ip']);
if($blocked_row) { blocked($blocked_row); }

Note there's no $ before remote_ip.
Why I had this file wrong, I don't know.
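The failure mode luri describes, as an added example that is not NukeSentinel's own code: a literal key '$remote_ip' never exists in the constants array, so the lookup yields null and the ban check becomes a silent no-op. The stand-ins for abget_blocked(), the blocked-IP table and $nsnst_const are constructed for this illustration; the real function queries the database.

```php
<?php
// Added example, not NukeSentinel's own code. Reproduces the key typo luri
// found and shows a version of the ban check that fails loudly instead.
declare(strict_types=1);

// Constructed stand-ins for the blocked-IP table and for $nsnst_const.
$blocked_table = ['203.0.113.7' => ['ip' => '203.0.113.7', 'reason' => 'UNION attack']];
$nsnst_const   = ['remote_ip' => '203.0.113.7'];

// Stand-in for abget_blocked(): returns the row for a banned IP, or null.
function abget_blocked(?string $ip, array $table): ?array
{
    return ($ip !== null && isset($table[$ip])) ? $table[$ip] : null;
}

// Buggy check: the literal key '$remote_ip' is absent, so the value is null
// (the original line, without "??", also emits an undefined-index notice)
// and abget_blocked() can never match a banned address.
function is_blocked_buggy(array $const, array $table): bool
{
    $ip = $const['$remote_ip'] ?? null;   // typo: '$' inside the quotes
    return abget_blocked($ip, $table) !== null;
}

// Hardened check: refuse to proceed when the client IP is missing, reject
// malformed values by treating them as blocked, and only then consult the table.
function is_blocked_safe(array $const, array $table): bool
{
    if (!isset($const['remote_ip'])) {
        throw new RuntimeException('remote_ip missing; refusing to skip the ban check');
    }
    $ip = filter_var($const['remote_ip'], FILTER_VALIDATE_IP);
    if ($ip === false) {
        return true;   // fail closed on an unparseable address
    }
    return abget_blocked($ip, $table) !== null;
}

// Self-check: the automated form of "attack my own site and see if I get in".
// A banned IP must come back as blocked; the buggy variant lets it through.
function ban_check_self_test(array $const, array $table): array
{
    return [
        'buggy_blocks_banned_ip' => is_blocked_buggy($const, $table),  // never true
        'safe_blocks_banned_ip'  => is_blocked_safe($const, $table),
    ];
}

print_r(ban_check_self_test($nsnst_const, $blocked_table));
```

Running the self-check against a known-banned address after every NukeSentinel update catches this class of silent bypass before a real attacker does.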
BobMarion
Former Admin in Good Standing
Joined: Oct 30, 2002
Posts: 1037
Location: RedNeck Land (known as Kentucky)
Posted: Fri Mar 11, 2005 5:06 pm
I'll patch the downloads for this. I test and test but I don't catch everything.
_________________
Bob Marion
Codito Ergo Sum
manunkind
Client
Joined: Apr 26, 2004
Posts: 368
Location: Albuquerque, NM
Posted: Fri Mar 11, 2005 6:13 pm
So if we already downloaded this, should we all replace this code, Bob or Raven? This is a guaranteed bug and should be fixed?
BobMarion
Posted: Fri Mar 11, 2005 10:28 pm
Check for it first; if you don't have the $ then you're fine. If you do, remove the $ from that part.