30 Jul 2016, 12:39
kerrghann
Join Date: Jul 2012
Real name: Markis
Better AdminCP/ModCP Security Scripts

So, to start, I'm not exactly sure where to put this. It's something I've worked out for me and my assistant. I'm obsessed with security, to a degree, and I utilize .htaccess and .htpasswd to a high degree on my site.

Generally speaking, I use it to lock down the admincp and modcp (things that an attacker, who managed to hijack an account, could do serious damage with).

So, this set of PHP files is essentially a dual/redundant password system. I've requested from my staff that they use a password that is DIFFERENT from their forum password to access the admin and moderator control panels.

So basically here we create a custom vbulletin page. I used Lynne's guide that I found here

transcendence.php (forum root)

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

You'll then want to create your own template for it. I'm including mine as I've done quite a bit of work with it (to include the form that you submit with and allowing only certain usergroups to access it). Dave answered a question I had in regards to vbulletin syntax and linked me to this great list that I also feel like sharing!

The easiest way to edit all your templates is to go into debug mode (I have a password set for mine in my vbulletin config file). This allows you to edit the master style and add it to all of your styles at the same time. I'm sure there is an easier way as well and I also must warn you to not mess around with it too much. I accidentally deleted my postbit_legacy and have yet to find a way to get it back...haha... Good thing I don't use legacy...

Anyways, now the template!

transcendence (template)

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

I made it so only my staff could actually see and use the form on this page by adding in this piece of code:

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

Just an added precaution.

The form has an action="hash.php"

This is the script I made to hash the password submitted by this form to the APR1 md5 format. It then appends this hashed password automagically to your .htpasswd file (which should be outside of your public_html folder; I keep mine one level up from it (../.htpasswd)).

This sounds dangerous, right? If someone managed to get an admin/mod account...they could find this page and then simply give themselves a new admincp login, correct? That's why this form ALSO adds a # in front of the line, making it a comment, meaning it can't be used until a server administrator opens up the .htpasswd file and removes the comment at the beginning!

This sounds like a bit of work; however, I promise you it's a lot less work than requesting that a staff member hash their password, give you the hashed password, you go into your .htaccess file and add it, and do this for all your staff members. It's easier to give them a link to the transcendence.php page and uncomment it once they finish.

The hash.php file goes a step further and also sends you an email whenever someone submits the form. It includes their username, their password, their email, and their IP address.

Now here is the hash.php script; it should be in your forum root with transcendence.php.

hash.php (forum root)

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

Rather than setting all the variables in the hash.php file, I've made it so that it parses a config.ini.php file. You can edit most of the variables through it.

Here is the config.ini.php file; it should be in your includes folder. Make sure you call it config.ini.php: the .php at the end is important, as .ini files can be opened and read as plaintext.

config.ini.php (./forumRoot/includes)

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

Now any directory you want to password protect with .htaccess will require this in the directory:

.htaccess (per directory you want to protect)

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

You'll also want to decide where you wish to store your .htpasswd file; as stated, I keep mine 1 directory up from my forum. However, my forum is located at www.mywebsitehere.com; if your forum is located at something along the lines of www.mywebsitehere.com/forum/, you'll want to place your .htpasswd file at least 2 directories up (../../.htpasswd). It's important to keep it outside of your public_html/www folders.

That's pretty much it.

Things I'd like to do in the future

Form Verification
I'd like to add form validation in the template; however, my javascript seems like it doesn't want to execute. I had this in the head section of my transcendence template:

Block Disabled: Suspended or Unlicensed Members Cannot View Code.

Check against current vBulletin password Hash
I'd like to write a script that compares the password they requested to their current vbulletin hash. This would, essentially, require me to hash the password they submit twice. First it would hash it in the format that vBulletin 4 uses, then compare it to the one in the database. If it matches, it throws an error and refuses to let them use that password. If it doesn't match, it continues and rehashes their submitted password in the APR1 format. If anyone would like to help me with this, I'd really appreciate it!
Completed!

Well, I do hope this helped someone and I also really hope I put this in the correct place. I felt like contributing something that I found useful and helpful for managing my forum. Please let me know if I committed any sins against grammar/punctuation or if anything in my code is seriously flawed or dangerous.

Much appreciated!
__________________
A Place to create; a place to innovate~

Last edited by kerrghann; 01 Aug 2016 at 09:07.
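As an added, self-contained illustration of what the post's hash.php and the "check against current vBulletin password hash" idea do (this is not the poster's script, which is not viewable here, and it is written in Python rather than PHP so it runs stand-alone): the Apache `$apr1$` MD5 algorithm from apr_md5.c, the commented-out .htpasswd line, and the vBulletin 3/4 md5(md5(password) + salt) comparison. The `myName`/`myPassword`/`r31.....` vector is the one from the Apache password-encryptions documentation; the vBulletin salt and password in the test are constructed, and the username/password character check is my own addition.

```python
import hashlib
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> str:
    """Encode the low 6*n bits of v, least-significant 6-bit group first (crypt style)."""
    return "".join(chr(ITOA64[(v >> (6 * k)) & 0x3F]) for k in range(n))

def apr1_md5(password: str, salt: str = "") -> str:
    """Apache '$apr1$' MD5 hash, the format `htpasswd -m` writes; salt is up to 8 chars."""
    pw = password.encode()
    sl = salt[:8] or "".join(chr(secrets.choice(ITOA64)) for _ in range(8))
    s = sl.encode()
    ctx = hashlib.md5(pw + b"$apr1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for plen in range(len(pw), 0, -16):       # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, plen)])
    i = len(pw)
    while i:                                   # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                      # 1000 stretching rounds, as in apr_md5.c
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return f"$apr1${sl}${enc}{_to64(final[11], 2)}"

def vb4_hash(password: str, vb_salt: str) -> str:
    """vBulletin 3/4 stored form: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + vb_salt).encode()).hexdigest()

def reuses_vb4_password(password: str, vb_hash: str, vb_salt: str) -> bool:
    """True if the requested panel password is the same as the user's forum password."""
    return vb4_hash(password, vb_salt) == vb_hash.lower()

def pending_htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """Commented-out .htpasswd entry: inert until an administrator removes the leading '#'."""
    if not user or any(ch in user for ch in ":#\r\n") or any(ch in password for ch in "\r\n"):
        raise ValueError("username or password would corrupt .htpasswd")
    return f"#{user}:{apr1_md5(password, salt)}\n"
```

The username check refuses ':', '#' and line breaks because any of those in a submitted value could alter or uncomment other .htpasswd entries when the line is appended.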