admin mode > security

**Michaelttkk** · 01-25-2007 07:29 PM

hi! I have this script. do you see any security flaw? is it safe enough?
auth.php

PHP Code:


<? 



    $id = "user"; 

    $pw = "password"; 



    function auth(){ 

       header("WWW-authenticate:basic realm=\"Admin Mode\""); 

       header("HTTP/1.0 401 unauthorized"); 

       echo " 

           <script> 

                alert('Just the Admin can access, sorry.'); 

                history.back(1); 

           </script> 

       "; 

       exit; 

    } 



   if(!$PHP_AUTH_USER or !$PHP_AUTH_PW){ 

       auth(); 

   }else{ 

      if($id != $PHP_AUTH_USER or $pw != $PHP_AUTH_PW) auth(); 

   } 



?>

and here's the file

PHP Code:


<? 

include "auth.php";



<form action="" method="post">

<input blah>

<input blah>

</form>



?>

**NightShift58** · 01-25-2007 08:00 PM

Why the javascript?

PHP Code:


<?php

$id = "user";

$pw = "password";

if ( !isset($_SERVER['PHP_AUTH_USER'] OR !isset($_SERVER['$PHP_AUTH_PW']

  OR $id <> $_SERVER['PHP_AUTH_USER'] OR $pw <> $PHP_AUTH_PW) {

   header('WWW-Authenticate: basic realm="Admin Mode"');

   header('HTTP/1.0 401 unauthorized');

   echo 'Just the Admin can access, sorry.<br>';

   echo '<a href="' . $_SERVER['HTTP_REFERER'] . '">Back</a>';

   exit;

}

?>

**Michaelttkk** · 01-25-2007 09:17 PM

I tried the code, I included it in another page but the page goes blank

**NightShift58** · 01-25-2007 09:33 PM

Sorry, missing a (.

PHP Code:


<?php

$id = "user";

$pw = "password";

if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])

  OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {

   header('WWW-Authenticate: basic realm="Admin Mode"');

   header('HTTP/1.0 401 unauthorized');

   echo 'Just the Admin can access, sorry.<br>';

   echo '<a href="' . $_SERVER['HTTP_REFERER'] . '">Back</a>';

   exit;

}

?>

**Michaelttkk** · 01-25-2007 09:37 PM

it works, just that I have to retype 3 times user and password to reach to the

HTML Code:

Just the Admin can acess, sorry.<br>
<a href="">Back</a>

please check here
http://positive0.negative0.net/tests/shop.php

let's say, I'm making a shopping mall. I'm going to add my products through this Admin mode. From the link I'm going to add products so that just me can add and no one else

**NightShift58** · 01-25-2007 10:10 PM

PHP Code:


<?php

$id = "user";

$pw = "password";

if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])

  OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {

   header('WWW-Authenticate: basic realm="Admin Mode"');

   header('HTTP/1.0 401 unauthorized');

   echo 'Just the Admin can access, sorry.<br>';

   header('Location: ' . $_SERVER['HTTP_REFERER']');

   exit;

}

?>

**Michaelttkk** · 01-25-2007 10:24 PM

the last one doesn't seem to work

but this works just that it doesn't show my index page instead it shows the auth.php's echo Just the Admin can access, sorry. [Back]

PHP Code:


<?php 

$id = "user"; 

$pw = "password"; 

if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW']) 

  OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) { 

   header('WWW-Authenticate: basic realm="Admin Mode"'); 

   header('HTTP/1.0 401 unauthorized'); 

   echo 'Just the Admin can access, sorry.<br>'; 

   echo '<a href="' . $_SERVER['HTTP_REFERER'] . '">Back</a>'; 

   exit; 

} 

?>

http://positive0.negative0.net/tests/index.php id=user pw=password

**NightShift58** · 01-25-2007 10:35 PM

PHP Code:


<?php

$id = "user";

$pw = "password";

if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])

  OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {

   header('WWW-Authenticate: basic realm="Admin Mode"');

   header('HTTP/1.0 401 unauthorized');

   echo 'Just the Admin can access, sorry.<br>';

   echo '<a href="' . $_SERVER['HTTP_HOST'] . '">Back</a>';

   exit;

}

?>

**Michaelttkk** · 01-25-2007 10:40 PM

I'm going to do some changes with http://positive0.negative0.net/tests/index.php for a few seconds this result is without

PHP Code:


<?

    include ('auth.php');

?>

in index.php menu.php shopadd.php

**Michaelttkk** · 01-25-2007 10:45 PM

but when i put the auth.php in all three pages
when I run the index.php the Admin mode appears
after 3 times of putting the id and password in tha admin mode it bring back to the page
Just the admin can access, Sorry.
Back

**NightShift58** · 01-25-2007 10:57 PM

I think it's because of the frames.

**Michaelttkk** · 01-25-2007 11:00 PM

alright now I'm gonna put the auth in the index.php menu.php shopadd.php

PHP Code:


<?

    include ('auth.php');

?>

**NightShift58** · 01-25-2007 11:01 PM

I posted something that somehow didn't make it...

PHP Code:


<?php

$id = "user";

$pw = "password";

if ( !isset($_SERVER['PHP_AUTH_USER']) OR !isset($_SERVER['$PHP_AUTH_PW'])

  OR $id <> $_SERVER['PHP_AUTH_USER']  OR $pw <> $PHP_AUTH_PW) {

   header('WWW-Authenticate: basic realm="Admin Mode"');

   header('HTTP/1.0 401 unauthorized');

   echo 'Just the Admin can access, sorry.<br>';

   header('Location: ' . $_SERVER['HTTP_HOST']);

   exit;

}

?>

**Michaelttkk** · 01-25-2007 11:02 PM

I see this on the Admin mode

Admin Mode-1005

**Michaelttkk** · 01-25-2007 11:07 PM

now, all error 404 document appear

Thread: admin mode > security

Thread Tools

Display

admin mode > security

Thread Information

Users Browsing this Thread

Bookmarks

Bookmarks

Posting Permissions