Zubrag.com
November 13, 2019, 09:58:18 AM *
Author Topic: Security concern  (Read 5933 times)
hbarbosa
Newbie
*
Posts: 2


« on: January 14, 2009, 04:25:48 PM »

Dear Zubrag,

I just downloaded your script and put it to work on my personal
website at the university. It's working great. I'm using it to protect
a webpage where my students upload their homework.

However, I've a security question.

My webpage is located in my home directory, which is automatically
mounted via NFS on all machines in my institution, under
a folder called public_html. Of course, this directory and all files therein
must have read permissions for all users in order for the website to work.

Therefore, anyone with access to a machine where my account is
mounted will also have access to the file password_protect.php and
hence to the passwords of all users!

Is there any way to avoid this?

Thanks,
Henrique

Logged
David
Newbie
*
Posts: 29


« Reply #1 on: January 15, 2009, 01:21:51 PM »

I have once looked into protecting folders on Windows - try Googling password protect folder.

Hope you find a solution - let us know.

David
Logged
hbarbosa
Newbie
*
Posts: 2


« Reply #2 on: January 16, 2009, 06:45:00 AM »

Hi David,

Server is running Linux, not Windows.

Just to clarify what the problem is: In my case I'm a
regular user, not root... and hence my webpage is located
inside my home directory:

/home/username/public_html

I'm not an expert, but I understood it as follows.

If I change the permissions of the files inside my public_html
folder so that Apache has access to them, then
anyone will also have access. I mean, anyone with access to my
machine via ssh, telnet or local use, or to any machine
in my institute, since all of them mount the users'
homedirs using NFS.

So, if a clever student of mine looks at the link to the login
webpage, they will know that the file is called "~username/login.php".
Hence, they can take a look in the file content and find out
that its first line:

<?php require($DOCUMENT_ROOT . "password_protect.php"); ?>

points to another file... and by looking inside "password_protect.php" they
will find out everyone's passwords!!

In a single user environment this script is very secure, but
in a multi-user one...

Henrique



Logged
rhd
Newbie
*
Posts: 1


« Reply #3 on: January 16, 2009, 04:34:37 PM »

I assume you make, then give the password to each student, then add that password to "password_protect.php".

NEVER save a password as 'clear' text - make a password OR BETTER use a program to make one
then get a "MD5" sum of that password, give the student the password and put the "MD5" sum
in "password_protect.php" as the password.

Add a line of code in "password_protect.php" to make a "MD5" sum of what the student
inputted as his password, test this sum with the sum you entered.
Logged
siliconengineering
Newbie
*
Posts: 1


WWW
« Reply #4 on: October 18, 2019, 01:13:09 AM »

Most of them have already answered your question :)
Logged
bestrefrigeratorss
Newbie
*
Posts: 1


WWW
« Reply #5 on: October 23, 2019, 09:58:32 AM »

Please can anybody resolve this?? I have the same issue..
Logged
1Mirek
Newbie
*
Posts: 1


« Reply #6 on: October 25, 2019, 12:59:55 AM »

Look, to protect some .php script with a password, just copy the code below and enter your MD5 password hash, and it will require a login to that script every time. Try....

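<?php
// Expected MD5 hash (hex string) of the password.
$auth_pass = "MD5 password hash goes here!!!";

// Print the login form and stop the script.
function wsoLogin() {
   die("<pre align=center><form method=post>Password: <input type=password name=pass><input type=submit value='>>'></form></pre>");
}

// Set the cookie for later requests and for the current one.
function WSOsetcookie($k, $v) {
    $_COOKIE[$k] = $v;
    setcookie($k, $v);
}

if(!empty($auth_pass)) {
    $cookie_name = md5($_SERVER['HTTP_HOST']);

    // hash_equals() replaces "==", which can treat two different "0e..." hashes as equal numbers.
    if(isset($_POST['pass']) && is_string($_POST['pass']) && hash_equals($auth_pass, md5($_POST['pass'])))
        WSOsetcookie($cookie_name, $auth_pass);

    // The cookie value is the stored hash itself, so this check passes for any client that sends that hash.
    if (!isset($_COOKIE[$cookie_name]) || !is_string($_COOKIE[$cookie_name]) || !hash_equals($auth_pass, $_COOKIE[$cookie_name]))
        wsoLogin();
}
?>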

Or this will do the same thing pretty much...

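<?php
$hrver = "Whatever PHP script which needs password protection";
$self = $_SERVER['PHP_SELF'];
$admin_pass = '1mirek';   // cleartext password kept in this file

session_start();
$is_admin = false;

// Logged in if the session already holds the hash, or the posted password matches.
$posted = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : null;
if ((isset($_SESSION['adminpass']) && $_SESSION['adminpass'] === md5($admin_pass))
        or ($posted !== null && hash_equals($admin_pass, $posted))) {
        $is_admin = true;
        $_SESSION['adminpass'] = md5($admin_pass);
}
if (isset($_POST['logout'])) {
    echo "Wrong!!!";   // alert() is not a PHP function, so the message is echoed
    $is_admin = false;
    unset ($_SESSION['adminpass']);
}
if ($is_admin !== true) {
    if (isset($_POST['password'])) {
        echo "Wrong again get lost!";
        die('<br /><br /><br /><big><strong><center><blink>Wrong Password!!!</blink></center></strong></big>');
    }
    // No password submitted yet: show a form and stop before the protected script runs.
    die('<form method="post">Password: <input type="password" name="password"><input type="submit" value="Login"></form>');
}
?>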


If somebody has problems with adding password logins to PHP scripts, feel free to ask for help!
Logged
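Replies #3 and #6 both keep a hash of the password in the script instead of the cleartext. The following added example (not code from the thread or from Zubrag's script) shows the same idea with PHP's built-in password_hash() and password_verify() in place of md5(), and keeps only the username in the session. The names check_login, weak_entries, require_login and the $users map are hypothetical.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
// Verify $pass for $user against a username => password_hash() map.
function check_login(array $users, string $user, string $pass): bool
{
    static $dummy = null;
    if ($dummy === null) {
        // Hash checked for unknown users so both paths cost the same time.
        $dummy = password_hash('unused', PASSWORD_DEFAULT);
    }
    $known = isset($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

// Usernames whose stored value is not a password_hash() string (cleartext, bare MD5).
function weak_entries(array $users): array
{
    return array_keys(array_filter($users, function ($stored) {
        return empty(password_get_info($stored)['algo']);
    }));
}

// Call at the top of a protected page. The session keeps the username only,
// so nothing stored in the credential file works as a login token.
function require_login(array $users): void
{
    session_start();
    $u = $_POST['user'] ?? null;
    $p = $_POST['pass'] ?? null;
    if (is_string($u) && is_string($p) && check_login($users, $u, $p)) {
        session_regenerate_id(true);   // fresh session id after login
        $_SESSION['user'] = $u;
    }
    if (!isset($_SESSION['user'])) {
        http_response_code(401);
        exit('<form method="post">User: <input name="user"> Password: '
           . '<input type="password" name="pass"> <input type="submit"></form>');
    }
}

// Constructed demo data; run with "php example.php".
if (PHP_SAPI === 'cli') {
    $users = ['student1' => password_hash('constructed-pw-1', PASSWORD_DEFAULT),
              'student2' => md5('constructed-pw-2')];   // legacy entry
    var_dump(check_login($users, 'student1', 'constructed-pw-1'));
    var_dump(check_login($users, 'student1', 'wrong'));
    var_dump(weak_entries($users));
}
```

In the NFS setup described in the thread the credential file stays readable to other users, so the per-password salt and work factor of password_hash() are what slow down offline guessing against it.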