This is a trick to "hide" the PHP-Nuke admin.php file and prevent unauthorized access to the PHP-Nuke administration panel. The scenario is: even if someone got your admin username and MD5 password, they'll have no idea how to find the admin.php file. This trick requires PHP-Nuke running under the Apache web server, configured to allow .htaccess overrides (AllowOverride settings in the main Apache .conf file). In addition, the mod_rewrite module must be enabled in the Apache configuration.
Before you go, back up the original admin.php file in your PHP-Nuke root directory. For example, rename admin.php to admin_backup.php or whatever. If it exists, also back up/rename the existing .htaccess file stored in the PHP-Nuke root directory.
Ok, now let's begin.
First, you need to modify the admin.php file. Append these lines at the beginning of your admin.php. Because admin.php may vary between PHP-Nuke versions, you can usually append the code below either after the PHP start tag (<?php), before the $checkurl = $_SERVER['REQUEST_URI']; line, or before the require_once("mainfile.php"); line. Here is the "template" code:
Third, you need to change all the default values/signals in this trick. This is necessary, otherwise your admin.php access is no longer secure, since everyone else has also read this article. These are the default values/signals in both files above:
ADMIN_PT
This is a signal for access validity and is stored as a server variable. In common situations you need not change this string, but if you do, you should change it in both the admin.php and .htaccess files. As noted in the admin.php insertion code, there are two ADMIN_PT variable checks: one is ADMIN_PT itself and the other is its clone, REDIRECT_ADMIN_PT. You can safely change the ADMIN_PT string, but do not alter the "REDIRECT_" prefix, since that is default Apache server behavior. Consider using the search/replace function of your text editor to change this string in both pieces of code above.
admin_pass
This is the string that will be stored as the cookie name (key of the pair). If you are in doubt about changing this string, be sure to use only native letters (A-Z, a-z) and underscores. The .htaccess insertion code above treats this string as case insensitive. Consider using the search/replace function of your text editor to change this string in both pieces of code above.
whatever
This is the string that will be stored as the cookie value (value of the pair). If you are in doubt about changing this string, be sure to use only native letters (A-Z, a-z), numbers (0-9), and underscores. The .htaccess insertion code above treats this string as case insensitive. Consider using the search/replace function of your text editor to change this string in both pieces of code above.
newadmin.php
This string appears only once, in the .htaccess insertion code. It is used as the "virtual" replacement for the admin.php call and doesn't have to exist in your actual PHP-Nuke root directory. If you are in doubt about changing this string, be sure to use only native letters (A-Z, a-z), numbers (0-9), and underscores, followed by a file extension. The extension doesn't have to be restricted to .php; you may experiment with other extensions.
Cookie expiration time
By default, the cookie will expire 24 hours after the first login. The expiration value is defined in the admin.php insertion code above as 86400 seconds (60 seconds x 60 minutes x 24 hours = 86400 seconds, does this ring a bell?). You may modify this value for your own needs. Consider setting this value as small as possible, depending on how long you usually take to administer your own site.
Ok, at this point you've finished the setup. Now you need to know how this thing works and the proper procedure for logging in to your PHP-Nuke administration menu. On every first login, you'll need to call the "virtual" admin script from the browser (the default is newadmin.php, as noted above). During that call, it will set up the server variable that triggers the cookie-storing code. Once the cookie is stored, any call to admin.php will be considered valid until the cookie itself expires.
An alternative
This is an alternative trick that does not alter the actual admin.php file. The difference is that storing the cookie is handled from the .htaccess file as well, so no additional code needs to be inserted into the admin.php file. However, this trick may not work with the most common Apache versions and configurations. If you get an Internal Server Error, stop using it. The only thing to do is to put this code into the .htaccess file in the PHP-Nuke root directory:
Change the {DOMAIN} string above to your actual domain, e.g. example.com (without the www prefix). If you are running under a subdomain, put that instead, e.g. home.example.com (without any prefix). If you get a 500 Internal Server Error message, it indicates that your Apache/mod_rewrite does not support setting cookies through a RewriteRule flag.
Does this trick always work?
It may not work on specific Apache configurations, especially if your site is hosted using host management software (Plesk, cPanel, Ensim, etc.). I had a few problems working with .htaccess under the Ensim management panel, but in contrast I never had any problems under Plesk. I'm not so sure about cPanel, since I have never used it. It also may or may not work with Apache configured with virtual host mapping; you need to do some experiments with it. This trick always works on my local server, with either Apache version 1.x or version 2.x, with all requirements met (AllowOverride, mod_rewrite).
Why a cookie?
You can use a PHP session to replace the cookie, but you'll need longer code. You can also combine them both for additional security. Additionally, some tricks using JavaScript can also be used for client-side security scripting considerations. JavaScript is very powerful against bot (non-human controlled) hack engines.
Does this trick work if Admin Secure is installed?
Yes or no. If you enable Auth Login (HTTP Authentication) in the Admin Secure configuration panel, it may (or may not) conflict with the trick described here. If you want to apply this trick alongside an Admin Secure installation, do it at your own risk.
What is the .htaccess file?
This is a special Apache file for controlling common HTTP requests, usually residing in www directories. It works on a per-directory basis and can override Apache's default settings. It also provides mechanisms to communicate with Apache modules to perform specific tasks. Consult your Apache manual or visit the Apache website for more information.
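The two pieces of code the post refers to (the admin.php insertion and the .htaccess rules) are not reproduced on this page. The block below is an added reconstruction of the technique as the post describes it, not the original author's code. It assumes the post's default signal names (ADMIN_PT, admin_pass, whatever, newadmin.php, 86400 seconds), Apache with mod_rewrite and AllowOverride enabled, and PHP 5.6 or later for hash_equals(); the .htaccess rules it expects, including the cookie-only alternative with the CO= flag, are given in the comment header, and the helper names admin_pt_signal_set() and admin_pt_cookie_ok() are my own.

```php
<?php
// Added example (not the original post's code): reconstruction of the
// admin.php gate described in the post. Assumed .htaccess in the PHP-Nuke
// root, using the post's default signals (change them before use):
//
//   RewriteEngine On
//   # "virtual" admin script: set the ADMIN_PT signal, then serve admin.php
//   RewriteRule ^newadmin\.php$ admin.php [E=ADMIN_PT:1,L]
//   # direct admin.php calls need the cookie unless the signal is set;
//   # after mod_rewrite's internal redirect the signal is REDIRECT_ADMIN_PT
//   RewriteCond %{ENV:ADMIN_PT} !=1
//   RewriteCond %{ENV:REDIRECT_ADMIN_PT} !=1
//   RewriteCond %{HTTP_COOKIE} !(^|;\s*)admin_pass=whatever(;|$) [NC]
//   RewriteRule ^admin\.php$ - [F,L]
//
// The post's .htaccess-only alternative replaces the first RewriteRule with
// one that sets the cookie itself (lifetime in minutes, 1440 = 24 h):
//   RewriteRule ^newadmin\.php$ admin.php [CO=admin_pass:whatever:{DOMAIN}:1440:/,L]
//
// The PHP below goes at the top of admin.php, before require_once("mainfile.php").

define('ADMIN_PT_COOKIE_NAME',  'admin_pass'); // cookie key   (change it)
define('ADMIN_PT_COOKIE_VALUE', 'whatever');   // cookie value (change it)
define('ADMIN_PT_COOKIE_TTL',   86400);        // 24 h; set as short as you can

// True when the request came in through the "virtual" newadmin.php call.
// mod_rewrite's E= flag sets ADMIN_PT on the first pass; after the internal
// redirect to admin.php Apache exposes it as REDIRECT_ADMIN_PT, so both are checked.
function admin_pt_signal_set(array $server)
{
    foreach (array('ADMIN_PT', 'REDIRECT_ADMIN_PT') as $key) {
        if (isset($server[$key]) && $server[$key] === '1') {
            return true;
        }
    }
    return false;
}

// True when the browser presented the expected cookie. hash_equals() (PHP >= 5.6,
// assumed) compares in constant time so the value cannot be guessed from timing.
function admin_pt_cookie_ok(array $cookie)
{
    if (!isset($cookie[ADMIN_PT_COOKIE_NAME])) {
        return false;
    }
    return hash_equals(ADMIN_PT_COOKIE_VALUE, (string) $cookie[ADMIN_PT_COOKIE_NAME]);
}

if (admin_pt_signal_set($_SERVER)) {
    // First login via newadmin.php: store the cookie (HttpOnly so page scripts
    // cannot read it), then fall through to the normal admin.php code.
    setcookie(ADMIN_PT_COOKIE_NAME, ADMIN_PT_COOKIE_VALUE,
              time() + ADMIN_PT_COOKIE_TTL, '/', '', false, true);
} elseif (!admin_pt_cookie_ok($_COOKIE)) {
    // Direct call without a valid cookie: answer as if the file did not exist.
    // The .htaccess [F] rule normally stops these first; this is the fallback
    // for hosts where .htaccess is not honoured.
    header('HTTP/1.0 404 Not Found');
    exit;
}

// ... original admin.php continues here: require_once("mainfile.php"); ...
```

Call newadmin.php once in the browser to receive the cookie; admin.php then works until the cookie expires. The cookie value is a static secret sent with every request, so over plain HTTP anyone on the path can read it: the gate hides where the admin panel is, but it is no substitute for a strong admin password and HTTPS.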
Hajduk (Corporal; Joined: Apr 03, 2003; Posts: 50) | Posted: Wed Aug 04, 2004 11:52 pm
Ok, you hide your admin file and I will find it within 5 mins. Rename it, htaccess it, move it, chmod it.
And even still, hacking Nuke can be done throughout the whole system, not just the admin file.
madman (Support Mod; Joined: Feb 15, 2004; Posts: 806) | Posted: Thu Aug 05, 2004 1:50 pm
This trick doesn't rename/move admin.php elsewhere.
Someone needs glasses here.
Last edited by marius26 on Sun Jun 17, 2007 1:48 pm; edited 1 time in total
ishadami (Nuke Cadet; Joined: Aug 01, 2005; Posts: 1) | Posted: Mon Aug 01, 2005 4:17 am
Hi, I am new at both PHP-Nuke and this site.
I like PHP-Nuke so much, but it has lots of security problems.
I want to add code here which blocks access to admin.php except for the real admin.
* I add this code here for two reasons:
1. I wonder whether it really works as I thought.
2. If it works, everybody can use it.
Open admin.php,
after <?php
add this: