steefking Posted November 2, 2011

I use the module Secure Admin Login-Logout. I would like to use the following code in the header of my admin, so that other users handle orders only and can't go to tools or other places they don't belong.

```php
// Basic-auth user name as the web server reports it: PHP_AUTH_USER under mod_php,
// REMOTE_USER under CGI/FastCGI-style SAPIs.
$auth_user   = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
$remote_user = isset($_SERVER['REMOTE_USER'])   ? $_SERVER['REMOTE_USER']   : '';

if ( ($auth_user == 'admin1') || ($auth_user == 'admin2')
  || ($remote_user == 'admin1') || ($remote_user == 'admin2') ) {
  // full admins: no restriction
} else {
  // everyone else may only reach the order-handling pages
  if ( ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "orders.php")
    && ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "invoice.php")
    && ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "index.php")
    && ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "login.php")
    && ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "packing_slip.php")
    && ($_SERVER['SCRIPT_NAME'] != DIR_WS_ADMIN . "customers.php") ) {
    die("<br><br><center>You are not authorized to view this page.\n\n</center>");
  }
}
```

But it doesn't work for Secure Admin Login-Logout, because it looks to something else for users. So does someone know what I have to change in Secure Admin Login-Logout so it will work? It works, but it now blocks all users from all other options like tools.

Steven
Taipo Posted November 5, 2011

Try this Steven and let me know if it works:

```php
// Work out the current script's file name the same way osCommerce 2.3.1 does
// ($HTTP_SERVER_VARS in the original is the deprecated alias of $_SERVER).
$PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 )
             && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) )
             || !isset( $_SERVER['SCRIPT_NAME'] ) )
          ? basename( $_SERVER['PHP_SELF'] )
          : basename( $_SERVER['SCRIPT_NAME'] );

if ( defined( 'DIR_WS_ADMIN' ) ) {
  // Anchored match on the whole file name, with the dot escaped, so that
  // e.g. "myorders.php" or "orders.php.bak" are not accepted.
  $allowedpages = preg_match('/^(?:orders|invoice|index|login|packing_slip|customers)\.php$/i', $PHP_SELF );
  // full admins may see every page
  if ( ( $admin['username'] == 'admin1' ) || ( $admin['username'] == 'admin2' ) ) $allowedpages = true;
  if ( false === ( bool )$allowedpages )
    die( "<br><br><center><font face=verdana size=1>You are not authorized to view this page.<br />\n[<a href=./index.php>Click here</a>] to return to admin</font><br />\n</center>" );
}
```

Assumes that the username is determined via $admin['username']. To make sure $PHP_SELF is reporting correctly I included the $PHP_SELF code from 2.3.1. Also added a link back to the admin page if the error is called.

A better method would be to restrict the options in the left column to specific users. The way above is a bit clunky but it might work.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
Taipo Posted November 5, 2011

In the addon 'Secure Admin Login-Logout' it seems they are using $psName as the admin username. But it seems that $psName can be set by merely making the form post operation, and the authenticated username is set via a cookie session, so it may not be safe to just add $psName into the legitimate username list:

```php
if ( ( $psName == 'admin1' ) || ( $psName == 'admin2' ) ) $allowedpages = true;
```

That would be rather unsafe, I would think. In my first example, $admin['username'] is taken from the 2.2rc2 Administration Tool. So might need to think about this a bit more I think.
steefking Posted December 11, 2011 (Author)

> In the addon 'Secure Admin Login-Logout' it seems they are using $psName as the admin username. But it seems that $psName can be set by merely making the form post operation, and the authenticated username is set via a cookie session, so it may not be safe to just add $psName into the legitimate username list:
>
> ```php
> if ( ( $psName == 'admin1' ) || ( $psName == 'admin2' ) ) $allowedpages = true;
> ```
>
> That would be rather unsafe, I would think. In my first example, $admin['username'] is taken from the 2.2rc2 Administration Tool. So might need to think about this a bit more I think.

First of all many thanks. Little bit late with my reaction. Unfortunately it didn't work yet. Maybe it doesn't know what $psName means in the header? Is it maybe a solution that I use 2 portals for securing the admin, so this one and the htaccess security?

Greets, Steven
Taipo Posted December 12, 2011

It would probably be better use of time to develop an actual addon that has an admin section that allows the main admin to assign accessible sections to other admins. The allowed pages list might be better set from an added table in the database. That sort of thing. Yes, certainly use htpasswd basic authentication protection to protect the admin section, but the above would be my suggestion for you. Perhaps there is a developer here that might want to look at this sort of thing (assuming someone hasn't already done one; to be honest I haven't really looked around).
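Putting the two points of this thread together (the username must come from the server-side session set at login, never from a request variable like $psName, and the allowed-page list should be data rather than a hard-coded regex), here is an added example of such an admin-header check. It is not code from the thread, from osCommerce or from the Secure Admin Login-Logout addon; the session key, table name and user names are assumptions for illustration.

```php
<?php
// Added example: per-admin page allow-list for an admin header (PHP 5.3 compatible).
// Assumes session_start() has already run and the login code stored the verified
// user name server-side in $_SESSION['admin_username'] (assumed key).

function admin_page_allowed($username, $script, array $acl) {
    // Compare on the bare, lower-cased file name with an anchored pattern, so that
    // "myorders.php" or "orders.php.bak" cannot pass a loose substring match.
    $page = strtolower(basename($script));
    if (!preg_match('/^[a-z0-9_]+\.php$/', $page)) {
        return false;
    }
    if (!isset($acl[$username])) {
        return false;                       // unknown admin: deny by default
    }
    $allowed = $acl[$username];
    return ($allowed === '*') || in_array($page, $allowed, true);
}

// Constructed ACL. In a real addon this is loaded from a database table
// (e.g. SELECT page FROM admin_page_acl WHERE username = ?, assumed table) rather
// than hard-coded, so the main admin can edit it from an admin screen.
$acl = array(
    'admin1' => '*',                        // full access
    'admin2' => '*',
    'clerk'  => array('index.php', 'login.php', 'orders.php', 'invoice.php',
                      'packing_slip.php', 'customers.php'),
);

// Always let the login page through, otherwise nobody can authenticate.
$script = $_SERVER['SCRIPT_NAME'];
if (basename($script) !== 'login.php') {
    // Only the server-side session value decides who the caller is; nothing
    // posted by the browser (form field, cookie value) is consulted.
    $user = isset($_SESSION['admin_username']) ? $_SESSION['admin_username'] : '';
    if (!admin_page_allowed($user, $script, $acl)) {
        header('HTTP/1.0 403 Forbidden');
        die('You are not authorized to view this page. '
          . '[<a href="./index.php">Click here</a>] to return to admin');
    }
}
```

Because every unknown user and every page not listed is denied, adding a new admin page means adding a row for the admins who may use it, which is the fail-closed behaviour you want from a restriction like this.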