View Full Version : Securing a PEAR Install with .htaccess


Ricky55
11-09-2010, 09:55 PM
Hi

I have just been following a tutorial that required PEAR to be installed on my server. I installed PEAR fine using the go-pear.php script and I now have the web front end working and I've got the packages installed that I needed.

I am however getting a message across the interface saying "Warning: This package management website is not protected with a password, this is a MAJOR security risk."

It provides a read me file with some instructions on how to secure using an htaccess file but I've tried this and I can then no longer access the front end once it's on the server.

I have installed PEAR to a folder called pearInstall, I have attached the code for the htaccess, I have tried uploading this file to both the site root and the pearInstall folder.

What am I doing wrong?

Thanks


$ echo "
AuthUserFile $(pwd)/.htpasswd
AuthType Basic
AuthName \"Web-based PEAR Frontend\"
Require valid-user" > .htaccess && htpasswd -c .htpasswd admin

edbr
11-10-2010, 02:09 AM
here's a basic htaccess, it needs to be uploaded to the directory you want protected

htaccess
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/mysite/.htpasswd
AuthGroupFile /dev/null
require valid-user
htpasswd based on user ricky55 and ps dreamweaver
ricky55:NUgQQ6fEiTPJA

Ricky55
11-10-2010, 10:15 AM
Thanks mate I'll try that

Ricky55
11-10-2010, 11:56 AM
I can't get this working Ed. It asks me for a password but when I enter the details user: ricky55 pass: NUgQQ6fEiTPJA it won't let me in.

I think it's the path to the .htpasswd that I'm getting wrong. Where do you normally save this file? Just in the site root? or outside of the root?

edbr
11-11-2010, 01:39 AM
try a plain text password,
it is advised to save it outside the root. to be honest it's been a while since I did this. Also if you have a cpanel there is often a directory protection available and it automatically creates the htaccess and htpasswd files (usually the password goes into a folder specifically for this outside the root).
I'll try this later and let you know

Ricky55
11-11-2010, 09:12 PM
Not using PEAR now mate, found an alternative solution so no rush, but I would still like to get this working for future use.

edbr
11-12-2010, 01:19 AM
ok and I was going to start bombarding you with PEAR questions :) I ran out of time yesterday but I will recheck. I used it a lot for test sites and it was a simple way of doing it

edbr
11-13-2010, 02:20 AM
here Ricky, I set up a protected folder using cpanel, to be sure as well as lazy :)
the .htaccess reads (servername being the user name for my server)
AuthType Basic
AuthName "downloads"
AuthUserFile "/home/[servername]/.htpasswds/public_html/downloads/passwd"
require valid-user

using a folder above root public_html so, as the path above shows, 3 folders deep: .htpasswds/public_html/downloads/passwd

using ricky55 and dreamweaver again the passwd file reads
ricky55:$apr1$uwKhnKgH$VkjP2xd7jQRwhSP8xI2lY0

Ricky55
11-13-2010, 02:59 AM
Thanks Ed. It was the path that I was getting wrong. Unfortunately my hosting doesn't have support for htaccess via a control panel.

I just need to establish the correct path then I'll contact them for more info as the path I was using wasn't correct.

Thanks again mate.

Ricky55
11-13-2010, 03:12 AM
Got this working now Ed cheers. It was just the path, on my server it's just
"/home/sites/domain.co.uk/.htpasswd"

Thanks again
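
The problem in this thread came down to where AuthUserFile pointed. As an added example (not code from any poster or from PEAR), this shell function writes the .htaccess only after checking that path; the function name, argument order and return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Usage: write_htaccess DIR PASSWD_FILE DOCROOT
# Writes DIR/.htaccess for Basic auth after checking the password-file path.
# Create the password file first, e.g. with: htpasswd -c /path/.htpasswd admin
write_htaccess() {
    dir=$1 passwd=$2 docroot=$3

    # 1. Apache resolves a relative AuthUserFile against ServerRoot, not the
    #    site folder, so insist on an absolute filesystem path.
    case $passwd in
        /*) ;;
        *) echo "AuthUserFile must be an absolute path: $passwd" >&2; return 2 ;;
    esac

    # 2. If the file is missing, the browser keeps prompting and no login
    #    ever succeeds. (It must also be readable by the web server user,
    #    which cannot be checked from here.)
    [ -f "$passwd" ] || { echo "no such password file: $passwd" >&2; return 3; }

    # 3. Resolve symlinks, then refuse a password file inside the web root,
    #    where it could be requested over HTTP.
    real_passwd=$(cd "$(dirname "$passwd")" && pwd -P)/$(basename "$passwd")
    real_root=$(cd "$docroot" && pwd -P) || return 5
    case $real_passwd in
        "$real_root"/*) echo "$passwd is inside the web root" >&2; return 4 ;;
    esac

    # Directives are the ones used in the thread; the path is the resolved one.
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Web-based PEAR Frontend"
AuthUserFile "$real_passwd"
Require valid-user
EOF
}

# Example call (paths are placeholders):
# write_htaccess /home/sites/example.test/public_html/pearInstall \
#                /home/sites/example.test/.htpasswd \
#                /home/sites/example.test/public_html
```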

edbr
11-13-2010, 04:31 AM
you are welcome. another quick fix I use for some files is a 1 file restrict, I didn't write it, I picked it up ages ago but can't remember where now. saved as access.php
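<?php
// access.php: one-file login gate. All logic runs before any output so that
// session_start() and header() can still send headers.
session_start();

// Hard-coded plain-text credentials, as in the original snippet.
$ADMIN_USER = "admin";
$ADMIN_PASSWORD = "admin";

if (empty($_SESSION['authenticated'])) {
    if (isset($_POST['loginbutton'])) {
        // Accept strings only and compare with hash_equals(): strcmp() returns
        // NULL for non-string input on PHP < 8, and !NULL counts as a match.
        $inputuser = (isset($_POST['input_user']) && is_string($_POST['input_user'])) ? $_POST['input_user'] : '';
        $inputpassword = (isset($_POST['input_password']) && is_string($_POST['input_password'])) ? $_POST['input_password'] : '';

        if (hash_equals($ADMIN_USER, $inputuser) && hash_equals($ADMIN_PASSWORD, $inputpassword)) {
            session_regenerate_id(true); // fresh session ID after login
            $_SESSION['authenticated'] = 1;
            header("Location: " . $_SERVER['PHP_SELF']);
            exit; // nothing else is sent before the redirect
        }
        displayform(1);
    } else {
        displayform(0);
    }
}

// Prints the login page and stops the script, so the protected page never renders.
function displayform($error) {
    echo "<html><head><title>Please login</title><style>
table{ margin-top:100px; }
td{ font-family: verdana; font-size: 8pt; background-color:#999; }
input{ background-color:#fff; }</style></head><body><div align=\"center\">";
    if ($error) echo "<p><b>Wrong credentials.</b></p>";
    echo "<form action=\"\" method=\"post\"><table width='300' border=0 ><tr><td width='100'>username:</td>";
    echo "<td><input type='text' name='input_user'></td></tr><tr><td>password:</td><td><input type='password' name='input_password'></td></tr>";
    echo "<tr><td colspan='2'><input type='Submit' value='Login&raquo;' name='loginbutton'></td></tr></table></form></div></body></html>";
    exit;
}
?>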

and at the top of any php page you want to protect
<?php
// require (not include) so the page stops if access.php cannot be loaded;
// access.php shows the login form and exits until the session is authenticated.
require "access.php";
?>

davidj
11-17-2010, 02:27 PM
You shouldn't really echo from within a function. You should create an abstraction layer between your logic and your output. It won't take long before this becomes unwieldy and a mare to maintain.

You could have a functions / php include which holds your logic. Functions will return output from a call, making your HTML quite streamlined.

I am thinking about making life easier

edbr
11-18-2010, 01:29 AM
OOPS! thanks david, I'm always happy when you correct the best procedures, I can be sloppy. It's one of the reasons I have and will recommend your tutorials and courses.
I actually found this when I was trying to teach myself about logins, it's not very useful and as you see not encrypted, I keep it in my snippet bag for temporary files I want to restrict as a quick and dirty solution but in reality I don't remember when I actually used it. Just thought I'd pass it on in case it was of use to anyone