Gossamer Forum

Admin.cgi -> Small Mod -> Links SQL v1.11

Using widgetz's cool modify.cgi codes I have adapted them to work in the admin.cgi script. This may help people who do not have .htaccess or do not know how to configure NT to password protect directories:

Simply do the following:

1) Add the following codes in the load modules section in the admin.cgi script:

Code:

use Links::HTML_Templates;   # the mod below calls &authenticate and &site_html_error from here
use vars qw/%in $USER/;      # globals: the request as a hash, and the logged-in user record
&main();                     # run the protected dispatcher defined in step 2


2) Then replace all the codes after the module section and before the sub add_record routine with the following codes:

Code:

sub main {
#---------------------------------------------------
# Create our CGI, and DB objects.

    my $in      = new CGI;
    my $dynamic = $in->param('d') ? $in : undef;      # dynamic-page mode, handed to site_html_error
    %in         = %{&cgi_to_hash ($in)};
    my $db      = new Links::DBSQL $LINKS{admin_root_path} . "/defs/" . ($in->param('db') || "Links") . ".def";

    &admin_html_init($in, $db);

# Get user information: the session id arrives as the 's' parameter or cookie.
    my $s = $in->param('s') || $in->cookie('s');
    $USER = &authenticate ($s);
    if (! defined $USER) {
        # No valid session: send the visitor to the login page and come back here afterwards.
        my $encurl = $ENV{'SCRIPT_NAME'};
        print $in->redirect("$LINKS{build_user_url}?to=$encurl") and return;
    }

    # Read 'do' once so the comparisons below do not warn when it is absent.
    my $do = $in->param('do');
    print $in->header() unless (defined $do and $do eq 'show_attach');

    if ($USER->{Status} eq 'Administrator') {
        if (defined $do) {
            # Dispatch to the sub named in 'do', as the stock admin.cgi does.
            my $sub = \&{$do};
            &{$sub} ($in, $db);
        }
        else {
            &html_home ($in, $db);
        }
    }
    else {
        # Logged in, but not an administrator.
        &site_html_error ({error => "You do not have permission to access this script."}, $in, $dynamic);
        return;
    }
}


3) Before installing the above codes, you will need to create a user in the Users table that has Administrator permissions. You will need to use this user account to access your admin.cgi in the future.

Hope this helps.

Regards,

Eliot Lee
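One point worth checking in step 2 before relying on it: `\&{$in->param('do')}` turns whatever name arrives in the `do` parameter into a subroutine call, so an administrator session can invoke any sub loaded into admin.cgi, not only the admin pages. The following is an added example, not code from the original post or from Links SQL, showing the same admin check with the `do` value looked up in an allow-list instead. The handler subs here are constructed stand-ins; in admin.cgi the table would point at the real admin routines.

```perl
#!/usr/bin/perl
# Added example, not part of the original post or of Links SQL: allow-list
# dispatch for the 'do' parameter in place of the symbolic reference
#     my $sub = \&{$in->param('do')}; &{$sub}($in, $db);
use strict;
use warnings;
use CGI;

# Constructed stand-in handlers. In admin.cgi these would be the real subs.
sub html_home   { my ($in, $db) = @_; return "home page" }
sub add_record  { my ($in, $db) = @_; return "add record form" }
sub show_attach { my ($in, $db) = @_; return "attachment bytes" }

# The only values of 'do' that are ever turned into a subroutine call.
my %ADMIN_ACTIONS = (
    home        => \&html_home,
    add_record  => \&add_record,
    show_attach => \&show_attach,
);

# Actions that emit their own HTTP header (the mod skips the header for show_attach).
my %SENDS_OWN_HEADER = (show_attach => 1);

# Returns (status, body). Prints the header itself, like the original main().
sub dispatch_admin_action {
    my ($in, $db, $user) = @_;

    # Same gate as the mod: only an authenticated Administrator may continue.
    unless (defined $user and ($user->{Status} || '') eq 'Administrator') {
        return (403, "You do not have permission to access this script.");
    }

    my $do = $in->param('do');
    $do = 'home' unless defined $do and length $do;

    # Unknown action: refuse instead of looking the name up in the symbol table.
    my $handler = $ADMIN_ACTIONS{$do}
        or return (400, "Unknown admin action");

    print $in->header() unless $SENDS_OWN_HEADER{$do};
    return (200, $handler->($in, $db));
}

# Stand-alone demonstration on a constructed request: 'main' is a sub in
# admin.cgi but not an admin page, so the allow-list rejects it.
if (!caller) {
    my $user = { Status => 'Administrator' };   # constructed user record
    my ($status, $body) = dispatch_admin_action(CGI->new({ do => 'main' }), undef, $user);
    print "$status $body\n";                    # 400 Unknown admin action
    ($status, $body) = dispatch_admin_action(CGI->new({ do => 'home' }), undef, $user);
    print "$status $body\n";                    # 200 home page
}
```

The table also gives a single place to see which routines are reachable over HTTP, which is easier to audit than scanning admin.cgi for every `sub`.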

Re: Admin.cgi -> Small Mod -> Links SQL v1.11
I don't know this mod, but just off the cuff:

That protects the admin.cgi, but without .htaccess, the other files such as nph-build.cgi and nph-index.cgi are still accessible. While they won't "damage" the database, access to those files could bring a server to its knees.

You'd want to rename those files something obscure, or pass them the admin authorization before they'd run. Doesn't have to be elegant, but if you are talking security, you need to think about those holes as well.

http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: Admin.cgi -> Small Mod -> Links SQL v1.11
Well, the same codes could be applied in the nph files.

Regards,

Eliot Lee

Re: Admin.cgi -> Small Mod -> Links SQL v1.11
Hi,

_I_ know they could, but I wanted to make sure our millions of readers knew that;)

Security is a big nitpick with me, and sadly, too many people here and on the web in general don't think about it enough. In college I was the one with all the keys :) I ran a couple of buildings, and learned the idea of "physical" security. Then, I spent waaaay too many hours in the various computer room dungeons, and learned about computer security...

So, I just thought I'd pipe in.

.htaccess is still the best lock for this sort of thing, since the whole directory structure would be protected.

Barring that, each "executable" script has to be protected in some way.
http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: Admin.cgi -> Small Mod -> Links SQL v1.11
Good points...I was able to adapt the codes in my nph files and also in the editor.cgi file. AND I have adapted the login for MySQLMan to work with the authenticate codes in Links SQL.

I do have .htaccess protected directories in my site, but to add an extra level of security, the codes that widgetz wrote and the small hacks I've applied to them are really nice.

Regards,

Eliot Lee
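The thread's point that every executable script, not just admin.cgi, needs the same check is easiest to satisfy with one guard routine that nph-build.cgi, nph-index.cgi and editor.cgi all call before doing any work. The following is an added example, not code from the thread or from Links SQL: `require_admin` repeats the session and Status test from the mod and either returns the user record or emits a redirect/403 and returns undef. The `authenticate` here is a constructed stand-in keyed on a session id; in a real install it is the Links SQL `&authenticate`, and the login URL is an assumed path that would come from `$LINKS{build_user_url}`.

```perl
#!/usr/bin/perl
# Added example, not part of the thread or of Links SQL: a reusable admin
# guard for nph-build.cgi, nph-index.cgi, editor.cgi and similar scripts.
use strict;
use warnings;
use CGI;

# Constructed stand-in for Links SQL's &authenticate: session id -> user record.
my %SESSIONS = (
    'sess-admin-1' => { Username => 'alice', Status => 'Administrator' },
    'sess-user-2'  => { Username => 'bob',   Status => 'Registered' },
);
sub authenticate { my ($s) = @_; return defined $s ? $SESSIONS{$s} : undef }

# Returns the user record when the request carries an Administrator session.
# Otherwise it prints a redirect to the login page (no session) or a 403
# (wrong Status) and returns undef, so a caller can write:
#     my $user = require_admin($in, nph => 1) or exit;
# Pass nph => 1 from nph-* scripts so CGI.pm emits the full HTTP status line.
sub require_admin {
    my ($in, %opt) = @_;
    my $login_url = $opt{login_url} || '/cgi-bin/links/user.cgi';   # assumed; use $LINKS{build_user_url}
    my @nph       = $opt{nph} ? (-nph => 1) : ();

    # Same lookup as the admin.cgi mod: 's' parameter first, then the cookie.
    my $s    = $in->param('s') || $in->cookie('s');
    my $user = authenticate($s);

    if (!defined $user) {
        # Send the visitor to the login page with a return address, URL-encoded.
        my $back = CGI::escape($ENV{SCRIPT_NAME} || '');
        print $in->redirect(-uri => "$login_url?to=$back", @nph);
        return undef;
    }
    if (($user->{Status} || '') ne 'Administrator') {
        print $in->header(-status => '403 Forbidden', -type => 'text/plain', @nph);
        print "You do not have permission to run this script.\n";
        return undef;
    }
    return $user;
}

# Stand-alone demonstration on constructed requests.
if (!caller) {
    # A registered but non-admin session: prints the 403 and stops here.
    my $blocked = require_admin(CGI->new({ s => 'sess-user-2' }));
    print "blocked: ", (defined $blocked ? "no" : "yes"), "\n";

    # An administrator session: the build would proceed from here.
    my $user = require_admin(CGI->new({ s => 'sess-admin-1' })) or exit;
    print "build running as $user->{Username}\n";
}
```

Placing the call as the first statement after the module loads matters: nph-build.cgi does its expensive work at top level, so a check that runs after the build has started protects nothing.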

Re: Admin.cgi -> Small Mod -> Links SQL v1.11
MORE security is never a bad thing - and the passwords on the .htaccess are different from the Admin passwords :) <G> You'd be surprised how many are not.

You'd be surprised how many systems I can gain root access on when given the "user" password for the main user <sigh>....

And people wonder how credit card numbers are stolen! It's not during "secure" transmission over the net, it's from poor email, database and system security, when the data is just sitting on the disk. All these "secure servers" are mostly "hype." A server is only as secure as its passwords :)

http://www.postcards.com
FAQ: http://www.postcards.com/FAQ/LinkSQL/

Re: Admin.cgi -> Small Mod -> Links SQL v1.11
My .htaccess passwords are different, however, it would be quite easy to copy the passwords and usernames into the .htaccess file from the cgi scripts in Links SQL. But I like having different passwords/usernames for enhanced security.

Regards,

Eliot Lee