Topic: Re: WARNING: security (Read 1525 times)

JoomLena (Offline)

  • Explorer
  • Posts: 98
  • Sex: Male
  • JoomLena & VinPe
Re: WARNING: security
« on: 12 Sep 2008, 19:19:28 »
Since one of my sites got burned, the first thing I'm doing is an immediate backup of the site.

In this blog I found a script to give any hackers a hard time.

I wanted to know whether this script actually gives some real security.

I tried it on this site: http://www.vinpe.net/administrator/.

Here is the script:


<?php
###############################################################
# Page Password Protect 2.13
###############################################################
# Visit http://www.zubrag.com/scripts/ for updates
###############################################################
#
# Usage:
# Set usernames / passwords below between SETTINGS START and SETTINGS END.
# Open it in browser with "help" parameter to get the code
# to add to all files being protected.
#    Example: password_protect.php?help
# Include protection string which it gave you into every file that needs to be protected
#
# Add following HTML code to your page where you want to have logout link
# Logout
#
###############################################################

/*
-------------------------------------------------------------------
SAMPLE if you only want to request login and password on login form.
Each row represents different user.

$LOGIN_INFORMATION = array(
  'zubrag' => 'root',
  'test' => 'testpass',
  'admin' => 'passwd'
);

--------------------------------------------------------------------
SAMPLE if you only want to request only password on login form.
Note: only passwords are listed

$LOGIN_INFORMATION = array(
  'root',
  'testpass',
  'passwd'
);

--------------------------------------------------------------------
*/

##################################################################
#  SETTINGS START
##################################################################

// Add login/password pairs below, like described above
// NOTE: all rows except last must have comma "," at the end of line
$LOGIN_INFORMATION = array(
  'admin' => 'inserire qua una password',
 # 'admin' => 'adminpass' if you want to add more users
);

// request login? true - show login and password boxes, false - password box only
define('USE_USERNAME', true);

// User will be redirected to this page after logout
define('LOGOUT_URL', 'http://www.tuosi.to/');

// time out after NN minutes of inactivity. Set to 0 to not timeout
define('TIMEOUT_MINUTES', 10);

// This parameter is only useful when TIMEOUT_MINUTES is not zero
// true - timeout time from last activity, false - timeout time from login
define('TIMEOUT_CHECK_ACTIVITY', true);

##################################################################
#  SETTINGS END
##################################################################


///////////////////////////////////////////////////////
// do not change code below
///////////////////////////////////////////////////////

// show usage example
if(isset($_GET['help'])) {
  die('Include following code into every page you would like to protect, at the very beginning (first line):
&lt;?php include("' . str_replace('\\','\\\\',__FILE__) . '"); ?&gt;');
}

// timeout in seconds
$timeout = (TIMEOUT_MINUTES == 0 ? 0 : time() + TIMEOUT_MINUTES * 60);

// logout?
if(isset($_GET['logout'])) {
  setcookie("verify", '', $timeout, '/'); // clear password;
  header('Location: ' . LOGOUT_URL);
  exit();
}

if(!function_exists('showLoginPasswordProtect')) {

// show login form
function showLoginPasswordProtect($error_msg) {
?>
<html>
<head>
  <title>Accesso al Pannello Amministrazione</title>
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
</head>
<body>
  <style>
    input { border: 1px solid black; }
  </style>
  <div style="width:500px; margin-left:auto; margin-right:auto; text-align:center">
  <form method="post">
    <h3><img src="images/joomlena.png" width="138" height="164"></h3>
    <h3>Identificati per accedere al pannello di amministrazione</h3>
    <font color="red"><?php echo $error_msg; ?></font>

<?php if (USE_USERNAME) echo 'Login:
<input type="input" name="access_login" />
Password:
'; ?>
    <input type="password" name="access_password" /><p></p><input type="submit" name="Submit" value="Invia" />
  </form>
 

  <a style="font-size:9px; color: #B0B0B0; font-family: Verdana, Arial;" href="http://joomlena.altervista.org" title="Protezione Sito Suck Hacker !">Powered by JoomLena</a>
  </div>
</body>
</html>

<?php
  // stop at this point
  die();
}
}

// user provided password
if (isset($_POST['access_password'])) {

  $login = isset($_POST['access_login']) ? $_POST['access_login'] : '';
  $pass = $_POST['access_password'];
  if (!USE_USERNAME && !in_array($pass, $LOGIN_INFORMATION)
  || (USE_USERNAME && ( !array_key_exists($login, $LOGIN_INFORMATION) || $LOGIN_INFORMATION[$login] != $pass ) )
  ) {
    showLoginPasswordProtect("Incorrect password.");
  }
  else {
    // set cookie if password was validated
    // NOTE: the cookie value is an unsalted md5 of login%password, so whoever
    // obtains it holds a reusable, password-equivalent token until it expires
    setcookie("verify", md5($login.'%'.$pass), $timeout, '/');
   
    // Some programs (like Form1 Builder) check $_POST array to see if parameters passed
    // So need to clear password protector variables
    unset($_POST['access_login']);
    unset($_POST['access_password']);
    unset($_POST['Submit']);
  }

}

else {

  // check if password cookie is set
  if (!isset($_COOKIE['verify'])) {
    showLoginPasswordProtect("");
  }

  // check if cookie is good
  // NOTE: the comparison below uses loose "==" against an unsalted md5 of
  // login%password; hash_equals() would be the strict, constant-time choice
  $found = false;
  foreach($LOGIN_INFORMATION as $key=>$val) {
    $lp = (USE_USERNAME ? $key : '') .'%'.$val;
    if ($_COOKIE['verify'] == md5($lp)) {
      $found = true;
      // prolong timeout
      if (TIMEOUT_CHECK_ACTIVITY) {
        setcookie("verify", md5($lp), $timeout, '/');
      }
      break;
    }
  }
  if (!$found) {
    showLoginPasswordProtect("");
  }

}
#############################################################################
#  COPY FROM HERE UPWARDS AND PASTE INTO ANOTHER FILE index.php Suck Hackers !
#############################################################################
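The script above keeps its session in a cookie that is an unsalted md5 of login and password and checks it with a loose comparison. The following is an added example, not part of the forum post and not the zubrag script, showing the same stateless-cookie design hardened: passwords are stored as password_hash() output, the cookie carries a login, an expiry and an HMAC under a server-side secret (never anything derived from the password), and verification uses hash_equals(). The user table, secret, cookie name and the /administrator/ path are assumptions for the demo; run it from the command line for an offline self-check with constructed sample data.

```php
<?php
// Added example, not the original zubrag script and not JoomLena's code.
// Assumptions (hypothetical): credentials are stored as password_hash()
// output, the cookie carries "login|expiry|hmac" signed with a server-side
// secret, and the cookie is scoped to /administrator/ with HttpOnly/Secure.
declare(strict_types=1);

// Logins are restricted to a safe character set so '|' cannot appear inside
// the signed payload.
function validLogin(string $login): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $login) === 1;
}

// Verify a submitted login/password against bcrypt hashes; no plaintext
// password is ever stored or embedded in a cookie.
function checkCredentials(array $users, string $login, string $pass): bool
{
    if (!validLogin($login) || !isset($users[$login])) {
        return false;
    }
    return password_verify($pass, $users[$login]);
}

// Build a cookie value proving "this login was authenticated until
// $expiresAt"; only the holder of $secret can produce a valid MAC.
function issueToken(string $secret, string $login, int $expiresAt): string
{
    $payload = $login . '|' . $expiresAt;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Return the login named in a valid, unexpired token, or null. hash_equals()
// avoids both loose (==) comparison and timing leaks on the MAC.
function verifyToken(string $secret, array $users, string $token, int $now): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$login, $exp, $mac] = $parts;
    if (!validLogin($login) || !isset($users[$login]) || !ctype_digit($exp) || (int)$exp <= $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $login . '|' . $exp, $secret);
    return hash_equals($expected, $mac) ? $login : null;
}

// Cookie flags keep the token off plain HTTP, away from scripts and out of
// cross-site requests.
function setAuthCookie(string $token, int $expiresAt): void
{
    setcookie('auth', $token, [
        'expires'  => $expiresAt,
        'path'     => '/administrator/', // assumed admin path, as in the post
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

if (PHP_SAPI === 'cli') {
    // Offline self-check with constructed sample data.
    $users  = ['admin' => password_hash('example-password', PASSWORD_DEFAULT)];
    $secret = bin2hex(random_bytes(32)); // production: generated once, stored outside the web root
    $now    = time();
    $check  = function (bool $ok, string $what): void {
        if (!$ok) { throw new RuntimeException("self-check failed: $what"); }
    };
    $check(checkCredentials($users, 'admin', 'example-password'), 'good password accepted');
    $check(!checkCredentials($users, 'admin', 'wrong'), 'bad password rejected');
    $check(!checkCredentials($users, 'nobody', 'example-password'), 'unknown login rejected');
    $token = issueToken($secret, 'admin', $now + 600);
    $check(verifyToken($secret, $users, $token, $now) === 'admin', 'valid token accepted');
    $check(verifyToken($secret, $users, issueToken($secret, 'admin', $now - 1), $now) === null, 'expired token rejected');
    $last     = substr($token, -1);
    $tampered = substr($token, 0, -1) . ($last === 'a' ? 'b' : 'a');
    $check(verifyToken($secret, $users, $tampered, $now) === null, 'tampered MAC rejected');
    $check(verifyToken($secret, $users, 'admin|' . ($now + 600) . '|' . md5('x'), $now) === null, 'forged MAC rejected');
    echo "self-check ok\n";
} else {
    // Web request: same flow as the script above, with the hardened checks.
    $users  = ['admin' => '$2y$...'];            // placeholder: paste a real password_hash() value
    $secret = 'replace-with-a-random-secret';    // placeholder: load from a file outside the web root
    $now    = time();
    $ttl    = 10 * 60;                           // same 10-minute timeout as TIMEOUT_MINUTES above
    if (isset($_POST['access_login'], $_POST['access_password'])
        && checkCredentials($users, (string)$_POST['access_login'], (string)$_POST['access_password'])) {
        setAuthCookie(issueToken($secret, (string)$_POST['access_login'], $now + $ttl), $now + $ttl);
    } elseif (verifyToken($secret, $users, (string)($_COOKIE['auth'] ?? ''), $now) === null) {
        http_response_code(401);
        exit('login required');
    }
}
```

Running `php` on the file prints `self-check ok`; included from a page, it behaves like the original script's gate. The design choice worth noting is that a stolen cookie here expires on its own and reveals nothing about the password, whereas a stolen md5(login%password) cookie from the script above stays valid as long as the password does.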


bugSearch.Net

  • Guest
Re: WARNING: security
« Reply #1 on: 12 Sep 2008, 19:29:20 »
In my opinion it gives you the same security as having an htpasswd that password-protects the administration area... If they breach your frontend and manage to replace your pages, I don't see what use protecting the administration is to you; rather, keep Joomla and its components up to date.
