1.5.4 exploits the url/admin, how can we put a .htpasswd and .htaccess to /admin folder

Question

Hello,

Since there is an exploit that gets the /admin account by using form method post, how can we put a secondary password to /admin ? Can we make a folder called admin and put a .htpasswd and .htaccess?

 

I'm really concerned because I want to make it very secure, but I won't upgrade to 1.6 because I changed the source code over 40%

The exploit it's explained here:

http://seclists.org/fulldisclosure/2013/Mar/6

for admin account

http://seclists.org/fulldisclosure/2013/Mar/92

Answer 1

Interesting, thanks for letting the q2a-community know.

If I understood the issue right, you could protect the admin account by disabling "forgot password" for admins in qa-page-forgot.php. Not by checking the email but by checking against the unique userid (which cannot be changed).

E.g. something like this after line 70:

  if($inuserid==1) { return; }

I am no sec.expert at all, but this would be my first clue :)

Comments

my idea is to protect admin folder via htaccees and htpasswd how can i do this?

---

I managed to add  if($inuserid==1) { die('<meta http-equiv="refresh" content="10;URL=\'http://domain.tld/\'">NO!'); }   and it works ok.
I recommend to all users to add this line !