Welcome to the Question2Answer Q&A. There's also a demo if you just want to try it out.
+5 votes
1.6k views
in Q2A Core by
Hello,

Since there is an exploit that gets the /admin account by using form method post, how can we put a secondary password to /admin ? Can we make a folder called admin and put a .htpasswd and .htaccess?

 

I'm really concerned because I want to make it very secure, but I won't upgrade to 1.6 because I changed the source code over 40%

The exploit it's explained here:

http://seclists.org/fulldisclosure/2013/Mar/6

for admin account

http://seclists.org/fulldisclosure/2013/Mar/92
Q2A version: 1.5.4

1 Answer

+3 votes
by
edited by

Interesting, thanks for letting the q2a-community know.

If I understood the issue right, you could protect the admin account by disabling "forgot password" for admins in qa-page-forgot.php. Not by checking the email but by checking against the unique userid (which cannot be changed).

E.g. something like this after line 70:

  if($inuserid==1) { return; }

I am no sec.expert at all, but this would be my first clue :)

by
my idea is to protect admin folder via htaccees and htpasswd how can i do this?
by
I managed to add  if($inuserid==1) { die('<meta http-equiv="refresh" content="10;URL=\'http://domain.tld/\'">NO!'); }   and it works ok.
I recommend to all users to add this line !
...