a crazy idea...

thoroughfare

Hi,

I want DA to be highly integrated into my web hosting business site, and also accessible to those using a proxy when their 2222 port is blocked.

I was wondering if there would be any security issues if I used PHP's fopen() to retrieve DA control panel pages, process them, change links from http://domain.com:2222/CMD_XXXXX to http://mydomain.com/panelhq/display.php?action=CMD_XXXXXX etc?

I can't think of any issues... can you?

Cheers,
Matt :)
 
Hello,

The one thing that jumps out at me is the fact that all connections will be from "localhost", which opens up the sessions a bit... the IP is stored in the session to double check the connection with the session id... if they are all using localhost, it's one less check a hacker might need. I would be *very* hesitant to implement what you are suggesting.

BUT if you were to use the "Authorization: Basic ..." login feature.. it would probably be a bit better.

Interesting idea ;)

John
 
I was planning to implement my own sessions (which track users using a session id, user agent and IP (no cookies)), although I guess I'd need to create some kind of session between my PHP script and DA? Is that what would be insecure?

Cheers,
Matt :)
 
What is the 'Authorization: Basic' login method? Is it a 'HTTP POST authentication' alternative method of logging in (like that used in cPanel) instead of using sessions and cookies?

I'm also writing a Windows GUI that automates DA backups so I've studied the headers quite extensively ;)

Matt
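
A small model of the IP check John describes and the proxy-side session binding Matt proposes, as an added example that is not part of the original thread and is not DirectAdmin's code; `Backend`, `Proxy` and the sample addresses are hypothetical, constructed names. It shows that once every request reaches the panel from localhost, the panel's IP check no longer tells clients apart, so the proxy has to bind its own token to the client's IP and user agent.

```python
import secrets

LOOPBACK = "127.0.0.1"  # address the panel sees for every proxied request

class Backend:
    """Hypothetical panel: binds each session id to the IP it logged in from."""
    def __init__(self):
        self.sessions = {}  # session id -> peer IP recorded at login

    def login(self, peer_ip):
        sid = secrets.token_hex(16)
        self.sessions[sid] = peer_ip
        return sid

    def request(self, sid, peer_ip):
        # The IP double-check: the session id must arrive from the login IP.
        return self.sessions.get(sid) == peer_ip

class Proxy:
    """Hypothetical display.php-style front end running on the panel host."""
    def __init__(self, backend, bind_client):
        self.backend = backend
        self.bind_client = bind_client
        self.clients = {}  # proxy token -> (client IP, user agent, backend sid)

    def login(self, client_ip, user_agent):
        token = secrets.token_hex(16)
        sid = self.backend.login(LOOPBACK)  # panel only sees the proxy itself
        self.clients[token] = (client_ip, user_agent, sid)
        return token

    def request(self, token, client_ip, user_agent):
        entry = self.clients.get(token)
        if entry is None:
            return False
        ip, agent, sid = entry
        if self.bind_client and (ip, agent) != (client_ip, user_agent):
            return False  # token presented by a different client than it was issued to
        return self.backend.request(sid, LOOPBACK)

def direct_replay_accepted():
    """Constructed case: no proxy, session id presented from another address."""
    backend = Backend()
    sid = backend.login("203.0.113.10")
    return backend.request(sid, "198.51.100.7")

def proxied_replay_accepted(bind_client):
    """Constructed case: proxy token presented by a different client."""
    proxy = Proxy(Backend(), bind_client)
    token = proxy.login("203.0.113.10", "Browser/1.0")
    return proxy.request(token, "198.51.100.7", "Other/2.0")
```

Without the proxy-side binding the panel accepts the mismatched client because its own check only ever compares localhost with localhost; with `bind_client=True` the proxy restores the check that was lost.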
 