Httpsocket... admin pass ??

syskall

Hello,

I am trying to build a plugin for DirectAdmin.

In the plugin, I need to list all the users of the connected reseller. (using the httpsocket.php class)

It looks like:
PHP:
$reseller = $_SERVER['USER'];
$sock = new HTTPSocket;
$sock->connect("domain.com",2222);
$sock->set_login("admin|".$reseller,"adminpass"); // PLAIN ADMIN PASSWORD !!!!!!
$sock->set_method('GET');
$sock->query('/CMD_API_SHOW_USERS');
$userlist = $sock->fetch_parsed_body();
Since the file must be readable by any user (rwxr-xr-x), I was wondering if it was really secure... Any user could just "less /usr/local/directadmin/plugins/plugname/user/index.html" and see the "adminpass".

Am I right ? If so, how can I make it secure ???

Thx a lot for your help !
 
Good question.

The way I've always done it is by just providing the username of the logged in user so that the same session is used. However, I can see how this can't be done if the plugin is needed to collect information from the admin level but executed by the user level.

I haven't looked into it, but can't you just make the file executable by all users instead of readable as well?
 
I tried to make it unreadable by others and it didn't work. I'd like to be able to just use the current user's password, but I just don't know how to get this information without having him log in once in my plugin... All I could find was the way to get his username ($_SERVER['USER']), but I still don't know how to get information about his account w/o getting his password by an input...

For example, if I want to get the domains of the connected user:
PHP:
$sock = new HTTPSocket;
$sock->connect("domain.com",2222);
$sock->set_login($_SERVER['USER'],'pass'); // HOW DO I GET THE PASS
$sock->query('/CMD_API_SHOW_USERS');
$domains = $sock->fetch_parsed_body();
Help wanted!
 
From inside a DirectAdmin plugin you can leave the password string blank, i.e.:

$Socket = new HTTPSocket();
$Socket->connect("127.0.0.1",2222);
$Socket->set_login($_SERVER['REMOTE_USER']);
$Socket->query('/CMD_API_SHOW_USERS');

etc.

Cheers, Phil.
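
An added example, not part of the thread and not DirectAdmin's own code: a small Python audit that flags plugin files where set_login() is given a literal password (the pattern in the first post), records whether each such file is world-readable, and passes the blank-password form from the reply above. The sample files and the names audit_plugin_tree and build_sample_tree are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# set_login(<user>, "<non-empty literal>") : a password typed into the source.
HARDCODED_LOGIN = re.compile(
    r"""set_login\s*\((?P<user>[^;]*?),\s*(['"])(?P<secret>[^'"]+)\2\s*\)""")

def audit_plugin_tree(root):
    """Return (relative path, line number, world_readable) per hardcoded login."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if HARDCODED_LOGIN.search(line):
                        # Report the location only; never echo the secret itself.
                        rel = os.path.relpath(path, root)
                        findings.append((rel, lineno, world_readable))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample plugin files modelled on the two patterns in the thread."""
    root = tempfile.mkdtemp(prefix="da_plugin_audit_")
    samples = {
        "hardcoded/index.html": (
            '<?php\n$sock = new HTTPSocket;\n'
            '$sock->set_login("admin|".$reseller,"adminpass");\n', 0o755),
        "session/index.html": (
            '<?php\n$Socket = new HTTPSocket();\n'
            "$Socket->set_login($_SERVER['REMOTE_USER']);\n", 0o755),
    }
    for rel, (body, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)  # rwxr-xr-x, as described in the first post
    return root

if __name__ == "__main__":
    for rel, lineno, readable in audit_plugin_tree(build_sample_tree()):
        exposure = "world-readable" if readable else "restricted"
        print(f"{rel}:{lineno}: hardcoded set_login password ({exposure})")
```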
 
Hey, I tried using $_SERVER[USERNAME] but it doesn't seem to work. They still prompt me for login.


require 'httpsocket.php';

$sock = new HTTPSocket;
$sock->connect($_SERVER['SERVER_ADDR'],$_SERVER['SERVER_PORT']);

$sock->set_login($_SERVER['USERNAME']);
$sock->set_method('POST');

$sock->query('/CMD_SUBDOMAIN',
array(
'action' => 'create',
'domain' => $domain,
'subdomain' => $subdomain
));
$result = $sock->fetch_body();


Can anybody help, pls?
 
genexis,

Is that code inside a DirectAdmin plugin? Skipping the password will only work inside a plugin.

Good luck, Phil.
 
Maybe try connecting to 127.0.0.1 instead of %SERVER_ADDR.

$sock->connect("127.0.0.1",2222);

Good luck, Phil.
 
From inside a plugin, do I need the admin password when I'm NOT logged in as admin?

Let's say I have a reseller called xyz. When he's logged in and accesses a page containing:
$sock = new HTTPSocket;

$sock->connect('localhost',2222);
$sock->set_login('admin');

$sock->query('/CMD_API_SHOW_ALL_USERS');
$result = $sock->fetch_parsed_body();


He can't use the ADMIN APIs?
Even though you said you don't need to use the admin pass when using it INSIDE a PLUGIN.

Can you explain?
 