Well, it took some time but I figured it out. The issue that was causing me the most pain is that when logging on you're no longer viewing the website through the Apache-driven PHP engine but are in fact using Apache to view the result of you yourself running PHP as a CGI. In short: I forgot to add two lines to the involved Apache conf file.
So here's something of a cookbook for people wanting to expose the admin page under a different name, one that is not in the default search list of hackers hitting your website and trying to gain access. The power of obscurity, if you wish...
First off, some changes need to be made to the PHP code of the admin page. We want to change all the hardcoded references to "/admin" to reflect the URI we're calling. For this we'll split off the first element of the path shown in REQUEST_URI like so:
Code:
preg_replace("|^(/[^/]*/).*$|","\\1",$_SERVER["REQUEST_URI"])
Note that this will return "/admin" when you access the page as "/admin/something", so this is a non-destructive change. There are three files that need to be changed this way:
- /usr/share/web-admin/admin/index.php
  str_replace(SELF, '', __FILE__) => preg_replace("|^(/[^/]*/).*$|","\\1",$_SERVER["REQUEST_URI"])
- /usr/share/web-admin/admin/config/config.php
  "/admin" => preg_replace("|^(/[^/]*/).*$|","\\1",$_SERVER["REQUEST_URI"])
- /usr/share/web-admin/admin/legacy/defines.php
  "/admin" => preg_replace("|^(/[^/]*/).*$|","\\1",$_SERVER["REQUEST_URI"])
The next code block will perform these changes:
Code:
sed -i "s/str_replace(SELF, '', __FILE__)/\"\/usr\/share\/web-admin\"\.preg_replace\(\"\|\^\(\/\[\^\/\]\*\/\)\.\*\$\|\",\"\\\\\\\\1\",\$_SERVER\[\"REQUEST_URI\"\])/" \
/usr/share/web-admin/admin/index.php
sed -i "s/\"\/admin\/\"/preg_replace\(\"\|\^\(\/\[\^\/\]\*\/\)\.\*\$\|\",\"\\\\\\\\1\",\$_SERVER\[\"REQUEST_URI\"\])/" \
/usr/share/web-admin/admin/config/config.php
sed -i "s/\"FORMPREFIX\",\"\/admin\"/\"FORMPREFIX\",preg_replace\(\"\|\^\(\/\[\^\/\]\*\/\)\.\*\$\|\",\"\\\\\\\\1\",\$_SERVER\[\"REQUEST_URI\"\])/" \
/usr/share/web-admin/admin/legacy/defines.php
The changes made so far will allow the webserver to fill in the blanks in the view files correctly, but not all view files are actually processed by PHP, and I found that one of those that are didn't follow the convention of having a variable instead of the literal "/admin". So let's fix that and replace "/admin" by its variable "<?=FORMPREFIX?>":
Code:
sed -i "s/href=\"\/admin\/filemanager\/cd/href=\"<\?=FORMPREFIX\?>\/filemanager\/cd/" \
/usr/share/web-admin/admin/views/default/album/album_album_view.php
At this point everything still points at "/admin" if you access it through this web path, but any change to the other view files might (will) break some of the functionality. The last step, therefore, is to prepare the code to use an alternate view when using a different path.
Code:
sed -ni '1!N; s/\/\/ Default\n\s*define(\"THEME\",\"default\")\;/if (is_dir(APPPATH.\"views\".FORMPREFIX)) {\n\t\tdefine(\"THEME\",str_replace(\"\/\",\"\",FORMPREFIX))\;\n\t} else {\n\t\t\/\/ Default theme\n\t\tdefine(\"THEME\",\"default\")\;\n\t}/; p' \
/usr/share/web-admin/admin/legacy/defines.php
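As an added example (not code from the post or from bubba-frontend), here is a small PHP check you could wrap around the preg_replace used above, so that the prefix echoed into the views and used to pick the theme is limited to aliases you actually configured in Apache. The $allowed list and the "/hidden-panel/" alias are assumptions standing in for your real setup.

```php
<?php
// Added example: derive the admin URL prefix from REQUEST_URI the way the
// post's preg_replace does, then restrict it to a fixed allow-list before
// it is echoed into hrefs or used to choose the theme directory.
// $allowed is an assumption: the aliases you really configured in Apache.

function rawPrefix(string $requestUri): string
{
    // Same regex as in the post: keep the first path element, slashes included.
    return preg_replace('|^(/[^/]*/).*$|', '\\1', $requestUri);
}

function adminPrefix(string $requestUri, array $allowed, string $fallback = '/admin/'): string
{
    $prefix = rawPrefix($requestUri);
    // Accept only a single plain path segment with a trailing slash; a bare
    // "/admin" (regex did not match) or odd characters get the fallback.
    if (!preg_match('|^/[A-Za-z0-9_-]+/$|', $prefix)) {
        return $fallback;
    }
    return in_array($prefix, $allowed, true) ? $prefix : $fallback;
}

function themeName(string $prefix): string
{
    // Mirrors the post's str_replace("/", "", FORMPREFIX) used for the theme dir.
    return str_replace('/', '', $prefix);
}

// Constructed sample requests; "/hidden-panel/" is a made-up alias.
$allowed = ['/admin/', '/hidden-panel/'];
$samples = [
    '/admin/index.php',
    '/hidden-panel/filemanager/cd',
    '/hidden-panel',                 // no trailing slash: regex leaves it as is
    '/other/views/default/x.php',    // a first segment we never configured
    '/ad"min/index.php',             // unexpected character in first segment
];
foreach ($samples as $uri) {
    $safe = adminPrefix($uri, $allowed);
    printf("%-32s raw=%-18s safe=%-15s theme=%s\n",
        $uri, rawPrefix($uri), $safe, themeName($safe));
}
```

Run it with `php` on the command line to see which of the constructed URIs fall back to "/admin/" and which keep their alias.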
It would be nice if Excito applied these changes in their next release of bubba-frontend.