hybula / whmcs-turnstile

Cloudflare's Turnstile captcha integration for WHMCS.

admin page #8

Closed belag closed 2 weeks ago

belag commented 1 month ago

Hello,

This works nicely, thank you! I was just wondering why there is no captcha on the admin page? I added it to the code, but it still doesn't appear.

Bela

trinib commented 1 month ago

@belag In the login.tpl file in your /admin_(whatever_you_have_named)/template folder, add this code above the line {elseif $step eq "reset"}:

<br>
<div class="row">
    <div class="col-xs-12 text-center" style="display:flex;justify-content:center;">
        <div class="cf-turnstile" data-sitekey="YOURKEY" data-callback="javascriptCallback" data-theme="dark" data-size="normal"></div>
    </div>
</div>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script>
document.addEventListener('DOMContentLoaded',function(){
    document.querySelector('form').addEventListener('submit',function(event){
        var captchaResponse=document.querySelector('input[name="cf-turnstile-response"]').value;
        if(!captchaResponse){
            event.preventDefault();
            alert('Please complete the CAPTCHA.');
        }
    });
});
</script>

Remember to add your Site Key

I tried every way with different AI chats to make a hook, and it just would not show the captcha box on the admin page. This approach using the login.tpl file worked for me 🎉

KevinGraham-com commented 1 month ago

Won't this only stop the form submission using JavaScript, so it's not really actually that effective, because someone can just bypass it?

trinib commented 1 month ago

Won't this only stop the form submission using JavaScript, so it's not really actually that effective, because someone can just bypass it?

Yeah, you're right. Just disabling JavaScript in the browser bypasses it. I'll see if I can get AI to find another way.

trinib commented 1 month ago

@KevinGraham-com Found a way to make the page inaccessible when JavaScript is off. Same concept as in the client login area: I see a spinner and the page is not functional when JS is off. So I explained to the AI to make it like that. Darn AI would not come up with the idea no matter what I told it at first. 😡 I gotta hold its hand and carry it down that path with this concept. 😂

Add this above the line {elseif $step eq "reset"} in the login.tpl file, same as before:

<br>
<div class="row">
    <div class="col-xs-12 text-center" style="display:flex;justify-content:center;">
        <div class="cf-turnstile" data-sitekey="YOURKEY" data-callback="javascriptCallback" data-theme="dark" data-size="normal"></div>
    </div>
</div>
<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
<script>
document.addEventListener('DOMContentLoaded', function() {
    document.querySelector('form').addEventListener('submit', function(event) {
        var captchaResponse = document.querySelector('input[name="cf-turnstile-response"]').value;
        if (!captchaResponse) {
            event.preventDefault();
            alert('Please complete the CAPTCHA.');
        }
    });
});
</script>
<style>
.spinner {
    position: fixed;
    top: 50%;
    left: 50%;
    transform: translate(-50%, -50%);
    border: 8px solid rgba(0,0,0,0.1);
    border-radius: 50%;
    border-top: 8px solid #3498db;
    width: 60px;
    height: 60px;
    animation: spin 1s linear infinite;
    z-index: 9999;
}
@keyframes spin {
    0% { transform: rotate(0deg); }
    100% { transform: rotate(360deg); }
}
.overlay {
    position: fixed;
    top: 0;
    left: 0;
    width: 100%;
    height: 100%;
    background: rgba(0, 0, 0, 0.8);
    z-index: 9998;
    display: flex;
    align-items: center;
    justify-content: center;
}
.no-js .overlay {
    display: flex;
}
.no-js .content {
    display: none;
}
</style>
<div id="overlay" class="overlay">
    <div id="spinner" class="spinner"></div>
</div>
<div class="content">
    <form method="post" action="login.php">
        <!-- Your existing form fields here -->
    </form>
</div>
<script>
document.addEventListener('DOMContentLoaded', function() {
    document.getElementById('overlay').style.display = 'none';
});
</script>
<noscript>
<style>
.content { display: none; }
</style>
</noscript>

KevinGraham-com commented 1 month ago

This is still browser based, and someone can use Inspect Element to find the hidden login form and unhide it.

Plus anyone trying to brute force the WHMCS login will not be impacted because they are doing a form submit without loading the page.

trinib commented 1 month ago

This is still browser based, and someone can use Inspect Element to find the hidden login form and unhide it.

Plus anyone trying to brute force the WHMCS login will not be impacted because they are doing a form submit without loading the page.

I think you need to know this is for brute force attacks. Anyone can remove a Turnstile captcha that's using the JS script method. And even on the "client area" login side of WHMCS that's using the hook method to show the captcha, I can remove elements and am able to log in after removing the overlay and spinner, and this is with WHMCS's original code, and the same goes for all other sites that implement Turnstile using the JS method.

trinib commented 1 month ago

@KevinGraham-com The idea you're thinking of, that someone can just remove it in the browser and hack the site, is kinda not possible for regular or seasoned hackers. Maybe for legendary hackers, and then none of this security shit matters 😂😂😂

KevinGraham-com commented 1 month ago

I thought the client area hook was using server side validation of the Turnstile captcha?

trinib commented 1 month ago

I thought the client area hook was using server side validation of the Turnstile captcha?

Nope. This repo's WHMCS hook still uses a JS script to show the captcha.

In the hook file:
<script>
        var turnstileDiv = document.createElement("div");
        turnstileDiv.innerHTML = \'<div class="cf-turnstile" data-sitekey="'.hybulaTurnstileSite.'" data-callback="javascriptCallback" data-theme="'.hybulaTurnstileTheme.'"></div>'.(hybulaTurnstileCredits ? '<a href="https://github.com/hybula/whmcs-turnstile" target="_blank"><small class="text-muted text-uppercase">Captcha integration by Hybula</small></a>' : '<!-- Captcha integration by Hybula (https://github.com/hybula/whmcs-turnstile) -->').'<br><br>\';
        if (document.querySelector(\'input[type=submit],#login,div.text-center > button[type=submit],#openTicketSubmit\')) {
            var form = document.querySelector(\'input[type=submit],#login,div.text-center > button[type=submit],#openTicketSubmit\').parentNode;
            form.insertBefore(turnstileDiv, document.querySelector(\'input[type=submit],#login,div.text-center > button[type=submit],#openTicketSubmit\'));
        }
        </script>

trinib commented 1 month ago

@KevinGraham-com In a way it uses server-side installation in the backend, but to actually show it on the site it's using a JS script.

KevinGraham-com commented 1 month ago

That’s the bit that adds the code, but there’s the separate section in the hook code that looks for the extra POST field from the Turnstile captcha and verifies the token with Cloudflare, right?

That’s the bit that’s missing from the admin login, which needs server side validation on the login page to be a deterrent for brute force.
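As an added illustration of the server-side step described above, here is a PHP sketch of what a verification gate looks like. This is not code from hybula/whmcs-turnstile and was not posted by anyone in the thread. Cloudflare's siteverify endpoint and its `secret`, `response` and `remoteip` fields are the documented API, and `cf-turnstile-response` is the POST field the widget submits (the same one the thread's JavaScript reads); the function names, the constant name for the secret, the 403 response and the idea of calling this from a WHMCS hook point before credentials are processed are assumptions for illustration.

```php
<?php
// Added example: server-side Turnstile token verification (not part of
// hybula/whmcs-turnstile). Function names, WHMCS_TURNSTILE_SECRET and the
// 403 handling are assumptions; the siteverify URL and fields are Cloudflare's API.

/**
 * Verify a Turnstile token with Cloudflare. Returns true only when Cloudflare
 * reports success; every other outcome (empty token, network error, bad JSON)
 * fails closed, so a request that skipped the widget cannot pass.
 */
function verifyTurnstileToken(string $secret, string $token, ?string $remoteIp = null): bool
{
    // No token means the widget never ran (JS off, element removed, or a
    // scripted POST that never loaded the page). Reject without a network call.
    if ($token === '' || strlen($token) > 2048) {
        return false;
    }

    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null && $remoteIp !== '') {
        $fields['remoteip'] = $remoteIp;
    }

    $ch = curl_init('https://challenges.cloudflare.com/turnstile/v0/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);

    if (!is_string($body)) {
        return false; // network failure: fail closed rather than let logins through
    }
    $result = json_decode($body, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}

/**
 * Hypothetical gate placed in front of credential processing. Because it runs
 * on the server for every POST, removing the widget or disabling JavaScript in
 * the browser does not get around it.
 */
function requireTurnstileOrAbort(string $secret): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return; // only form submissions carry a token
    }
    $token = (string) ($_POST['cf-turnstile-response'] ?? '');
    if (!verifyTurnstileToken($secret, $token, $_SERVER['REMOTE_ADDR'] ?? null)) {
        http_response_code(403);
        exit('Captcha verification failed.');
    }
}

// Assumed wiring: a hook or bootstrap file would call this before the login
// handler sees the credentials, with the secret loaded from configuration.
// requireTurnstileOrAbort(WHMCS_TURNSTILE_SECRET);
```

Two practical notes: the check has to run before the credentials are evaluated, otherwise a direct POST still gets a password attempt through; and if the site sits behind Cloudflare's proxy, `REMOTE_ADDR` is the proxy address, so the client IP should be taken from the restored-visitor-IP header your web server is configured to trust rather than passed through as-is.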

trinib commented 1 month ago

That’s the bit that adds the code, but there’s the separate section in the hook code that looks for the extra POST field from the Turnstile captcha and verifies the token with Cloudflare, right?

That’s the bit that’s missing from the admin login, which needs server side validation on the login page to be a deterrent for brute force.

You're absolutely right. I cannot log in on the client area side using the hook's server integration. BUT this can be fixed with a hook!! Because I remember the first time the AI made a server-side hook for me for the admin area, the only issue was that the captcha box was not showing, and I could not have logged in, it only said verification failed, meaning it was working in the server backend, which I remember very clearly. I will get the hook code again since it's saved in the AI chat, I just need to go look back.

trinib commented 1 month ago

I think the AI did give me a server-side hook when it made the script for the login.tpl file, and I just ignored it. My bad.

dqos commented 2 weeks ago

This makes no sense at all, the /admin page should be renamed in the first place and then protected by an ACL using your web server. So this is not only out of scope, but a terrible idea as well, so I'm closing this.

trinib commented 2 weeks ago

Yes, I agree.