osCommerce

The e-commerce.

Administration Access Level Accounts 2.0 need help


vivaxone


That's what I thought as well. I increased the timeout for the sessions from the default 1440 to 2880. This is found in admin/includes/functions/sessions.php and is the variable $SESS_LIFE = 1440;

 

I also flushed the sessions table in the database.

 

These have not worked. This problem is not a time-out problem. You can be working in the system for say, 5 minutes and the next link you click on kicks you back to the login page. It also happens with the first or second link you click on after logging in.

 

I have around 15 admins using the system, with maybe 5 to 8 logged in and using the system at any given time. I use a customized version of Step by Step orders 1.7 to facilitate manual order entry for phone orders.

 

I do not experience the kicking out issue as much as the employees using the system. This could be because:

 

A. I do not use the system as much as they do, although I have been using it heavily on days when they have experienced getting kicked out. I have been kicked out on a few occasions, however.

 

B. I am not in the same physical location. At one time I thought that Mcafee Virus Scan may have something to do with it- blocking a cookie or something? I do not use Mcafee, but all the employees have a corporate version installed on their machine.

 

Does any of this provoke any more thoughts from the group?

 

The admin contrib is not using the normal osC sessions. There should be a different sessions database or it is storing to file in /tmp. There should be something somewhere, or it may be due to a stupid cookie.


The admin contrib is not using the normal osC sessions. There should be a different sessions database or it is storing to file in /tmp. There should be something somewhere, or it may be due to a stupid cookie.

 

admin_access levels uses session functions found in admin/includes/functions/sessions.php, and increasing $SESS_LIFE = 1440; does increase the timeout time when the system does not kick you out. Also, flushing the session table immediately kicks you out. If I flush the sessions table and then login, there appears only one new entry in the sessions table. That seems to tell me that the sessions table in the database is also being used by admin_access.

 

So that's why I've focused on the code that checks to see if the session is registered. I am going to try to insert some information to see if I can pinpoint the exact location in the code where I am getting kicked out, to see if that provides any more information as to why.

 

Thanks for the input/feedback... it helps my brain work.

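The posts above treat the timeout as something $SESS_LIFE alone controls. As an added example (not code from this thread or from the Admin Access Level contribution), here is how an admin idle timeout can be enforced by the application itself on every request, together with a logout that really destroys the session. It assumes plain PHP 7+ sessions rather than osCommerce's tep_session_* wrappers, and the session key $_SESSION['admin_id'] and the function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread or from the AAL contribution.
// Idle timeout enforced by the application on every admin request, plus a
// logout that destroys the session. Assumes plain PHP sessions and a login
// handler that stores $_SESSION['admin_id'] (assumed key name).

// Same value as the thread's $SESS_LIFE and PHP's session.gc_maxlifetime default (seconds).
const SESS_LIFE = 1440;

// Call after session_start() on every admin page. Returns true when the request
// may proceed; false means "send the user to the login page".
function admin_session_is_valid(array &$session, int $now, int $life = SESS_LIFE): bool
{
    if (!isset($session['admin_id'])) {
        return false;                      // not logged in
    }
    $last = $session['last_activity'] ?? 0;
    if ($now - $last > $life) {
        $session = [];                     // idle too long: drop the server-side state
        return false;
    }
    $session['last_activity'] = $now;      // sliding window, refreshed on each request
    return true;
}

// Successful login: fresh session id, so an id handed out before login cannot be reused.
function admin_login(array &$session, int $adminId, int $now): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session = ['admin_id' => $adminId, 'last_activity' => $now];
}

// Logout: clear the data, expire the cookie, destroy the server-side record.
function admin_logout(): void
{
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 3600,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
    }
}

// Walk-through on a constructed array standing in for $_SESSION (no web server needed).
$s  = [];
$t0 = 1000000;
var_dump(admin_session_is_valid($s, $t0));                       // not logged in yet
admin_login($s, 7, $t0);
var_dump(admin_session_is_valid($s, $t0 + 600));                 // ten minutes idle
var_dump(admin_session_is_valid($s, $t0 + 600 + SESS_LIFE + 1)); // past the idle limit
```

The explicit check matters because PHP only garbage-collects expired sessions probabilistically (session.gc_probability over session.gc_divisor), so a session older than gc_maxlifetime can linger until a later request happens to trigger collection; an application-side check like the one above is what makes the limit reliable, and it is also the first thing to look at when sessions appear never to time out.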

I've got a little prob with the following:

 

Installed admin access 2.2 first of all, after that I also added Extension KategorienAdmin3 and last but not least the admin3 contribution.

If I wanna edit a user I get this error, seen in the pic: osc.jpg

 

but I can't find a mistake in the file.

See the rows 98 to 116 here:

function tep_db_fetch_array($db_query) {
  return mysql_fetch_array($db_query, MYSQL_ASSOC);
}

function tep_db_result($result, $row, $field = '') {
  return mysql_result($result, $row, $field);
}

function tep_db_num_rows($db_query) {
  return mysql_num_rows($db_query);
}

function tep_db_data_seek($db_query, $row_number) {
  return mysql_data_seek($db_query, $row_number);
}

function tep_db_insert_id() {
  return mysql_insert_id();
}

 

Can anyone help me? Please!


I've got a little prob with the following:

 

Installed admin access 2.2 first of all, after that I also added Extension KategorienAdmin3 and last but not least the admin3 contribution.

If I wanna edit a user I get this error, seen in the pic: osc.jpg

 

Can anyone help me? Please!

 

same error here.

 

I've solved it by changing a bracket position, in admin_members.php, near line 600.

 

Take a look at the code below, look for my 2 comments //changed by bill, near the end:

 

    while ($n < tep_db_num_rows($top_categories_query)) {
      $top_categories = tep_db_fetch_array($top_categories_query);
      $top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=2 and categories_id=" . $top_categories['categories_id']);
      $top_categories_name = tep_db_fetch_array($top_categories_name_query);
      if (in_array($top_categories['categories_id'], $str_cat_no_array)) {
        $is_selected = true;
      } else {
        $is_selected = false;
      }
      $all_categories .= tep_draw_checkbox_field('admin_cat_access_' . $n, $top_categories['categories_id'], $is_selected) . " " . $top_categories_name['categories_name'] . " (ID" . $top_categories['categories_id'] . ")<br> ";
      $n = $n + 1;
    }
//  } //changed by bill

    $contents[] = array('text' => '<br> <b>' . TEXT_INFO_CATEGORIEACCESS . '</b><br> ' . $all_categories);
    $contents[] = array('text' => tep_draw_hidden_field('admin_cat_access_fields', tep_db_num_rows($top_categories_query)));
  } //changed by bill

// Thomas Schittli: End Bugfixes

 

Cya,

Billsoft.


My current problem is that in the Admin Member column on the right hand side where you can see the Category Access - the category names are not showing - only the ID.

 

Eg.

 

(1)

(2)

(3)

 

instead of something like

 

Bath (1)

Face (2)

Body (3)

Can anyone tell me why the Category Names may not be showing?

 

in admin_members.php, look for this line (near line 599):

 

$top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=2 and categories_id=" . $top_categories['categories_id']);

and replace it with:

 

$top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=" . $languages_id ." and categories_id=" . $top_categories['categories_id']);

 

Now, it should work.

 

Cya,

Billsoft.


I am also getting the same problem trying to change password on my account..

 

When I click edit it asks me for a password, which is the existing password, and then when I click confirm I don't have the ability to change anything..

 

MySQL version 4.1.19-standard

PHP version 5.1.4

 

Can't seem to find the problem.. Could this be anything to do with register globals being turned off at all.. As I have patched the files using register_globals_v1.4a

 

Any news on this would be wicked..

 

Hey there DJMatrix,

 

I'm dinging around with register globals as well and yes it is an issue with globals off. Spent a couple hours messing with it but wasn't able to resolve the issue so if anyone else has this working with register globals off I'd also love to hear the solution.

 

Thanks,

Iggy

Everything's funny but nothing's a joke...


same error here.

 

I've solved it by changing a bracket position, in admin_members.php, near line 600.

 

Take a look at the code below, look for my 2 comments //changed by bill, near the end:

 

Cya,

Billsoft.

 

Thanx Billsoft,

that was it! :thumbsup:


it is most likely something to do with sessions

 

Cheers. Strangely enough, I've just installed a test version besides the one I'm developing (same server, in the same root directory etc) and don't seem to be being kicked out! I can leave it on all evening without doing anything and go straight to the section I want. :huh: It's only got one other mod on it though and the proper one is quite modded up, which I expect is what's causing it.

 

 

 

 

Incidentally, does this mod make osC secure enough to not have to do things like passwording the admin directory etc? (Or is this the type of thing it's actually doing under the surface?) How secure is it in terms of keeping people out, or is it merely an admin tool?


NO ... Do NOT! ever leave your admin directories unsecured.

 

The Admin Access Mod is only an interface. You still need to have either HTACCESS or a custom login routine to securely keep out unwanted people.

 

If you attempted to use it without alternatively securing your admin area ... intruders will potentially have loopholes and access to most of your admin tools .. which will mean disaster.

 

Hope that answers your question.


NO ... Do NOT! ever leave your admin directories unsecured.

 

The Admin Access Mod is only an interface. You still need to have either HTACCESS or a custom login routine to securely keep out unwanted people.

 

If you attempted to use it without alternatively securing your admin area ... intruders will potentially have loopholes and access to most of your admin tools .. which will mean disaster.

 

Hope that answers your question.

 

Hi there Insomniac,

 

Can you document some of the loopholes and such, or how they might be exploited? I'm having a difficult time finding a way a potential intruder would be able to bypass the login on AAL 2.2a.

 

Thanks,

Iggy


Everything's funny but nothing's a joke...


Hi there Insomniac,

 

Can you document some of the loopholes and such, or how they might be exploited? I'm having a difficult time finding a way a potential intruder would be able to bypass the login on AAL 2.2a.

 

Thanks,

Iggy

 

Hrrrm, all dirs under admin that don't have an index.php in them don't fall under the login cookie. You might just have something there Insomniac. Configure is safe as are the rest of the files in /includes since you can't download it without it being parsed and returning a blank file but still...

 

Iggy

Everything's funny but nothing's a joke...


NO ... Do NOT! ever leave your admin directories unsecured.

 

The Admin Access Mod is only an interface. You still need to have either HTACCESS or a custom login routine to securely keep out unwanted people.

 

If you attempted to use it without alternatively securing your admin area ... intruders will potentially have loopholes and access to most of your admin tools .. which will mean disaster.

 

Hope that answers your question.

 

Double hrrrm,

Well even WITH being able to see the files in images and such I'm not sure how much good it would do you. /backup is another story of course.

 

I suppose you could just add an index to each with

 

<?php
// assumes the session has already been started (e.g. by including application_top.php);
// $_SESSION is empty until then
if (isset($_SESSION['osCAdminID'])) {
  echo 'In';
} else {
  echo 'Out';
}
?>

 

Or disable file listing. Anyone with a large brain want to chime in on this one?

 

Iggy


Everything's funny but nothing's a joke...


in admin_members.php, look for this line (near line 599):

 

$top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=2 and categories_id=" . $top_categories['categories_id']);

and replace it with:

 

$top_categories_name_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where language_id=" . $languages_id ." and categories_id=" . $top_categories['categories_id']);

 

Now, it should work.

 

Cya,

Billsoft.

 

Hi,

 

I tried your solution but it didn't work and then I realised what was wrong when I looked in the database.

 

There are three instances of

 

language_id=2 (in admin_members.php)

 

I had to set mine to language_id=1, as mine is only in English I didn't include the German files/references.

 

Thanks :)


Double hrrrm,

Well even WITH being able to see the files in images and such I'm not sure how much good it would do you. /backup is another story of course.

 

I suppose you could just add an index to each with

 

<?php
// assumes the session has already been started (e.g. by including application_top.php);
// $_SESSION is empty until then
if (isset($_SESSION['osCAdminID'])) {
  echo 'In';
} else {
  echo 'Out';
}
?>

 

Or disable file listing. Anyone with a large brain want to chime in on this one?

 

Iggy

 

And it seems that this is the way the folks at Joomla do it, sorta. They just have index.html in all subdirs.

 

So as long as your file is calling application_top it appears to require the session login and all the other files don't parse and so aren't an issue unless you do something dumb like make a /includes/configure.php.bak.txt or somesuch that the server will return.

 

I'm still in though. How can you exploit AAL 2.2a to get unauthorized access?

 

Iggy

Everything's funny but nothing's a joke...

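The two exposures raised in this exchange, admin subdirectories without an index file (so a directory listing may be served, and /backups in particular) and copies of includes/configure.php saved under an extension the server returns as plain text, can both be found with a walk over the admin tree. The script below is an added example written for this thread; it is not the contribution's code and not the Joomla approach mentioned above. The list of raw-served extensions and the sample tree it builds in the system temp directory are constructed for the demonstration, and the web server's own behaviour is assumed to be the usual one (PHP files parsed, everything else returned verbatim).

```php
<?php
// Added example, not part of the thread or of the AAL contribution: audit an
// admin tree for subdirectories lacking an index file and for files the web
// server would return verbatim. Extension list and sample tree are constructed.

// Extensions the web server hands out as-is instead of executing (assumed typical setup).
const RAW_EXTENSIONS = ['bak', 'txt', 'old', 'orig', 'sql', 'zip', 'gz', 'tar'];

/**
 * Returns ['no_index' => [dirs...], 'raw_files' => [files...]], paths relative to $root.
 */
function audit_admin_tree(string $root): array
{
    $real = realpath($root);
    if ($real === false || !is_dir($real)) {
        throw new InvalidArgumentException("no such directory: $root");
    }
    $root = rtrim($real, DIRECTORY_SEPARATOR);
    $findings = ['no_index' => [], 'raw_files' => []];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel = substr($path, strlen($root) + 1);
        if ($info->isDir()) {
            // No index file: with directory listing enabled the contents are shown.
            if (!is_file("$path/index.php") && !is_file("$path/index.html")) {
                $findings['no_index'][] = $rel;
            }
        } else {
            // configure.php.bak.txt: only the outermost extension decides how it is served.
            $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
            if (in_array($ext, RAW_EXTENSIONS, true)) {
                $findings['raw_files'][] = $rel;
            }
        }
    }
    sort($findings['no_index']);
    sort($findings['raw_files']);
    return $findings;
}

// Constructed sample tree, created in the temp dir so the demonstration runs offline.
$tmp = sys_get_temp_dir() . '/admin_audit_' . getmypid();
foreach (['includes', 'images', 'backups'] as $d) {
    mkdir("$tmp/$d", 0700, true);
}
file_put_contents("$tmp/index.php", "<?php // login page\n");
file_put_contents("$tmp/includes/configure.php", "<?php // real config: parsed, never listed\n");
file_put_contents("$tmp/includes/configure.php.bak.txt", "<?php // served as text\n");
file_put_contents("$tmp/backups/db-2006-03-01.sql", "-- full dump\n");

$report = audit_admin_tree($tmp);
foreach ($report['no_index'] as $d) {
    echo "directory without index file: $d\n";
}
foreach ($report['raw_files'] as $f) {
    echo "file served verbatim: $f\n";
}

// Remove the constructed tree again.
$rm = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($tmp, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($rm as $p => $i) {
    $i->isDir() ? rmdir($p) : unlink($p);
}
rmdir($tmp);
```

For the findings it reports, the fix is the one the thread converges on (an index file in every subdirectory, directory listing switched off in the server configuration) plus keeping database dumps and configuration backups outside the document root altogether, so that no index-file or listing setting has to protect them.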

Hi Iggy ... yes that is one problem I've noticed. I am not a wizard at php but understand a good portion. It seems the Admin side of the catalog is not using the same session code ... which seems to be better written on the catalog side. I have read that the osc admin code was written by different osc programmers who all had their own ideas on how things should be done.

 

One thing I noticed is that if you forget to do the logout in admin access the session is not destroyed .. sometimes if i reopen my browser and type an admin url to a file I can bypass the login intermittently.

 

I also noticed that even when restricting files to certain admins like categories.php for example ... that certain critical function buttons can be accessed if you know what url parameters and categories id etc to use. For example the copy, move, duplicate buttons are only disabled because the admin level is not equal to 1 .... but if you type in the correct url and parameters ... there is no code to stop the execution.

 

I have been adding bits and pieces of code myself to try and add more logic to the checking of admin levels and which buttons can be clicked etc .. but it is a slow, complicated process. If someone was really good with code the Admin Access mod needs some core code added for selecting which buttons on pages can be used ... like Insert and New Product etc., but I am not sure what the best way to go about this would be because there are other factors involved like any other mods which people have installed that have button links etc.

 

All in all I think Admin Access is a very impressive mod though and the creators and the contributors concepts are awesome. I can see this one going a long way and being developed further.

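The copy/move/delete case above is the classic gap between hiding a control and authorising the action behind it. The following is an added example, not the contribution's code: a small action dispatcher in the vulnerable shape the post describes, beside the same dispatcher with the level check repeated on the server before anything executes. The admin-level value, the action names, the $_GET keys and the helper names are assumptions made for the illustration (the thread only states that level 1 is the unrestricted level).

```php
<?php
// Added example, not the AAL contribution's code. Action names, parameter names
// and the ADMIN_LEVEL_FULL value are assumptions for illustration only.

const ADMIN_LEVEL_FULL = 1;   // assumed: level 1 is the unrestricted admin, as in the thread

// Allow-list: an action not named here is denied for everyone.
const RESTRICTED_ACTIONS = ['copy_to', 'move_category', 'delete_category', 'delete_product'];
const OPEN_ACTIONS       = ['new_category', 'new_product'];

function admin_can(int $level, string $action): bool
{
    if (in_array($action, RESTRICTED_ACTIONS, true)) {
        return $level === ADMIN_LEVEL_FULL;
    }
    return in_array($action, OPEN_ACTIONS, true);
}

// --- Vulnerable shape (what the post describes) -------------------------------
// The page omits the button for lower levels, but the handler trusts whatever
// ?action=... arrives, so a hand-typed URL runs the action anyway.
function handle_action_vulnerable(array $get, int $level): string
{
    $action = $get['action'] ?? '';
    switch ($action) {
        case 'delete_category':
            return 'deleted category ' . (int)($get['cID'] ?? 0);   // no level check here
        case 'new_product':
            return 'created product';
        default:
            return 'no-op';
    }
}

// --- Hardened shape -------------------------------------------------------------
// The decision that hides the button is made again, server-side, before the switch.
function handle_action(array $get, int $level): string
{
    $action = $get['action'] ?? '';
    if (!admin_can($level, $action)) {
        http_response_code(403);
        // Worth logging: a restricted admin requesting a restricted action is exactly
        // the event an operator wants to see.
        error_log(sprintf('admin level %d denied action "%s"', $level, $action));
        return 'forbidden';
    }
    switch ($action) {
        case 'delete_category':
            return 'deleted category ' . (int)($get['cID'] ?? 0);
        case 'new_product':
            return 'created product';
        default:
            return 'no-op';   // reached only for allowed actions without a handler
    }
}

// Constructed request: a level-2 (restricted) admin asking for a restricted action.
$request = ['action' => 'delete_category', 'cID' => '21'];
echo handle_action_vulnerable($request, 2), "\n";  // restricted admin, unchecked handler
echo handle_action($request, 2), "\n";             // restricted admin, checked handler
echo handle_action($request, 1), "\n";             // full admin, checked handler
```

The point generalises past osCommerce: any UI-level gating (hidden buttons, disabled links, menu items removed per level) is a convenience for the user, and the only check that counts is the one executed on the request that performs the action.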

Hi Iggy ... yes that is one problem I've noticed. I am not a wizard at php but understand a good portion. It seems the Admin side of the catalog is not using the same session code ... which seems to be better written on the catalog side. I have read that the osc admin code was written by different osc programmers who all had their own ideas on how things should be done.

 

One thing I noticed is that if you forget to do the logout in admin access the session is not destroyed .. sometimes if i reopen my browser and type an admin url to a file I can bypass the login intermittently.

 

I also noticed that even when restricting files to certain admins like categories.php for example ... that certain critical function buttons can be accessed if you know what url parameters and categories id etc to use. For example the copy, move, duplicate buttons are only disabled because the admin level is not equal to 1 .... but if you type in the correct url and parameters ... there is no code to stop the execution.

 

I have been adding bits and pieces of code myself to try and add more logic to the checking of admin levels and which buttons can be clicked etc .. but it is a slow, complicated process. If someone was really good with code the Admin Access mod needs some core code added for selecting which buttons on pages can be used ... like Insert and New Product etc., but I am not sure what the best way to go about this would be because there are other factors involved like any other mods which people have installed that have button links etc.

 

All in all I think Admin Access is a very impressive mod though and the creators and the contributors concepts are awesome. I can see this one going a long way and being developed further.

 

Well, there's a certain level of trust involved to hand-out an admin pass in the first place so in the cases above, although it would be good to get those fixed up, the security breach is the top admin.

 

As far as someone coming to the admin without a login/pass I can't see that there's an exploit that gets them past the login page (which doesn't mean there isn't one just that I can't figure out how to do it :) other than brute forcing it.

 

Someone ( ask not what osC can do for you people ) should update the admin contrib to include an index.php in all the subdirs though and especially in backups as that's wide open to anyone who knows the path.

 

Maybe we should move this discussion to the AAL Thread?

 

 

 

Iggy


Everything's funny but nothing's a joke...


Hi,

 

I tried your solution but it didn't work and then I realised what was wrong when I looked in the database.

 

There are three instances of

 

language_id=2 (in admin_members.php)

 

I had to set mine to language_id=1, as mine is only in English I didn't include the German files/references.

 

Thanks :)

 

Hi Thenes,

You're right, there are 3 instances of language_id=2. I hadn't seen them :(

 

You should replace all by

language_id=" . $languages_id ."

 

The way you've done it works but it makes your solution less "customizable". It will always show categories' names in English even if in the future you add another language to your site.

 

Best regards,

Billsoft.


Hi Thenes,

You're right, there are 3 instances of language_id=2. I hadn't seen them :(

 

You should replace all by

language_id=" . $languages_id ."

 

The way you've done it works but it makes your solution less "customizable". It will always show categories' names in English even if in the future you add another language to your site.

 

Best regards,

Billsoft.

 

 

Thanks Billsoft, that's a good point to make, I wouldn't have realised that.

 

At the moment I've solved quite a few problems but also encountered others, the one I cannot work out to date is that the Administration Access Level sessions do not appear to be timing out. I've got a few mods and I've been over and over the installations to check if I missed or modified or could notice anything conflicting but I cannot.

 

Has anyone else encountered sessions not timing out. (I wish I noticed when it had stopped working - it was working previously but when I purchased SSL certs the site had to be moved, I think it might've stopped working around then.)

 

My current Contribs are:

SPPC

Hide Products for SPPC v103a

Admin Access Level Acc with the Category Ext. & Oliswiss Fix

Specials Module

Best Sellers & Best Seller for SPPC with Hide

Featured Products 1.5.6

Product Description v1.5

Card Zapper v1.13

 

I have Quick Updates for SPPC but that is not working at all. (Every time I try to do something it takes me back to the Admin Login Page) :(

 

(Plus I've made various edits to change the way things look. Fingers crossed most of it was aesthetic. :blush: )

 

Has anyone come across this endless session or not timing out in the Admin Levels? :sweating:


  • 2 weeks later...

Hi, I have installed this great mod and it appears to work except that when the variables are parsed to add a new member, I get an internal server error. My server logs aren't giving any clues, so if anyone could point me in the right direction, I would be grateful!

 

Thanks in advance!


  • 4 weeks later...

I installed this contrib:

http://www.oscommerce.com/forums/index.php?sho...=186194&hl=

 

I did everything as it said in the readme, and... IT DOESN'T WORK WELL

 

For me:

 

1) It is impossible to change the password of the created account "admin@localhost", I can only modify the name and emails, but not the password.

Why???

 

2) If I create another admin account I CAN NOT ENTER A PASSWORD, and of course there is no way to know what it is

 

3) To enter the admin area I have to enter the first account details (name and password) 2 times, and after this I arrive at another web page where I have to enter the new account email and password.

Is this the correct way to work for this mod??

If this is the way I will have to give the main password to all admins, and I don't want to do this.

 

 

PLEASE HELP


I use the Categorie Admin (Extension for Administration Access Level Account ) with Patches of Oliswiss , Administration Access Level Account 2.2a.

I found that if a user who can only view products (create new, not edit, not copy, not delete), he can still set the Status of all products! If someone "goes crazy", he can kill my shop!

 

And, besides that, can we have log files for every account? With that file I can know what my users have done in my shop!

Paint for VietNamese :


i have two questions:

Can I use this contribution to set the permissions for some admins so that they aren't allowed to see the configuration box (and some other boxes) in the admin control panel?

 

2nd question:

I would use oliswiss's latest (from 3 Mar 2006) uploaded file but in the first line of his install.txt he writes

"Install first the "Admin Account with Access Level 2.1" (http://www.oscommerce.com/community/contributions,1359) Contribution!"

 

Is that true? I never installed any admin contribution before, therefore it is a lil bit complicated for me.

any advice?

 

the whole thread is very confusing with all patches in zips and answers :blink:


You must install Admin Account with Access Level 2.1 or 2.2a (at below). Then, you can install that contribution.

Admin Account with Access Level has all things that you need ! (but i need more ! :D)

Paint for VietNamese :

