Reissuing a password for a user

Posted December 11, 2002 · December 11, 2002

Hi,

A customer has said they have forgotten there password, so I am trying to reset the password for them.

Can anyone tell me how I can do this for this user?

If an administrator cannnot do this, then we all have one serious problem on our hands with oscommerce :(

Posted December 11, 2002 · December 11, 2002

Before anyone starts saying that - go to login.php as a customer and choose 'forgot password'. That has been done and still nothing. I have even changed his address to my own and tried and nothing...

Unusual error this time.

burt · December 11, 2002

Does the password just use the standard PHP crypt function ? If so just make a little algo that'll give you a new encrytped password and input it directly using PHPmyAdmin

hth

Posted December 11, 2002 · December 11, 2002

for the uneducated - how do u do that? I am using the stock standard "oscommerce sept snapshot"

rossdev · December 11, 2002

Well I created an account then requested a new password.

No email was sent and the password was reset.

So take a look at our code for sending mail .. you might want to check if you can send any mail from osC for example a newsletter?

Brian.

rubygirl · December 12, 2002

I am having a similar problem with a slight variation - the email is sent when you click on forgot password but the email is sending a "bizarre" password - so is the password encrypted or something and the user simply needs to copy and paste the new password and then edit it or is the system supposed to send the current password that the user forgot?

thanks!

Posted December 12, 2002 · December 12, 2002

The system generates a NEW random password when a user has forgotten their password. They need to then login using the random password and they can create a new password.

dreamscape · December 12, 2002

hey using phpMyadmin to look at your database (or any other prog that will let you), goto the customers table and copy their encypted password and paste it into the password login box... it will let you log in and then you can goto edit account and change their password for them...

kinda seems like a potential security hazard if you can just paste the encrypted password and it passes... but whatever I guess.

mattice · December 12, 2002

hey using phpMyadmin to look at your database (or any other prog that will let you), goto the customers table and copy their encypted password and paste it into the password login box... it will let you log in and then you can goto edit account and change their password for them...

kinda seems like a potential security hazard if you can just paste the encrypted password and it passes... but whatever I guess.

did you actual try that and it worked? AFAIK all passwords get encrypted upon submission from the login.php and then matched to the stored one in the database... meaning pasting an already encrypted pass would be encrypted again and therefor fail...?

dreamscape · December 12, 2002

hey using phpMyadmin to look at your database (or any other prog that will let you), goto the customers table and copy their encypted password and paste it into the password login box... it will let you log in and then you can goto edit account and change their password for them...

kinda seems like a potential security hazard if you can just paste the encrypted password and it passes... but whatever I guess.

did you actual try that and it worked? AFAIK all passwords get encrypted upon submission from the login.php and then matched to the stored one in the database... meaning pasting an already encrypted pass would be encrypted again and therefor fail...?

Yes I tried it and it actually does work... I wanted to see and sure enough... its bad enough to not require the old password when changing to a new password... now I noticed this... security holes all over the place

mattice · December 12, 2002

now I noticed this... security holes all over the place

Like what? I think you are right in saying an encrypted pass should not be working like in the method you describe but if someone has access to the database the last thing I would be afraid of is he'd copy-paste a userpass into the login box...

With full access to mySQL he'd probably root your system completely in a minute or two.. :)

dreamscape · December 12, 2002

well the biggest security hole is not requiring the old password before changing it to something else... if a user is logged in on a shared computer and forgets to log out (or just doesn't bother to), then it would be pretty easy for someone to go into their account and change their password and highjack that users account.

mattice · December 12, 2002

well the biggest security hole is not requiring the old password before changing it to something else... if a user is logged in on a shared computer and forgets to log out (or just doesn't bother to), then it would be pretty easy for someone to go into their account and change their password and highjack that users account.

Then you should be quick as the session which holds the login data expires automatically upon being idle. And even when that account is hijacked what can you do with that account you can not do with a newly opened one?

dreamscape · December 12, 2002

Then you should be quick as the session which holds the login data expires automatically upon being idle. And even when that account is hijacked what can you do with that account you can not do with a newly opened one?

I wouldn't do anything with it because I wouldn't hi-jack it... but their are people who would... what would someone do with it?? I dunno... place fake orders, change the users info all around, place vulgar comments, place bad reviews... you know stuff those 13 year old kiddies do to make an Administrator's job just a little harder that day....

the threat isn't really one that poses a SERIOUS problem... would cause more of a neusance than anything... but I think that it is still a problem...

mattice · December 12, 2002

Again all the things you mention can be done by anybody on any osCommerce (or other e-commerce) shop.

Furthermore anybody that wants to change his/her account settings will need to re-enter the password anyway.

Just checked that since I did not believe it would be THAT easy.

And fortunately the coders of osC have done a good job...

There is no security hole in the login procedure.

dreamscape · December 12, 2002

Furthermore anybody that wants to change his/her account settings will need to re-enter the password anyway.

that is pretty far from the truth... I just checked too and was able to change a test account around without the need of the old password... change info and change password in one go, and it passes... the password is not needed to be re-entered

mattice · December 12, 2002

you're right... oops. Never bothered to check with a different password... Getting old. Yet still I would not call this a security hole.

dreamscape · December 12, 2002

you're right... oops. Never bothered to check with a different password... Getting old. Yet still I would not call this a security hole.

you are right that it is not really that big of a deal... though I would still call it a hole, if only a small one...

Reissuing a password for a user

Recommended Posts

Guest

Guest

burt

Guest

rossdev

rubygirl

Guest

dreamscape

mattice

dreamscape

mattice

dreamscape

mattice

dreamscape

mattice

dreamscape

mattice

dreamscape

Archived

Browse

Activity