Guest Posted December 11, 2002

Hi, a customer has said they have forgotten their password, so I am trying to reset the password for them. Can anyone tell me how I can do this for this user? If an administrator cannot do this, then we all have one serious problem on our hands with osCommerce :(
Guest Posted December 11, 2002

Before anyone starts saying that - go to login.php as a customer and choose 'forgot password'. That has been done and still nothing. I have even changed his address to my own and tried, and nothing... Unusual error this time.
burt Posted December 11, 2002

Does the password just use the standard PHP crypt function? If so, just make a little algo that'll give you a new encrypted password and input it directly using phpMyAdmin. hth
Guest Posted December 11, 2002

For the uneducated - how do you do that? I am using the stock standard "oscommerce sept snapshot".
rossdev Posted December 11, 2002

Well, I created an account then requested a new password. No email was sent and the password was reset. So take a look at our code for sending mail... you might want to check if you can send any mail from osC, for example a newsletter?

Brian.
rubygirl Posted December 12, 2002

I am having a similar problem with a slight variation - the email is sent when you click on forgot password, but the email is sending a "bizarre" password. So is the password encrypted or something, and the user simply needs to copy and paste the new password and then edit it? Or is the system supposed to send the current password that the user forgot? Thanks!
Guest Posted December 12, 2002

The system generates a NEW random password when a user has forgotten their password. They need to then log in using the random password, and they can create a new password.
dreamscape Posted December 12, 2002

Hey, using phpMyAdmin to look at your database (or any other prog that will let you), go to the customers table and copy their encrypted password and paste it into the password login box... it will let you log in and then you can go to edit account and change their password for them... kinda seems like a potential security hazard if you can just paste the encrypted password and it passes... but whatever I guess.

The only thing necessary for evil to flourish is for good men to do nothing - Edmund Burke
mattice Posted December 12, 2002

> Hey, using phpMyAdmin to look at your database (or any other prog that will let you), go to the customers table and copy their encrypted password and paste it into the password login box... it will let you log in and then you can go to edit account and change their password for them... kinda seems like a potential security hazard if you can just paste the encrypted password and it passes... but whatever I guess.

Did you actually try that and it worked? AFAIK all passwords get encrypted upon submission from the login.php and then matched to the stored one in the database... meaning pasting an already encrypted pass would be encrypted again and therefore fail...?

"Politics is the art of preventing people from taking part in affairs which properly concern them"
dreamscape Posted December 12, 2002

> > Hey, using phpMyAdmin to look at your database (or any other prog that will let you), go to the customers table and copy their encrypted password and paste it into the password login box... it will let you log in and then you can go to edit account and change their password for them... kinda seems like a potential security hazard if you can just paste the encrypted password and it passes... but whatever I guess.
>
> Did you actually try that and it worked? AFAIK all passwords get encrypted upon submission from the login.php and then matched to the stored one in the database... meaning pasting an already encrypted pass would be encrypted again and therefore fail...?

Yes, I tried it and it actually does work... I wanted to see and sure enough... it's bad enough to not require the old password when changing to a new password... now I noticed this... security holes all over the place.

The only thing necessary for evil to flourish is for good men to do nothing - Edmund Burke
mattice Posted December 12, 2002

> now I noticed this... security holes all over the place

Like what? I think you are right in saying an encrypted pass should not be working like in the method you describe, but if someone has access to the database the last thing I would be afraid of is he'd copy-paste a userpass into the login box... With full access to mySQL he'd probably root your system completely in a minute or two.. :)

"Politics is the art of preventing people from taking part in affairs which properly concern them"
dreamscape Posted December 12, 2002

Well, the biggest security hole is not requiring the old password before changing it to something else... if a user is logged in on a shared computer and forgets to log out (or just doesn't bother to), then it would be pretty easy for someone to go into their account and change their password and hijack that user's account.

The only thing necessary for evil to flourish is for good men to do nothing - Edmund Burke
mattice Posted December 12, 2002

> Well, the biggest security hole is not requiring the old password before changing it to something else... if a user is logged in on a shared computer and forgets to log out (or just doesn't bother to), then it would be pretty easy for someone to go into their account and change their password and hijack that user's account.

Then you should be quick, as the session which holds the login data expires automatically upon being idle. And even when that account is hijacked, what can you do with that account you can not do with a newly opened one?

"Politics is the art of preventing people from taking part in affairs which properly concern them"
dreamscape Posted December 12, 2002

> Then you should be quick, as the session which holds the login data expires automatically upon being idle. And even when that account is hijacked, what can you do with that account you can not do with a newly opened one?

I wouldn't do anything with it because I wouldn't hijack it... but there are people who would... what would someone do with it?? I dunno... place fake orders, change the user's info all around, place vulgar comments, place bad reviews... you know, stuff those 13 year old kiddies do to make an Administrator's job just a little harder that day.... the threat isn't really one that poses a SERIOUS problem... would cause more of a nuisance than anything... but I think that it is still a problem...

The only thing necessary for evil to flourish is for good men to do nothing - Edmund Burke
mattice Posted December 12, 2002

Again, all the things you mention can be done by anybody on any osCommerce (or other e-commerce) shop. Furthermore, anybody that wants to change his/her account settings will need to re-enter the password anyway. Just checked that since I did not believe it would be THAT easy. And fortunately the coders of osC have done a good job... There is no security hole in the login procedure.

"Politics is the art of preventing people from taking part in affairs which properly concern them"
dreamscape Posted December 12, 2002

> Furthermore, anybody that wants to change his/her account settings will need to re-enter the password anyway.

That is pretty far from the truth... I just checked too and was able to change a test account around without the need of the old password... change info and change password in one go, and it passes... the password does not need to be re-entered.

The only thing necessary for evil to flourish is for good men to do nothing - Edmund Burke
mattice Posted December 12, 2002

You're right... oops. Never bothered to check with a different password... Getting old. Yet still I would not call this a security hole.

"Politics is the art of preventing people from taking part in affairs which properly concern them"
dreamscape Posted December 12, 2002

> You're right... oops. Never bothered to check with a different password... Getting old. Yet still I would not call this a security hole.

You are right that it is not really that big of a deal... though I would still call it a hole, if only a small one...

The only thing necessary for evil to flourish is for good men to do nothing - Edmund Burke
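The three things argued over in this thread, as an added Python sketch that is not osCommerce's own code: a login check that always re-hashes what was typed (so pasting the stored value cannot pass, the behaviour mattice expected), an account edit that requires the current password before accepting a new one (the check dreamscape found missing), and burt's administrator reset that produces a fresh random password and its stored form. The stored-value layout, the PBKDF2 parameters and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Optional, Tuple

# Assumed layout for this example only (not osCommerce's format):
# "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
ITERATIONS = 200_000


def hash_password(plain: str, salt: Optional[bytes] = None) -> str:
    """Derive the stored credential from a plaintext password with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", plain.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(plain: str, stored: str) -> bool:
    """Re-hash the submitted text and compare; never compare the raw input to the store.

    Because everything typed goes through the KDF, submitting the stored string itself
    is just another wrong password and fails.
    """
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", plain.encode(), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:  # malformed stored value or non-hex salt
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


def change_password(stored: str, current_plain: str, new_plain: str) -> Optional[str]:
    """Account edit: the current password must verify before a new one is accepted.

    Returns the new stored value, or None when the current password is wrong, which
    closes the 'left logged in on a shared computer' case discussed above.
    """
    if not verify_password(current_plain, stored):
        return None
    return hash_password(new_plain)


def admin_reset(length: int = 12) -> Tuple[str, str]:
    """Administrator reset: a random temporary password and the value to store for it."""
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(length))
    return temp, hash_password(temp)
```

The temporary password from admin_reset is what you hand to the customer; only the second value belongs in the database.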