alex_hill Posted August 3, 2010

I went to log in to the administration area today and my password wouldn't be accepted, so I truncated the 'administrators' table, and it asked me to enter new details, which I did. Then I tried to log straight in, but the password won't be accepted.

I have made a few mods recently, but don't see how they would affect it:

SiteMonitor
IP Trap
SecurityPro
Some .htaccess updates as shown below (with my URL replaced with SITE.com):

    RewriteEngine on
    php_flag register_globals off
    SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
    Deny from env=block_bad_bots
    RewriteCond %{HTTP_HOST} ^SITE.com [NC]
    RewriteRule ^(.*)$ SITE.com/$1 [L,R=301]
    RewriteBase /
    # filter for most common exploits
    RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
    RewriteCond %{QUERY_STRING} tool25 [OR]
    RewriteCond %{QUERY_STRING} cmd.txt [OR]
    RewriteCond %{QUERY_STRING} cmd.gif [OR]
    RewriteCond %{QUERY_STRING} r57shell [OR]
    RewriteCond %{QUERY_STRING} c99 [OR]
    # ban spam bots
    RewriteCond %{HTTP_USER_AGENT} almaden [OR]
    #MORE BOTS IN HERE, BUT REMOVED FOR THIS POST
    RewriteCond %{HTTP_USER_AGENT} ^Zeus
    RewriteRule ^.* - [F,L]
    RewriteCond %{HTTP_REFERER} ^http://www.SITE.com$
    RewriteRule !^http://[^/.]\.SITE.com.* - [F,L]
    <Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
    </Files>
    # Disable access to config.php
    <Files ~ "includes\configure.php$">
    deny from all
    </Files>

I also removed the include statement for downloads.php in the checkout_success.php file (completely unrelated).

Can anyone think of what may be causing the problem?

alex_hill (Author) Posted August 3, 2010

As an update, checked my database and when I created the new admin account, the username was not stored in the database (was blank). I put a username in and tried to login, but same problem.

Is it possible there is a problem "mapping" the login form to the administrators.user_name field, hence causing the error?

Jan Zonjee Posted August 3, 2010

> Is it possible there is a problem "mapping" the login form to the administrators.user_name field, hence causing the error?

There is a bug report on this and a "fix" by Harald but so far I think the how and why of this bug is not determined.

alex_hill (Author) Posted August 3, 2010

I installed that mod but it still isn't inserting the user_name into the db. Any other options?

alex_hill (Author) Posted August 3, 2010

Disregarding the error in not putting in the details correctly, if I inserted the following into the database the login should work???

user_name: username
user_password: md5(12password):12

i.e. add 12 (salt) to get "12password", encrypt it and add :12 to the end.

When I do that, I still can't login.

Jan Zonjee Posted August 3, 2010

> Disregarding the error in not putting in the details correctly, if I inserted the following into the database the login should work???
>
> user_name: username
> user_password: md5(12password):12
>
> i.e. add 12 (salt) to get "12password", encrypt it and add :12 to the end.
>
> When I do that, I still can't login.

Sounds like that should be right. Perhaps if you deliberately make an error in the first query in the case process you can see if it ever reaches that part of the code. Of course you only tell us that you can't login but you don't tell us whether you get an error back that an invalid password or user was used or that nothing happens. Quite a big difference...

    // add an error to see if this piece of code is used
    $check_query = tep_db_query("select id, user_name, user_password from " . TABLE_AD_MINISTRATORS . " where user_name = '" . tep_db_input($username) . "'");

alex_hill (Author) Posted August 3, 2010

I will try the error bit when I get a chance this afternoon (it's 8am over in Australia, I need my coffee before I start looking at code).

But the error I am getting, which I did put in the topic, which I now see can be interpreted as a general topic title, is "Error: Invalid administrator login attempt."

I will try debugging with errors a bit later, but if anything else pops into your mind, I would love to hear it.

alex_hill (Author) Posted August 4, 2010

OK, I have tried a few things, and I have got to this point, and it is mighty confusing:

    switch ($action) {
      case 'process':
        $username = tep_db_prepare_input($HTTP_POST_VARS['username']);
        $password = tep_db_prepare_input($HTTP_POST_VARS['password']);
        echo $HTTP_POST_VARS['username'];
        echo $username;
        echo $_POST['username'];
        echo $_POST['password'];
        echo "Got Here";

I get "Got Here" echoed, but nothing else.

The form (with URL edited) is:

    <form name="login" action="http://SITE.com/admin/login.php?action=process" method="post">
    <table border="0" width="100%" cellspacing="0" cellpadding="2">
    <tbody><tr>
    <td class="infoBoxContent">Username:<br><input type="text" name="username"></td>
    </tr>
    <tr>
    <td class="infoBoxContent"><br>Password:<br><input type="password" name="password" maxlength="40"></td>
    </tr>
    <tr>
    <td align="center" class="infoBoxContent"><br><input type="submit" value="Login"></td>
    </tr>
    </tbody></table>
    </form>

Which should mean that I at least get SOMETHING echoed based on the submitted values...

alex_hill (Author) Posted August 4, 2010

OK, I figured it out finally. The problem was in admin/configure.php. I had:

    define('HTTP_SERVER', 'http://site.com');
    define('HTTP_CATALOG_SERVER', 'http://site.com');
    define('HTTPS_CATALOG_SERVER', 'http://site.com');

Which didn't play nicely with my .htaccess, which redirected the site to www.site.com/admin/login.php when the form itself submitted to http://site.com/admin/login.php, losing the POST variables in the process...
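
The mismatch found in the last post can be checked mechanically. The following is an added example, not part of the original thread and not osCommerce code: it flags every `*_SERVER` define whose host is caught by an `HTTP_HOST`-conditioned 301/302/303 redirect, which most clients follow by re-issuing the POST as a GET without its body. The `site.example` hosts, the sample file contents and the function names are constructed for illustration, and only a host condition placed before its `RewriteRule` is handled.

```python
import re
from urllib.parse import urlsplit

# Constructed samples modelled on the thread; site.example is a placeholder host.
CONFIGURE_PHP = """
define('HTTP_SERVER', 'http://site.example');
define('HTTP_CATALOG_SERVER', 'http://site.example');
define('HTTPS_CATALOG_SERVER', 'http://site.example');
"""
HTACCESS = r"""
RewriteEngine on
RewriteCond %{HTTP_HOST} ^site\.example [NC]
RewriteRule ^(.*)$ http://www.site.example/$1 [L,R=301]
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w*SERVER)['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_HOST\}\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
R_FLAG = re.compile(r"(?:^|,)\s*R(?:=(\d+))?\s*(?:,|$)", re.I)
DROPS_BODY = {301, 302, 303}  # clients replay these as GET; 307/308 keep the POST

def host_redirects(htaccess):
    """Return (host_regex, target, status) for each host-conditioned redirect rule."""
    found, pending = [], None
    for line in htaccess.splitlines():
        cond = COND_RE.match(line)
        if cond:
            nocase = "NC" in (cond.group(2) or "").upper()
            pending = re.compile(cond.group(1), re.I if nocase else 0)
            continue
        rule = RULE_RE.match(line)
        if rule:
            flag = R_FLAG.search(rule.group(2) or "")
            if pending and flag:
                # A bare [R] flag means 302 in mod_rewrite.
                found.append((pending, rule.group(1), int(flag.group(1) or 302)))
            pending = None  # conditions apply only to the next RewriteRule
    return found

def post_losing_hosts(configure_php, htaccess):
    """Map each *_SERVER constant to (host, target, status) if forms built from it lose POST data."""
    issues = {}
    redirects = host_redirects(htaccess)
    for name, url in DEFINE_RE.findall(configure_php):
        host = urlsplit(url).hostname or ""
        for pattern, target, status in redirects:
            if status in DROPS_BODY and pattern.search(host):
                issues[name] = (host, target, status)
    return issues

if __name__ == "__main__":
    for name, (host, target, status) in post_losing_hosts(CONFIGURE_PHP, HTACCESS).items():
        print(f"{name}: {host} is redirected ({status}) to {target}; POST body will be dropped")
```

An empty result means the configured hosts already match the canonical host the rewrite rules enforce.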