
Invalid Administrator Login


alex_hill


Posted

I went to log in to the administration area today and my password wouldn't be accepted, so I truncated the 'administrators' table, and it asked me to enter new details, which I did. Then I tried to log straight in, but the password won't be accepted.

 

I have made a few mods recently, but don't see how they would affect it:

SiteMonitor

IP Trap

SecurityPro

Some .htaccess updates as shown below (with my URL replaced with SITE.com):

RewriteEngine on

php_flag register_globals off

SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

RewriteCond %{HTTP_HOST} ^SITE.com [NC]
RewriteRule ^(.*)$ SITE.com/$1 [L,R=301]
RewriteBase /

# filter for most common exploits
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

# ban spam bots
RewriteCond %{HTTP_USER_AGENT} almaden [OR]
#MORE BOTS IN HERE, BUT REMOVED FOR THIS POST
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

RewriteCond %{HTTP_REFERER} ^http://www.SITE.com$
RewriteRule !^http://[^/.]\.SITE.com.* - [F,L]

<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

# Disable access to config.php
<Files ~ "includes\configure.php$">
deny from all
</Files>

 

I also removed the include statement for downloads.php in the checkout_success.php file (completely unrelated).

 

Can anyone think of what may be causing the problem?

Posted

As an update, checked my database and when I created the new admin account, the username was not stored in the database (was blank). I put a username in and tried to login, but same problem.

 

Is it possible there is a problem "mapping" the login form to the administrators.user_name field, hence causing the error?

Posted

Is it possible there is a problem "mapping" the login form to the administrators.user_name field, hence causing the error?

There is a bug report on this and a "fix" by Harald but so far I think the how and why of this bug is not determined.

Posted

Disregarding the error in not putting in the details correctly, if I inserted the following into the database the login should work???

 

user_name: username

user_password: md5(12password):12, i.e. add 12 (salt) to get "12password", encrypt it and add :12 to the end

 

When I do that, I still can't log in.

Posted

Disregarding the error in not putting in the details correctly, if I inserted the following into the database the login should work???

 

user_name: username

user_password: md5(12password):12, i.e. add 12 (salt) to get "12password", encrypt it and add :12 to the end

 

When I do that, I still can't log in.

Sounds like that should be right.

 

Perhaps if you deliberately make an error in the first query in the case process you can see if it ever reaches that part of the code. Of course you only tell us that you can't log in, but you don't tell us whether you get an error back that an invalid password or user was used or that nothing happens. Quite a big difference...

 

// add an error to see if this piece of code is used
$check_query = tep_db_query("select id, user_name, user_password from " . TABLE_AD_MINISTRATORS . " where user_name = '" . tep_db_input($username) . "'");
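The stored-value format discussed in the last two posts (md5 of the salt followed by the password, then ':' and the salt) can be checked outside the shop before touching the login code. The block below is an added example written for this page; it is not osCommerce's own password code and the two-digit salt and the sample values are constructed to match the "12password" illustration above.

```python
import hashlib
import hmac
import secrets


def make_hash(password, salt=None):
    """Build the stored form described in the thread: md5(salt + password) + ':' + salt.

    A two-digit numeric salt is used here only to mirror the '12password' example
    (constructed); any salt string works as long as the same one is stored after the colon.
    """
    if salt is None:
        salt = f"{secrets.randbelow(100):02d}"
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"{digest}:{salt}"


def check_password(plain, stored):
    """Recompute the hash with the salt taken from the stored value and compare.

    Returns False for a malformed row (for example a bare md5 with no ':salt' part),
    which is one thing to rule out when a hand-inserted administrator row never matches.
    """
    if stored.count(":") != 1:
        return False
    digest, salt = stored.split(":")
    expected = hashlib.md5((salt + plain).encode()).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the digest
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    row = make_hash("password", "12")          # what user_password should hold for "password"
    print(row)
    print(check_password("password", row))     # True
    print(check_password("Password", row))     # False
```

Running it against the exact string sitting in administrators.user_password tells you whether the row is the problem or whether, as it turned out later in this thread, the form values never reach the comparison at all.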

Posted

I will try the error bit when I get a chance this afternoon (it's 8am over in Australia, I need my coffee before I start looking at code).

 

But the error I am getting, which I did put in the topic, which I now see can be interpreted as a general topic title, is "Error: Invalid administrator login attempt."

 

I will try debugging with errors a bit later, but if anything else pops into your mind, I would love to hear it.

Posted

OK, I have tried a few things, and I have got to this point, and it is mighty confusing:

 

switch ($action) {
  case 'process':
    $username = tep_db_prepare_input($HTTP_POST_VARS['username']);
    $password = tep_db_prepare_input($HTTP_POST_VARS['password']);
    echo $HTTP_POST_VARS['username'];
    echo $username;
    echo $_POST['username'];
    echo $_POST['password'];
    echo "Got Here";

 

I get "Got Here" echoed, but nothing else. The form (with URL edited) is:

<form name="login" action="http://SITE.com/admin/login.php?action=process" method="post">
<table border="0" width="100%" cellspacing="0" cellpadding="2">
 <tbody><tr>
   <td class="infoBoxContent">Username:<br><input type="text" name="username"></td>
 </tr>
 <tr>
   <td class="infoBoxContent"><br>Password:<br><input type="password" name="password" maxlength="40"></td>
 </tr>
 <tr>
   <td align="center" class="infoBoxContent"><br><input type="submit" value="Login"></td>
 </tr>
</tbody></table>
</form>

Which should mean that I at least get SOMETHING echoed based on the submitted values...

Posted

OK, I figured it out finally.

 

The problem was in admin/configure.php, where I had:

 define('HTTP_SERVER', 'http://site.com');
 define('HTTP_CATALOG_SERVER', 'http://site.com');
 define('HTTPS_CATALOG_SERVER', 'http://site.com');

Which didn't play nicely with my .htaccess, which redirected the site to www.site.com/admin/login.php when the form itself submitted to http://site.com/admin/login.php, losing the POST variables in the process...
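The failure described in this final post, a POST to the bare host answered with a 301 to the www host, which the browser then re-requests as a GET with no body, can be reproduced locally without Apache or osCommerce. The block below is an added example, not code from the thread or from osCommerce: one small handler plays both the .htaccess host redirect and login.php?action=process, and a minimal browser-like client follows the redirect the way browsers do. The host names site.com and www.site.com are the thread's anonymised values and are only used as Host headers against a server on 127.0.0.1; the credentials are constructed.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins for the thread's hosts: the .htaccess redirect sends
# everything to the www. form, while configure.php pointed the form at the bare host.
CANONICAL_HOST = "www.site.com"
ERROR_TEXT = "Error: Invalid administrator login attempt."


class LoginHandler(BaseHTTPRequestHandler):
    """Plays both Apache (host redirect) and admin/login.php?action=process."""

    def _redirect_if_not_canonical(self):
        # Equivalent of: RewriteCond %{HTTP_HOST} ^site.com / RewriteRule ^(.*)$ ... [L,R=301]
        if self.headers.get("Host", "") != CANONICAL_HOST:
            self.send_response(301)
            self.send_header("Location", f"http://{CANONICAL_HOST}{self.path}")
            self.end_headers()
            return True
        return False

    def _reply(self, fields):
        # login.php only succeeds when both fields reached it in the POST body
        ok = bool(fields.get("username")) and bool(fields.get("password"))
        body = ("OK" if ok else ERROR_TEXT).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        if self._redirect_if_not_canonical():
            return
        length = int(self.headers.get("Content-Length", 0))
        raw = self.rfile.read(length).decode()
        self._reply({k: v[0] for k, v in parse_qs(raw).items()})

    def do_GET(self):
        if self._redirect_if_not_canonical():
            return
        self._reply({})  # a GET has no form body, so $HTTP_POST_VARS is empty

    def log_message(self, *args):  # keep the demo output quiet
        pass


def browser_post(port, form_action, form_data, max_redirects=3):
    """Submit a form the way a browser does: POST first, and on a 301 re-request
    the Location as a plain GET, which is exactly where the credentials are lost."""
    url = urlparse(form_action)
    method, body = "POST", form_data
    for _ in range(max_redirects + 1):
        conn = HTTPConnection("127.0.0.1", port)  # every hostname 'resolves' to our local server
        headers = {"Host": url.netloc}
        if body is not None:
            headers["Content-Type"] = "application/x-www-form-urlencoded"
        target = url.path + (f"?{url.query}" if url.query else "")
        conn.request(method, target, body, headers)
        resp = conn.getresponse()
        text = resp.read().decode()
        conn.close()
        if resp.status in (301, 302):
            url = urlparse(resp.getheader("Location"))
            method, body = "GET", None
            continue
        return resp.status, text
    raise RuntimeError("too many redirects")


def demo():
    """Return (result with the bare-host form action, result with the canonical one)."""
    srv = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    creds = "username=admin&password=example-only"  # constructed
    try:
        broken = browser_post(port, "http://site.com/admin/login.php?action=process", creds)
        fixed = browser_post(port, "http://www.site.com/admin/login.php?action=process", creds)
    finally:
        srv.shutdown()
        srv.server_close()
    return broken, fixed


if __name__ == "__main__":
    print(demo())
```

The first result is the thread's symptom: a 200 carrying "Error: Invalid administrator login attempt." even though correct credentials were posted, because the GET that follows the 301 has no body. The second result, with the form action on the host the redirect expects (which is what setting HTTP_SERVER to the www URL in configure.php achieves), reaches login.php with the fields intact. The same mismatch is worth checking whenever a canonical-host or HTTPS redirect is added in front of an existing login form, and the access log makes it visible as a POST/301 pair followed by a GET.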

Archived

This topic is now archived and is closed to further replies.
