Please help us to make AbanteCart Ideal Open Source Ecommerce Solution for everyone.

Support AbanteCart eCommerce

Author Topic: Got admin access without password- Serious  (Read 7676 times)

Offline CoolSurfer

  • Jr. Member
  • **
  • Posts: 89
  • Karma: +2/-2
    • View Profile
Got admin access without password- Serious
« on: January 04, 2016, 02:12:53 PM »
i imported the sql of site 1 to site 2, the salt key was changed, so when logging into the admin panel, it asked to reset the password.
on doing so, the image verification did not load up , hence could not reset the pwd, however the admin panel loaded fadedly in the bg, on clicking on the category link got access to the admin panel.

i think this should not be allowed.
just wondering....

also the smtp email pwd is not hashed/encrypted .... it should show up as stars...
« Last Edit: January 05, 2016, 07:35:51 AM by CoolSurfer »

Offline Basara

  • Administrator
  • Hero Member
  • *****
  • Posts: 3826
  • Karma: +185/-0
    • View Profile
Re: Got admin access without password- Serious
« Reply #1 on: January 06, 2016, 08:42:34 AM »
Hello.

Please provide more details. What is your AbanteCart version? How you create your sql - via phpmadmin export or AbanteCart buit-in?
“Chuck Norris is so amazing.”
― Mother Teresa

Offline eCommerce Core

  • Administrator
  • Hero Member
  • *****
  • Posts: 1596
  • Karma: +92/-1
    • View Profile
Re: Got admin access without password- Serious
« Reply #2 on: January 06, 2016, 08:47:55 AM »
Are you saying you were able to get into Admin with no password reset or login? Are you sure? What were your steps?

FYI: When you migrate your site, you should not change your SALT key.

“If you’re in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent.”
― Warren Buffett

Offline CoolSurfer

  • Jr. Member
  • **
  • Posts: 89
  • Karma: +2/-2
    • View Profile
Re: Got admin access without password- Serious
« Reply #3 on: January 06, 2016, 08:54:41 AM »
My friend also wanted a similar site on bodybuilding products, but he has 0 knowledge of computers n coding,
so i created a sql backup via cpanel sql backup, the one created by abantecart ( inbuilt) created a corrupted empty sql for some reason.

So u imported my sql into my friends AbanteCart sql via phpmyadmin, after dropping all tables.

Then i tried to make some changes to suite his site name etc.... but it didnt allow me to login.
the image verification thing didnt load the image hence i couldnt reset the password

i just clicked ok without image verification and the admin panel opened faintly which a regular user would not see or ignore. But i clicked on categories and i got access...

i am actually worried about security of my site also.

Then later i changed the salt key via ftp on my friends site.


Offline CoolSurfer

  • Jr. Member
  • **
  • Posts: 89
  • Karma: +2/-2
    • View Profile
Re: Got admin access without password- Serious
« Reply #4 on: January 06, 2016, 08:55:07 AM »
I am using ver 1.2.5 latest

Offline eCommerce Core

  • Administrator
  • Hero Member
  • *****
  • Posts: 1596
  • Karma: +92/-1
    • View Profile
Re: Got admin access without password- Serious
« Reply #5 on: January 06, 2016, 09:25:42 AM »
Do you have GD enabled? Missing GD can cause missing image for verification.

Regarding security, I do not think there is an issue here, but we can definitely check this.

I still do no see how you can skip this step. Did you change any PHP files?
“If you’re in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent.”
― Warren Buffett

Online abantecart

  • Administrator
  • Hero Member
  • *****
  • Posts: 4083
  • Karma: +243/-9
    • View Profile
    • Ideal Open Source Ecommerce Solution
Re: Got admin access without password- Serious
« Reply #6 on: January 06, 2016, 09:33:30 AM »
I think we are dealing with customer modifications or human error causing issues.

Check that this file is present and has correct permissions
admin/controller/responses/common/captcha.php

If this file is missing or not accessible, captcha will not show and validation will not work.
However, this will NEVER allow login without password. 
We need your help to build better free open source eCommerce platform for everyone.
See how you can help

Offline abolabo

  • core-developer
  • Administrator
  • Hero Member
  • *****
  • Posts: 1752
  • Karma: +240/-10
  • web for all, all for web!
    • View Profile
    • AbanteCart
Re: Got admin access without password- Serious
« Reply #7 on: January 06, 2016, 09:40:51 AM »
possibly you copied cache files that cause conflicts.
Try to remove all subdirectories from your public_html/system/cache folder
“No one is useless in this world who lightens the burdens of another.”
― Charles Dickens

Offline CoolSurfer

  • Jr. Member
  • **
  • Posts: 89
  • Karma: +2/-2
    • View Profile
Re: Got admin access without password- Serious
« Reply #8 on: January 06, 2016, 10:41:25 AM »
I installed AbanteCart using installatron in both sites. But will try to check the above suggested ... this caputa  issue is on both the sites ...

Offline abolabo

  • core-developer
  • Administrator
  • Hero Member
  • *****
  • Posts: 1752
  • Karma: +240/-10
  • web for all, all for web!
    • View Profile
    • AbanteCart
Re: Got admin access without password- Serious
« Reply #9 on: January 06, 2016, 11:24:54 AM »
any errors in log?
“No one is useless in this world who lightens the burdens of another.”
― Charles Dickens

Offline CoolSurfer

  • Jr. Member
  • **
  • Posts: 89
  • Karma: +2/-2
    • View Profile
Re: Got admin access without password- Serious
« Reply #10 on: January 07, 2016, 02:34:30 AM »
admin/controller/responses/common/captcha.php is there and has file permission od 644

is that correct?

GD is enabled..

Didnt touch the php.ini file.

Any suggestions pl..
« Last Edit: January 07, 2016, 12:20:30 PM by CoolSurfer »

Offline Basara

  • Administrator
  • Hero Member
  • *****
  • Posts: 3826
  • Karma: +185/-0
    • View Profile
Re: Got admin access without password- Serious
« Reply #11 on: January 25, 2016, 03:00:53 AM »
admin/controller/responses/common/captcha.php is there and has file permission od 644

Try to set 755 permission to this file
“Chuck Norris is so amazing.”
― Mother Teresa

Offline abolabo

  • core-developer
  • Administrator
  • Hero Member
  • *****
  • Posts: 1752
  • Karma: +240/-10
  • web for all, all for web!
    • View Profile
    • AbanteCart
“No one is useless in this world who lightens the burdens of another.”
― Charles Dickens