Got admin access without password- Serious

Started by CoolSurfer, January 04, 2016, 02:12:53 PM

CoolSurfer

I imported the SQL of site 1 to site 2, the salt key was changed, so when logging into the admin panel, it asked to reset the password.
On doing so, the image verification did not load up, hence I could not reset the password. However, the admin panel loaded faded in the background, and on clicking on the category link I got access to the admin panel.

I think this should not be allowed.
Just wondering....

Also the SMTP email password is not hashed/encrypted.... It should show up as stars...

Basara

Hello.

Please provide more details. What is your AbanteCart version? How did you create your SQL: via phpMyAdmin export or AbanteCart built-in?

eCommerce Core

Are you saying you were able to get into Admin with no password reset or login? Are you sure? What were your steps?

FYI: When you migrate your site, you should not change your SALT key.

"If you're in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent."
― Warren Buffett

CoolSurfer

My friend also wanted a similar site on bodybuilding products, but he has 0 knowledge of computers and coding,
so I created a SQL backup via cPanel SQL backup; the one created by AbanteCart (inbuilt) created a corrupted empty SQL for some reason.

So I imported my SQL into my friend's AbanteCart SQL via phpMyAdmin, after dropping all tables.

Then I tried to make some changes to suit his site name etc.... but it didn't allow me to log in.
The image verification thing didn't load the image, hence I couldn't reset the password.

I just clicked OK without image verification and the admin panel opened faintly, which a regular user would not see or ignore. But I clicked on categories and I got access...

I am actually worried about security of my site also.

Then later I changed the salt key via FTP on my friend's site.


eCommerce Core

Do you have GD enabled? Missing GD can cause missing image for verification.

Regarding security, I do not think there is an issue here, but we can definitely check this.

I still do not see how you can skip this step. Did you change any PHP files?

abantecart

I think we are dealing with customer modifications or human error causing issues.

Check that this file is present and has correct permissions
admin/controller/responses/common/captcha.php

If this file is missing or not accessible, captcha will not show and validation will not work.
However, this will NEVER allow login without password. 

abolabo

Possibly you copied cache files that cause conflicts.
Try to remove all subdirectories from your public_html/system/cache folder.
"No one is useless in this world who lightens the burdens of another."
― Charles Dickens

CoolSurfer

I installed AbanteCart using Installatron on both sites. But will try to check the above suggested ... this captcha issue is on both the sites ...

CoolSurfer

admin/controller/responses/common/captcha.php is there and has file permission of 644

is that correct?

GD is enabled..

Didn't touch the php.ini file.

Any suggestions please..

Basara

Quote from: CoolSurfer on January 07, 2016, 02:34:30 AM
admin/controller/responses/common/captcha.php is there and has file permission of 644

Try to set 755 permission to this file
