AbanteCart Community

Shopping Cart Operations => Security => Topic started by: CoolSurfer on January 04, 2016, 02:12:53 PM

Title: Got admin access without password- Serious
Post by: CoolSurfer on January 04, 2016, 02:12:53 PM
I imported the SQL of site 1 to site 2; the salt key was changed, so when logging into the admin panel, it asked to reset the password.
On doing so, the image verification did not load up, hence I could not reset the password; however, the admin panel loaded faintly in the background, and on clicking on the category link I got access to the admin panel.

I think this should not be allowed.
Just wondering...

Also, the SMTP email password is not hashed/encrypted... it should show up as stars...
Title: Re: Got admin access without password- Serious
Post by: Basara on January 06, 2016, 08:42:34 AM
Hello.

Please provide more details. What is your AbanteCart version? How did you create your SQL: via phpMyAdmin export or the AbanteCart built-in tool?
Title: Re: Got admin access without password- Serious
Post by: eCommerce Core on January 06, 2016, 08:47:55 AM
Are you saying you were able to get into Admin with no password reset or login? Are you sure? What were your steps?

FYI: When you migrate your site, you should not change your SALT key.

Title: Re: Got admin access without password- Serious
Post by: CoolSurfer on January 06, 2016, 08:54:41 AM
My friend also wanted a similar site on bodybuilding products, but he has zero knowledge of computers and coding,
so I created an SQL backup via the cPanel SQL backup; the one created by AbanteCart (inbuilt) created a corrupted, empty SQL file for some reason.

So I imported my SQL into my friend's AbanteCart database via phpMyAdmin, after dropping all tables.

Then I tried to make some changes to suit his site name etc., but it didn't allow me to log in.
The image verification thing didn't load the image, hence I couldn't reset the password.

I just clicked OK without image verification and the admin panel opened faintly, which a regular user would not see or would ignore. But I clicked on Categories and I got access...

I am actually worried about the security of my site also.

Then later I changed the salt key via FTP on my friend's site.

Title: Re: Got admin access without password- Serious
Post by: CoolSurfer on January 06, 2016, 08:55:07 AM
I am using version 1.2.5, the latest.
Title: Re: Got admin access without password- Serious
Post by: eCommerce Core on January 06, 2016, 09:25:42 AM
Do you have GD enabled? Missing GD can cause a missing image for verification.

Regarding security, I do not think there is an issue here, but we can definitely check this.

I still do not see how you can skip this step. Did you change any PHP files?
Title: Re: Got admin access without password- Serious
Post by: abantecart on January 06, 2016, 09:33:30 AM
I think we are dealing with customer modifications or human error causing issues.

Check that this file is present and has correct permissions
admin/controller/responses/common/captcha.php

If this file is missing or not accessible, captcha will not show and validation will not work.
However, this will NEVER allow login without password. 
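The practitioner's caveat behind the two replies above: whatever the root cause in 1.2.5 was (this thread does not establish it), a captcha-gated reset form must fail closed. If the image cannot be produced (GD not loaded, controller file missing or unreadable), the server-side check must reject the submission rather than treat an absent challenge as a passed one. The routine below is an added illustration written for this thread; it is not AbanteCart's captcha code and not the fix in the commit linked later. The function names `captcha_generate()` / `captcha_verify()`, the session key `captcha_answer`, the `captcha` POST field and the 300-second lifetime are all assumptions.

```php
<?php
// Added illustration for this thread, not AbanteCart's code.
// Assumed names: captcha_generate(), captcha_verify(), session key 'captcha_answer'.
declare(strict_types=1);

const CAPTCHA_SESSION_KEY = 'captcha_answer'; // assumed session key
const CAPTCHA_TTL         = 300;              // assumed lifetime of a challenge, seconds

/**
 * Issue a challenge and store the answer server-side.
 * Returns PNG bytes, or null when the image cannot be produced (e.g. GD missing).
 * Any previously stored answer is cleared first, so a failed render never
 * leaves a stale answer that a later submission could match.
 */
function captcha_generate(array &$session): ?string
{
    unset($session[CAPTCHA_SESSION_KEY]);

    if (!function_exists('imagecreatetruecolor')) {
        error_log('captcha: GD extension not available, refusing to issue a challenge');
        return null; // caller must treat this as a hard error, not as "no captcha needed"
    }

    // Unambiguous alphabet: no 0/O, 1/I.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }

    $img   = imagecreatetruecolor(150, 50);
    $white = imagecolorallocate($img, 255, 255, 255);
    $black = imagecolorallocate($img, 0, 0, 0);
    imagefilledrectangle($img, 0, 0, 149, 49, $white);
    imagestring($img, 5, 20, 17, $code, $black);

    ob_start();
    imagepng($img);
    imagedestroy($img);
    $png = ob_get_clean();

    // Store only after the image was produced: a challenge exists iff it was shown.
    $session[CAPTCHA_SESSION_KEY] = ['code' => $code, 'issued' => time()];
    return $png;
}

/**
 * Fail-closed verification: no stored challenge, an empty answer, an expired
 * challenge, or a mismatch all return false. The challenge is consumed on
 * every call, so it is single-use whether the answer was right or wrong.
 */
function captcha_verify(array &$session, ?string $submitted): bool
{
    $stored = $session[CAPTCHA_SESSION_KEY] ?? null;
    unset($session[CAPTCHA_SESSION_KEY]);

    if ($stored === null || $submitted === null || trim($submitted) === '') {
        return false; // image was never rendered, or field left blank => deny
    }
    if (time() - $stored['issued'] > CAPTCHA_TTL) {
        return false; // expired challenge
    }
    return hash_equals($stored['code'], strtoupper(trim($submitted)));
}

// Sketch of the reset-form handler: nothing past the check runs without a pass.
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!captcha_verify($_SESSION, $_POST['captcha'] ?? null)) {
        http_response_code(403);
        exit('Verification failed. Reload the form and try again.');
    }
    // ... only here: look up the account and perform the password reset ...
}
```

Wire `captcha_generate()` to the image endpoint and treat a `null` return as an error page plus a log entry, so a host without GD surfaces as a visibly broken reset flow instead of a form whose verification step can be skipped. The two invariants that matter are that an answer is stored only after an image was actually produced, and that the absence of a stored answer is a rejection, not a pass.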
Title: Re: Got admin access without password- Serious
Post by: abolabo on January 06, 2016, 09:40:51 AM
Possibly you copied cache files that cause conflicts.
Try to remove all subdirectories from your public_html/system/cache folder
Title: Re: Got admin access without password- Serious
Post by: CoolSurfer on January 06, 2016, 10:41:25 AM
I installed AbanteCart using Installatron on both sites. But I will try to check the above suggestions... this captcha issue is on both sites...
Title: Re: Got admin access without password- Serious
Post by: abolabo on January 06, 2016, 11:24:54 AM
Any errors in the log?
Title: Re: Got admin access without password- Serious
Post by: CoolSurfer on January 07, 2016, 02:34:30 AM
admin/controller/responses/common/captcha.php is there and has file permission of 644.

is that correct?

GD is enabled..

Didn't touch the php.ini file.

Any suggestions please...
Title: Re: Got admin access without password- Serious
Post by: Basara on January 25, 2016, 03:00:53 AM
admin/controller/responses/common/captcha.php is there and has file permission of 644.

Try to set 755 permissions on this file.
Title: Re: Got admin access without password- Serious
Post by: abolabo on April 21, 2016, 11:27:54 AM
Issue solved in v1.2.7.
See details here https://github.com/abantecart/abantecart-src/commit/ef60cbf500f332a04dea26a8e85316aac3a96916