jerseyjoe Posted February 16, 2011 Share Posted February 16, 2011 I have a CC3 whose admin logins do not work. The password recovery says email sent but it is never received. I have access to the database. There are three admin accounts. The admin user email addresses are correct. How to fix? Quote Link to comment Share on other sites More sharing options...
bsmither Posted February 16, 2011 Share Posted February 16, 2011 Do you have access to your files? If so, see if the timestamps on /admin/login.php and requestPass.php appear to be not right. Replace if necessary. Even though CC may say that the email was sent, it just means the email was sent to the server's mail delivery agent. The hosting provider may have made changes that makes sending mail no longer possible, at least using the method specified in CC's settings. Have you consulted with the host provider? In addition (and I have personally experienced this), a New Password email may be seen as spam. Then there is the blocker. If you are blocked, there will be a message saying you have attempted to log in too many time within a timeframe. However, all messages, whatever they may be, are dropped in favor of the message saying that you have a new password sent. The 'new password sent' message is displayed if and only if an email address is included in the URL: /admin/login.php?email=address (In the login script, no actual check is made if one was actually sent.) Quote Link to comment Share on other sites More sharing options...
jerseyjoe Posted February 16, 2011 Author Share Posted February 16, 2011 (edited) Thanks for the response. About the email issue, I am the host. It's my servers. The emails addresses are correct and functional. in fact your reply came to an email address used here in these forums - and it also is an address one of the three not getting email. i have looked in spam folders and in my server's email manager and none of the messages are there. Further, I host about 80 web sites on that same server and many 9at least half) use one of those same email addresses and they go out and are received without a problem. I think it's a reasonable assumption that those emails are simply not going out, despite the notice that says they are. My server uses Bulk Mail Brute Force protection that works fine. I get a message whenever there is an attempted use that involves any of the blacklisted IPs. The server would not block its own access, so that can be ruled out. Regarding admin/login.php. there is the following: line 205: if(isset($_GET['email'])){ line 206: $msg = "<p class='infoText'>".$lang['admin']['other']['new_pass_sent']." ".treatGet(urldecode($_GET['email']))."</p>"; is that what you were referring to? Thanks again for the suggestions. Thanks for the response. About the email issue, I am the host. It's my servers. The emails addresses are correct and functional. in fact your reply came to an email address used here in these forums - and it also is an address one of the three not getting email. i have looked in spam folders and in my server's email manager and none of the messages are there. Further, I host about 80 web sites on that same server and many 9at least half) use one of those same email addresses and they go out and are received without a problem. I think it's a reasonable assumption that those emails are simply not going out, despite the notice that says they are. My server uses Bulk Mail Brute Force protection that works fine. I get a message whenever there is an attempted use that involves any of the blacklisted IPs. The server would not block its own access, so that can be ruled out. Regarding admin/login.php. there is the following: line 205: if(isset($_GET['email'])){ line 206: $msg = "<p class='infoText'>".$lang['admin']['other']['new_pass_sent']." ".treatGet(urldecode($_GET['email']))."</p>"; is that what you were referring to? Thanks again for the suggestions. added EDIT: Re your text " Do you have access to your files? If so, see if the timestamps on /admin/login.php and requestPass.php appear to be not right. Replace if necessary.' Where exactly would I look for that? Edited February 16, 2011 by jerseyjoe Quote Link to comment Share on other sites More sharing options...
bsmither Posted February 16, 2011 Share Posted February 16, 2011 Lines 205/206 is what I was referring to. If you have access to the server, then you have the ability to get a directory listing of that store's admin folder. When a directory gets listed, in addition to the filename you will (hopefully) see the date last modified. In my distribution of CC3.0.20, the login.php and requestPass.php files have a timestamp of 8/3/2009. Also /classes/htmlMimeMail.php and /classes/smtp.php are dated 8/3/2009. I'm asking about the file dates because if they have changed, then someone or something changed them and maybe some code was changed. Quote Link to comment Share on other sites More sharing options...
bsmither Posted February 16, 2011 Share Posted February 16, 2011 To brute force a fix, you will need to access a base64 encoder. 1. Pick a password 2. Base64 encode it 3. Access your database 4. In the _admin_users table, choose a record that is `isSuper`=1 5. Replace the password field with the new base64 encoded string 6. Apply changes 7. Delete all records in the _blocker table 8. Delete all cookies from the store's domain from your browser 9. Go here: /admin/logout.php (may have to do this two or three times) 10. Now try logging in with the username and password of the record you just updated Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.