Jump to content

ACP locked out


jerseyjoe
 Share

Recommended Posts

Do you have access to your files? If so, see if the timestamps on /admin/login.php and requestPass.php appear to be not right. Replace if necessary.

Even though CC may say that the email was sent, it just means the email was sent to the server's mail delivery agent. The hosting provider may have made changes that makes sending mail no longer possible, at least using the method specified in CC's settings. Have you consulted with the host provider? In addition (and I have personally experienced this), a New Password email may be seen as spam.

Then there is the blocker. If you are blocked, there will be a message saying you have attempted to log in too many time within a timeframe. However, all messages, whatever they may be, are dropped in favor of the message saying that you have a new password sent. The 'new password sent' message is displayed if and only if an email address is included in the URL:

/admin/login.php?email=address

(In the login script, no actual check is made if one was actually sent.)

Link to comment
Share on other sites

Thanks for the response.

About the email issue, I am the host. It's my servers. The emails addresses are correct and functional. in fact your reply came to an email address used here in these forums - and it also is an address one of the three not getting email. i have looked in spam folders and in my server's email manager and none of the messages are there. Further, I host about 80 web sites on that same server and many 9at least half) use one of those same email addresses and they go out and are received without a problem.

I think it's a reasonable assumption that those emails are simply not going out, despite the notice that says they are.

My server uses Bulk Mail Brute Force protection that works fine. I get a message whenever there is an attempted use that involves any of the blacklisted IPs. The server would not block its own access, so that can be ruled out.

Regarding admin/login.php. there is the following:

line 205: if(isset($_GET['email'])){

line 206: $msg = "<p class='infoText'>".$lang['admin']['other']['new_pass_sent']." ".treatGet(urldecode($_GET['email']))."</p>";

is that what you were referring to?

Thanks again for the suggestions.

Thanks for the response.

About the email issue, I am the host. It's my servers. The emails addresses are correct and functional. in fact your reply came to an email address used here in these forums - and it also is an address one of the three not getting email. i have looked in spam folders and in my server's email manager and none of the messages are there. Further, I host about 80 web sites on that same server and many 9at least half) use one of those same email addresses and they go out and are received without a problem.

I think it's a reasonable assumption that those emails are simply not going out, despite the notice that says they are.

My server uses Bulk Mail Brute Force protection that works fine. I get a message whenever there is an attempted use that involves any of the blacklisted IPs. The server would not block its own access, so that can be ruled out.

Regarding admin/login.php. there is the following:

line 205: if(isset($_GET['email'])){

line 206: $msg = "<p class='infoText'>".$lang['admin']['other']['new_pass_sent']." ".treatGet(urldecode($_GET['email']))."</p>";

is that what you were referring to?

Thanks again for the suggestions.

added EDIT:

Re your text "

Do you have access to your files? If so, see if the timestamps on /admin/login.php and requestPass.php appear to be not right. Replace if necessary.'

Where exactly would I look for that?

Edited by jerseyjoe
Link to comment
Share on other sites

Lines 205/206 is what I was referring to.

If you have access to the server, then you have the ability to get a directory listing of that store's admin folder. When a directory gets listed, in addition to the filename you will (hopefully) see the date last modified. In my distribution of CC3.0.20, the login.php and requestPass.php files have a timestamp of 8/3/2009. Also /classes/htmlMimeMail.php and /classes/smtp.php are dated 8/3/2009.

I'm asking about the file dates because if they have changed, then someone or something changed them and maybe some code was changed.

Link to comment
Share on other sites

To brute force a fix, you will need to access a base64 encoder.

1. Pick a password

2. Base64 encode it

3. Access your database

4. In the _admin_users table, choose a record that is `isSuper`=1

5. Replace the password field with the new base64 encoded string

6. Apply changes

7. Delete all records in the _blocker table

8. Delete all cookies from the store's domain from your browser

9. Go here: /admin/logout.php (may have to do this two or three times)

10. Now try logging in with the username and password of the record you just updated

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...