Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19
  1. #11
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Default Re: Installation Issue - Admin Password not recognized

    Quote Originally Posted by dewragdave View Post
    Well, the Wikipedia definition of a hacker is:
    Hacker (computer security) or cracker, who accesses a computer system by circumventing its security system.
    I wasn't intererested in Wikipedia's definintion. I was interested in what *you* consider to be a 'hack'. This means many different thing to different people.

    Quote Originally Posted by dewragdave View Post
    So why would a Zen-cart tutorial tell us to rename the ADMIN folder?
    Two reasons spring to mind.
    1. Security by obscurity
    2. There are ready made scripts that the 'script kiddies' (often mis-labled as 'hackers') can execute to gain access to vulnerable versions of zencart that rely/depend on certain files located in the /admin/ folder. The simple act of renaming this folder prevents these 'hacks' from working.

    Quote Originally Posted by dewragdave View Post
    Is it that easy to open someone's folder
    I don't know... exactly how easy is 'that easy'? This question makes no sense.

    Quote Originally Posted by dewragdave View Post
    and open the configure.php file
    By design, this file is unreadable via HTTP access to anyone other than a logged in administrator.

    Quote Originally Posted by dewragdave View Post
    and low and behold there is an un-encrypted password that gets them full admin rights.
    Err, no it doesn't. The username/password stored in that file gives them the login details to the *database* only.
    Needless to say, this isn't something you want to give other people, which is why the file itself is protected from being accessable to anyone.

    Quote Originally Posted by dewragdave View Post
    It was encrypted in v1.39... why is in not encrypted in v1.5?????
    You are mistaken. This username/password in configure.php has never been encrypted, and it never will be, for reasons that will take you several lessons to understand. No offense intended. You'd need to familiarise yourself with the workings of an SQL server for this, and that is something that most zenners will never need to concern themselves with.

    Quote Originally Posted by dewragdave View Post
    I'm looking for a way to fix it not the resulting problems from someone finding it.
    Unless I'm completely misunderstanding you, there is nothing to be fixed.

    Cheers
    Rod

  2. #12
    Join Date
    Nov 2009
    Posts
    30
    Plugin Contributions
    0

    Default Re: Installation Issue - Admin Password not recognized

    Quote Originally Posted by DrByte View Post
    I'm not sure where you got that idea from.
    No, the database-password in the configure.php files have never been "encrypted". Because it doesn't work that way.
    There was no change to that between v1.3.9 and v1.5.0. You must be thinking of something completely different.
    Well, I've been using the same password in v1.38, v1.39 and now in v1.50.
    I have a copy of my v1.39 configure.php and the password is a lot longer and composed of a bunch of scrambled letters and numbers. In my v1.50 configure.php it is the actual password that I use. I don't have a copy of the v1.38 version to see what it looks like. I just assumed that it was encrypted because of that. So now I'm wondering how I was able to sign on to the v1.39 version??? I think I understand how it all works now, it just seems kind of vulnerable to have the actual password showing anywhere not encrypted. I used OSC before this and the password is encrypted in the configure.php and my admin was hacked and I ended up with a completely trashed website. They went as far as to create 5 extra admin signons. My website only displayed a picture of the Algerian flag and text that said: "Hacked by BrOx-Dz your security is 0". Thanks for the feedback.

  3. #13
    Join Date
    Nov 2009
    Posts
    30
    Plugin Contributions
    0

    Default Re: Installation Issue - Admin Password not recognized

    Quote Originally Posted by RodG View Post
    I wasn't intererested in Wikipedia's definintion. I was interested in what *you* consider to be a 'hack'. This means many different thing to different people.



    Two reasons spring to mind.
    1. Security by obscurity
    2. There are ready made scripts that the 'script kiddies' (often mis-labled as 'hackers') can execute to gain access to vulnerable versions of zencart that rely/depend on certain files located in the /admin/ folder. The simple act of renaming this folder prevents these 'hacks' from working.



    I don't know... exactly how easy is 'that easy'? This question makes no sense.



    By design, this file is unreadable via HTTP access to anyone other than a logged in administrator.



    Err, no it doesn't. The username/password stored in that file gives them the login details to the *database* only.
    Needless to say, this isn't something you want to give other people, which is why the file itself is protected from being accessable to anyone.



    You are mistaken. This username/password in configure.php has never been encrypted, and it never will be, for reasons that will take you several lessons to understand. No offense intended. You'd need to familiarise yourself with the workings of an SQL server for this, and that is something that most zenners will never need to concern themselves with.



    Unless I'm completely misunderstanding you, there is nothing to be fixed.

    Cheers
    Rod

    I guess if banks and the govt can be hacked then so can zen-cart. Identity theft is running rampant and literally everyone tells you to protect you passwords, don't write them down, change them every 60 days etc...etc...etc... It just seems odd to me that a password would be displayed anywhere un-encrypted, whether or not it was in a secured server, or folder, or whatever... The whole thing makes be nervous because of my prior bad experience with OSC. (see my comment to DrByte). Thank you for all the helpful comments, you obviously have an extensive knowledge of zen-cart.

  4. #14
    Join Date
    Jan 2004
    Posts
    66,364
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: Installation Issue - Admin Password not recognized

    I still think you're mistaken about the passwords in prior versions.

    Just to be clear: the DB_PASSWORD in the configure.php file IS NOT the same password as what you use to login to your store's admin. The admin password is definitely encrypted when stored. There is no need to decrypt it, because the validation of that password is done in real time when the "user" supplies the password, which is re-encrypted and compared with the stored encrypted value. That's completely different than the database password stored in configure.php which Zen Cart must tell PHP to read and pass over to MySQL to enable access to the database. This access, on a properly secured server, is kept internal to the server and not allowed to outside users, unlike your store admin access which is always from outside.

    Quote Originally Posted by dewragdave View Post
    It just seems odd to me that a password would be displayed anywhere un-encrypted
    Um. It is NOT "displayed" anywhere.


    That said if you have some expertise on how to store the password in the configure.php file in encrypted format, and use that encrypted password to pass over to MySQL without decrypting it so MySQL can actually use it for login, please share. In all my open source app work I've never seen a site's mysql db password stored encrypted in a PHP file. Heck, even in other languages it's stored unencrypted too ... because it has to be.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  5. #15
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Default Re: Installation Issue - Admin Password not recognized

    Quote Originally Posted by dewragdave View Post
    The whole thing makes be nervous because of my prior bad experience with OSC. (see my comment to DrByte). Thank you for all the helpful comments, you obviously have an extensive knowledge of zen-cart.
    My knowlege of MySQL is far greater than my knowlege of Zencart, hense my response "This username/password in configure.php has never been encrypted, and it never will be, for reasons that will take you several lessons to understand. No offense intended. You'd need to familiarise yourself with the workings of an SQL server"

    And for the record, I've just taken a look at my configure.php files for OSC V2.2 and V2.3.1 (mainly to see if there was a *another* password that you were thinking of, and the only ones I see are for the DB, which *out of necessity* is not encrypted.

    I've also taken a look at my osCommerce V3.0 & V3.2 installallations (where the settings are stored in a different file, called "settings.ini" and once again, all plain text.

    Same with Opencart V1.49, V1.5,0, V1.5.1 & the current V1.5.2 .. and
    PrestaShop V1.44 - to the current V1.50 ... plain text...
    Not to mention InterSpire (a commecial system).... plain text
    VirtueMart (a Joomla module).. Same again...

    I could go on, but I know that I'll not find anything different.

    What I think you *could* have seen is a "complex" password that *looks* as though it was encrypted, for example "728d43851f0105418cfab".
    This is quite feasible, because it's not as though you need to type these passwords in anywhere, other than initial setups (for Store operations), so the more complex the better.

    I've just provided you with a way to 'save face', so if you are smart you will accept this explanation and cease this discussion

    Cheers
    Rod

    ps. If you think it strange that I just happen to have all of these different carts at my disposal, you'll find the reasons by visiting http://ozpost.net/
    pss. ZenCart beats all others hands down (IMO). Some may be 'prettier' but I prefer functionality, support and versatility over 'pretty' any day :)
    Last edited by RodG; 16 May 2012 at 07:29 AM.

  6. #16
    Join Date
    Nov 2009
    Posts
    30
    Plugin Contributions
    0

    Default Re: Installation Issue - Admin Password not recognized

    Quote Originally Posted by RodG View Post
    What I think you *could* have seen is a "complex" password that *looks* as though it was encrypted, for example "728d43851f0105418cfab".
    This is quite feasible, because it's not as though you need to type these passwords in anywhere, other than initial setups (for Store operations), so the more complex the better.
    )
    Rod
    I guess the squeaky wheel really does get the grease.
    Yes, this is the kind of password that was in the configure.php of all my OSC's and prior versions of zen. I assumed (you know what that means) that it was encrypted because it didn't match my password. So what you are saying is that I could delete the password in configure.php or change it to anything I wanted and it would not effect my signon anyway, right? At least if someone did gain access to the file it at least would not have my current password. So if I change my password in admin it does not change in the configure.php just in the Mysql data base file. Case Closed.
    Dave

  7. #17
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Default Re: Installation Issue - Admin Password not recognized

    "So what you are saying is that I could delete the password in configure.php or change it to anything I wanted and it would not effect my signon anyway, right"
    Hhhm *mostly* right, but if you delete/change the password in configure.php your site will just 'die' unless you add the *same* password into your MySQL database admin user. This 'user' not found in any of the zencart tables. It is located in the 'master' Mysql database called 'mysql'.

    Unless you are running your *own* server you will NOT have direct access to this data, and the password can only be changed via a system permitted interface (such as the MySQL database wizzard that is found in most cPanels).

    "At least if someone did gain access to the file it at least would not have my current password"
    The password in the configure files would give access to all of the databases under your control. This is NOT to be confused the Zencart admin user (which only allows access to ZenCart itself).

    "So if I change my password in admin it does not change in the configure.php"
    Correct. This is a *different* password. The two must not be confused.

    The user/password stored in the configure files allows access to ALL databases under that account (typically this would be for the zencart database only, but many people will have several different databases under the same account. These are the ones that can only be set up via cPanel or similar.

    The 'admin' user for Zencart allows access to ZenCart store only (not the zencart database itself). The *database* users/passwords are a 'one time only' setting, and once set would rarely ever need changing. The zencart 'admin' user is what you use to administer the *store*. This user/password is stored in the database itself (encrypted). ...

    Cheers
    Rod

  8. #18
    Join Date
    Aug 2004
    Location
    Fountain Hills, AZ
    Posts
    515
    Plugin Contributions
    1

    Default Re: Installation Issue - Admin Password not recognized

    I know this is an old thread, but I'm having a similar if not the same issue. I just ran a new install on the latest release. System had no problem finding the renamed admin folder; however I am unable to access the admin. I did a pass reset, and was sent a new pass and it still refused to accept it.

    I checked and as far as I can see the sessions are being saved in the cache folder - so just not sure. Now we've gone to great lengths to lock down our server (we have total control), so I'm thinking maybe it's some of our security creating the problem. Do you have suggestions as to what I need to look at? FYI - I have two other legacy carts, one recently upgraded to the latest release working just fine, so I'm not exactly sure what to look for.

    Thanks

    Ruth

  9. #19
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Default Re: Installation Issue - Admin Password not recognized

    Quote Originally Posted by rwoody View Post
    I'm thinking maybe it's some of our security creating the problem. Do you have suggestions as to what I need to look at?
    The problem here is that we don't know what security you have in place, and if we assume your diagnosis is correct there really isn't much we can suggest.

    One way to identify the cause would be to disable all security measures to prove that it is indeed a security issue, and then re-enable them one by one until you identify which measure is causing the issue.

    I assume that you've already done the 'obvious', such as clearing any cache files and trying a different browser?

    Cheers
    RodG

 

 
Page 2 of 2 FirstFirst 12

Similar Threads

  1. Replies: 1
    Last Post: 1 Feb 2015, 03:12 PM
  2. User and password not recognized
    By sparktronic in forum General Questions
    Replies: 8
    Last Post: 5 Jan 2014, 12:12 AM
  3. v150 admin password expired, won't reset, will not send new password to email
    By baltimorestreetmods in forum General Questions
    Replies: 2
    Last Post: 6 Sep 2012, 07:16 PM
  4. Installation issue with admin area
    By cpallant in forum Installing on a Windows Server
    Replies: 1
    Last Post: 26 Jan 2011, 07:02 PM
  5. Admin ID & Password Re-Set Issue
    By Adds in forum General Questions
    Replies: 0
    Last Post: 23 Mar 2008, 09:47 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR