Author Topic: Coppermine CRUSHED!?  (Read 6044 times)

matija

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 20
Coppermine CRUSHED!?
« on: December 03, 2005, 04:08:19 pm »

Hi!

I updated from Coppermine 1.3.3 to 1.4.2 and everything was working with some small problems. Then I went to the admin panel and clicked 'Restore Defaults' instead of 'Update settings' and coppermine CRUSHED. I could login as an admin and now it says that 'You are banned from using coppermine'. The URL is: http://www.ana-ivanovic.net/gallery/ . PLEASE HELP ME!

Thanks in advance,
Matija.
« Last Edit: December 03, 2005, 06:19:25 pm by TranzNDance »
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Coppermine CRUSHED!?
« Reply #1 on: December 03, 2005, 04:37:03 pm »

OK, my guess is that the "enable_encrypted_passwords" configuration option did you in.  Looking at the update script, this option is turned off since previous versions did not use encrypted passwords, but since 1.4.2 now does, the factory default is to have this option on.  So your users table has the passwords not encrypted, Coppermine with its new default option thinks they are and so when you login it encrypts what you type in, compares it, and it doesn't match ... you're banned (after 5 attempts).  The default ban time is 10 minutes, but that doesn't help because you'll never get in just by logging in.

Oops, I may have overstepped my boundaries.  I just tried (right now), update.php on your site and it executed.  I guess that's by design (update.php doesn't check for admin access so you should remove it once you are done).  I may have just fixed your problem by running update.php which sets the "enable_encrypted_passwords" to OFF.  I didn't mean to do it myself.  I was going to recommend you do so.  Sorry about that.  I should look (more carefully) before I leap.

By the way, phpMyAdmin.net is a useful tool for modifying the database directly in case you get stuck. You could remove your ban for example and not wait 10 minutes for it to expire on its own.  Your web host probably has phpMyAdmin already installed but if it doesn't, you can download it and put it in a subdirectory on your web account and use it yourself.  Very very useful.
« Last Edit: December 03, 2005, 04:42:05 pm by Paver »
Logged

Nibbler

  • Guest
Re: Coppermine CRUSHED!?
« Reply #2 on: December 03, 2005, 04:44:10 pm »

Running update.php won't turn encrypted passwords off. There is a bug filed for the factory defaults issue though, that should be fixed in 1.4.3
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Coppermine CRUSHED!?
« Reply #3 on: December 03, 2005, 04:46:34 pm »

Quote from: Nibbler
> Running update.php won't turn encrypted passwords off.

Isn't sql/update.sql run from update.php?
Logged

Nibbler

  • Guest
Re: Coppermine CRUSHED!?
« Reply #4 on: December 03, 2005, 04:49:51 pm »

Yes

Code:
INSERT INTO CPG_config VALUES ('enable_encrypted_passwords','0');
If that's what you were looking at then that won't change the value, it will just insert a new row for the setting if one doesn't exist already.
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Coppermine CRUSHED!?
« Reply #5 on: December 03, 2005, 05:02:14 pm »

Quote from: Nibbler
> Yes
>
> Code:
> INSERT INTO CPG_config VALUES ('enable_encrypted_passwords','0');
> If that's what you were looking at then that won't change the value, it will just insert a new row for the setting if one doesn't exist already.

Oh, of course.  I could blame the hour of the morning, but it's not fair to externalize my failings.

So do you recommend to Matija to use phpMyAdmin to change this option in CPG_CONFIG to 0?  I guess you could also add the following line to sql/update.sql and then run update.php:

UPDATE `CPG_config` SET `value` = '0' WHERE `name`= 'enable_encrypted_passwords' LIMIT 1 ;

(if you don't have phpMyAdmin on hand).  Of course using phpMyAdmin is much safer in general.
Logged
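
The behaviour discussed in replies #1 to #5, as an added example that is not part of the original thread and not Coppermine's own code: with the flag on and a plain-text password in the users table the login comparison fails, the INSERT leaves the existing setting untouched, and the UPDATE is what clears it. Assumptions: SQLite stands in for MySQL (so LIMIT 1 is dropped), `name` is treated as a unique key, the `CPG_users` table and its columns are hypothetical, SHA-256 is a stand-in for whatever transform the gallery applies, and all data is constructed.

```python
import hashlib
import hmac
import sqlite3

FLAG = "enable_encrypted_passwords"

def digest(password):
    # Stand-in transform; the thread does not name the one Coppermine uses.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db(flag_value):
    """In-memory stand-in for the gallery database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CPG_config (name TEXT PRIMARY KEY, value TEXT)")
    db.execute("CREATE TABLE CPG_users (user_name TEXT PRIMARY KEY, user_password TEXT)")
    db.execute("INSERT INTO CPG_config VALUES (?, ?)", (FLAG, flag_value))
    # Account carried over from the older version: password stored unencrypted.
    db.execute("INSERT INTO CPG_users VALUES ('admin', 'constructed-secret')")
    return db

def get_flag(db):
    return db.execute("SELECT value FROM CPG_config WHERE name = ?", (FLAG,)).fetchone()[0]

def login_ok(db, user, typed):
    row = db.execute("SELECT user_password FROM CPG_users WHERE user_name = ?", (user,)).fetchone()
    if row is None:
        return False
    # Flag on: the typed password is transformed before comparison.
    candidate = digest(typed) if get_flag(db) == "1" else typed
    return hmac.compare_digest(candidate, row[0])

def run_insert(db):
    """The line from update.sql: only adds the setting when it is missing."""
    try:
        db.execute("INSERT INTO CPG_config VALUES ('enable_encrypted_passwords','0')")
        return True
    except sqlite3.IntegrityError:
        return False  # row already exists, stored value unchanged

def run_update(db):
    """The proposed fix: changes the stored value of the existing row."""
    cur = db.execute("UPDATE CPG_config SET value = '0' WHERE name = ?", (FLAG,))
    return cur.rowcount

if __name__ == "__main__":
    db = make_db("1")  # state after 'Restore Defaults'
    print(login_ok(db, "admin", "constructed-secret"), run_insert(db), get_flag(db))
    print(run_update(db), get_flag(db), login_ok(db, "admin", "constructed-secret"))
```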

Nibbler

  • Guest
Re: Coppermine CRUSHED!?
« Reply #6 on: December 03, 2005, 05:03:55 pm »

Yes, that would work. It would need to be CPG_ though.
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Coppermine CRUSHED!?
« Reply #7 on: December 03, 2005, 05:05:14 pm »

Roger.  Modified as specified.
Logged

matija

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 20
Re: Coppermine CRUSHED!?
« Reply #8 on: December 03, 2005, 05:07:38 pm »

I quite don't understand what should I do. I can't access the admin mode and I guess my IP is temporarily banned. So could you please tell me more precisely what to do (I am dumb, I know). Also why is the default language of coppermine Polish now and I also couldn't change it. I would appreciate your kind help. The site is quite popular and it doesn't look too good right now.
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Coppermine CRUSHED!?
« Reply #9 on: December 03, 2005, 05:16:14 pm »

Matija: I see English on your site right now.

If you have never used phpMyAdmin before (or never heard of it), you might want to put it on your "to do" list because it's a handy tool.

For now, a quicker fix (but a little riskier if you are not careful) is to modify this file on your web account: "update.sql" in your SQL folder (under coppermine).  This file is a text file so open it in a text editor and add the following line (at the bottom or anywhere really):

UPDATE CPG_config SET value = '0' WHERE name = 'enable_encrypted_passwords' LIMIT 1 ;

Make sure it's on a line by itself.  (You could put blank lines around it to make sure.)  If you modify the file on your home computer, upload the file to your web account in the SQL folder overwriting the previous file.

Then, in your web browser, go to http://www.ana-ivanovic.net/gallery/update.php.  That should fix the problem.  If you are still banned, you'll have to wait until the ban clears (up to 10 minutes), then try again.  I could give you another line to add to update.sql to remove the ban, but that's not safe because then anyone could clear the bans using this file.  After you are done and everything is working, I'd move update.php and upgrade-1.0-to-1.2.php out of your web folder so no one else can run them in the future.

Logged

matija

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 20
Re: Coppermine CRUSHED!?
« Reply #10 on: December 03, 2005, 05:36:06 pm »

Thank you for a wonderful response Paver! You see it in English 'cause I put a different URL: http://www.ana-ivanovic.net/gallery/index.php?lang=english&theme=water_drop. If you clean cookies or register it will be Polish. I don't know how to solve it and it seems to be a major problem. Any ideas? Once more thank you!
Logged

Paver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1609
  • Paul V.
Re: Coppermine CRUSHED!?
« Reply #11 on: December 03, 2005, 05:44:38 pm »

You're welcome.  Are you able to log in as admin now?  If so, this thread is "solved".

If you want to ask a question about language issues, you should start a new thread.  One of the rules is "one question per thread".  It keeps things organized and easy to read & search later.  If you start another thread, a more detailed subject would be more helpful.   ;)
Logged

matija

  • Coppermine novice
  • *
  • Offline Offline
  • Posts: 20
Re: Coppermine CRUSHED!?
« Reply #12 on: December 03, 2005, 06:01:50 pm »

Solved! :)
Logged