eZ Community » Forums » Install & configuration » Password lost - help!
expandshrink

Password lost - help!

Password lost - help!

Friday 05 June 2009 10:14:22 am - 6 replies

Hello;

How to retrieve admin password? I tried to insert new md5 hash into ezuser table but it's not working for me. What's the "type 2 hash"?

Modified on Friday 05 June 2009 10:16:38 am by Noicokuna Niemoge

Friday 05 June 2009 10:26:32 am

Hi,

If you look in the class user : kernel/classes/datatypes/ezuser/ezuer.php (line 1557 )

static function createHash( $user, $password, $site, $type, $hash = false )
    {
        $str = '';
        if( $type == self::PASSWORD_HASH_MD5_USER )
        {
            $str = md5( "$user\n$password" );
        }
        else if ( $type == self::PASSWORD_HASH_MD5_SITE )
        {
            $str = md5( "$user\n$password\n$site" );
        }
        else if ( $type == self::PASSWORD_HASH_MYSQL )
        {
            $db = eZDB::instance();
            $hash = $db->escapeString( $password );

            $str = $db->arrayQuery( "SELECT PASSWORD( '$hash' )" );
            $hashes = array_values( $str[0] );
            $str = $hashes[0];
        }
        else if ( $type == self::PASSWORD_HASH_PLAINTEXT )
        {
            $str = $password;
        }
        else if ( $type == self::PASSWORD_HASH_CRYPT )
        {
            if ( $hash )
            {
                $str = crypt( $password, $hash );
            }
            else
            {
                $str = crypt( $password );
            }
        }
        else // self::PASSWORD_HASH_MD5_PASSWORD
        {
            $str = md5( $password );
        }
        eZDebugSetting::writeDebug( 'kernel-user', $str, "ezuser($type)" );
        return $str;
    }

at the begining of class

    /// MD5 of password
    const PASSWORD_HASH_MD5_PASSWORD = 1;
    const PASSWORD_HASH_MD5_USER = 2;
    const PASSWORD_HASH_MD5_SITE = 3;
    const PASSWORD_HASH_MYSQL = 4;
    const PASSWORD_HASH_PLAINTEXT = 5;
    const PASSWORD_HASH_CRYPT = 6;

So in your case (the default case) the constant is PASSWORD_HASH_MD5_USER.

So to force a new valid pass in the ezuser table you have to make a hash like

$str = md5( "admin\n$MYPASSWORD" );

++

Modified on Friday 05 June 2009 10:28:46 am by Sébastien Morel

Friday 05 June 2009 10:28:58 am

Thanks for fast reply happy.gif Emoticon

Hmm... I try to generate this password as type 2 in an md5 hash calculator, but without any success. Any ideas? Should I include there that \n string or is it a break? I think it's a string?

I generated a password like admin\nmypassword, but the hash doesn't work. By now I login as type 1 pass, but every time I log out it gets changed in the DB to type 2, which is not that convenient.

Modified on Friday 05 June 2009 10:39:03 am by Noicokuna Niemoge

Friday 05 June 2009 10:55:01 am

For me

print md5("admin\nmypassword");

return

4a964898a3133cf2507ff82962c3a88a

and it's ok for me( I just tested)

Are you sure, your problem comes from the password ? eZ shows error from user/password or siteaccess ?

++

Friday 05 June 2009 10:58:48 am

Well, I noticed that whenever I log out (when I change hash in the database and hash type to 1), eZ Publish changes hash type to 2 and also... changes the hash itself (changes password).

eZ even doesn't display an error "invalid password" just redirects me again to login form. Also, no errors are visible in error log.

Hmm, is it possible that I got hacked?

If yes, tell me please how to manually disable logins because today I'm going abroad and won't be able to sit and solve that problem instantly. :/

Modified on Friday 05 June 2009 11:40:06 am by Noicokuna Niemoge

Friday 05 June 2009 12:20:31 pm

Try run:

UPDATE  `YOURDBNAME`.`ezuser` SET  `password_hash` =  '',
`password_hash_type` =  '4' WHERE  `ezuser`.`contentobject_id` =14;

Then login as admin without password and click change password on the right to set new admin password from eZ Publish,

Modified on Friday 05 June 2009 12:21:00 pm by Łukasz Serwatka

Friday 12 October 2012 2:51:44 pm

Or even something like:

update ezuser set password_hash="foobar", password_hash_type=5 where contentobject_id=473;

This inserts a plaintext password "foobar" and indicates that the password isn't hashed -- for some specific user.

The next time that you log in (I think) and depending on your configuration, ez will convert this to the default password storage which involves catenating various strings with the plaintext password, hashing all that, and updating the hash type.

So, it's ok that the password hash string changes.

expandshrink

You must be logged in to post messages in this topic!

36 542 Users on board!

Forums menu

Proudly Developed with from