Forums / Install & configuration / Password lost - help!

Password lost - help!

Author Message

Noicokuna Niemoge

Friday 05 June 2009 1:14:22 am

Hello;

How to retrieve admin password? I tried to insert new md5 hash into ezuser table but it's not working for me. What's the "type 2 hash"?

Shiki soku ze ku...

Sébastien Morel

Friday 05 June 2009 1:26:32 am

Hi,

If you look in the class user : kernel/classes/datatypes/ezuser/ezuer.php (line 1557 )

static function createHash( $user, $password, $site, $type, $hash = false )
    {
        $str = '';
        if( $type == self::PASSWORD_HASH_MD5_USER )
        {
            $str = md5( "$user\n$password" );
        }
        else if ( $type == self::PASSWORD_HASH_MD5_SITE )
        {
            $str = md5( "$user\n$password\n$site" );
        }
        else if ( $type == self::PASSWORD_HASH_MYSQL )
        {
            $db = eZDB::instance();
            $hash = $db->escapeString( $password );

            $str = $db->arrayQuery( "SELECT PASSWORD( '$hash' )" );
            $hashes = array_values( $str[0] );
            $str = $hashes[0];
        }
        else if ( $type == self::PASSWORD_HASH_PLAINTEXT )
        {
            $str = $password;
        }
        else if ( $type == self::PASSWORD_HASH_CRYPT )
        {
            if ( $hash )
            {
                $str = crypt( $password, $hash );
            }
            else
            {
                $str = crypt( $password );
            }
        }
        else // self::PASSWORD_HASH_MD5_PASSWORD
        {
            $str = md5( $password );
        }
        eZDebugSetting::writeDebug( 'kernel-user', $str, "ezuser($type)" );
        return $str;
    }

at the begining of class

    /// MD5 of password
    const PASSWORD_HASH_MD5_PASSWORD = 1;
    const PASSWORD_HASH_MD5_USER = 2;
    const PASSWORD_HASH_MD5_SITE = 3;
    const PASSWORD_HASH_MYSQL = 4;
    const PASSWORD_HASH_PLAINTEXT = 5;
    const PASSWORD_HASH_CRYPT = 6;

So in your case (the default case) the constant is PASSWORD_HASH_MD5_USER.

So to force a new valid pass in the ezuser table you have to make a hash like

$str = md5( "admin\n$MYPASSWORD" );

++

--
eZ c'est plus fort que toi !
http://www.ez-france.org
http://blog.plopix.net
@Novactive (http://www.novactive.com)

Noicokuna Niemoge

Friday 05 June 2009 1:28:58 am

Thanks for fast reply :)

Hmm... I try to generate this password as type 2 in an md5 hash calculator, but without any success. Any ideas? Should I include there that \n string or is it a break? I think it's a string?

I generated a password like admin\nmypassword, but the hash doesn't work. By now I login as type 1 pass, but every time I log out it gets changed in the DB to type 2, which is not that convenient.

Shiki soku ze ku...

Sébastien Morel

Friday 05 June 2009 1:55:01 am

For me

print md5("admin\nmypassword");

return

4a964898a3133cf2507ff82962c3a88a

and it's ok for me( I just tested)

Are you sure, your problem comes from the password ? eZ shows error from user/password or siteaccess ?

++

--
eZ c'est plus fort que toi !
http://www.ez-france.org
http://blog.plopix.net
@Novactive (http://www.novactive.com)

Noicokuna Niemoge

Friday 05 June 2009 1:58:48 am

Well, I noticed that whenever I log out (when I change hash in the database and hash type to 1), eZ Publish changes hash type to 2 and also... changes the hash itself (changes password).

eZ even doesn't display an error "invalid password" just redirects me again to login form. Also, no errors are visible in error log.

Hmm, is it possible that I got hacked?

If yes, tell me please how to manually disable logins because today I'm going abroad and won't be able to sit and solve that problem instantly. :/

Shiki soku ze ku...

Łukasz Serwatka

Friday 05 June 2009 3:20:31 am

Try run:

UPDATE  `YOURDBNAME`.`ezuser` SET  `password_hash` =  '',
`password_hash_type` =  '4' WHERE  `ezuser`.`contentobject_id` =14;

Then login as admin without password and click change password on the right to set new admin password from eZ Publish,

Personal website -> http://serwatka.net
Blog (about eZ Publish) -> http://serwatka.net/blog