Lost password - cant receive reset email

Topic: Lost password - cant receive reset email (Read 3047 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.

Lost password - cant receive reset email

June 21, 2016, 06:32:57 pm

Hello everyone. I would lose my head if it wasn't attached.

I am the admin and proud user of a forum built with Elkarte. I know it will send me a mail if I lose my password. Unfortunately, the "cheapie" host I have, apparently is not allowing scripts to send mail.

1, what do I need to tell the host? I think its "allow sendmail" or can I allow it myself from cPanel?
2, is there a way for me to retrieve my password, maybe using FTP looking at the config file?

Congrats to all those involved in the creation of Elkarte BTW. I have used half a dozen free forum scripts and this is by far the best. I just removed a forum script (that's named after a milkshake flavor if you get my drift) and am using Elkarte in its place.

Thanks
Matt

Re: Lost password - cant receive reset email

Reply #1 – June 21, 2016, 07:43:30 pm

Do you have access to the database? If so, register a second account. In the database make it a member of group 1. This gives it admin privileges. Then use that account to reset your other account. Finally, do whatever you like with the second account. Keep it as an admin, delete it, or whatever. I like having a second account on my forums for testing purposes. It can assigned to various membergroups so you can see precisely what they see. Great for troubleshooting permissions issues, etc.

Re: Lost password - cant receive reset email

Reply #2 – June 21, 2016, 07:46:06 pm

Thanks badmonkey. May try that as a last resort. I do have full access to cPanel and DB. Thought there was a place in phpMyAdmin where I could go in and reset it. Or a config file.

Re: Lost password - cant receive reset email

Reply #3 – June 21, 2016, 08:15:33 pm

Quote from: elk_is_cool – June 21, 2016, 07:46:06 pmThanks badmonkey. May try that as a last resort. I do have full access to cPanel and DB. Thought there was a place in phpMyAdmin where I could go in and reset it. Or a config file.

There isnt direct password access in the database. The stored info is hashed. Now, in theory someone could throw together all the variables, use some software to reproduce the hash, copy it into the database. But that's more work than the first.

Setting another user to admin privileges in the database is literally editing a 2 to a 1. Just a thought.

Re: Lost password - cant receive reset email

Reply #4 – June 21, 2016, 09:17:50 pm

OK, maybe I'll give that a try.

Re: Lost password - cant receive reset email

Reply #5 – June 22, 2016, 03:07:09 am

Hi and welcome.

Another way is to go to the members table in phpmyadmin, find your nick, edit the password_salt field, remove the value (leave it empty), in the same way change the field passwd to whatever password you want, and then login with it.

Thinking about it, this is (still) a potential surface of attack, I feel we should consider removing this "goodie".

Re: Lost password - cant receive reset email

Reply #6 – June 22, 2016, 03:33:13 am

Quote from: emanuele – June 22, 2016, 03:07:09 amThinking about it, this is (still) a potential surface of attack, I feel we should consider removing this "goodie".

Doesn't make much sense, if you have phpmyadmin access, you can create an admin account and do bad things anyway

Re: Lost password - cant receive reset email

Reply #7 – June 22, 2016, 03:56:37 am

That's not the whole picture.

Re: Lost password - cant receive reset email

Reply #8 – June 22, 2016, 05:15:42 am

You could also edit other people's passwords? You can do it anyway... :/
Tell me that "whole picture" then, if it's not what you mean.

Re: Lost password - cant receive reset email

Reply #9 – June 22, 2016, 07:42:27 am

For the moment it's enough that I and a handful of people with good eye for security know the whole picture.
It's not particularly wise to publicly disclose surfaces of attack even if are rather narrow and require quite a bit of things to happen at once.

Re: Lost password - cant receive reset email

Reply #10 – June 22, 2016, 10:26:45 am

Thanks everyone for the suggestions. Since its a brand new forum I made, (no members yet) and I really don't know phpMyAdmin enough to be fooling around there, I just deleted the DB and install and recreated the forum. I sure don't want to give hackers any help on attacking ElkArte, so DO feel free to delete this thread if you think its a good idea to do so Emanuele, or if I can delete my own thread, I will if you want me to. Will leave it up to you all...

Re: Lost password - cant receive reset email

Reply #11 – June 22, 2016, 10:41:07 am

Well, usually is better to learn a new tools (phpmyadmin) when you have the possibility to rebuild our forum from scratch.
Now you still don't know phpmyadmin and next time you may have members you can't afford to lose.

Re: Lost password - cant receive reset email

Reply #12 – June 22, 2016, 11:05:57 am

Quote from: elk_is_cool – June 22, 2016, 10:26:45 amso DO feel free to delete this thread if you think its a good idea to do so Emanuele, or if I can delete my own thread, I will if you want me to. Will leave it up to you all...

There is no reason to delete it. The code is there speaking for itself.
Just there are edge cases not written in the code that may very well be worth taking into account.

Re: Lost password - cant receive reset email

Reply #13 – June 22, 2016, 01:50:55 pm

Quote from: emanuele – June 22, 2016, 10:41:07 amWell, usually is better to learn a new tools (phpmyadmin) when you have the possibility to rebuild our forum from scratch.
Now you still don't know phpmyadmin and next time you may have members you can't afford to lose.

VERY good point I never thought about. If I had members, that would not have been good to do what I did. I think its time I study up on using phpMyAdmin.