Joomla Log In Problem

apps

#1

My Joomla 1.5 log in does not let me in anymore. I have not changed my user name or password. I have checked my site and find no suspicious activity. What recourse do I have to gain access to the backside of my website? The site is www.imnotafraidpublications.com .

Thanks
Rex

“Listen to someone’s stories and they will think you are a very interesting person”


#2

I know nothing of Joomla (Drupal man myself), but I would advise two things…

  • Tell us EXACTLY what it does when you try to log in, and what happens when you try to use the built in reset password function.
  • Also ask in the Joomla forums.

Daniel Runyon Com


#3

There is a known vulnerability for Joomla! versions 1.5.x less than 1.5.6 that can result in a compromised admin password, and this may have been the cause of what you are experiencing.

The first step, of course, it to regain access to the administrator area of the site, and there is a great guide to doing this here:

http://hpanswers.blogspot.com/2008/06/how-to-recover-reset-joomla-15-super.html

If you want to read more about the vulnerability, there are lots or links … here is one:

http://www.compassdesigns.net/joomla-blog/Admin-Password-Reset-Vulnerability-in-Joomla-1.5.html

–rlparker
–DreamHost Tech Support


#4

I have accessed the database and have tried to save my new password. I cannot save it. I have messed with it for over an hour and clicked on every button I can find. The data base remains the same. I have tried doing a copy and paste using the password listed in the data base to access the backside of the website. The response is incorrect user name and/or password. I have followed the link you sent me and it was great until I get to the end and try to save. All I get is a “go” button but then the next screen does not have a “save” button or anything I can find that says the change is complete. It lists the change I want to make and the existing password but I can find nothing to click on that completes the deal. What am I doing wrong?

Please help!

Rex Bernard

“Listen to someone’s stories and they will think you are a very interesting person”


#5

From your description of what you have done, you likely have saved the new password. phpMyAdmin doesn’t have a “save” button - when you hit “go”, a MySQL query is built and executed that updates the database (saves, if you will).

“Copying and Pasting” the password in the database after the save will not work, as that is the MD5’d string resulting from the text you entered (assuming you are following the instructions on the link I sent you).

What you should be using as the password is the text string that you first put in before you hit the go (and for which you used the MD5 function) - what is in the database after the save is the result of that MD5 hashing. So, if you changed the password to “letmein”, used the pulldown to apply the MD5 hash to it, and then hit go, the resulting string of characters is the hashed value, and will not work as the password. What will work is the “letmein” string (it will be converted as needed by the Joomla! code, and will be compared to what is found in the database - if it matches, you will be allowed access.

–rlparker
–DreamHost Tech Support


#6

I have done exactly that. I have entered a new password. Hit go and left. When I say —left— I mean closed the browser tab. Also… three times I have tried to exit the program by using the little exit icon on the upper left but I get a log in screen. To me…that is weird. When I insert my user name and password into the log in screen (the same user name and password that I used to get in originally) it would not take it. When I go back to the data base, the coded password is exactly as before. I assume it is the PHP scripting that goes with my typed password. However, when I try to log in to the backside of my website, it still locks me out. Any idea of what is happening or what I am doing wrong?

“Listen to someone’s stories and they will think you are a very interesting person”


#7

That is entirely normal. When “exiting” phpMyAdmin, you are returned to the basic Apache authentication screen to access phpMyAdmin, so nothing is out of order there.

At this point, without looking over your shoulder and watching what you are doing, no I don’t have a clue what might be happening.

–rlparker
–DreamHost Tech Support


#8

My guess is that the password needs to be encrypted. Sometimes, when all else fails, I blank out the password (empty) and then try logging in. Or make sure the account has a valid email address and go through the Recover Password process.

-Scott


#9

Actually, it seems that the problem with resetting the password was that the instructions for resetting the password assume you are using the default “jos_” prefix for your database tables. The database that was in use for the site had duplicate sets of tables (different prefixes) and it is not readily apparent which of those sets of tables the application uses (you need to inspect the configuration code to determine which is the one the site uses).

In this case, the application was using one of the other sets of tables (with a different prefix), so changing the “jos_users” table all day long would have no effect!

I only share this in the hopes that it will be of use to others - most generic applications’ instructions assume default installations, and if your installation differs, you will to adjust those instructions accordingly to accommodate your circumstances.

In this case, it meant editing a different table than the one the instructions described! :slight_smile:

[color=#CC0000]Added important note[/color] (not directed at Scott, who knows this well, but for other readers):

<on_soapbox>
It is very important, even critically important, if you are running a popular web application, to keep your installations current!

The very popularity of the platform you are using will almost guarantee that miscreants will try to find a way to compromise your application, and you really do need to keep abreast of developments in this area and upgrade your installations so that they are secured from known vulnerabilities.

Almost every update to a popular web application has some security related patch, and you need to have these!
<off_soapbox>

–rlparker
–DreamHost Tech Support


#10

Definitely. Fact is the majority of all software updates are pushed forward to close security issues.

I’m curious; do the “Basic” One-Click Installs auto-update to the latest versions?

From what I’ve read here they are quite vanilla and that if installed with the ‘Basic’ flag you can’t really change anything of importance in regard to core functionality. If that’s the case then autoupdate might be good for those who “set and forget”.

That’s if it’s not implemented already, of course.

Maximum Cash Discount on any plan with MAXCASH


#11

Actually, there are two types of “one-click” installs available on DreamHost - the “easy” and the “advanced”. I think what you are referring to, given your description of them, are the “easy” one-clicks.

While they don’t really “auto-update” in the sense that our one-click development team actually updates them, they appear to automatically update to the user, as there is no user interaction involved. Usually very quickly after a new release (often same day, sometimes within a few days, depending upon the nature of the release), our one-click development team updates the code base for these applications, so there is nothing for the user to do. In fact, as they can’t get at the codebase, users can’t update these applications themselves.

The “advanced” one-clicks work differently. With these, our development team also updates the software, but the user needs to go to the “Goodies -> One-Click” section of the account control panel and actually “trigger” the update themselves.

It is set up this way as, because the user does have access to the filesystem/codebase for these installations, users may have significant customizations they need to preserve before an update.

Of course, because of this access to the codebase of the “Advanced One-clicks”, the user can also update manually themselves if they want to do it that way, or if they want to do it before the development team makes the update available in the one-click system.

–rlparker
–DreamHost Tech Support


#12

Ahh yes, it was “Easy” mode I was babbling about.

Thanks for confirming that “Easies” are handled automagically via a communal codebase.

Maximum Cash Discount on any plan with MAXCASH