WeBid Bug Tracking

View Issue Details
ID: 0000409
Project: WeBid
Category: Admin Control Panel
View Status: public
Date Submitted: 2013-01-10 13:14
Last Update: 2013-01-10 19:15
Reporter: Chrissio
Assigned To:
Priority: @0@
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.0.3
Target Version:
Fixed in Version: 1.1.0
Summary: 0000409: Admin can delete themselves
Description: The admin user can delete stupid way! This allows you to lock out yourself!

WebID then shows "Create Admin Account" after calling the admin area, and you can create a new admin-account.

I think this opens the door to abuse.

It would be better, it would protect the last remaining administrator account (for example, can't be deleted all marked as active admins?).

moved from http://www.webidsupport.com/forums/project.php?issueid=327
Tags: No tags attached.
import_id: 410
Thread
Attached Files
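
One way to implement the protection the report asks for, as an added example that is not WeBid's own code: refuse any deletion that would leave no active admin, so the "Create Admin Account" page described above cannot be reached again. The table and column names (`adminusers`, `id`, `status`) and the function `deleteAdmin` are assumptions made for illustration.

```php
<?php
// Added example, not WeBid code. Table and column names (adminusers, id,
// status) and the function name are assumptions made for illustration.

function deleteAdmin(PDO $db, int $targetId, int $actingId): string
{
    if ($targetId === $actingId) {
        return 'refused: an admin cannot delete their own account';
    }
    $db->beginTransaction();
    try {
        // Count active admins that would remain once the target is gone.
        $stmt = $db->prepare(
            'SELECT COUNT(*) FROM adminusers WHERE status = 1 AND id <> ?'
        );
        $stmt->execute([$targetId]);
        if ((int) $stmt->fetchColumn() === 0) {
            $db->rollBack();
            return 'refused: this is the last active admin';
        }
        $del = $db->prepare('DELETE FROM adminusers WHERE id = ?');
        $del->execute([$targetId]);
        $db->commit();
        return $del->rowCount() === 1 ? 'deleted' : 'not found';
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE adminusers (id INTEGER PRIMARY KEY, username TEXT, status INTEGER)');
$db->exec("INSERT INTO adminusers VALUES (1, 'alice', 1), (2, 'bob', 1), (3, 'carol', 0)");

echo deleteAdmin($db, 1, 1), PHP_EOL; // self-deletion
echo deleteAdmin($db, 2, 1), PHP_EOL; // another active admin remains
echo deleteAdmin($db, 1, 3), PHP_EOL; // only inactive carol would remain
```

On a multi-user database the count should lock the rows it reads (for example `SELECT ... FOR UPDATE` on InnoDB) so that two concurrent deletions cannot each see the other admin as still present.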

- Relationships

-  Notes
(0001061)
nay27uk (reporter)
2013-01-10 13:33
edited on: 2013-01-10 13:35

You need to be able to delete the admin account when you move to another server, because when you move server the old admin password no longer works. It has something to do with the salt and md5 of the password; I think it uses some part of the server details when making the salt or md5.

Normal user accounts are exactly the same: when moved to a new server, ordinary users' passwords no longer work either.
(0001062)
renlok (administrator)
2013-01-10 13:39

You shouldn't have to; the hash is unique to the admin user and the md5 salt is just defined in the config file.

Just make sure you note down the $MD5_PREFIX value before moving.
(0001063)
nay27uk (reporter)
2013-01-10 13:52
edited on: 2013-01-10 13:58

Sorry renlok, I was talking about transferring everything to do with webid from one server to another, including exporting the old database from the old server and importing it to the new server.

Then change relevant config file for paths.

I have always had to go into phpmyadmin on the new server and delete the admin from the table to get the page to add him again. I have also always had to set each user to a new password and send them all an email explaining it.

I have also helped a few members from this forum transfer to new servers and have had to do exactly the same thing, as the original passwords no longer worked.

So the MD5_PREFIX = ""; remains exactly as it was on the old server, because you just transferred it from the old server to the new one, changing only the PATH line in config.inc.php.
(0001065)
renlok (administrator)
2013-01-10 14:12

Hmmm, sounds like a bug to me. I'll have to look into it.
(0001066)
nay27uk (reporter)
2013-01-10 19:15

Ok mate, if you need a temp hosting account to transfer to, let me know.

- Issue History
Date Modified Username Field Change
2015-04-01 13:17 renlok New Issue
2015-04-01 13:17 renlok import_id => 410
2015-04-01 13:17 renlok Date Submitted 2015-04-01 13:17 => 2013-01-10 13:14
2015-04-01 13:17 renlok Last Update 2015-04-01 13:17 => 2013-01-10 19:15

