can not log in after update to newest version

[robertr]

Hi there,

first thanks for your excelent work.

I just upgraded to the newest Frolor version.

When try to log in, I now get a yellow warning: A newer version of Froxlor has been installed but not yet set up.
Only the administrator can log in and finish the update.

However I can not login. I always get a : Error The username or password you typed in is wrong. Please try it again!

I did try to set the password of the Admin user in mysql using:

mysql> UPDATE `panel_admins` SET `password` = MD5('XXXXX') where `adminid`='1';
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0

mysql> select adminid,loginname,name,password from panel_admins where adminid='1';
+---------+-----------+------------+----------------------------------+
| adminid | loginname | name       | password                         |
+---------+-----------+------------+----------------------------------+
|       1 | Admin     | Rottermann | d21c9d881eba6988be480efab45de2b9 |
+---------+-----------+------------+----------------------------------+
1 row in set (0.00 sec)

 

could anybody please help

thanks

Robert

 

[robertr]

Ahhhhhhhhhhhhhhhh

As so very often in such cases, it was mere stupidity ..

I copied a wrong userdata.inc.php, which still had syscp as databse. And mysql still has such a database.

Time to clean up

 

thanks for your support

robert

[d00p]

Anything in the syslog/Apache error log? Remember the login name is also case sensitive

[robertr]

Thanks a lot

Using the old version of froxlor (Installierte Version:     0.9.38-rc2 (DB: 201610070), this is what I found in the pannel)

I can easily login as Admin, with the password I set.

When I swap the froxlor folder with the newest version, and restart apache2, I can not login anymore.

In the syslog file I get the following error:

/var/log/syslog
102756:Feb 28 17:37:32 susanne froxlor[32103]: froxlor.WARNING: User 'Admin' tried to login with wrong password. {"source":"login","action":"50","user":"46.140.127.198"} []

 

robert

[d00p]

The login procedure did not change from 0.9.x to 0.10.x - this should still work just fine (and does so for most of the users I guess or else I would have many more reports about that here).

What setting according to Password Hash Algorithm do you have enabled? Froxlors default is SHA256 - possibly, if set to BLOWFISH it can happen that the system does not support it (as froxlor tries to update the given password from md5 - if still stored in that format to the currently used). But froxlor's settings should only show you the available hashes - maybe it's set to a prior available setting and it was never changed?

[robertr]

Where would I find out what algorithm should be used?

In v0.9 I used:

mysql> UPDATE `panel_admins` SET `password` = MD5('XXXXX') where `adminid`='1';

so for v0.9 it is MD5.

Where in the settings can I see/set the used algorithm?

Is there a way to hack a bypass?

I am a programmer myself, but unfortunately I never learned about php...

robert

[d00p]

Just now, robertr said:

so for v0.9 it is MD5.

not necessarily, was a setting even in 0.9.x, as said, if froxlor finds "old" md5 it tries to update it to the currently used hash-algorithm (if not set to md5)

You can find the corresponding option in Settings -> Seurity Options

[d00p]

You can read that from mysql directly: 

SELECT `value` FROM `panel_settings` WHERE `varname` = 'passwordcryptfunc'

The result is mapped as following:

0 => system default
1 => MD5
2 => BLOWFISH
3 => SHA-256
4 => SHA-512

 

[robertr]

the result is 1, so it is MD5

I now even set a new password from froxlor itself, with which I can login in the old version

in the new version, this credentials are not accepted.

Is there a way to tell froxlor to create more debug info?

[d00p]

No, the little information on failed logins is intended. If you want you can PM me the server credentials (root) and I can debug live to see what's wrong there

[d00p]

nice

[Exploit]

Same I have here with an account from a client. From my linux machine the login works fine, from a windows machine not. I didn't dive into the used login procedure, but I guess that the cause is something with the character set.
I've noticed issues with an previous froxlor version from the last year, where it helped to remove the browser cache. On both machines, Linux and Windows, I've been using Firefox.

[Exploit]

Now I have had a look at the HTTP requests. What happens is not the same as when I try to log in with the wrong password. In summary, the following happens:

Request: POST index.php, what is striking here is the cookie line of the request, in which the PHPSESSID variable is set twice with two different values!
Response: 302 to customer_index.php, Set-Cookie: PHPSESSID=(new value)

Request: customer_index.php, Cookie: PHPSESSID set twice again
Response: 302 to index.php

No error message appears, as after entering an incorrect password,

After deleting the cookies in the browser, the login also worked under Windows!

Conclusion: something messes up the Session Cookie.