thirty bees forum

Need help


Question

11 answers to this question


  • 0
Posted

Hi, this can be done super simply in the database. Do you have a phpMyAdmin login? I hope so... just use the simple option:

  1. Select your thirty bees database in phpMyAdmin.
  2. Locate the _employee table (the prefix might vary, e.g., tb_employee).
  3. Click Browse and find your user account row, then click Edit.
  4. Under the passwd column, change the Function dropdown to MD5.
  5. In the Value field, type your new password (the shop will now automatically turn your new password into an MD5 hash).
  6. Click Go at the bottom right to save the changes.
  7. You can now log in to the admin panel.

and you can also find help here:  

and 

 

 

  • 0
Posted

The approach described by @DRMasterChief will not work on newer versions of thirty bees, intentionally.

You can check whether your tb_employee table contains the column signature. If the column exists, you can't change the email/password in the table manually. You also need to change the value of the signature column, but for that you need to know a secret that's not available to mysql.

This mechanism exists to prevent attackers from elevating SQL injections into complete access. If your store contained an SQL injection vulnerability (often caused by older third-party modules), an attacker could use it to change the admin password and then log in (basically the same mechanism described above). With the requirement to change the signature as well, this no longer works.

You can use force-login php script to log into your admin, see this post: 

 

You will have to:

  1. upload the force-login.php file into your admin123xyz directory (every installation has a different admin folder name)
  2. open the URL https://your.store/admin123xyz/force-login.php
  3. this will log you in as an admin
  4. change the password
  5. delete the force-login.php script 
  • Thanks 1
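To make the mechanism datakick describes concrete, here is an added illustration (not thirty bees' code, and not its actual hash or signature format, which the thread does not show): each employee row carries a password hash plus an HMAC over the row's identifying fields, keyed with a secret that lives in the application's config and never in the database (the thread's _COOKIE_KEY_). A write that reaches only the database, whether through phpMyAdmin or an SQL injection, can replace the hash but cannot recompute the signature, so the application rejects the row at login. Names such as `sign_row`, `login` and the sample secret are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Optional

# Server-side secret kept in a config file, never in the database. The thread
# refers to thirty bees' equivalent as _COOKIE_KEY_. Constructed sample value.
COOKIE_KEY = "constructed-sample-secret-do-not-reuse"


@dataclass
class EmployeeRow:
    """One row of the employee table: password hash plus a keyed signature."""
    id_employee: int
    email: str
    passwd: str      # password hash
    signature: str   # HMAC over (id_employee, email, passwd) keyed with COOKIE_KEY


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Salted PBKDF2-SHA256 hash, a stand-in for PHP's password_hash()."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"pbkdf2_sha256${salt}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, salt), stored)


def sign_row(id_employee: int, email: str, passwd: str, key: str = COOKIE_KEY) -> str:
    """HMAC-SHA256 over the row fields; JSON encoding avoids field-boundary ambiguity."""
    message = json.dumps([id_employee, email, passwd], separators=(",", ":")).encode()
    return hmac.new(key.encode(), message, hashlib.sha256).hexdigest()


def create_employee(id_employee: int, email: str, password: str) -> EmployeeRow:
    """Application-side account creation: hash the password, then sign the row."""
    passwd = hash_password(password)
    return EmployeeRow(id_employee, email, passwd, sign_row(id_employee, email, passwd))


def login(row: EmployeeRow, email: str, password: str) -> bool:
    """Reject the row outright if its signature does not verify, then check the password."""
    expected = sign_row(row.id_employee, row.email, row.passwd)
    if not hmac.compare_digest(row.signature, expected):
        return False
    return row.email == email and verify_password(password, row.passwd)


def db_only_password_change(row: EmployeeRow, new_password: str) -> EmployeeRow:
    """What a write that bypasses the application can do (phpMyAdmin, or an SQL
    injection): overwrite passwd, but leave the old signature in place, because
    the key needed to recompute it is not in the database."""
    return EmployeeRow(row.id_employee, row.email, hash_password(new_password), row.signature)


def app_password_change(row: EmployeeRow, new_password: str) -> EmployeeRow:
    """The application's own path: new hash and a fresh signature computed with the key."""
    passwd = hash_password(new_password)
    return EmployeeRow(row.id_employee, row.email, passwd,
                       sign_row(row.id_employee, row.email, passwd))
```

Running `login()` against a row produced by `db_only_password_change()` returns False for both the old and the new password, which is the behaviour the thread describes: the row is simply no longer trusted. Only a change made through the application, which holds the key, yields a row that logs in. A practical check for a store owner is therefore the one datakick gives: if the signature column exists, direct edits to passwd will lock the account out rather than reset it.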
  • 0
Posted
12 hours ago, Madhosh said:

I tried to reset my password but I don't get my new password anymore.

It is likely that, following the upgrade, neither the ‘Mail via PHPMailer’ nor the ‘Mail via SwiftMailer’ email transport module has been configured.

Since version 1.6.0, email is no longer supported via the PHP mail() function.

  • 0
Posted (edited)
9 hours ago, datakick said:

will not work on newer versions of thirty bees, intentionally.

Well you guys will make TB so secure that the owner can not get back into the BE. 
 

Edited by nickz
  • 0
Posted
54 minutes ago, nickz said:

Well you guys will make TB so secure that the owner can not get back into the BE. 

As it should be.

SQL injections are really bad, of course, as an attacker can extract or change all information in your store.

But gaining access to the PHP side is much more severe. An attacker can then do anything they want.

Making it impossible for store owners to change email and password manually in database is a small price to pay.

  • 0
Posted
9 minutes ago, datakick said:

SQL injections are really bad, of course, as an attacker can extract or change all information in your store.

You can monitor your shop and all files; it does not cost the world. 
A little self-responsibility is not wrong to have. If that were optional, it would be user-friendly. 
Truth be told, I liked TB 1.3 best.  

  • 0
Posted
1 minute ago, nickz said:

You can monitor your shop and all files; it does not cost the world. 
A little self-responsibility is not wrong to have. If that were optional, it would be user-friendly. 
Truth be told, I liked TB 1.3 best.  

Not really sure what we are talking about here.

The fix for this problem was, previously, to change the password directly in the database. Which would, in fact, be a bit more complicated than it was written in the post above, because plain md5 would not work. The password would have to be salted with _COOKIE_KEY_ for this mechanism to work. You could, however, insert any password generated by the php function password_hash.

The new solution is to use a php script to log in to your server.

To me, those two solutions are similar in complexity. For a lot of people the new solution might even be easier, as it's just uploading a file using FTP. Changing data directly in the database may be more scary.

  • 0
Posted
1 minute ago, datakick said:

To me, those two solutions are similar in complexity.

Knowing the admin name, a hacker just uses the php script. 
To secure your backend you could use a redirect, and have no contact form, as those are gateways into the database. 

  • 0
Posted
2 minutes ago, nickz said:

Knowing the admin name a hacker just uses the php script

that's why the recovery steps explicitly say:

    delete the force-login.php script 

 

  • 0
Posted (edited)

What’s your take on additionally securing the admin page with an .htpasswd file?  (regardless of everything else)

I think it's great that there is an official script that is user-friendly and also prevents the simple replacement of access credentials in SQL. Thanks!

Edited by DRMasterChief
  • 0
Posted
3 minutes ago, DRMasterChief said:

What’s your take on additionally securing the admin page with an .htpasswd file?

A little bit unnecessary, since everything is protected behind the admin password anyway.

One of the reasons to do this is to protect against any potential vulnerabilities in admin PHP files -- an attacker can't exploit them if they can't access that portion of the website in the first place. But there are not that many php files in the /admin directory, so...
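For readers who want to follow DRMasterChief's suggestion, this is an added example of what the .htpasswd protection looks like for an Apache-served shop; it is not thirty bees' own configuration. It assumes Apache 2.4 with mod_auth_basic, that the server allows `AllowOverride AuthConfig` for the shop's document root, and that the password file is created beforehand with `htpasswd -c /path/outside/webroot/.htpasswd adminuser`. The directory name and file path are placeholders, to be replaced with the installation's own.

```apache
# Placed as .htaccess inside the (renamed) admin directory, e.g. admin123xyz/.
# Every request into this directory, including any PHP file that lives here,
# must pass HTTP basic auth before the shop's own admin login is ever reached.
AuthType Basic
AuthName "Shop administration"
# Keep the password file outside the web root so it cannot be fetched over HTTP.
# Placeholder path; adjust to your server.
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user
```

The value of this layer is the one datakick names: a bug in an admin PHP file is not reachable by someone who cannot authenticate to the directory at all, and that applies to any helper script left behind there too. It adds a second set of credentials to manage, which is the trade-off behind his "a little bit unnecessary".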
