Magento Admin - Password Lets ANY user log in! HELP! 
 
SteveChurch
Jr. Member
 
Total Posts:  10
Joined:  2013-08-07
 

Hi All,

We have a major security issue on our Magento install. Last night one of our websites was hacked. A message was placed on the home page and it looks like some form of German / Turkish hacking group.

The issue we have is when you type in the username admin you can put ANY password in the field and it will log you in. Does anyone know where to begin looking with this?

I have looked through the Varien file and other session files and they all look fine to me.

Regards
Steve

SteveChurch

This has been resolved.

There was a major issue in the release code:

In user.php this code was causing the issue:
if ($sensitive && $this->getId() || Mage::helper('core')->validateHash($password, $this->getPassword())) {

Changed to this:
if ($sensitive && $this->getId() && Mage::helper('core')->validateHash($password, $this->getPassword())) {
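
Added example, not part of the original posts and not Magento code: a stand-alone PHP model of the two conditions quoted above, showing why the `||` form logs in an existing user with any password. The closures `$broken` and `$fixed`, the `password_verify()` stand-in for `validateHash()`, and all sample values are constructed for illustration; `$sensitive` is assumed to be true.

```php
<?php
// Added illustration; not Magento code. The two closures reproduce only the
// boolean shape of the two conditions quoted in the post.

// Constructed stand-in for Mage::helper('core')->validateHash(): a plain
// password_verify() against a hash generated here.
$storedHash = password_hash('correct horse', PASSWORD_DEFAULT);
$validateHash = function (string $password) use ($storedHash): bool {
    return password_verify($password, $storedHash);
};

// "Before" condition: && binds tighter than ||, so PHP parses it as
// ($sensitive && $id) || validateHash(...). Once the user record exists,
// the left side is already true and the hash check is never evaluated.
$broken = function (bool $sensitive, ?int $id, string $password) use ($validateHash): bool {
    return $sensitive && $id || $validateHash($password);
};

// "After" condition from the post: all three terms must hold.
$fixed = function (bool $sensitive, ?int $id, string $password) use ($validateHash): bool {
    return $sensitive && $id && $validateHash($password);
};

// Constructed cases: [label, $sensitive, user id (null = no such user), password]
$cases = [
    ['existing user, right password', true, 1, 'correct horse'],
    ['existing user, wrong password', true, 1, 'anything'],
    ['unknown user, wrong password', true, null, 'anything'],
];

printf("%-32s %-8s %-8s\n", 'case', 'before', 'after');
foreach ($cases as [$label, $sensitive, $id, $password]) {
    printf(
        "%-32s %-8s %-8s\n",
        $label,
        $broken($sensitive, $id, $password) ? 'LOGIN' : 'deny',
        $fixed($sensitive, $id, $password) ? 'LOGIN' : 'deny'
    );
}
```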

paulborsky
Member
 
Total Posts:  31
Joined:  2009-01-14
Russia
 

Hello Steve,

I think you earlier had a problem logging in to the Magento admin panel, tried to find a solution, and possibly found it here: http://stackoverflow.com/a/13618532

So this is not a Magento problem, since you have changed a core file.

Kind Regards,
Paul Borsky
