
Login/Password lock-out

Started by shockingsociety, September 14, 2009, 10:01:43 AM


shockingsociety

At the moment I've got a temporary password system operating. I'd like to switch the main Coppermine password system on but the last time I did that it caused massive lock-out problems. Anyone who entered the wrong password caused the entire system to shut down. Not just his/her access to Coppermine but everyone's access to Coppermine. And if, while I was testing the system, I entered an incorrect login/password, my access to Coppermine, the cPanel, and even access to my service provider's web site was blocked.

Has anyone else experienced this problem? Any advice before I risk it again? My service provider has advised me to use an alternative system to Coppermine's but that sounds crazy to me. Coppermine seems to work for everyone else and I'm mystified why it caused such a ferocious lock-out on my site.

His advice...

"You are best to use a gallery script that includes a payment gateway and user login.  Suggest you look in hotscripts.com and look around to see what other webmasters are using. You need to spend time researching this."


phill104

Can you post a link to your site?

I agree that it sounds crazy. No script should destroy a server in the way you describe unless the server is very badly set up. If your host cannot tell you what went wrong and came out with such an excuse then maybe you should consider changing host.

As for Coppermine causing this, it is not something I have ever heard of before, but maybe one of the other devs has, though I am sure they will agree that it is a hosting issue if it locks out other sites on the same server.
It is a mistake to think you can solve any major problems just with potatoes.

onthepike

I don't believe that's a legitimate and responsible reply from your host support, so let's ignore it and move ahead.

Usually, with respect to login issues, forum policy mandates a link to your gallery and a non-admin test account, but I can understand your apprehensiveness due to the circumstances. Still, it will make it that much more difficult for some to provide assistance.

So, let's eliminate some settings that may cause something like this. First, I would update the gallery to the latest version. You didn't indicate your current version and you must. But before updating, FTP into your account (be sure your client is set to show hidden files, if necessary) and search your web space for files called .htaccess (including the "."). If you have any of them (and they may be inside every folder you have from your document root down), FTP them to your desktop, then delete them from your web space.

Next, access phpMyAdmin (you will have to log into your cPanel for this) and find your Coppermine database on the left-side navigation bar. Select and click the CPG database and then select and click cpg_config. If you are using a more recent release of CPG, look to your right for "Page number" and select 4. Scroll down to login_threshold and verify the number -- most use 5. If your number is 0 or 1, change it to 5 or more. If your number was 0, or has no data at all, this could cause your CPG issue, but not your account issue. And I don't see how they could be related unless (a) you were hacked and (b) the hack places .htaccess files within your web space directories.

I don't know that I could assist you any more than this. You can try the steps above, then update your gallery to the latest version.

You should also have a look at this thread: http://forum.coppermine-gallery.net/index.php/topic,51927.0.html

You may have been hacked, and if so, the above will cure you.
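
The .htaccess step from the post above, as an added example (not part of the thread and not Coppermine code): a POSIX shell helper that backs up every .htaccess file found under a local copy of the web space and marks those containing access-control or redirect directives for review before anything is deleted. The function names, sample tree and paths are constructed for illustration, and the backup directory is assumed to lie outside the scanned root.

```shell
#!/bin/sh
# Added example: back up and triage .htaccess files before deleting them.
# Function names and the sample tree are constructed for illustration.

# Apache directives that can block or redirect visitors.
HT_PATTERN='^[[:space:]]*(order|deny|allow|require|rewriterule|rewritecond|redirect|redirectmatch|errordocument)[[:space:]]'

# audit_htaccess ROOT BACKUP: copy each .htaccess under ROOT into BACKUP
# (same relative path) and print "REVIEW<TAB>path" or "ok<TAB>path".
# Assumes BACKUP is outside ROOT. Runs in a subshell so variables stay local.
audit_htaccess() (
    root=${1%/}
    backup=$2
    mkdir -p "$backup" || exit 1
    # -exec ... {} + hands paths over as arguments, so spaces are safe.
    find "$root" -type f -name .htaccess -exec sh -c '
        root=$1; backup=$2; pattern=$3; shift 3
        for file do
            rel=${file#"$root"/}
            mkdir -p "$backup/$(dirname "$rel")"
            cp -p "$file" "$backup/$rel"      # -p keeps the mtime as evidence
            if grep -Eiq "$pattern" "$file"; then flag=REVIEW; else flag=ok; fi
            printf "%s\t%s\n" "$flag" "$rel"
        done' sh "$root" "$backup" "$HT_PATTERN" {} + | LC_ALL=C sort
)

# Constructed sample standing in for a local copy of the web space.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site/albums/userpics" "$d/site/include"
    printf 'Order deny,allow\nDeny from all\n' > "$d/site/.htaccess"
    printf 'RewriteEngine On\nRewriteRule ^ http://example.invalid/ [R,L]\n' \
        > "$d/site/albums/userpics/.htaccess"
    printf 'Options -Indexes\n' > "$d/site/include/.htaccess"
    printf '%s\n' "$d"
}

# Stand-alone use: sh audit.sh /path/to/local/copy /path/to/backup
if [ "$#" -eq 2 ]; then audit_htaccess "$1" "$2"; fi
```

Files marked REVIEW are the ones whose rules could explain a site-wide block or redirect; the backup copies keep their original modification times for comparison with the date the lock-out began.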

onthepike

Quote from: Phill Luckhurst on September 14, 2009, 10:18:18 AM
Can you post a link to your site? I agree that it sounds crazy. No script should destroy a server in the way you describe unless the server is very badly set up. If your host cannot tell you what went wrong and came out with such an excuse then maybe you should consider changing host. As for Coppermine causing this, it is not something I have ever heard of before, but maybe one of the other devs has, though I am sure they will agree that it is a hosting issue if it locks out other sites on the same server.

I agree. I have never heard of such a thing. Definitely sounds like a server issue, but the host support seems uninterested.

However, it could be a hack, nonetheless. It might be a hack that didn't penetrate CPG, but instead another, more vulnerable script.

shockingsociety

Thanks for your help guys. My site is an adult site and I was worried in case there are rules against such things. I notice you have to tip-toe on bulletin boards these days because there's always someone who takes offense at something and then I get banned. I'm dead new to this so I'm not even sure how I tell which version of CM I've got. All I can say is that I downloaded it about three months ago.

Joe Carver

Quote
Board Rule #8

........it's mandatory that you always post a link to your coppermine gallery page when asking for support. If your site contains adult content, make sure to post a warning together with your link!

In your settings for: Admin -> Config -> User settings -> Number of failed login attempts until temporary ban

What do you have set for a value?


onthepike

Because as stated, there exists the potential for lockout which requires host support, I asked the same question via phpMyAdmin:

Quote from: onthepike on September 14, 2009, 10:26:23 AM
Next, access phpMyAdmin (you will have to log into your cPanel for this) and find your Coppermine database on the left-side navigation bar. Select and click the CPG database and then select and click cpg_config. If you are using a more recent release of CPG, look to your right for "Page number" and select 4. Scroll down to login_threshold and verify the number -- most use 5. If your number is 0 or 1, change it to 5 or more. If your number was 0, or has no data at all, this could cause your CPG issue, but not your account issue. And I don't see how they could be related unless (a) you were hacked and (b) the hack places .htaccess files within your web space directories.

If an attempt to login fails, the user may have to wait longer to resolve the issue.

phill104

Quote from: shockingsociety on September 14, 2009, 02:58:16 PM
My site is an adult site and I was worried in case there are rules against such things.

We are happy for you to post a link but as with any adult site we ask you to make users aware by tagging it with Not Suitable For Work or similar in nice bold letters. I am sure you are aware that even mild nudity can cause problems for some people.

Please post a link to your site and hopefully we can begin to get to the bottom (no pun intended) of this.
It is a mistake to think you can solve any major problems just with potatoes.