Mono Support: the default Admin user can be locked out

Viewed 20614 time(s), 5 post(s), 7/25/2012 6:03:10 PM - by geobirbilis
7/25/2012 6:03:10 PM
155 Reputation 23 Total posts

I tried to log in at a MonoX installation as admin and I entered the wrong pwd several times, and now it tells me the account is locked!

1) I'd expect the admin account to not be lockable like that (this can be exploited)
2) How can I edit the db or visit some MonoX installation webpage accessible only from the console (locally) to unlock the admin? Or is there another, easier way?
3) If the password is totally forgotten, is there a way to blank (or change) the pwd from the db?

1
7/26/2012 10:31:39 AM
7207 Reputation 956 Total posts

Hi George,
Our usual strategy is to change the name of the admin account, which makes it more difficult to exploit this feature. You can reset the locking status by switching the value of the IsLockedOut field in the aspnet_Membership table for that particular user. There are several properties in the membership provider that control this behavior, and you can change them in the web.config file; the most important one would be "maxInvalidPasswordAttempts".
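
The unlock described in this reply, written out as T-SQL against the standard ASP.NET membership schema (aspnet_Users, aspnet_Membership, aspnet_Applications). This is an added example, not code from the thread or from MonoX; it assumes the default table names and the applicationName="MonoX" value used in the provider configuration, and the user name 'admin' is a placeholder. The first query shows who is currently locked out before anything is changed; the update then clears the lock for one user only, scoped by application and lowered user name so a second application sharing the database is not touched.

```sql
-- Added example (not from the thread or MonoX): inspect and clear a
-- membership lockout directly in the aspnet_* tables.
DECLARE @UserName nvarchar(256);
DECLARE @AppName  nvarchar(256);
SET @UserName = N'admin';   -- account to unlock (placeholder)
SET @AppName  = N'MonoX';   -- applicationName from the membership provider in web.config

-- 1. Audit first: every locked-out account in this application, when the
--    lock happened, and how many failed attempts were counted in the window.
SELECT u.UserName,
       m.IsLockedOut,
       m.LastLockoutDate,
       m.FailedPasswordAttemptCount,
       m.FailedPasswordAttemptWindowStart
FROM   dbo.aspnet_Membership   AS m
JOIN   dbo.aspnet_Users        AS u ON u.UserId = m.UserId
JOIN   dbo.aspnet_Applications AS a ON a.ApplicationId = u.ApplicationId
WHERE  a.LoweredApplicationName = LOWER(@AppName)
  AND  m.IsLockedOut = 1;

-- 2. Clear the lock for exactly one user. The failed-attempt counter and
--    window start are reset as well; flipping IsLockedOut alone would let the
--    very next wrong password re-lock the account if the attempt window
--    (passwordAttemptWindow in web.config) has not expired yet.
UPDATE m
SET    m.IsLockedOut = 0,
       m.FailedPasswordAttemptCount = 0,
       m.FailedPasswordAttemptWindowStart = CONVERT(datetime, '17540101', 112)
FROM   dbo.aspnet_Membership   AS m
JOIN   dbo.aspnet_Users        AS u ON u.UserId = m.UserId
JOIN   dbo.aspnet_Applications AS a ON a.ApplicationId = u.ApplicationId
WHERE  a.LoweredApplicationName = LOWER(@AppName)
  AND  u.LoweredUserName        = LOWER(@UserName);

-- Equivalent built-in route: the schema ships a stored procedure that does the
-- same reset (it is what MembershipUser.UnlockUser() calls).
EXEC dbo.aspnet_Membership_UnlockUser @ApplicationName = @AppName, @UserName = @UserName;
```

LastLockoutDate is deliberately left untouched by both the update and the stored procedure, so the audit query still shows when the lockout happened after the account has been unlocked; repeated lockouts of the admin account within a short period are the signal worth alerting on, since they indicate someone guessing passwords against a known user name.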

2
7/27/2012 10:01:53 AM
155 Reputation 23 Total posts

Suppose the admin password for the portal has been forgotten, how can it be reset from the DB or other tool?

3
7/27/2012 10:12:27 AM
155 Reputation 23 Total posts

btw, how come the user password is unhashed (plain text) in the dbo.aspnet_Membership table? (the respective username is in dbo.aspnet_Users)
Is it some ASP.net setting?

4
7/27/2012 1:27:06 PM
15993 Reputation 2214 Total posts

Hi,

You should use the password recovery screen available e.g. here. Yes, passwords are unhashed by default; you can change that setting in web.config by changing the passwordFormat in the Membership and Role provider settings.

e.g.

<membership defaultProvider="AspNetSqlMembershipProvider" hashAlgorithmType="SHA1">
  <providers>
    <remove name="AspNetSqlMembershipProvider"/>
    <add connectionStringName="LocalSqlServer" enablePasswordRetrieval="true" enablePasswordReset="true" requiresQuestionAndAnswer="false" applicationName="MonoX" requiresUniqueEmail="false" passwordFormat="Clear" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="7" minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" passwordStrengthRegularExpression="" name="AspNetSqlMembershipProvider" type="MonoSoftware.MonoX.MonoXMembershipProvider, MonoX" />
    <!-- <add name="ActiveDirectoryMembershipProvider" type="MonoSoftware.MonoX.ActiveDirectoryMembershipProvider" connectionStringName="ADConnectionString" attributeMapUsername="sAMAccountName" applicationName="MonoX"
         connectionUsername="username@yourdomain"
         connectionPassword="pwd" /> -->
  </providers>
</membership>

Regards
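
A check that belongs with the passwordFormat change above, as an added example that is not from the thread or from MonoX. The provider records the format of each stored password in the PasswordFormat column of aspnet_Membership, and switching passwordFormat in web.config only affects passwords written from that point on: accounts created while the setting was "Clear" keep their clear-text value (PasswordFormat = 0) until their password is changed or reset. The query below, assuming the standard aspnet_* schema and applicationName="MonoX", lists which accounts are still stored in clear text after the switch.

```sql
-- Added example (not from the thread or MonoX): report the stored password
-- format per account after changing passwordFormat in web.config.
DECLARE @AppName nvarchar(256);
SET @AppName = N'MonoX';   -- applicationName from the membership provider in web.config

SELECT u.UserName,
       m.PasswordFormat,
       CASE m.PasswordFormat
            WHEN 0 THEN 'Clear'       -- MembershipPasswordFormat.Clear
            WHEN 1 THEN 'Hashed'      -- MembershipPasswordFormat.Hashed
            WHEN 2 THEN 'Encrypted'   -- MembershipPasswordFormat.Encrypted
            ELSE 'Unknown'
       END AS PasswordFormatName,
       m.LastPasswordChangedDate     -- accounts not changed since the switch stay Clear
FROM   dbo.aspnet_Membership   AS m
JOIN   dbo.aspnet_Users        AS u ON u.UserId = m.UserId
JOIN   dbo.aspnet_Applications AS a ON a.ApplicationId = u.ApplicationId
WHERE  a.LoweredApplicationName = LOWER(@AppName)
ORDER  BY m.PasswordFormat, u.UserName;

-- Summary line per format: the migration is done when no row reports format 0.
SELECT m.PasswordFormat, COUNT(*) AS Accounts
FROM   dbo.aspnet_Membership   AS m
JOIN   dbo.aspnet_Users        AS u ON u.UserId = m.UserId
JOIN   dbo.aspnet_Applications AS a ON a.ApplicationId = u.ApplicationId
WHERE  a.LoweredApplicationName = LOWER(@AppName)
GROUP  BY m.PasswordFormat;
```

One caveat when editing the configuration shown in this reply: passwordFormat="Hashed" cannot be combined with enablePasswordRetrieval="true", since a hashed password cannot be returned to the user; the provider refuses to initialize with that pair, so set enablePasswordRetrieval="false" and rely on enablePasswordReset (the password recovery screen) instead.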
