It has been a while since I wrote in this weblog, mainly because I have been away on vacation, but it has been interesting to see the searches people have been using to find this site while I have been away.

Some of these are more innocuous than others, but 2 themes seem to be emerging:

1. How do I recover from the situation where I have forgotten my admin password?

2. How do I break into a password protected osCommerce admin?

Needless to say, I won't be writing about the second question - any hacker worth his salt should already have enough tools and knowledge to be able to break into a less well protected site.

Regarding the first question though, of forgotten admin passwords, the answer depends on what kind of password protection you are using:

A. If you are running a standard osCommerce site, without any form of administrator modification, then you will be using a .htaccess based protection mechanism. Usually, this is put in place using a "Password Protect Directories" feature within your hosting control panel. To set the username/password to a new one, all you have to do is to use this feature to remove the current protection and then put it back in place again using new details (remember to make a mental note of them!). You can also remove the current protection by deleting/renaming the .htaccess file in your admin folder, but you should remember to rename it back, or create a new one using the aforementioned procedure to prevent unauthorised access to your osCommerce admin.

B. If you are using a session based access control modification, such as that used with CRE Loaded for example, you will need to run some queries on your database in order to get out of the situation. Firstly, get yourself into phpmyadmin, or whatever database management tool you use and have a look at the admin table. You will see that the password is encrypted - you could use some kind of brute force tool in an attempt to break this, but the quicker way of dealing with things is simply to replace this entry with one of known values. If you go ahead and delete the entry from this table and then run this query (note this may need to be adjusted slightly if your database columns don't match the count of this particular query) :

INSERT INTO admin (admin_id, admin_groups_id, admin_firstname, admin_lastname, admin_email_address, admin_password, admin_created, admin_modified, admin_logdate, admin_lognum) VALUES (1, 1, 'Default', 'Admin', 'admin@localhost.com', '1060bdf4e47bc8b4ab3fb0cfea9ef70b:77', now(), now(), now(), '6');

then this will reset the username/password to the default values at installation, which are admin@localhost/admin.