WordPress Admin Permissions stripped ? by installer?

[hostmedic]

I have a user reporting an issue on their wordpress install using the cPanel installer.

Investigating I found the following:
WordPress › Support » No "Upgrade" subpanel under Tools

Okay, I am having the same problem. I have two user accounts, one admin and one editor. I log is as the admin all the time, never had a problem before. Trying to go to the update-core.php page results in this:

http://www.joelp.net/images/upgrade_fail.jpg

Here's a screen capture of my user page.
[removed sensitive info - not a good idea to post that stuff - samboll]

Sure enough - this is the users same issue.

Another User (genesteinberg) stated the following:

I wanted to update that cPanel support fixed the problem. It required changing a table string in the WordPress database. Once that was done, everything was fine.

I can get you the string, but I suspect it'll be better if you have cPanel or your host's support people work it out.

I can post the replacement string and instructions if enough people want it, but such things are dangerous (backups advised).

Peace,
Gene

So - how about the fix folks:?

Seems there are a growing number of links to that forum posting...

[cpanelkenneth]

Wordpress, as well as other applications, installed via cPAddons must be managed solely by cPAddons. To that end the installation and upgrade tools normally bundled with a product are removed.

[hostmedic]

Kenneth -

That sounds good in theory (and heck I more than understand why - being in development and having our own cPAddon ) - however users are unable to do most any admin functions - such as add a plugin.

This seriously strips out the ability to use the Word Press System -
for now we will simply just remove the Add On - but the question remains -
how to get around it now - that it is there for the users complaining...

There seems to be a fix - as something was done for the other user (see previous post)

[hostmedic]

well - lost that one...

The WordPress plugin - if it kills the ability to do timely upgrades just stinks.
I know Dan worked hard on this - and I respect that however - when a user cant install and do updates - we limit them.

It seems there was a fix to this - i would love to know what it was.
For now I am peeking @ file perms from an actual install as well as DB and will post if I find it.

[inwebico]

I'm running into this issue as well and was wondering if anyone has found a solution?

While performing a fresh install from cPanel (cPanel Version: 11.24.5-RELEASE / cPanel Build: 38506) everything loads just fine (the folders & db are created).. However, when I try to log in as "admin" I get the following error:

You do not have sufficient permission to access this page

Obviously if you can't log in, you can't add users, add/edit posts, etc.. so there is no point.

[hostmedic]

I think your issue is a bit different.
In short- if you cant get in as an admin @ all - that does not describe the behavior we saw.

If you need help resetting the admin password - follow these instructions:

Begin by logging into phpMyAdmin on that account via cpanel and click databases.

* A list of databases will appear. Click your WordPress database.

* All the tables in your database will appear. If not, click Structure.
* Look for wp_users.
* Click on the icon for browse or structure.

The next screen lists the fields within the wp_users table.

* On user_login click browse and find the ID number associated with your login. Remember it.
* Go back to the wp_users table.
* On the user_pass field, click browse and find the ID number associated with your login.

* Click edit.
* Next to the ID number is a long list of numbers and letters.
* Select and delete these and type in your new password.
* Type in the password you want to use. Just type it in normally, but remember, it is case-sensitive.
* In this example, the new password will be 'peopleforgetpasswordsreallyeasy'
* Once you have done that, click the dropdown menu indicated, and select MD5 from the menu.

* Check that your password is actually correct, and that MD5 is in the box.

save - and voila - your done

[inwebico]

Thanks hostmedic! I gave your method a try and I still received the same error. I also tried the "Lost your password?" method (where it resets the password) and that did *not* work either.

Any other thoughts on what might be happening?

[hostmedic]

It is important that users have the ability (server admins as well) to upgrade wordpress in a timely fashion.

This past week was a particular nasty week for Wordpress users who do not keep their software up-to-date. If you’re Worpress installation is before 2.8.4 and you haven’t been hit by the worm circuling the globe,its important that you upgrade now... (however... this limit hurts current users of the cpanel cpaddons installer version)


This worm used a known and patched SQL injection vulnerability to register a new user as admin, and then post spam to the blog. A SQL injection vulnerability occurs when a web page does not correctly scrub input from a user and allows the attacker to execute their own SQL statement.

For those who have no idea what any of that means, this is the break down.

Whenever you visit a website and there’s a box that you type in and then click a button, what you enter into that box is user input.

This could be the search box on Google, or the Username box when you login to your email. Either way, the code on the backend takes what you enter and does something with it.

Without any extra work by the developer of the web page your visiting, that box will accept any character you enter, and basically enter it into that pages code as if it were always there, typed in originally by the page designer.

So, lets say we have a textbox called username, and some code that accepts the username then logs in. The login page has a variable called $Username that whatever you type into the username textbox gets put into. So if your username is owncpanel, the code will look like:

Select * from users where username=’owncpanel’;

Notice, the word owncpanel is inside single quotes (’). Here’s where a simple SQL injection might work. Instead of typing owncpanel into the username box, I type owncpanel’;Insert into users (username,password,admin) values(’pwned’,’secret’,'True. Now the code sees:

Select * from users where username=’owncpanel’;Insert into users (username,password,admin) values(’pwned’,’secret’,'True‘;

So the page will actually execute what I typed into the login box, even if my login credential aren’t correct, becase it sees the single quote(’) that I typed in as the end of the first statement and runs the second statement as if it were something put in there when the page was first created.

(ok - so thats not really how it works - but giving the full details here would be kinda dangerous of course... in short if you know sql well - its pretty easy to follow --- )

Additional details on the WordPress attacks can be found at Wordpress blogs under attack from hack attack | Technology | guardian.co.uk

So once again I ask - how can we get it so that users can get to the admin.
An answer of - well sorry - we just cant do that - is irresponsible @ this point.

Just to check i even updated my cpaddons - but the version there is still outdated.

[cpanelkenneth]

Hmmm, my test servers are showing Wordpress 2.8.4 as available in the 'Install cPAddons' interface in WHM. You might try a forced refresh in 'Install cPAddons' if yours is not showing 2.8.4 as available.

[jerrek71]

None of which answered inwebico's problem of not having sufficient permissions to do anything at all once you've logged in to WordPress. His username and password are correct (otherwise he'll get a username/password error, not a permissions error).

The reason I say this is because I too am unable to install WordPress from the cpAddons scripts. It all /looks/ like it installs properly, but when you try to login you get the error all wrapped in a nice little box....

I tried modifying database tables and all sorts but in the end had to reinstall WordPress for the customer. Not a good outcome if I have to manually install it each time someone wants to run WP.

Anyone have any ideas?