The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

WordPress Admin Permissions stripped ? by installer?

Discussion in 'cPanel Developers' started by hostmedic, Aug 2, 2009.

  1. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    I have a user reporting an issue on their wordpress install using the cPanel installer.

    Investigating I found the following:
    WordPress › Support » No "Upgrade" subpanel under Tools

    Sure enough - this is the users same issue.

    Another User (genesteinberg) stated the following:
    So - how about the fix folks:?

    Seems there are a growing number of links to that forum posting...
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Wordpress, as well as other applications, installed via cPAddons must be managed solely by cPAddons. To that end the installation and upgrade tools normally bundled with a product are removed.
     
  3. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    while that sounds good in theory ...

    Kenneth -

    That sounds good in theory (and heck I more than understand why - being in development and having our own cPAddon ) - however users are unable to do most any admin functions - such as add a plugin.

    This seriously strips out the ability to use the Word Press System -
    for now we will simply just remove the Add On - but the question remains -
    how to get around it now - that it is there for the users complaining...

    There seems to be a fix - as something was done for the other user (see previous post)
     
  4. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    lost that client

    well - lost that one...

    The WordPress plugin - if it kills the ability to do timely upgrades just stinks.
    I know Dan worked hard on this - and I respect that however - when a user cant install and do updates - we limit them.

    It seems there was a fix to this - i would love to know what it was.
    For now I am peeking @ file perms from an actual install as well as DB and will post if I find it.
     
  5. inwebico

    inwebico Registered

    Joined:
    Sep 3, 2009
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I'm running into this issue as well and was wondering if anyone has found a solution?

    While performing a fresh install from cPanel (cPanel Version: 11.24.5-RELEASE / cPanel Build: 38506) everything loads just fine (the folders & db are created).. However, when I try to log in as "admin" I get the following error:

    Obviously if you can't log in, you can't add users, add/edit posts, etc.. so there is no point.
     
    #5 inwebico, Sep 4, 2009
    Last edited: Sep 5, 2009
  6. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    different issue

    I think your issue is a bit different.
    In short- if you cant get in as an admin @ all - that does not describe the behavior we saw.

    If you need help resetting the admin password - follow these instructions:

    Begin by logging into phpMyAdmin on that account via cpanel and click databases.

    * A list of databases will appear. Click your WordPress database.

    * All the tables in your database will appear. If not, click Structure.
    * Look for wp_users.
    * Click on the icon for browse or structure.

    The next screen lists the fields within the wp_users table.

    * On user_login click browse and find the ID number associated with your login. Remember it.
    * Go back to the wp_users table.
    * On the user_pass field, click browse and find the ID number associated with your login.

    * Click edit.
    * Next to the ID number is a long list of numbers and letters.
    * Select and delete these and type in your new password.
    * Type in the password you want to use. Just type it in normally, but remember, it is case-sensitive.
    * In this example, the new password will be 'peopleforgetpasswordsreallyeasy'
    * Once you have done that, click the dropdown menu indicated, and select MD5 from the menu.

    * Check that your password is actually correct, and that MD5 is in the box.

    save - and voila - your done
     
  7. inwebico

    inwebico Registered

    Joined:
    Sep 3, 2009
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Thanks hostmedic! I gave your method a try and I still received the same error. I also tried the "Lost your password?" method (where it resets the password) and that did *not* work either. :(

    Any other thoughts on what might be happening?
     
  8. hostmedic

    hostmedic Well-Known Member

    Joined:
    Apr 30, 2003
    Messages:
    559
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Washington Court House, Ohio, United States
    cPanel Access Level:
    DataCenter Provider
    so reasons to update: : :wordpress

    It is important that users have the ability (server admins as well) to upgrade wordpress in a timely fashion.

    This past week was a particular nasty week for Wordpress users who do not keep their software up-to-date. If you’re Worpress installation is before 2.8.4 and you haven’t been hit by the worm circuling the globe,its important that you upgrade now... (however... this limit hurts current users of the cpanel cpaddons installer version)


    This worm used a known and patched SQL injection vulnerability to register a new user as admin, and then post spam to the blog. A SQL injection vulnerability occurs when a web page does not correctly scrub input from a user and allows the attacker to execute their own SQL statement.

    For those who have no idea what any of that means, this is the break down.

    Whenever you visit a website and there’s a box that you type in and then click a button, what you enter into that box is user input.

    This could be the search box on Google, or the Username box when you login to your email. Either way, the code on the backend takes what you enter and does something with it.

    Without any extra work by the developer of the web page your visiting, that box will accept any character you enter, and basically enter it into that pages code as if it were always there, typed in originally by the page designer.

    So, lets say we have a textbox called username, and some code that accepts the username then logs in. The login page has a variable called $Username that whatever you type into the username textbox gets put into. So if your username is owncpanel, the code will look like:

    Select * from users where username=’owncpanel’;

    Notice, the word owncpanel is inside single quotes (’). Here’s where a simple SQL injection might work. Instead of typing owncpanel into the username box, I type owncpanel’;Insert into users (username,password,admin) values(’pwned’,’secret’,'True. Now the code sees:

    Select * from users where username=’owncpanel’;Insert into users (username,password,admin) values(’pwned’,’secret’,'True‘;

    So the page will actually execute what I typed into the login box, even if my login credential aren’t correct, becase it sees the single quote(’) that I typed in as the end of the first statement and runs the second statement as if it were something put in there when the page was first created.

    (ok - so thats not really how it works - but giving the full details here would be kinda dangerous of course... in short if you know sql well - its pretty easy to follow --- )

    Additional details on the WordPress attacks can be found at Wordpress blogs under attack from hack attack | Technology | guardian.co.uk

    So once again I ask - how can we get it so that users can get to the admin.
    An answer of - well sorry - we just cant do that - is irresponsible @ this point.

    Just to check i even updated my cpaddons - but the version there is still outdated.
     
  9. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Hmmm, my test servers are showing Wordpress 2.8.4 as available in the 'Install cPAddons' interface in WHM. You might try a forced refresh in 'Install cPAddons' if yours is not showing 2.8.4 as available.
     
  10. jerrek71

    jerrek71 Active Member

    Joined:
    Jul 27, 2006
    Messages:
    42
    Likes Received:
    1
    Trophy Points:
    6
    None of which answered inwebico's problem of not having sufficient permissions to do anything at all once you've logged in to WordPress. His username and password are correct (otherwise he'll get a username/password error, not a permissions error).

    The reason I say this is because I too am unable to install WordPress from the cpAddons scripts. It all /looks/ like it installs properly, but when you try to login you get the error all wrapped in a nice little box....

    I tried modifying database tables and all sorts but in the end had to reinstall WordPress for the customer. Not a good outcome if I have to manually install it each time someone wants to run WP.

    Anyone have any ideas?
     
Loading...
Similar Threads - WordPress Admin Permissions
  1. FabryB
    Replies:
    1
    Views:
    603

Share This Page