Joomla! Admin Auto Password Generation and Change Script...

Posted: Wed Sep 06, 2006 2:26 pm
by Wizzie
This script is released in the light of the recent increase in attempted exploit activities directed at Joomla! installations. As with any of our scripts, this is released in the hope that it might be useful to folks.

Those that are used to our scripts will note that this is a PHP script, a rare release from us. Why PHP? As most of the Joomla! community is PHP based, we figured it would be easier for modification and improvement. As PHP is not our first language, please feel free to post updates and improvements here; you might find our methods/logic a bit crude to some of the gurus in these forums, excuse our inexperience.


Information/Overview:
This is a quick and (reasonably) dirty script to automatically change Joomla! or Mambo Administrator passwords on a regular basis using cron.

This script will generate a single or multiple passwords, then change the Administrator's account password for each defined Joomla!/Mambo database. Each instance may have the same password or a different password assigned to it. For emergency recovery, the old password's MD5 checksum is also displayed; this may be pasted back into the appropriate password field in MySQL to return the password to its previous state.

The script uses the Administrator's Account NAME, not the username/login name. This provides functionality even if you have modified the login name for security reasons from the default of "admin".

Generated passwords and details can be viewed by terminal console output (if run manually) or email output or both. If run via cron, turning off console output will reduce load a little, and adding " >& /dev/null " will keep the resultant passwords from being output into logfiles or emailed to the server root for no reason.

Why this script?
None of us change our passwords often enough, especially those with large numbers of installs. No excuses anymore! :-)


Current Limitations:
Can only perform password changes on all Joomla! or all Mambo databases at the same time, no mixed application script runs at the moment. I.e., if you have installations that use both jos_ and mos_ table prefixes, you will need to copy the script and modify one for the jos_ prefix and the other for the mos_ prefix.


Important Notes:
1) As ever, use this script at your own risk, do extensive testing before going production due to the nature of this script's action (tinkering in your database and with the admin user).

2) The generated passwords may be emailed; these emails are plain text, and this may be seen as a security risk in its own right.




Example Output: (Remember the Joomla! Administrator password has already been changed by this time)

Terminal Console: (email output is similar, but in HTML table)
        ---------------------------------------------------------------------------------------------------------
        dataBase Instance                :    user1_joomladev
        Previous Administrator MD5    :    e548610e58359b2f1a5b6ddc4e4f88fa
        New Administrator Password  :    QTmF!drd#dcre
        ---------------------------------------------------------------------------------------------------------
        dataBase Instance                :    user2_joomlaprod
        Previous Administrator MD5    :    e548610e58359b2f1a5b6ddc4e4f88fa
        New Administrator Password  :    Ms3r^FJh*dIg
        ---------------------------------------------------------------------------------------------------------

        useSamePass = No,  Generating Diffferent Passwords For All Instances
        emailOut      = Yes, Email Notification Sent to youremail@yourdomain.com.au


Test Environment:
  PHP 4.4.2/ 4.4.4/ 5.1.6
  Joomla! 1.0.10/ 1.0.11 (Using jos_ table prefix)
  Joomla! 1.0.11 (using mos_ table prefix, previously upgraded from Mambo 4.5.2)
  FC3, FC4 and CentOS 3.8
  Windows Server 2003 / Windows XP/SP2



This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY or support; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
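
The rotation described in the post above, as an added PHP example (not Wizzie's script and not Joomla! code): it selects the account by its NAME, keeps the previous MD5 for recovery, and writes the new hash only when exactly one row matches. Assumptions: a `<prefix>users` table with `name` and `password` columns holding an unsalted MD5, in-memory SQLite standing in for each MySQL database, and a per-instance prefix, which goes beyond the single-prefix limitation stated in the post.

```php
<?php
// Added example, not Wizzie's script. Assumptions: table <prefix>users with
// `name`/`password` columns, unsalted MD5 storage, SQLite standing in for MySQL.

function generatePassword(int $length = 14): string
{
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#^*';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG, not rand()
    }
    return $out;
}

function rotateAdmin(PDO $db, string $prefix, string $newPass): array
{
    $table = $prefix . 'users'; // prefix is operator config (jos_ or mos_), never user input
    $db->beginTransaction();
    $sel = $db->prepare("SELECT id, password FROM {$table} WHERE name = ?");
    $sel->execute(['Administrator']); // match on account NAME, not the login name
    $rows = $sel->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) !== 1) {         // zero or ambiguous match: change nothing
        $db->rollBack();
        throw new RuntimeException('expected one Administrator row, found ' . count($rows));
    }
    $upd = $db->prepare("UPDATE {$table} SET password = ? WHERE id = ?");
    $upd->execute([md5($newPass), $rows[0]['id']]);
    $db->commit();
    return ['previous_md5' => $rows[0]['password'], 'new_password' => $newPass];
}

// Constructed demo data: two instances; the login name is deliberately not "admin".
$instances = [];
foreach (['user1_joomladev' => 'jos_', 'user2_joomlaprod' => 'mos_'] as $name => $prefix) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE {$prefix}users (id INTEGER PRIMARY KEY, name TEXT, username TEXT, password TEXT)");
    $db->prepare("INSERT INTO {$prefix}users (name, username, password) VALUES ('Administrator', 'siteboss', ?)")->execute([md5('old-secret')]);
    $instances[$name] = [$db, $prefix];
}

$useSamePass = false; // true reuses $shared for every instance
$shared = generatePassword();
foreach ($instances as $name => [$db, $prefix]) {
    $r = rotateAdmin($db, $prefix, $useSamePass ? $shared : generatePassword());
    printf("%-18s previous MD5 %s  new password %s\n", $name, $r['previous_md5'], $r['new_password']);
}
```

Writing the returned `previous_md5` back into the same row restores the old password, which is the recovery path the post describes.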

Re: Joomla! Admin Auto Password Generation and Change Script...

Posted: Sat Sep 22, 2007 3:53 pm
by rtenny
Wizzie wrote: Test Environment:
  PHP 4.4.2/ 4.4.4/ 5.1.6
  Joomla! 1.0.10/ 1.0.11 (Using jos_ table prefix)
  Joomla! 1.0.11 (using mos_ table prefix, previously upgraded from Mambo 4.5.2)
  FC3, FC4 and CentOS 3.8
  Windows Server 2003 / Windows XP/SP2
Does this work with Joomla 1.0.13 as well?