
I recently ran into a situation where I had the wrong password (or had forgotten it) for my BugNET bug/project tracker site and had no way to get it back. Password recovery probably fails for one of the following reasons:

  1. You didn’t use a real email address.
  2. You didn’t set a security question or forgot the answer.
  3. It’s the admin account, did you think it will be that easy?
  4. It’s the only admin account so you can’t login and change it.

I needed a fast way to get the password reset, and because everything is hashed and salted in the database (as it should be), it's not that easy to just update the tables with your own generated password. The only thing I could find was unlocking your account from the DB. That got me to the next point…

Since BugNET uses the built-in ASP.NET Membership Role Provider, it’s actually quite easy as long as you have access to the web server or FTP site. This is a hack I’ve used before and will work for other sites as well, though usually if you have access to the web server you’re probably a big enough admin to do this and more.

Instructions

Create a page called ResetPass.aspx with the following code (or download it):

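<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Web.Security" %>
<%
  // Outcome shown in the page body, so a failure is not reported as success.
  string result;
  try
  {
    // Look the account up through the configured membership provider.
    MembershipUser mem = Membership.GetUser("admin");
    if (mem == null)
    {
      result = "User 'admin' was not found.";
    }
    else
    {
      // Unlock the account first if it is locked out.
      if (mem.IsLockedOut)
      {
        mem.UnlockUser();
      }
      // ResetPassword() returns a generated password, which is used as the
      // old password to set the new one to "password".
      mem.ChangePassword(mem.ResetPassword(), "password");
      result = "Done resetting password...";
    }
  }
  catch (Exception ex)
  {
    result = ex.ToString();
  }
%>

<html>
  <head runat="server">
   <title>Admin Password Reset</title>
  </head>
  <body>
    <p><%= Server.HtmlEncode(result) %></p>
    <p>Please delete this page from the web server!</p>
  </body>
</html>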

Upload the page to the root of your BugNET website and browse to http://yourwebdomain/ResetPass.aspx.

If anything goes wrong, your default error page or the usual yellow page of death will show; if not, the password will have been reset to “password” and you’ll get a nice message.

NB: Delete the page from your web server as it poses a major security risk!

The code is simple and pretty self-explanatory, so I'm not going to go into detail. Use it or don't use it (at your own risk).
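
A hardened variant of the reset page, added here as an example (not the original author's code): it answers only requests made from the web server itself, shows the random password returned by ResetPassword() instead of setting a fixed "password", and tries to delete itself after one run. It assumes the same "admin" user name, and that the application pool identity may lack delete rights on the file, in which case it says so.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="System.Web.Security" %>
<%
  // Added example: hardened variant of the reset page, not the original author's code.
  // Serve only requests made from the web server itself; everyone else gets a 404.
  if (!Request.IsLocal)
  {
    Response.StatusCode = 404;
    Response.End();
  }

  string message;
  try
  {
    MembershipUser mem = Membership.GetUser("admin");
    if (mem == null)
    {
      message = "User 'admin' not found; nothing changed.";
    }
    else
    {
      if (mem.IsLockedOut) { mem.UnlockUser(); }
      // Keep the provider-generated random password instead of a fixed, guessable one.
      string tempPassword = mem.ResetPassword();
      message = "Temporary password (shown once, change it after login): " + tempPassword;
    }
  }
  catch (Exception ex)
  {
    // For example, the provider has password reset disabled or requires a security answer.
    message = "Reset failed: " + ex.Message;
  }

  // Remove the page after one run so it cannot be requested again.
  string cleanup = "This page has deleted itself.";
  try { File.Delete(Request.PhysicalPath); }
  catch (Exception) { cleanup = "Could not self-delete; remove this file by hand now."; }
%>
<html>
  <head><title>Admin Password Reset</title></head>
  <body>
    <p><%= Server.HtmlEncode(message) %></p>
    <p><%= Server.HtmlEncode(cleanup) %></p>
  </body>
</html>
```

Browse to it from the server itself (for example over a remote desktop session) and confirm afterwards that the file is gone from the site root.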