VIVO Documentation
Note |
---|
This page is intended to make access easier for VIVO developers and maintainers. An attacker cannot use these techniques to gain access to your VIVO installation. These techniques can only be used by someone who already has full access to your installation. |
VIVO release 1.6 and beyond
To gain access to the database, simply create a new root account.
- Modify the runtime.properties file to include a root account of your choosing, and restart VIVO:

      rootUser.emailAddress = new_root@mydomain.edu

- Open VIVO in the browser. You will see a warning screen. Click Continue to view the VIVO home page.
- Log in using the new root account. The first-time password for your new root account will be rootPassword, and you will be asked to assign a new password.

You now have two root accounts, and you know the password to the new one. Use the User Accounts pages to either
- Delete the old root account, or
- Change the password on the old root account and delete the new root account.
VIVO releases from 1.3 to 1.5.2
These releases of VIVO include a "back door" to permit this operation. A developer can add a special file to the VIVO code, which will enable a special URL that will give access.
In more detail:
- Create a file called friend.xml, containing a line like this: <date value="2013-02-18"/>, and put it in the [tomcat]/webapps/<vivocontext>/WEB-INF/classes directory. The date in the file must not be more than 1 week old. If you need to use this mechanism for more than 1 week, you will need to update the file. For example:

      cd /usr/local/tomcat/webapps/vivo/WEB-INF/classes
      echo '<date value="2013-02-18"/>' > friend.xml

- Go to http://localhost:8080/vivo/admin/friend (or whatever is correct for your host and port number and context path), and you are immediately logged in as root.
- Go to the Site Admin page, User Accounts, and either change the password on the root account or create a new admin account for your use.

This back door will offer no diagnostics if it is attempted incorrectly. The /admin/friend URL will return a simple 404 status
- if friend.xml does not exist
- if friend.xml is in the wrong directory
- if friend.xml is not in the correct format
- if friend.xml contains a stale date
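
A deployment check for the file described above, as an added example (not VIVO code): it looks for a leftover friend.xml under each web application's WEB-INF/classes and reports whether its date still falls inside the one-week window. The regular expression, the inclusive seven-day boundary, the handling of future dates and the sample tree are assumptions built from this page's description, not VIVO's actual parsing.

```python
import re
import tempfile
from datetime import date, timedelta
from pathlib import Path

# Format shown on the page: <date value="YYYY-MM-DD"/> (assumed to be strict).
DATE_RE = re.compile(r'<date\s+value="(\d{4})-(\d{2})-(\d{2})"\s*/>')
MAX_AGE = timedelta(days=7)  # "must not be more than 1 week old"


def classify(text, today):
    """Return 'live', 'stale' or 'malformed' for the contents of a friend.xml."""
    m = DATE_RE.search(text)
    if not m:
        return "malformed"
    try:
        stamp = date(*map(int, m.groups()))
    except ValueError:  # well-formed tag, impossible date (e.g. month 13)
        return "malformed"
    # Assumption: exactly 7 days old and future dates are reported as live,
    # the cautious reading for an audit.
    return "live" if today - stamp <= MAX_AGE else "stale"


def audit(webapps, today=None):
    """Report (context, state) for every <context>/WEB-INF/classes/friend.xml."""
    today = today or date.today()
    findings = []
    for path in Path(webapps).glob("*/WEB-INF/classes/friend.xml"):
        text = path.read_text(errors="replace")
        findings.append((path.parent.parent.parent.name, classify(text, today)))
    return sorted(findings)


def demo():
    """Constructed sample tree: three contexts, each with a different friend.xml."""
    today = date(2013, 2, 20)
    samples = {"vivo": '<date value="2013-02-18"/>\n',
               "vivo-test": '<date value="2012-11-01"/>\n',
               "vivo-dev": "<date>2013-02-18</date>\n"}
    with tempfile.TemporaryDirectory() as root:
        for context, body in samples.items():
            classes = Path(root, context, "WEB-INF", "classes")
            classes.mkdir(parents=True)
            (classes / "friend.xml").write_text(body)
        return audit(root, today)


if __name__ == "__main__":
    for context, state in demo():
        print(f"{context}: friend.xml is {state}")
```

Any friend.xml found on a production host is worth removing once the password has been reset, whether it is reported as live or stale.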
VIVO releases prior to 1.3
Older VIVO instances did not have a "root" account, per se. Instead, they had "default_admin" accounts.
...
- Find out the name of the default_admin account (in this example, the name is admin):

      mysql> select obj from jena_g3t1_stmt
          -> where subj = 'Uv::http://vitro.mannlib.cornell.edu/ns/vitro/default#defaultAdminUser:'
          -> and prop = 'Uv::http://vitro.mannlib.cornell.edu/ns/vitro/0.7#username:';
      +-------------------------------------------------------+
      | Obj                                                   |
      +-------------------------------------------------------+
      | Lv:0:39:http://www.w3.org/2001/XMLSchema#stringadmin: |
      +-------------------------------------------------------+
      1 row in set (0.00 sec)

- Set the password to rootPassword:

      mysql> update jena_g3t1_stmt
          -> set obj = 'Lv:0:39:http://www.w3.org/2001/XMLSchema#string4BBA69E66998C59F03530EE02C406CB0:'
          -> where subj = 'Uv::http://vitro.mannlib.cornell.edu/ns/vitro/default#defaultAdminUser:'
          -> and prop = 'Uv::http://vitro.mannlib.cornell.edu/ns/vitro/0.7#md5password:';
      Query OK, 1 row affected (0.01 sec)
      Rows matched: 1  Changed: 1  Warnings: 0

- Log in with the name that you found in the first step, and the password of rootPassword.