Vulnerability in EPiServer.Forms
When I first installed VS and episerver plugin, and created an alloy project, it asked to create a user and password. I assumed this was just for the alloy project, so didnt write it down. then I created a new empty project, but when I go to localhost:xxx/episerver, I cant login. I cant use my local machine login because I am on a corporate network so only have a domain login, not a local administrator login.
Where is it storing this username and password?
I see that each new project creates a database like "EPiServerDB_972348aa". however, in these databases is no record of this username and password so I cant reset it.
I have been told there are 2 ways to "fix" this situation:
1) create a user programatically(1). Unfortuantely I cant do this because the example wont compile due to unresolvable dependencies (the other thread(2) has not found a solution unfortunately)
2) create a new database and point episerver at that. I am guessing this wont work, as episerver doesnt seem to be storing the user in the the projects database. I have looked through every table - no user. Also, if this solution was viable, then creating a new project would allow me to create a new user. There must be some secret "master" file or similar where this is being stored.
It doesnt seem possible to uninstall visual studio, as its not an item in the add/remove programs tool. I cant get the latpop imaged, as this has to be done by the IT staff which takes days, and I need to use the laptop.
I have spent 2 weeks trying to find a solution for this, so I am 2 weeks behind being able to learn episerver. Does anyone have any ideas for a workaround or hack? If I had known that this would "brick" the machine I would have written the password down in several places.
when submitting this post, it wont let me include any link (gives server error). So as a work around, I have included the links as text below:
(1) https:// <join these together> world.episerver.com <join these together> /blogs/kristoffer-linden/dates/2017/12/create-episerver-login-account-by-code/
(2) https:// <join these together> world.episerver.com <join these togeher> /forum/developer-forum/-Episerver-75-CMS/Thread-Container/2019/11/login-failed-with-new-empty-project/
Sorry, this forum softare wont let me edit my post to fix the typos. I hit "update", but it doesnt not update.
The username and password are, by default, stored via asp.Net identity in the database using the standard asp.Net identity tables so you can find them in the AspNetUsers table. That said, the password is hashed so will probably not be of much use to you.
Assuming you're running an alloy site, it looks as though the new user registration screen that you will have filled in will display when there are no users registered so it should be the case that, if you remove the user you've already created and restart the site, you'll get the new user registration screen again. I should point out that I've not tried it so, if you're going to give it a go, please back up the DB beforehand so you can restore if necessary.
You can also create an additional user account in the corporate system as well and then use that account for login.
OK, I know what the prolem is. When you create an empty project, it has no users. The only way to login is via a windows local administrator account. For those on corporate networks, who login to a domain, it is not possible to get a local administrators account. I had assumed that I could use the user created in the separate Alloy project, but now I know that this is stored in a different database.
The only viable solution in this case is to take development off the corproate network and corproate latpops and do it on a home laptop only.
I started a separate thread on how to loging with a non-local admin account into an empty project, but the posted configuration solutions have proved difficult to implement.
If your current solution is using AspNet Identity for membership management, I have a SQL script for you to create admin account with username "firstname.lastname@example.org" and password "store". Once you run the script successfully, you can go to <domain>/util/login.aspx, use above username and password without dobule quote to log in to CMS