Archive for July, 2013

Outsystems: changing/resetting your Servicecenter password without knowing it

Apparently Outsystems practices a kind of security through obscurity (link1, link2), not disclosing things that have nothing to do with intrusion into client servers per se. If the reset is this easy, then obscuring how the password encryption/hashing is done will not help them at all.

Anyway, someone asked me to change the servicecenter password as they could no longer log into their servicecenter via web or studio. They did have access to the MS-SQL server running their software.

What you need is at least one account, in one of the applications running on the server, whose password you actually know.

The passwords are salted hashes (MD5, they say in the forums, but it doesn’t look like a salted MD5), so you can just replace one hash with another in the database.

Connect to MS-SQL, either directly with SQL Server Management Studio or by firing it up over MSTSC, and run this query:

select PASSWORD from dbo.ossys_User where USERNAME='admin';

Replace 'admin' with the name of the user whose password you actually know. Copy the PASSWORD and save it somewhere.

Run the following query:

select * from dbo.ossys_User where USERNAME='admin';

Again replace 'admin', this time with the user you want the password for: find the user capable of logging into servicecenter whose password you forgot. (Note: if you have other admin users with access to servicecenter you don’t have to do this; you can simply use them to recreate users or delete the users you forgot about.)

In basic installations of Outsystems, this would be the user with ID=1 (username = admin).

Then you run the following final query:

update dbo.ossys_User set PASSWORD='THE HASH YOU FOUND ABOVE' where ID=1;

With the correct hash and ID.
Have fun.
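
A more careful form of the same reset, as an added example (not from the original post and not Outsystems code): it runs the swap in one transaction, keeps the old hash so the change can be undone, and then lists accounts that share a hash so those passwords can be changed afterwards. It uses only the table and columns named above; 'knownuser' and the NVARCHAR(4000) variable type are assumptions.

```sql
-- Added example. 'knownuser' is a placeholder for the account whose password
-- you know; ID = 1 is the admin user on a basic installation (see above).
-- The column type of PASSWORD is not stated in the post; NVARCHAR(4000) is assumed.
SET XACT_ABORT ON;
BEGIN TRANSACTION;

DECLARE @donor_hash NVARCHAR(4000), @old_hash NVARCHAR(4000);

SELECT @donor_hash = [PASSWORD] FROM dbo.ossys_User WHERE USERNAME = 'knownuser';
SELECT @old_hash   = [PASSWORD] FROM dbo.ossys_User WHERE ID = 1;

-- Stop if the donor account does not exist, instead of writing NULL into the admin row.
IF @donor_hash IS NULL
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Donor account not found; nothing was changed.', 16, 1);
    RETURN;
END;

UPDATE dbo.ossys_User SET [PASSWORD] = @donor_hash WHERE ID = 1;

-- Exactly one row must change; anything else means the WHERE clause was wrong.
IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected to update exactly one row; rolled back.', 16, 1);
    RETURN;
END;

-- Keep this value: writing it back into the row undoes the reset.
SELECT @old_hash AS previous_hash_for_id_1;

COMMIT TRANSACTION;

-- After the swap two accounts carry the same hash. List every shared hash so
-- the affected accounts can be given fresh passwords through the normal UI.
SELECT u.ID, u.USERNAME
FROM dbo.ossys_User AS u
JOIN (
    SELECT [PASSWORD]
    FROM dbo.ossys_User
    GROUP BY [PASSWORD]
    HAVING COUNT(*) > 1
) AS shared ON shared.[PASSWORD] = u.[PASSWORD]
ORDER BY u.ID;
```

The last query is also worth running on its own from time to time: since a hash works on any row it is copied to, accounts that share one are a sign that a reset like this was done and never followed by a password change.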