X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   Dev Questions (https://forum.x-cart.com/forumdisplay.php?f=20)
-   -   Better Password Recovery (https://forum.x-cart.com/showthread.php?t=38075)

mikeholliday 03-06-2008 01:54 AM

Better Password Recovery
 
By default X-Cart sends the user's password in clear text via email when they try to recover their password. This is stupid and easily fixed with a few lines of code. This mod will set the user's password to a random string, email them that string, and force them to reset their password on next login. Yeah, I know a password is still sent in plain text, but at least it is not their actual password they were using and are probably going to set it back to.

Here are the changes you need to make (4.1.9).

ADD this function to include/func/func.core.php

Code:

function createRandomPassword() {
    // Alphabet without the look-alike characters 'l' and '1' (34 characters)
    $chars = "abcdefghijkmnopqrstuvwxyz023456789";
    $pass = '';

    for ($i = 0; $i < 8; $i++) {
        // Index across the whole alphabet. The original "rand() % 33" could
        // never pick the last character of the 34-character string, and the
        // explicit srand() call is unnecessary (mt_rand() seeds itself).
        // Note: mt_rand() is not a cryptographic RNG; use random_int() on PHP 7+.
        $num = mt_rand(0, strlen($chars) - 1);
        $pass .= substr($chars, $num, 1);
    }
    return $pass;
}


This function is compliments of http://www.totallyphp.co.uk/code/create_a_random_password.htm, I was lazy...:wink:

CHANGE include/help.php
Code:

    foreach ($accounts as $key => $account) {
        $accounts[$key]["password"] = text_decrypt($account["password"]);
        if (is_null($accounts[$key]["password"]) || $accounts[$key]["password"] === false) {
            $accounts[$key]["password"] = func_get_langvar_by_name("err_data_corrupted");
            if (is_null($accounts[$key]["password"])) {
                x_log_flag("log_decrypt_errors", "DECRYPT", "Could not decrypt password for the user ".$account['login'], true);
            }
        } 
    }

    $mail_smarty->assign("accounts",$accounts);
    func_send_mail($email, "mail/password_recover_subj.tpl", "mail/password_recover.tpl", $config["Company"]["support_department"], false);
    func_header_location("help.php?section=Password_Recovery_message&email=".urlencode($email));

}


TO:

Code:

    // Generate the temporary password once, before the loop. Generating it
    // inside the loop means every login sharing this e-mail address gets a
    // different password while only the last one is mailed, so the others
    // cannot log in.
    $newpassword = createRandomPassword();
    $newcrypt = text_crypt($newpassword);

    foreach ($accounts as $key => $account) {
        // Stock decryption of the old password is kept only for its error
        // logging; the mail template no longer prints this value.
        $accounts[$key]["password"] = text_decrypt($account["password"]);
        if (is_null($accounts[$key]["password"]) || $accounts[$key]["password"] === false) {
            $accounts[$key]["password"] = func_get_langvar_by_name("err_data_corrupted");
            if (is_null($accounts[$key]["password"])) {
                x_log_flag("log_decrypt_errors", "DECRYPT", "Could not decrypt password for the user ".$account['login'], true);
            }
        }
        $newpasswordarray = array();
        $newpasswordarray['password'] = $newcrypt;
        $newpasswordarray['change_password'] = 'Y'; // force a password change at next login
        func_array2update('customers', $newpasswordarray, "login='$account[login]' AND usertype='$account[usertype]'");
    }
    $mail_smarty->assign("accounts",$accounts);
    $mail_smarty->assign("newpassword",$newpassword);
    func_send_mail($email, "mail/password_recover_subj.tpl", "mail/password_recover.tpl", $config["Company"]["support_department"], false);
    func_header_location("help.php?section=Password_Recovery_message&email=".urlencode($email));

}


Now you need to change your email templates. If you are using plain text email edit the template in skin1/mail/. If you are using HTML email edit the template in skin1/mail/html.

password_recover.tpl

Plain Text
FROM
Code:

{$lng.lbl_password|truncate:$max_truncate:"...":true|cat:":"|string_format:$max_space}{$accounts[acc_num].password}
TO
Code:

Your password has been reset.  Your new password is now {$newpassword}.  Please change your password when you login.


HTML

FROM
Code:

<td><tt>{$lng.lbl_password}:</tt></td>
<td>&nbsp;</td>
<td><tt>{$accounts[acc_num].password}</tt></td>


TO
Code:

<td><tt>Your password has been reset.<br><br>Your new password is now {$newpassword}.<br><br>You will be required to change your password at next logon.</tt></td>

Make sure to check your colspan attrib in your TDs. I consolidated the 3 columns to 1.


Cheers & Happy Coding,
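As an added example (not code from the original post or from X-Cart itself), the same mod written so that each login sharing the e-mail address receives its own temporary password and the generator draws from a cryptographic RNG. It assumes PHP 7+ for `random_int()`; `text_crypt()` and `func_array2update()` are the X-Cart helpers already used above, while `createRandomPassword()`'s new signature and `resetAccountsForEmail()` are names chosen for this example.

```php
<?php
// Added example, not part of the original mod. Assumes PHP 7+ (random_int)
// and X-Cart's text_crypt() / func_array2update() helpers being available.

function createRandomPassword($length = 12) {
    // Upper/lower case and digits without the look-alikes l, 1, I, O, 0.
    // The index range is derived from the string, so no character is
    // silently unreachable (the original "% 33" over 34 characters was).
    $chars = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $max = strlen($chars) - 1;
    $pass = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is a CSPRNG; rand()/mt_rand() are predictable and
        // unsuitable for anything that acts as a credential.
        $pass .= $chars[random_int(0, $max)];
    }
    return $pass;
}

// Issue a distinct temporary password to every login registered to the
// address, flag each for a forced change at next login, and return
// login => temporary password for the mail template.
function resetAccountsForEmail(array $accounts) {
    $issued = array();
    foreach ($accounts as $account) {
        $newpassword = createRandomPassword();
        $update = array(
            'password'        => text_crypt($newpassword),
            'change_password' => 'Y',
        );
        // login/usertype come from the customers table; escape them anyway.
        $where = "login='" . addslashes($account['login'])
               . "' AND usertype='" . addslashes($account['usertype']) . "'";
        func_array2update('customers', $update, $where);
        $issued[$account['login']] = $newpassword;
    }
    return $issued;
}
```

In help.php the returned array would be assigned to the template in place of the single `newpassword` value, and the template would loop over it so each login line carries its own temporary password; the mail still contains a usable credential, which is why the forced change on next login matters.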

jeanne 03-08-2008 07:00 AM

Re: Better Password Recovery
 
This didn't work for me. My test account has multiple login names with the same email, so I'm not sure if that was the issue.
The temporary password sent in the email did not allow me to login. I had to change it in admin.

Tony Pearce 07-02-2010 06:01 AM

Re: Better Password Recovery
 
works in version 4.1.12

Thanks very much for a great snippet...

Tony

