Re: Displaying customer passwords to admin
Your "design defect" appears in nearly every instance where there is a password involved on the internet.
Re: Displaying customer passwords to admin
Quote:
Does that make it "right"?
Re: Displaying customer passwords to admin
I have to agree with carpeperdiem. In fact, I don't even agree with the fact that the passwords in X-Cart by default use a method that allows the passwords to even be decrypted. We rewrote our system to use a one-way SHA512 hash for all passwords, so there's no way to access or retrieve them (customers are required to reset them).
Re: Displaying customer passwords to admin
Jeremy,
I put a post in the original thread saying to use it at your own risk, and that it may violate current PCI compliance rules. I also was surprised that you could 'see' the customer's password back when I wrote the mod in 2004, but at the time it was a convenience, as there was no way to 'operate as this user' etc. in those versions of X-cart. I can definitely see how it's something people shouldn't use anymore. We never used it ourselves but had lots of requests for it, which is why I created that simple code change back then. Thanks, Carrie
Re: Displaying customer passwords to admin
Quote:
Carrie, no blame to BCS here -- this is an xcart vulnerability, and your mod simply does what Firefox Web Developer also does, which is make the unencrypted password visible. I am fairly certain that KNOWING about this and NOT patching it will make our PCI survey blow up - I mean, how can we honestly answer the questions re: password privacy knowing this information? I'm gonna ask qualiteam to patch this going forward. Can you (or anyone) come up with a situation where a merchant needs to see a customer password? I can't think of any situation - and in 13 years of ecom, I've never needed this function. As long as we have password recovery tools that work, and the admin can force a temp password on an account, why on earth would an admin want/need to see a password? If someone has a reasonable answer with a real-world situation, please share!
Re: Displaying customer passwords to admin
It works for 4.4x too.
File is under: /skin/common_files/main/register_account.tpl
Re: Displaying customer passwords to admin
How about for version 4.6?
Did anyone make it work (show the password)?
Re: Displaying customer passwords to admin
Quote:
You can't. Resetting it for a customer is the best you can do. Carrie
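The two points the thread keeps coming back to are the one-way hash mentioned earlier (so that nobody, admin included, can read a stored password back) and the "force a temp password" reset that is the admin's only remaining option. The following is an added example written for this thread; it is not X-Cart's code or any poster's mod. It uses a salted, iterated PBKDF2-HMAC-SHA512 rather than a bare SHA512 call, the iteration count and the in-memory "customers" table are assumptions, and the sample accounts are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

ITERATIONS = 120_000  # assumed work factor; tune for the server's CPU
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """One-way record 'pbkdf2_sha512$<iter>$<salt hex>$<hash hex>'.

    A fresh random salt per customer means two identical passwords
    produce different records, and the digest cannot be reversed.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    try:
        scheme, iter_s, salt_hex, hash_hex = record.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record never verifies
    if scheme != "pbkdf2_sha512":
        return False
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest.hex(), hash_hex)


# Constructed in-memory stand-in for the customers table: only the hash
# record is stored, so there is no plaintext for an admin page to display.
CUSTOMERS: Dict[str, dict] = {}


def register(email: str, password: str) -> None:
    CUSTOMERS[email] = {"password": hash_password(password), "must_reset": False}


def admin_view_password(email: str) -> str:
    """All an admin can see is the opaque record, not the password itself."""
    return CUSTOMERS[email]["password"]


def admin_force_temp_password(email: str) -> str:
    """The reset path: mint a temporary password, store only its hash,
    and flag the account so the customer must choose a new one."""
    temp = secrets.token_urlsafe(12)
    CUSTOMERS[email] = {"password": hash_password(temp), "must_reset": True}
    return temp  # shown once to the admin/customer, never persisted


def login(email: str, password: str) -> bool:
    row = CUSTOMERS.get(email)
    if row is None:
        hash_password(password)  # same cost for unknown accounts (no timing hint)
        return False
    return verify_password(password, row["password"])


if __name__ == "__main__":
    register("customer@example.com", "s3cret")  # constructed sample account
    print("login ok:", login("customer@example.com", "s3cret"))
    print("admin sees:", admin_view_password("customer@example.com"))
    temp = admin_force_temp_password("customer@example.com")
    print("old password still works:", login("customer@example.com", "s3cret"))
    print("temp password works:", login("customer@example.com", temp))
```

The stored record includes the iteration count, so the work factor can be raised later and old records re-hashed on the customer's next successful login; a migration from a reversible scheme to this one works the same way as the post above describes, by requiring every customer to reset.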