X-Cart: shopping cart software

X-Cart forums (https://forum.x-cart.com/index.php)
-   Dev Questions (https://forum.x-cart.com/forumdisplay.php?f=20)
-   -   Displaying customer passwords to admin (https://forum.x-cart.com/showthread.php?t=10846)

JWait 11-22-2011 06:43 AM

Re: Displaying customer passwords to admin
 
Your "design defect" appears in nearly every instance where there is a password involved on the internet.

carpeperdiem 11-22-2011 06:46 AM

Re: Displaying customer passwords to admin
 
Quote:

Originally Posted by JWait
Your "design defect" appears in nearly every instance where there is a password involved on the internet.


Does that make it "right"?

exsecror 11-22-2011 06:56 AM

Re: Displaying customer passwords to admin
 
I have to agree with carpeperdiem. In fact I don't even agree with the fact that the passwords in X-Cart by default use a method that allows the passwords to even be decrypted. We rewrote our system to use a one-way SHA512 hash for all passwords; that way there's no way to access them or retrieve them (customers are required to reset them).
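
The migration exsecror describes, as an added example that is neither X-Cart's code nor the poster's: legacy reversible records are stripped of their secret and flagged for a forced reset, new passwords go through a salted, iterated one-way hash (PBKDF2-HMAC-SHA512 here, a deliberately slower construction than a bare SHA-512 digest), and verification never hands the stored value back to an admin or anyone else. The record layout, field names and sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed, in-memory stand-in for the customer table; the record layout
# is an assumption for this example, not X-Cart's schema.
ITERATIONS = 210_000  # PBKDF2-HMAC-SHA512 work factor (assumed value)

def _pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)

def set_password(record: dict, password: str) -> dict:
    """Overwrite the record with a salted one-way hash; nothing reversible remains."""
    salt = os.urandom(16)
    record.clear()
    record.update({
        "scheme": "pbkdf2-sha512",
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": _pbkdf2(password, salt, ITERATIONS).hex(),
        "must_reset": False,
    })
    return record

def migrate_store(store: dict) -> int:
    """Drop every reversible secret; affected customers must reset at next login."""
    migrated = 0
    for record in store.values():
        if record.get("scheme") == "legacy-reversible":
            record.clear()
            record.update({"scheme": "pbkdf2-sha512", "must_reset": True})
            migrated += 1
    return migrated

def verify(record: dict, password: str) -> str:
    """Return 'ok', 'bad' or 'reset_required'; the stored hash is never handed out."""
    if record.get("must_reset") or "hash" not in record:
        return "reset_required"
    expected = bytes.fromhex(record["hash"])
    actual = _pbkdf2(password, bytes.fromhex(record["salt"]), record["iterations"])
    return "ok" if hmac.compare_digest(expected, actual) else "bad"

# Constructed sample accounts: one legacy reversible record, one new-style one.
STORE = {
    "alice": {"scheme": "legacy-reversible", "secret": "<constructed-reversible-blob>"},
    "bob": set_password({}, "correct horse battery staple"),
}
```

After migrate_store(STORE), alice's login returns "reset_required" until set_password stores a new hash, while bob verifies normally.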

BCSE 11-22-2011 08:50 AM

Re: Displaying customer passwords to admin
 
Jeremy,

I put a post in the original thread to use at your own risk and it may violate current PCI compliance rules. I also was surprised that you could 'see' the customer's password back when I wrote the mod in 2004, but at the time it was a convenience as there was no way to 'operate as this user' etc in those versions of X-cart. I can definitely see how it's something people shouldn't use anymore. We never used it ourselves but had lots of requests for it, which is why I created that simple code change back then.

thanks,

Carrie

carpeperdiem 11-22-2011 08:58 AM

Re: Displaying customer passwords to admin
 
Quote:

Originally Posted by BCSE
Jeremy,

I put a post in the original thread to use at your own risk and it may violate current PCI compliance rules. I also was surprised that you could 'see' the customer's password back when I wrote the mod in 2004, but at the time it was a convenience as there was no way to 'operate as this user' etc in those versions of X-cart. I can definitely see how it's something people shouldn't use anymore. We never used it ourselves but had lots of requests for it, which is why I created that simple code change back then.

thanks,

Carrie


Carrie,

No blame to BCS here -- this is an xcart vulnerability and your mod simply does what Firefox web developer also does, which is make the unencrypted password visible.

I am fairly certain that KNOWING about this and NOT patching it will make our PCI survey blow up - I mean, how can we honestly answer the questions re: password privacy knowing this information?

I'm gonna ask qualiteam to patch this going forward.

Can you (or anyone) come up with a situation where a merchant needs to see a customer password? I can't think of any situation - and in 13 years of ecom, I've never needed this function. As long as we have password recovery tools that work, and the admin can force a temp password on an account, why on earth would an admin want/need to see a password? If someone has a reasonable answer with a real-world situation, please share!

carpeperdiem 11-22-2011 09:25 AM

Re: Displaying customer passwords to admin
 
https://bugtracker.qtmsoft.com/view.php?id=40622

chiactivate 01-18-2012 04:24 PM

Re: Displaying customer passwords to admin
 
It works for 4.4x too.

File is under:

/skin/common_files/main/register_account.tpl

chiactivate 04-23-2014 01:56 PM

Re: Displaying customer passwords to admin
 
How about for version 4.6?

Did anyone make it work (show the password)?

BCSE 04-23-2014 07:09 PM

Re: Displaying customer passwords to admin
 
Quote:

Originally Posted by chiactivate
How about for version 4.6?

Did anyone make it work (show the password)?

You can't. Resetting it for a customer is the best you can do.

Carrie

