Quote:
Originally Posted by BCSE
Jeremy,
I put a post in the original thread to use at your own risk and it may violate current PCI compliance rules. I also was surprised that you could 'see' the customer's password back when I wrote the mod in 2004, but at the time it was a convenience as there was no way to 'operate as this user' etc in those versions of X-cart. I can definitely see how it's something people shouldn't use anymore. We never used it ourselves but had lots of requests for it, which is why I created that simple code change back then.
thanks,
Carrie
Carrie,
No blame to BCS here -- this is an X-cart vulnerability, and your mod simply does what the Firefox Web Developer extension also does, which is make the unencrypted password visible.
I am fairly certain that KNOWING about this and NOT patching it will make our PCI survey blow up - I mean, how can we honestly answer the questions re: password privacy knowing this information?
I'm gonna ask qualiteam to patch this going forward.
Can you (or anyone) come up with a situation where a merchant needs to see a customer password? I can't think of any situation - and in 13 years of ecom, I've never needed this function. As long as we have password recovery tools that work, and the admin can force a temp password on an account, why on earth would an admin want/need to see a password? If someone has a reasonable answer with a real-world situation, please share!
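To illustrate the point made in this thread (an admin needs to reset a password, never to read it), here is an added example of a customer store that keeps only a salted one-way digest, so there is no plaintext for a mod or a browser tool to reveal. This is illustrative code written for this discussion, not X-cart's own code; the class name, fields and the PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; chosen for this example, tune for production

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest cannot be turned back into the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

class CustomerStore:
    """Hypothetical account table: stores salt + one-way digest, never the password."""

    def __init__(self) -> None:
        self._rows = {}  # login -> {"salt", "digest", "must_change"}

    def create(self, login: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._rows[login] = {"salt": salt, "digest": digest, "must_change": False}

    def verify(self, login: str, password: str) -> bool:
        """Login check: re-derive the digest and compare in constant time."""
        row = self._rows.get(login)
        if row is None:
            return False
        _, digest = hash_password(password, row["salt"])
        return hmac.compare_digest(digest, row["digest"])

    def admin_force_temp_password(self, login: str) -> str:
        """The operation an admin actually needs: issue a temporary password,
        shown once, and flag the account so the customer must change it.
        The old password is never recoverable from the stored row."""
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        self._rows[login] = {"salt": salt, "digest": digest, "must_change": True}
        return temp

    def must_change(self, login: str) -> bool:
        return self._rows[login]["must_change"]

    def stored_fields(self, login: str) -> set:
        """What a 'show password' mod could ever read back: no plaintext field exists."""
        return set(self._rows[login].keys())
```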