Displaying customer passwords to admin

#41
Re: Displaying customer passwords to admin
Works perfect in version 4.3.1. Just wanted to say thanks.
__________________
Shareen sparker2@cox.net http://www.stitches4u.com X-Cart Version 4.5.0 with Smart Template vs 4.4.x
#43
Re: Displaying customer passwords to admin
1++ It is worrisome that some people are justifying this mod with ...because users have problems with their passwords, therefore the admin needs to see their [users] passwords to go in to help them modify their profiles... In other words, convenience is placed ahead of security. Imagine if BOA [Bank of America] has a similar functioning software and BOA admins insist on mods that will display customers' passwds in order to be able to help those customers! No one would want that and, certainly, the responsible Federal authority will not certify such a software suite.

2++ It appears that QT shares some of the blame for this problem. Although it can still be defeated just like anything else, at least QT should implement a one-way hash functionality on the front end [client side] so that only the hash of the user's passwd gets transported via the SSL channel and gets saved by the time it gets to the server side. In this case, the admin will not be able to see the actual passwd unless she resorts to brute force, since she would still have access to the hash value in the server. On the other hand, if someone then creates a mod on the client side to either disable the client side passwd hashing functionality or save an un-hashed copy of the customer's passwd, the whole world, especially diligent QSAs, will be able to more easily flag such sites as in blatant violation of basic security, basic PCI compliance principles. Security experts have consistently emphasized there is no perfect security if the system is to be conveniently useful and that sensible security is a balance between security and convenience. So I urge QT to look into this problem to implement a solution such as putting the hashing functionality on the client side.

3++ In this connection, I have also seen some policies in which merchants claim/guarantee security because, although they save both CC numbers and the corresponding CVV codes, they delete all credit card information from their servers after 30 days. I hope you don't operate this way. The CVV code and the CC number should not be saved together as you do not need the info after the authorization and as long as the authorization is valid. The merchants that save them claim convenience because they need the CC info to process returns or to charge the customer the extra due to the difference between the return and substituted item in case of exchanges.

4++ By the way, in the current design, a mod is not needed for an admin to see a customer's passwd value. Just install the webdev plug-in into Firefox (FF). Then login as admin and bring up the customer's profile. Scroll down to the passwd section. Verify that it is masked, displaying as dots. Then (since you've installed the appropriate webdev FF plugin) reveal the passwd by clicking FF's Forms > Show passwords. Voila! The passwd exposed.
__________________
Recommend www.paintball-gear-supplies.com for good deals on camping & outdoor supplies. x-cart v4.1.10 on LAMP
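Added example, not part of any post in this thread and not X-Cart's own code: a sketch of the storage design that leaves nothing for an admin page or a browser plug-in to reveal, because only a salted one-way hash is kept and support is done through a single-use reset token. The function names and the in-memory `$db` array are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: hypothetical helper names; the $db array stands in for the
// customers table. This is not X-Cart code.

// Store only a salted, slow one-way hash; the clear text is never persisted.
function register_customer(array &$db, string $login, string $password): void
{
    $db[$login] = [
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
        'reset_hash'    => null,
        'reset_expires' => 0,
    ];
}

function check_login(array $db, string $login, string $password): bool
{
    return isset($db[$login])
        && password_verify($password, $db[$login]['password_hash']);
}

// Support path: instead of reading the password, issue a single-use token
// that is sent to the customer. Only its SHA-256 digest is stored.
function issue_reset_token(array &$db, string $login, int $ttl = 900): string
{
    $token = bin2hex(random_bytes(32));
    $db[$login]['reset_hash']    = hash('sha256', $token);
    $db[$login]['reset_expires'] = time() + $ttl;
    return $token;
}

function redeem_reset_token(array &$db, string $login, string $token, string $newPassword): bool
{
    $row = $db[$login] ?? null;
    if ($row === null || $row['reset_hash'] === null || time() > $row['reset_expires']) {
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    register_customer($db, $login, $newPassword); // re-hash and clear the token
    return true;
}

// Constructed sample data.
$db = [];
register_customer($db, 'alice', 'correct horse battery staple');
var_dump(check_login($db, 'alice', 'correct horse battery staple'));
$token = issue_reset_token($db, 'alice');
var_dump(redeem_reset_token($db, 'alice', $token, 'new passphrase')); // first use
var_dump(redeem_reset_token($db, 'alice', $token, 'again'));          // replayed token
```

With this layout the profile form has no password value to render, masked or otherwise, and a replayed or expired token is rejected.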
#44
Re: Displaying customer passwords to admin
Anyone tried in v4.4?
__________________
-------------- V4.6.1 xcartmods - Reboot Template X-cart - X-PDF Altered Cart - Checkout one
#45
Re: Displaying customer passwords to admin
Is there a way to only show the password for "Usertype" customer and not the Administrator?
__________________
4.1.11 gold x-special offers CDSEO Pro
#46
Re: Displaying customer passwords to admin
Quote:
You could encapsulate the code inside a {if $usertype ne "A"}code{/if}
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#47
Re: Displaying customer passwords to admin
I would also like to modify this so if the profile being viewed is an Admin, it does not show the password.
Quote:
If anyone figured this out, please post the code. The code already has an if statement about $usertype, referring to the active user, not the profile being viewed, and I don't know how to modify it. Code:
Thanks, Dan
__________________
X-Cart version 4.0.17 X-Cart version 4.0.18 Web servers = Apache OS = Linux
#48
Re: Displaying customer passwords to admin
In ver 4.4.4, how can I see the customer's password when I get a registration notice?
__________________
ver 4.1.10 and 4.4.4 xc-seo cdseo one page checkout mod 7dana remember me mod add to cart mod www.caworldwifi.com
#49
Re: Displaying customer passwords to admin
Not to be obtuse, but if you use Firefox there is a "web developer toolbar" addon that will allow you to see any passwords on the web page in the browser window.
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#50
Re: Displaying customer passwords to admin
I find this entire thread to be offensive.
There is a reason I use crappy temp passwords for ecom sites, simply because the passwords are meaningless. If anyone wants to know my order history at a website, let them crack my password. The fact that we (merchants) have the ability to see a user password is simply wrong. We should all stop buying from x-cart stores. Or shut down the password features -- and tell the customers as they "register" that their password is insecure. Carrie, I would pull this mod, but that's just me. Just because we can doesn't mean we should, right?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
X-Cart forums © 2001-2020