Displaying customer passwords to admin
#61
Re: Displaying customer passwords to admin
Your "design defect" appears in nearly every instance where there is a password involved on the internet.
__________________
Two Separate X-Cart Stores Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series. Integrated with Stone Edge Order Manager + POS Version 4.1.12 Gold (fresh install) - X-AOM - Linux Mods - XCSEO free
#62
Re: Displaying customer passwords to admin
Does that make it "right"?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#63
Re: Displaying customer passwords to admin
I have to agree with carpeperdiem. In fact, I don't even agree with the fact that the passwords in X-Cart by default use a method that allows the passwords to even be decrypted. We re-wrote our system to use a one-way SHA512 hash for all passwords; that way there's no way to access them or retrieve them (customers are required to reset them).
#64
Re: Displaying customer passwords to admin
Jeremy,

I put a post in the original thread to use at your own risk and it may violate current PCI compliance rules. I also was surprised that you could 'see' the customer's password back when I wrote the mod in 2004, but at the time it was a convenience as there was no way to 'operate as this user' etc. in those versions of X-Cart. I can definitely see how it's something people shouldn't use anymore. We never used it ourselves but had lots of requests for it, which is why I created that simple code change back then.

Thanks,
Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002! We support X-cart versions 3.x through 5.x! Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more! Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com Please E-Mail us for questions/support!
#65
Re: Displaying customer passwords to admin
Carrie,

No blame to BCS here -- this is an X-Cart vulnerability and your mod simply does what Firefox web developer also does, which is make the unencrypted password visible. I am fairly certain that KNOWING about this and NOT patching it will make our PCI survey blow up - I mean, how can we honestly answer the questions re: password privacy knowing this information? I'm gonna ask Qualiteam to patch this going forward.

Can you (or anyone) come up with a situation where a merchant needs to see a customer password? I can't think of any situation - and in 13 years of ecom, I've never needed this function. As long as we have password recovery tools that work, and the admin can force a temp password on an account, why on earth would an admin want/need to see a password? If someone has a reasonable answer with a real-world situation, please share!
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
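The storage model argued for in posts #63 and #65, as an added example that is not part of the thread or of X-Cart's code: passwords are kept only as a salted one-way digest, so an admin can force a temporary password but can never display the existing one. It uses PBKDF2-HMAC-SHA512 with a per-account salt rather than the plain SHA512 hash mentioned in #63; the record layout, function names and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 210_000  # assumed work factor for PBKDF2-HMAC-SHA512

def hash_password(password: str) -> dict:
    """Return the only fields the store keeps: salt, iterations, digest, flag."""
    salt = secrets.token_bytes(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest,
            "must_change": False}

def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha512", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])

def admin_reset(accounts: dict, login: str) -> str:
    """Admin action: replace the credential with a random temporary one.

    The temporary password is returned once for delivery to the customer;
    the old password is never read, because the digest cannot be reversed.
    """
    temp = secrets.token_urlsafe(12)
    record = hash_password(temp)
    record["must_change"] = True  # customer must pick a new password at login
    accounts[login] = record
    return temp

def demo() -> dict:
    # Constructed sample account; login and password are hypothetical.
    login, old = "customer@example.com", "correct horse battery"
    accounts = {login: hash_password(old)}
    before = verify_password(accounts[login], old)
    temp = admin_reset(accounts, login)
    rec = accounts[login]
    return {
        "login_before_reset": before,
        "old_password_after_reset": verify_password(rec, old),
        "temp_password_works": verify_password(rec, temp),
        "must_change": rec["must_change"],
        "stored_fields": sorted(rec),  # no plaintext or decryptable field
    }

if __name__ == "__main__":
    print(demo())
```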
#66
Re: Displaying customer passwords to admin
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4
#67
Re: Displaying customer passwords to admin
It works for 4.4x too.
File is under: /skin/common_files/main/register_account.tpl
__________________
www.ChiMassager.com X-cart Version 4.44 www.SEOMarketing30days.com --> Download FREE SEO marketing Ebook (valued $50) Attract more visitors and sales with top 5 most powerful SEO marketing strategies. Converting visitors into buyers, not just traffic!
#68
Re: Displaying customer passwords to admin
How about for version 4.6?
Did anyone make it work (show the password)?
__________________
www.ChiMassager.com X-cart Version 4.44 www.SEOMarketing30days.com --> Download FREE SEO marketing Ebook (valued $50) Attract more visitors and sales with top 5 most powerful SEO marketing strategies. Converting visitors into buyers, not just traffic!
#69
Re: Displaying customer passwords to admin
You can't. Resetting it for a customer is the best you can do.

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002! We support X-cart versions 3.x through 5.x! Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more! Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com Please E-Mail us for questions/support!
X-Cart forums © 2001-2020