
Displaying customer passwords to admin

 
#61 | JWait | 11-22-2011, 06:43 AM

Your "design defect" appears in nearly every instance where there is a password involved on the internet.
__________________
Two Separate X-Cart Stores
Version 4.4.4 Gold - X-AOM - Vivid Dreams Aquamarine (modified) - Linux
Mods - Newest Products - View All -, and a few others. Numerous upgrades from 4.0.x series.
Integrated with Stone Edge Order Manager + POS

Version 4.1.12 Gold (fresh install) - X-AOM - Linux
Mods - XCSEO free

#62 | carpeperdiem | 11-22-2011, 06:46 AM

Quote:
Originally Posted by JWait
Your "design defect" appears in nearly every instance where there is a password involved on the internet.

Does that make it "right"?
__________________
xcart 4.5.4 gold+ w/x-payments 1.0.6; xcart gold 4.4.4

#63 | exsecror | 11-22-2011, 06:56 AM

I have to agree with carpeperdiem. In fact, I don't even agree with the fact that the passwords in X-Cart by default use a method that allows the passwords to even be decrypted. We re-wrote our system to use a one-way SHA512 hash for all passwords; that way there's no way to access them or retrieve them (customers are required to reset them).
Reply With Quote
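
The approach described in post #63 (one-way storage, with a reset instead of retrieval) can be sketched as below. This is an added example, not part of the original post and not X-Cart's code; it uses PHP's salted, deliberately slow `password_hash()` in place of a bare SHA512 hash, and the array-based customer record and all function names are hypothetical.

```php
<?php
// Added example: one-way password storage with reset instead of retrieval.
// $customer is a hypothetical in-memory record, not X-Cart's schema.

function store_password(array $customer, string $plain): array
{
    // Salted, slow one-way hash: nothing an admin page could decrypt or display.
    $customer['password_hash'] = password_hash($plain, PASSWORD_DEFAULT);
    // Any pending reset token is invalidated once a password is set.
    unset($customer['reset_token_hash'], $customer['reset_expires']);
    return $customer;
}

function check_login(array $customer, string $plain): bool
{
    return isset($customer['password_hash'])
        && password_verify($plain, $customer['password_hash']);
}

// Admin or customer requests a reset: the clear token is sent to the customer,
// only its SHA-256 digest and an expiry time are stored.
function begin_reset(array $customer, int $now, int $ttl = 3600): array
{
    $token = bin2hex(random_bytes(32));
    $customer['reset_token_hash'] = hash('sha256', $token);
    $customer['reset_expires'] = $now + $ttl;
    return [$customer, $token];
}

function finish_reset(array $customer, string $token, string $newPlain, int $now): ?array
{
    if (!isset($customer['reset_token_hash'], $customer['reset_expires'])
        || $now > $customer['reset_expires']
        || !hash_equals($customer['reset_token_hash'], hash('sha256', $token))) {
        return null; // missing, expired or wrong token: password stays unchanged
    }
    return store_password($customer, $newPlain); // also clears the used token
}

// Constructed sample data.
$c = store_password(['login' => 'alice'], 'old passphrase');
var_dump(check_login($c, 'old passphrase'));
[$c, $token] = begin_reset($c, time());
var_dump(finish_reset($c, 'wrong-token', 'ignored', time()));
$c = finish_reset($c, $token, 'new passphrase', time());
var_dump(check_login($c, 'old passphrase'), check_login($c, 'new passphrase'));
```

With this layout the stored record never contains anything from which the original password can be recovered, so an admin view can only offer the reset path.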

#64 | BCSE | 11-22-2011, 08:50 AM

Jeremy,

I put a post in the original thread to use at your own risk and it may violate current PCI compliance rules. I also was surprised that you could 'see' the customer's password back when I wrote the mod in 2004, but at the time it was a convenience as there was no way to 'operate as this user' etc in those versions of X-cart. I can definitely see how it's something people shouldn't use anymore. We never used it ourselves but had lots of requests for it, which is why I created that simple code change back then.

thanks,

Carrie
__________________
Custom Development, Custom Coding and Pre-built modules for X-cart since 2002!

We support X-cart versions 3.x through 5.x!

Home of the famous Authorize.net DPM & CIM Modules, Reward Points Module, Point of Sale module, Speed Booster modules and more!


Over 200 X-cart Mods available & Thousands of Customizations Since 2002 - bcsengineering.com

Please E-Mail us for questions/support!

#65 | carpeperdiem | 11-22-2011, 08:58 AM

Quote:
Originally Posted by BCSE
Jeremy,

I put a post in the original thread to use at your own risk and it may violate current PCI compliance rules. I also was surprised that you could 'see' the customer's password back when I wrote the mod in 2004, but at the time it was a convenience as there was no way to 'operate as this user' etc in those versions of X-cart. I can definitely see how it's something people shouldn't use anymore. We never used it ourselves but had lots of requests for it, which is why I created that simple code change back then.

thanks,

Carrie

Carrie,

No blame to BCS here -- this is an xcart vulnerability and your mod simply does what Firefox web developer also does, which is make the unencrypted password visible.

I am fairly certain that KNOWING about this and NOT patching it will make our PCI survey blow up - I mean, how can we honestly answer the questions re: password privacy knowing this information?

I'm gonna ask qualiteam to patch this going forward.

Can you (or anyone) come up with a situation where a merchant needs to see a customer password? I can't think of any situation - and in 13 years of ecom, I've never needed this function. As long as we have password recovery tools that work, and the admin can force a temp password on an account, why on earth would an admin want/need to see a password? If someone has a reasonable answer with a real-world situation, please share!

#66 | carpeperdiem | 11-22-2011, 09:25 AM

https://bugtracker.qtmsoft.com/view.php?id=40622

#67 | chiactivate | 01-18-2012, 04:24 PM

It works for 4.4x too.

File is under:

/skin/common_files/main/register_account.tpl
__________________
www.ChiMassager.com
X-cart Version 4.44

www.SEOMarketing30days.com
--> Download FREE SEO marketing Ebook (valued $50)
Attract more visitors and sales with top 5 most powerful SEO marketing strategies. Converting visitors into buyers, not just traffic!

#68 | chiactivate | 04-23-2014, 01:56 PM

How about for version 4.6?

Did anyone make it work (show the password)?

#69 | BCSE | 04-23-2014, 07:09 PM

Quote:
Originally Posted by chiactivate
How about for version 4.6?

Did anyone make it work (show the password)?


You can't. Resetting it for a customer is the best you can do.

Carrie

The following user thanks BCSE for this useful post:
qualiteam (04-23-2014)

All times are GMT -8.