My UPS password and key are in plain text.
My USPS info is in plain text.
But most disturbing is the fact that my company's PayPal account - our username, password AND signature key are all stored in this table in PLAIN TEXT!
A third-party module - Advertikon Stripe - a credit card processing add on - is also storing our company's live public and SECRET keys in plain text!
Guys, this is a huge no no!
For anyone using OCs built-in PayPal functionality or a third-party add on for cc processing I strongly suggest you incorporate your own encrypt/decrypt functions on this data, preferably using a salt with half stored in the db and half in a config define.
We are doing this now.
I am currently creating an extension to encrypt the settings table data when settings are saved, and it will automatically decrypt when settings are being read.
It's currently only available for the newest version, I am going to test it for every available version (at least for the latest 6 releases), because it can have quite a big impact on a store if anything goes wrong.
https://www.opencart.com/index.php?rout ... n_id=28739
If anyone is interested in helping with testing this module let me know, I'll send you the extension for free.
...then, it will be another 'OpenSource' immediately, downloadable from some known OC-specific freeware Sites...
you will get masses of PM's, I assume, so, just be aware !
For Sale: Turnkey URLs with Opencart installed
My present Opencart Testsite: http://www.velomech.ch/shop/
Attacker IP Blocks are denied from further access to my Sites!
Just contact me for more Information at: email@example.com
690 FREE OC Extension-Repositories - from OC v.1.5.x up
on the largest Opencart-Mod Github Site: https://github.com/IP-CAM
It depends, the extension saves the encryption key in a file on the server, so if they only manage to get data from the db with sql injection or mysql vulnerabilities / credentials they will not be able to decrypt it.oclcas wrote:Correct me if I'm wrong, but if you encrypt the data in the database, but opencart can decrypt it whenever it needs, that means the decrypt key is accessible and therefore a hacker who's gotten into the server will still have access to everything they need to decrypt those credentials, no?
If they have file access they will be able to decrypt it, if they find the key, but in general getting file access is not as common as mysql problems.
Users browsing this forum: No registered users and 10 guests