I was browsing the oc_setting table as was astonished to find the amount of extremely sensitive data is stored in this table in plain text.
My UPS password and key are in plain text.
My USPS info is in plain text.
But most disturbing is the fact that my company's PayPal account - our username, password AND signature key are all stored in this table in PLAIN TEXT!
A third-party module - Advertikon Stripe - a credit card processing add on - is also storing our company's live public and SECRET keys in plain text!
Guys, this is a huge no no!
For anyone using OCs built-in PayPal functionality or a third-party add on for cc processing I strongly suggest you incorporate your own encrypt/decrypt functions on this data, preferably using a salt with half stored in the db and half in a config define.
We are doing this now.
I read this post a few days ago, you are right, the table has a lot of sensitive data.
I am currently creating an extension to encrypt the settings table data when settings are saved, and it will automatically decrypt when settings are being read.
It's currently only available for the newest version, I am going to test it for every available version (at least for the latest 6 releases), because it can have quite a big impact on a store if anything goes wrong.
https://www.opencart.com/index.php?rout ... n_id=28739
If anyone is interested in helping with testing this module let me know, I'll send you the extension for free.
I am currently creating an extension to encrypt the settings table data when settings are saved, and it will automatically decrypt when settings are being read.
It's currently only available for the newest version, I am going to test it for every available version (at least for the latest 6 releases), because it can have quite a big impact on a store if anything goes wrong.
https://www.opencart.com/index.php?rout ... n_id=28739
If anyone is interested in helping with testing this module let me know, I'll send you the extension for free.
If anyone is interested in helping with testing this module let me know, I'll send you the extension for free.
...then, it will be another 'OpenSource' immediately, downloadable from some known OC-specific freeware Sites...
you will get masses of PM's, I assume, so, just be aware !
Good Luck
Ernie
...then, it will be another 'OpenSource' immediately, downloadable from some known OC-specific freeware Sites...
you will get masses of PM's, I assume, so, just be aware !
Good Luck
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
Correct me if I'm wrong, but if you encrypt the data in the database, but opencart can decrypt it whenever it needs, that means the decrypt key is accessible and therefore a hacker who's gotten into the server will still have access to everything they need to decrypt those credentials, no?
It depends, the extension saves the encryption key in a file on the server, so if they only manage to get data from the db with sql injection or mysql vulnerabilities / credentials they will not be able to decrypt it.oclcas wrote:Correct me if I'm wrong, but if you encrypt the data in the database, but opencart can decrypt it whenever it needs, that means the decrypt key is accessible and therefore a hacker who's gotten into the server will still have access to everything they need to decrypt those credentials, no?
If they have file access they will be able to decrypt it, if they find the key, but in general getting file access is not as common as mysql problems.
Who is online
Users browsing this forum: No registered users and 35 guests
