Post by Fredf » Fri Nov 13, 2015 11:01 pm

I was browsing the oc_setting table and was astonished to find the amount of extremely sensitive data that is stored in this table in plain text.

My UPS password and key are in plain text.

My USPS info is in plain text.

But most disturbing is the fact that my company's PayPal account - our username, password AND signature key are all stored in this table in PLAIN TEXT!

A third-party module - Advertikon Stripe - a credit card processing add-on - is also storing our company's live public and SECRET keys in plain text!

Guys, this is a huge no no!

For anyone using OC's built-in PayPal functionality or a third-party add-on for CC processing, I strongly suggest you incorporate your own encrypt/decrypt functions on this data, preferably using a salt with half stored in the DB and half in a config define.

We are doing this now.

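One way to implement the split-secret idea from the post above, as an added example (this is not OpenCart core code, not Fredf's code, and not the extension discussed later in the thread). It assumes PHP 8 with the OpenSSL extension, a hypothetical constant SETTING_KEY_PART in config.php holding one random half, a second random half stored in the database, and setting names modelled on OpenCart's (the list of sensitive keys is constructed for illustration):

```php
<?php
// Added example: encrypt sensitive oc_setting values so that a dump of the
// database alone is not enough to read them. Not OpenCart code.
//
// Assumptions (hypothetical names):
//   - SETTING_KEY_PART: 32 random bytes (hex) defined once in config.php.
//   - $dbPartHex: a second random part stored in the database; useless alone.
//   - Setting names such as payment_pp_standard_password are illustrative.

declare(strict_types=1);

final class SettingCipher
{
    private const PREFIX = 'enc:v1:';   // marks values that are ciphertext
    private string $key;                 // 32-byte AES-256 key

    public function __construct(string $configPartHex, string $dbPartHex)
    {
        $configPart = hex2bin($configPartHex);
        $dbPart     = hex2bin($dbPartHex);
        if ($configPart === false || $dbPart === false
            || strlen($configPart) < 16 || strlen($dbPart) < 16) {
            throw new RuntimeException('each key part must be at least 16 random bytes');
        }
        // Combine the two halves with HKDF: neither half alone is the key, and the
        // database half doubles as the salt the post talks about.
        $this->key = hash_hkdf('sha256', $configPart, 32, 'oc_setting-v1', $dbPart);
    }

    public function isEncrypted(string $value): bool
    {
        return str_starts_with($value, self::PREFIX);
    }

    // AES-256-GCM with the setting name as associated data, so a ciphertext
    // cannot be moved between rows (e.g. the PayPal password pasted into the
    // UPS password column) without failing authentication.
    public function encrypt(string $settingKey, string $plaintext): string
    {
        $iv  = random_bytes(12);
        $tag = '';
        $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', $this->key,
                               OPENSSL_RAW_DATA, $iv, $tag, $settingKey, 16);
        if ($ct === false) {
            throw new RuntimeException('encryption failed for ' . $settingKey);
        }
        return self::PREFIX . base64_encode($iv . $tag . $ct);
    }

    // Reverses encrypt(); rows that were never encrypted are passed through
    // unchanged so a store can migrate setting by setting.
    public function decrypt(string $settingKey, string $stored): string
    {
        if (!$this->isEncrypted($stored)) {
            return $stored;
        }
        $raw = base64_decode(substr($stored, strlen(self::PREFIX)), true);
        if ($raw === false || strlen($raw) < 12 + 16) {
            throw new RuntimeException('malformed ciphertext for ' . $settingKey);
        }
        $iv  = substr($raw, 0, 12);
        $tag = substr($raw, 12, 16);
        $ct  = substr($raw, 28);
        $pt  = openssl_decrypt($ct, 'aes-256-gcm', $this->key,
                               OPENSSL_RAW_DATA, $iv, $tag, $settingKey);
        if ($pt === false) {
            // Wrong key half, tampered row, or value moved to another setting.
            throw new RuntimeException('decryption failed for ' . $settingKey);
        }
        return $pt;
    }
}

// Constructed list of settings that must never be stored in the clear.
const SENSITIVE_SETTINGS = [
    'payment_pp_standard_password', 'payment_pp_standard_signature',
    'shipping_ups_password', 'shipping_ups_key',
    'shipping_usps_password', 'payment_stripe_secret_key',
];

// Usage: both parts are generated once at install time; here they are created
// on the fly so the example runs stand-alone.
$cipher = new SettingCipher(
    bin2hex(random_bytes(32)),   // would be SETTING_KEY_PART from config.php
    bin2hex(random_bytes(32))    // would be read back from the database
);
$stored = $cipher->encrypt('payment_pp_standard_password', 'hunter2');
echo $cipher->decrypt('payment_pp_standard_password', $stored) === 'hunter2'
    ? "round trip ok\n" : "round trip FAILED\n";
try {
    $cipher->decrypt('shipping_ups_password', $stored);   // same ciphertext, other row
} catch (RuntimeException $e) {
    echo "moved ciphertext rejected: " . $e->getMessage() . "\n";
}
```

The save path of the settings model would call encrypt() for keys in SENSITIVE_SETTINGS and the read path decrypt(); everything else stays as it is. Note that OpenCart's config.php itself lives inside the web root, so the config half only buys protection against an attacker who can read the database but not files; it does not help against a file-read or code-execution bug on the web server.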

Post by Tomit » Tue Dec 13, 2016 5:53 am

I read this post a few days ago, you are right, the table has a lot of sensitive data.

I am currently creating an extension to encrypt the settings table data when settings are saved, and it will automatically decrypt when settings are being read.

It's currently only available for the newest version, I am going to test it for every available version (at least for the latest 6 releases), because it can have quite a big impact on a store if anything goes wrong.

https://www.opencart.com/index.php?rout ... n_id=28739

If anyone is interested in helping with testing this module let me know, I'll send you the extension for free.


Post by IP_CAM » Tue Dec 13, 2016 9:44 am

If anyone is interested in helping with testing this module let me know, I'll send you the extension for free.
...then it will immediately be another 'OpenSource', downloadable from some known OC-specific freeware sites... :laugh:
You will get masses of PMs, I assume, so just be aware!
Good Luck ;)
Ernie

Ernie's OpenCart v.1.5.6.5 LIGHT + OpenShop Admin v.1.75 Test Sites
http://www.bigmax.ch - http://www.evelo.li - http://www.openshop.li

Post by Tomit » Tue Dec 13, 2016 8:44 pm

lol, you are right, I didn't think that one through :laugh:

OK, sorry to disappoint, but no free test for now.


Post by oclcas » Sat Dec 24, 2016 3:53 am

Correct me if I'm wrong, but if you encrypt the data in the database, but opencart can decrypt it whenever it needs, that means the decrypt key is accessible and therefore a hacker who's gotten into the server will still have access to everything they need to decrypt those credentials, no?


Post by Tomit » Sat Dec 24, 2016 4:09 am

oclcas wrote:
Correct me if I'm wrong, but if you encrypt the data in the database, but opencart can decrypt it whenever it needs, that means the decrypt key is accessible and therefore a hacker who's gotten into the server will still have access to everything they need to decrypt those credentials, no?

It depends: the extension saves the encryption key in a file on the server, so if they only manage to get data from the DB through SQL injection or MySQL vulnerabilities/credentials, they will not be able to decrypt it.

If they have file access they will be able to decrypt it, if they find the key, but in general getting file access is not as common as MySQL problems.

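A small audit for the threat model discussed in the last two posts, added here as an example (not OpenCart code and not the extension from this thread). It answers two questions a store owner can check today: which credential-like settings a database-only attacker (SQL injection, leaked MySQL credentials) would read in the clear, and whether a file-based key is placed where the web server cannot hand it out. It assumes PHP 8, a hypothetical "enc:v1:" prefix on encrypted values, and constructed rows standing in for `SELECT key, value FROM oc_setting`:

```php
<?php
// Added example: audit oc_setting rows and the key file location. Not
// OpenCart code. Assumes PHP 8; the prefix, rows and paths are hypothetical.

declare(strict_types=1);

const ENC_PREFIX = 'enc:v1:';

// Heuristic name patterns for settings that hold credentials.
const SENSITIVE_PATTERNS = ['/_password$/', '/_secret(_key)?$/', '/_signature$/', '/_key$/'];

// Returns the setting keys whose value is non-empty, looks like a credential
// by name, and is not marked as encrypted: exactly what a DB dump exposes.
function findPlaintextSecrets(array $rows): array
{
    $hits = [];
    foreach ($rows as $row) {
        $key   = (string) $row['key'];
        $value = (string) $row['value'];
        if ($value === '' || str_starts_with($value, ENC_PREFIX)) {
            continue;   // nothing stored, or already ciphertext
        }
        foreach (SENSITIVE_PATTERNS as $re) {
            if (preg_match($re, $key) === 1) {
                $hits[] = $key;
                break;
            }
        }
    }
    return $hits;
}

// Returns a list of problems with where and how the key file is stored.
// An attacker who can only read the database never sees this file; the checks
// are about not widening that to anyone who can fetch URLs or share the host.
function checkKeyFile(string $keyFile, string $docRoot): array
{
    $problems = [];
    $real = realpath($keyFile);
    if ($real === false) {
        return ['key file does not exist: ' . $keyFile];
    }
    $root = realpath($docRoot);
    if ($root !== false
        && str_starts_with($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR)) {
        $problems[] = 'key file is inside the web root; a misconfigured handler '
                    . 'or a path traversal bug serves it as a download';
    }
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        $problems[] = sprintf('key file mode %04o is readable by group/other', $mode);
    }
    if (filesize($real) < 32) {
        $problems[] = 'key file is shorter than 32 bytes; too little entropy for AES-256';
    }
    return $problems;
}

// Constructed sample rows (names modelled on OpenCart setting keys).
$rows = [
    ['key' => 'config_name',                   'value' => 'Example Store'],
    ['key' => 'payment_pp_standard_email',     'value' => 'shop@example.com'],
    ['key' => 'payment_pp_standard_password',  'value' => 'hunter2'],
    ['key' => 'payment_pp_standard_signature', 'value' => 'enc:v1:AAAA'],
    ['key' => 'shipping_ups_key',              'value' => 'ABCDEF0123456789'],
    ['key' => 'shipping_usps_password',        'value' => ''],
];

$leaks = findPlaintextSecrets($rows);
echo "stored in the clear: " . implode(', ', $leaks) . "\n";

// Key file check against a temporary file created with safe permissions.
$keyFile = tempnam(sys_get_temp_dir(), 'ockey');
file_put_contents($keyFile, random_bytes(32));
chmod($keyFile, 0600);
$problems = checkKeyFile($keyFile, '/var/www/html');
echo $problems ? implode("\n", $problems) . "\n" : "key file placement looks fine\n";
unlink($keyFile);
```

On the sample rows only the PayPal password and the UPS key are reported: the signature is already ciphertext, the USPS password is empty, and the other two keys do not match any credential pattern. On a real store, replace the array with the result of the SELECT and point the second check at the path the extension writes its key to; a clean result means a SQL injection or stolen MySQL login yields ciphertext only, which is the boundary Tomit describes.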