on password encryption and storage

From: Arjen L.
Sent on: Wednesday, 18 July 2012, 9:38 am
Hi all

While code audits are not the kind of work Open Query engages in, we do advise, audit and help improve architecture and security. During a discussion with a developer at a client last week, the method of password encryption/storage by their new e-commerce platform came up (replacing an older system), and because of some things that were stated about how it worked, I asked to have a brief look at the code.
A can of worms it was...

I published an article on the password encryption method that osCommerce (< v2.3) and most of its derivatives use (that includes ZenCart, CRELoaded and many more).
  See https://openquery....

In a nutshell, the code is very insecure and likely to cause you grief.
Of course it's a pest since this is not your code, so a pragmatic fix is also suggested.
Please action this.

Note that new laws are coming into place in Australia that will force everybody to be quite a bit more responsible with user data. Best to keep it secure.

Also mind that CRELoaded somehow passed its PCI DSS certification with this code in place, while it clearly breaches basic safety guidelines. So, it slipped through. PCI DSS and other certification on e-commerce components are *not* a guarantee that the code is good/safe.

