CreditCard Entity XML export

CreditCard Entity XML export

Stephen Rufle-2
I created Credit Card entries using OfBiz 10.04. In the Web Tools and
when I export to XML I can see the credit card number I entered in plain
text. I expected that they would show up like UserLogin.currentPassword.
I am currently using test card numbers. Is it possible there is a
property file setting I am missing? Otherwise it looks like if a
malicious user was able to get access to the "Web Tools" application
they could steal credit card numbers.

I checked the credit_card database table using a sql tool and the values
do look encrypted in some way, but unlike the user_login table it does
not have an SHA prefix "{SHA}[long string of digits]"

Re: CreditCard Entity XML export

BJ Freeman
How were the CC entered?

=========================
BJ Freeman
Strategic Power Office with Supplier Automation  <http://www.businessesnetwork.com/automation/viewforum.php?f=52>
Specialtymarket.com  <http://www.specialtymarket.com/>
Systems Integrator-- Glad to Assist

Chat  Y! messenger: bjfr33man


Stephen Rufle sent the following on 1/28/2011 6:36 AM:

> I created Credit Card entries using OfBiz 10.04. In the Web Tools and
> when I export to XML I can see the credit card number I entered in plain
> text. I expected that they would show up like UserLogin.currentPassword.
> I am currently using test card numbers. Is it possible there is a
> property file setting I am missing? Otherwise it looks like if a
> malicious user was able to get access to the "Web Tools" application
> they could steal credit card numbers.
>
> I checked the credit_card database table using a sql tool and the values
> do look encrypted in some way, but unlike the user_login table it does
> not have an SHA prefix "{SHA}[long string of digits]"
>


Re: CreditCard Entity XML export

Scott Gray-2
In reply to this post by Stephen Rufle-2
It's a two-way encryption (for obvious reasons), I'm pretty sure the numbers remain encrypted when viewed through webtools but are purposely decrypted when exporting the table to facilitate database migrations and the like.

Regards
Scott

HotWax Media
http://www.hotwaxmedia.com

On 29/01/2011, at 3:36 AM, Stephen Rufle wrote:

> I created Credit Card entries using OfBiz 10.04. In the Web Tools and when I export to XML I can see the credit card number I entered in plain text. I expected that they would show up like UserLogin.currentPassword. I am currently using test card numbers. Is it possible there is a property file setting I am missing? Otherwise it looks like if a malicious user was able to get access to the "Web Tools" application they could steal credit card numbers.
>
> I checked the credit_card database table using a sql tool and the values do look encrypted in some way, but unlike the user_login table it does not have an SHA prefix "{SHA}[long string of digits]"



Re: CreditCard Entity XML export

Stephen Rufle-2
But if you can ever see them in webtools, isn't that an issue? I thought
they should be treated the same as passwords.

My example was from logging in as admin then going to
https://demo-trunk.ofbiz.apache.org:8443/webtools/control/FindGeneric?entityName=CreditCard&find=true&VIEW_SIZE=50&VIEW_INDEX=0

On 1/28/2011 1:17 PM, Scott Gray wrote:

> It's a two-way encryption (for obvious reasons), I'm pretty sure the
> numbers remain encrypted when viewed through webtools but are
> purposely decrypted when exporting the table to facilitate database
> migrations and the like.
>
> Regards Scott
>
> HotWax Media http://www.hotwaxmedia.com
>
> On 29/01/2011, at 3:36 AM, Stephen Rufle wrote:
>
>> I created Credit Card entries using OfBiz 10.04. In the Web Tools
>> and when I export to XML I can see the credit card number I entered
>> in plain text. I expected that they would show up like
>> UserLogin.currentPassword. I am currently using test card numbers.
>> Is it possible there is a property file setting I am missing?
>> Otherwise it looks like if a malicious user was able to get access
>> to the "Web Tools" application they could steal credit card
>> numbers.
>>
>> I checked the credit_card database table using a sql tool and the
>> values do look encrypted in some way, but unlike the user_login
>> table it does not have an SHA prefix "{SHA}[long string of
>> digits]"
>

Re: CreditCard Entity XML export

Scott Gray-2
Yeah I was wrong, it isn't encrypted when displayed in webtools.  I guess the rationale is that if you've got access to webtools then you can pretty much do anything you like, even if they were displayed encrypted the user would also have access to the key that was used to encrypt them anyway.

Passwords are different because they are one-way encrypted.

Regards
Scott

On 29/01/2011, at 9:42 AM, Stephen Rufle wrote:

> But if you can ever see them in webtools, isn't that an issue? I thought they should be treated the same as passwords.
>
> My example was from logging in as admin then going to
> https://demo-trunk.ofbiz.apache.org:8443/webtools/control/FindGeneric?entityName=CreditCard&find=true&VIEW_SIZE=50&VIEW_INDEX=0
>
> On 1/28/2011 1:17 PM, Scott Gray wrote:
>> It's a two-way encryption (for obvious reasons), I'm pretty sure the
>> numbers remain encrypted when viewed through webtools but are
>> purposely decrypted when exporting the table to facilitate database
>> migrations and the like.
>>
>> Regards Scott
>>
>> HotWax Media http://www.hotwaxmedia.com
>>
>> On 29/01/2011, at 3:36 AM, Stephen Rufle wrote:
>>
>>> I created Credit Card entries using OfBiz 10.04. In the Web Tools
>>> and when I export to XML I can see the credit card number I entered
>>> in plain text. I expected that they would show up like
>>> UserLogin.currentPassword. I am currently using test card numbers.
>>> Is it possible there is a property file setting I am missing?
>>> Otherwise it looks like if a malicious user was able to get access
>>> to the "Web Tools" application they could steal credit card
>>> numbers.
>>>
>>> I checked the credit_card database table using a sql tool and the
>>> values do look encrypted in some way, but unlike the user_login
>>> table it does not have an SHA prefix "{SHA}[long string of
>>> digits]"
>>
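
The distinction drawn in this thread between the one-way password column and the two-way encrypted card column, as an added Java example that is not part of the original posts and is not OFBiz code. AES-GCM, the class and method names, and the masking step are assumptions chosen for illustration; the password and card number are constructed test values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added illustration, not OFBiz code. The cipher choice and all names are assumptions.
public class StoredSecretDemo {
    // One-way: only a digest is stored, so no tool can display the original value.
    // The "{SHA}" prefix mirrors the one mentioned in the thread; shown for the one-way property only.
    static String hashForStorage(String password) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1")
                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder("{SHA}");
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
    // Two-way: ciphertext is stored, but any code path holding the key recovers the number.
    static byte[] encrypt(SecretKey key, byte[] iv, String pan) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return c.doFinal(pan.getBytes(StandardCharsets.UTF_8));
    }
    static String decrypt(SecretKey key, byte[] iv, byte[] stored) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return new String(c.doFinal(stored), StandardCharsets.UTF_8);
    }
    // What an admin view or export could emit instead of the decrypted value.
    static String mask(String pan) {
        int keep = Math.min(4, pan.length());
        return "*".repeat(pan.length() - keep) + pan.substring(pan.length() - keep);
    }
    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();   // stands in for the application's stored key
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        String pan = "4111111111111111";    // constructed test number, not a real card
        byte[] stored = encrypt(key, iv, pan);
        System.out.println("password column : " + hashForStorage("constructed-password"));
        System.out.println("card column     : " + stored.length + " bytes of ciphertext");
        System.out.println("tool with key   : " + decrypt(key, iv, stored));
        System.out.println("masked output   : " + mask(decrypt(key, iv, stored)));
    }
}
```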

