CreditCard Entity XML export
Locked
CreditCard Entity XML export
 
|
Re: CreditCard Entity XML export
|
|
Re: CreditCard Entity XML export
|
|
In reply to this post by Stephen Rufle-2
It's a two-way encryption (for obvious reasons), I'm pretty sure the numbers remain encrypted when viewed through webtools but are purposely decrypted when exporting the table to facilitate database migrations and the like.
Regards Scott HotWax Media http://www.hotwaxmedia.com On 29/01/2011, at 3:36 AM, Stephen Rufle wrote: > I created Credit Card entries using OfBiz 10.04. In the Web Tools and when I export to XML I can see the credit card number I entered in plain text. I expected that they would show up like UserLogin.currentPassword. I am currently using test card numbers. Is it possible there is a property file setting I am missing? Otherwise it looks like if a malicious user was able to get access to the "Web Tools" application they could steal credit card numbers. > > I checked the credit_card database table using a sql tool and the values do look encrypted in some way, but unlike the user_login table it does not have an SHA prefix "{SHA}[long string of digits]" |
smime.p7s (3K)
Re: CreditCard Entity XML export
|
|
Re: CreditCard Entity XML export
|
|
Yeah I was wrong, it isn't encrypted when displayed in webtools. I guess the rationale is that if you've got access to webtools then you can pretty much do anything you like, even if they were displayed encrypted the user would also have access to the key that was used to encrypt them anyway.
Passwords are different because they are one-way encrypted. Regards Scott On 29/01/2011, at 9:42 AM, Stephen Rufle wrote: > But if you can ever see them in webtools isn't that an issue. I thought they should be treated the same as passwords. > > My example was from logging in as admin then going to > https://demo-trunk.ofbiz.apache.org:8443/webtools/control/FindGeneric?entityName=CreditCard&find=true&VIEW_SIZE=50&VIEW_INDEX=0 > > On 1/28/2011 1:17 PM, Scott Gray wrote: >> It's a two-way encryption (for obvious reasons), I'm pretty sure the >> numbers remain encrypted when viewed through webtools but are >> purposely decrypted when exporting the table to facilitate database >> migrations and the like. >> >> Regards Scott >> >> HotWax Media http://www.hotwaxmedia.com >> >> On 29/01/2011, at 3:36 AM, Stephen Rufle wrote: >> >>> I created Credit Card entries using OfBiz 10.04. In the Web Tools >>> and when I export to XML I can see the credit card number I entered >>> in plain text. I expected that they would show up like >>> UserLogin.currentPassword. I am currently using test card numbers. >>> Is it possible there is a property file setting I am missing? >>> Otherwise it looks like if a malicious user was able to get access >>> to the "Web Tools" application they could steal credit card >>> numbers. >>> >>> I checked the credit_card database table using a sql tool and the >>> values do look encrypted in some way, but unlike the user_login >>> table it does not have an SHA prefix "{SHA}[long string of >>> digits]" >> |
| Free forum by Nabble | Edit this page |