OSCommerce Product Manager for Windows
FS#260 - Use any database password when connecting.
Attached to Project:
OSCommerce Product Manager
Opened by Mario A. Valdez-Ramirez (mvaldez) - Thursday, 01 September 2005, 09:23 GMT
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Monday, 14 May 2007, 11:17 GMT
Details
Currently, you must enter the same user/password as the osCommerce scripts. Or you must force a fixed password in the server-side script. Or worse, you must disable authentication altogether (which should never be done, except when debugging).
We should be able to use any valid user/password available.
The server-side script doesn't really authenticate itself to MySQL using the credentials sent by the OSCPMWin application. It always uses the connection data found in the configuration file of osCommerce. So, we have no way to authenticate with alternative credentials. (We authenticate the client just by comparing the salted hash the client sent with the salted hash of the osCommerce password.)
I really don't think we should worry about this. There are no additional risks when using the same password as osCommerce, because the password is never sent in clear text, but salted and hashed, and the password used needs exactly the same permissions as the one used by osCommerce.
Lowering Priority and Severity to Low and Minor.
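
The salted-hash comparison described in the comments above, sketched as an added example that is not the project's server-side script. It shows why only the password from the osCommerce configuration can be accepted: the server has nothing else to recompute the hash from. The hash algorithm (SHA-256), the one-time server-issued salt, the function names and the sample password are all assumptions; the ticket does not state them.

```php
<?php
// Added illustration; not the OSCPMWin server-side script.
// Assumptions: SHA-256, a one-time salt issued by the server, and a
// placeholder password standing in for the one in osCommerce's configuration.

const CONFIGURED_DB_PASSWORD = 'example-db-password'; // constructed sample value

// Server: issue a fresh random salt for this login attempt.
function issue_salt(): string
{
    return bin2hex(random_bytes(16));
}

// Both sides: salted hash of the password. Only this value crosses the wire.
function salted_hash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

// Server: recompute from the configured password and compare in constant time.
// The salt is consumed on first use so a captured hash cannot be replayed.
function verify_client(array &$pending, string $salt, string $clientHash): bool
{
    if (!isset($pending[$salt])) {
        return false; // unknown or already used salt
    }
    unset($pending[$salt]);
    return hash_equals(salted_hash($salt, CONFIGURED_DB_PASSWORD), $clientHash);
}

$pending = [];

// Case 1: client knows the configured password.
$salt = issue_salt();
$pending[$salt] = true;
$hash = salted_hash($salt, 'example-db-password');
var_dump(verify_client($pending, $salt, $hash));

// Case 2: the same salt and hash presented a second time.
var_dump(verify_client($pending, $salt, $hash));

// Case 3: a different MySQL account's password; the server cannot verify it
// because it only holds the configured one.
$salt2 = issue_salt();
$pending[$salt2] = true;
var_dump(verify_client($pending, $salt2, salted_hash($salt2, 'other-user-pw')));
```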