OSCommerce Product Manager


FS#260 - Use any database password when connecting.

Attached to Project: OSCommerce Product Manager
Opened by Mario A. Valdez-Ramirez (mvaldez) - Thursday, 01 September 2005, 04:23 GMT-6
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Monday, 14 May 2007, 06:17 GMT-6
Task Type: Bug Report
Category: Backend / Core
Status: Assigned
Assigned To: Mario A. Valdez-Ramirez (mvaldez)
Operating System: All
Severity: Low
Priority: Low
Reported Version: any
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Currently, you must enter the same user/password as the osCommerce scripts. Or you must force a fixed password in the server-side script. Or worse, you must disable authentication altogether (which should never be done, except when debugging).

We should be able to use any valid user/password available.

Comment by Mario A. Valdez-Ramirez (mvaldez) - Monday, 14 May 2007, 05:50 GMT-6
The server-side script doesn't really authenticate itself to MySQL using the credentials sent by the OSCPMWin application. It always uses the connection data found in the configuration file of osCommerce. So, we have no way to authenticate with alternative credentials. (We authenticate the client just by comparing the salted hash the client sent with the salted hash of the osCommerce password.)
Comment by Mario A. Valdez-Ramirez (mvaldez) - Monday, 14 May 2007, 05:52 GMT-6
I really don't think we should worry about this. There are no additional risks when using the same password as osCommerce. Because: the password is never sent in clear text, but salted and hashed, and the password used needs exactly the same permissions as the one used by osCommerce.

Comment by Mario A. Valdez-Ramirez (mvaldez) - Monday, 14 May 2007, 06:17 GMT-6
Lowering Priority and Severity to Low and Minor.
