OSCommerce Product Manager

OSCommerce Product Manager for Windows

FS#146 - Upload script has no authentication mechanism.

Attached to Project: OSCommerce Product Manager
Opened by Mario A. Valdez-Ramirez (mvaldez) - Monday, 17 January 2005, 16:42 GMT-5
Last edited by Mario A. Valdez-Ramirez (mvaldez) - Tuesday, 18 January 2005, 08:05 GMT-5
Task Type: Bug Report
Category: Backend / Core
Status: Closed
Assigned To: Mario A. Valdez-Ramirez (mvaldez)
Operating System: All
Severity: Very Low
Priority: Immediate
Reported Version: any
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No


The upload script does not have any authentication mechanism active. The password is passed but no password is checked.

Originally the idea was to check if there was already a password set. If there was not, one was created.

That's not very complex but now I think we should use a simpler mechanism. Let's retrieve the hashing of the database for the admin account (or something similar) and then let the oscpmwin application send a hash of the user-provided password.

That way, no password is ever sent on line, only the hashings.

Pending to check.

Closed by  Mario A. Valdez-Ramirez (mvaldez)
Tuesday, 18 January 2005, 08:05 GMT-5
Comment by Mario A. Valdez-Ramirez (mvaldez) - Tuesday, 18 January 2005, 08:05 GMT-5

Now the upload password is always the database password. Now the application sends a timestamp string and the hash of the database password salted with the timestamp. This allows authentication without the need to have another password, there is no need to read the OSCommerce database to read/write that password, and the password is never sent as clear-text to the PHP upload script.
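
The timestamp-salted check described in the closing comment, sketched as an added example that is not the project's own code. It assumes HMAC-SHA256 as the salted hash (the page does not name the algorithm), Unix-time timestamp strings, and a 120-second freshness window; the function names and sample values are hypothetical.

```php
<?php
// Added example, not OSCPMWin code. Assumptions: HMAC-SHA256 stands in for
// "hash of the password salted with the timestamp", timestamps are Unix time
// as decimal strings, and 120 seconds is an acceptable clock skew.
const MAX_SKEW_SECONDS = 120;

// Client side: values the application sends with the upload request.
function make_upload_token(string $dbPassword, int $now): array
{
    $ts = (string) $now;
    return ['ts' => $ts, 'mac' => hash_hmac('sha256', $ts, $dbPassword)];
}

// Server side: recompute from the database password the script already holds.
function verify_upload_token(string $dbPassword, string $ts, string $mac, int $now): bool
{
    // Accept only a plain decimal timestamp of sane length.
    if ($ts === '' || strlen($ts) > 12 || !ctype_digit($ts)) {
        return false;
    }
    // Without a freshness check, a captured pair would stay valid forever.
    if (abs($now - (int) $ts) > MAX_SKEW_SECONDS) {
        return false;
    }
    // Constant-time comparison, so timing does not reveal matching prefixes.
    return hash_equals(hash_hmac('sha256', $ts, $dbPassword), $mac);
}

// Constructed sample values.
$password = 'example-db-password';
$sentAt   = 1105970700;
$token    = make_upload_token($password, $sentAt);

$cases = [
    'fresh request'       => [$password, $token['ts'], $token['mac'], $sentAt + 5],
    'same pair, 1h later' => [$password, $token['ts'], $token['mac'], $sentAt + 3600],
    'wrong password'      => ['other-password', $token['ts'], $token['mac'], $sentAt + 5],
    'malformed timestamp' => [$password, '11059x0700', $token['mac'], $sentAt + 5],
];
foreach ($cases as $label => $args) {
    printf("%-20s %s\n", $label, verify_upload_token(...$args) ? 'accepted' : 'rejected');
}
```

A captured timestamp/hash pair is still accepted until the freshness window closes, so the window should be kept as short as clock drift between client and server allows.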