theillo Posted January 4, 2015 (edited)

I have been looking for a decent CMS for a while now, and actually been working on my own because I found nothing I liked for the longest time. PrestaShop looks very promising, giving me the functionality I need, and the code architecture I was looking for (MVC, Smarty templates). I was pretty much ready to dive in, learn the system, learn the code, and write those modules that I still need. But here's one thing that was a setback: I registered at prestashop.com to download some themes and modules, and I received an email back, which contains my password in plain text. O_o I am shocked! This actually makes me very uncomfortable moving forward and relying on PrestaShop, because I am wondering: Are there other security issues like that? Will it be super easy for my website to get hacked, and confidential information of my customers to be leaked? How hard is it going to be for me to track down the registration module and fix it? I registered an account on my own store, did not receive an email verification email (which I am not happy about, but hey: at least no plain text passwords being sent around). Looking at the database it looks as if my password got at least stored as a hash - looks like an MD5, but not plain string to MD5 fortunately. Any thoughts and comments would be appreciated!

Edited January 4, 2015 by theillo
Dh42 Posted January 4, 2015

The passwords are sent plaintext in a welcome email. This is an issue I know. But rest assured that they are salted with a unique key for each shop before they are stored in the database.
theillo Posted January 11, 2015 (Author)

Okay thanks for letting me know. Do you happen to know where I would find the file for this particular email, that's sent out to any new registrant of my store, so that I can just delete the line where it shows the password?
Richard S Posted January 11, 2015

You can find the emails in root/mails/[your_lang_iso_code]. If you are changing emails, you should copy the /mails/ catalog to your theme in order to have them properly overridden. The code that executes and sends the email is in the AuthController.php controller. This is a known issue for all of us, but the passwords are encrypted with salt, so they are safe in the database.
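The two replies above say the stored passwords are hashed (MD5-like) with a key that is unique per shop. The following is an added illustration, not PrestaShop's own code: it models that scheme as MD5 over a constructed shop-wide key prefix (an assumption about the exact construction) and contrasts it with per-user salted hashing via PHP's password_hash(), to show why a shop-wide key alone still lets the database reveal which customers share a password.

```php
<?php
// Added example, not PrestaShop code. SHOP_KEY is a constructed stand-in
// for the per-shop secret the forum replies describe.
const SHOP_KEY = 'constructed-shop-wide-secret';

// Assumed model of the "salted with a unique key for each shop" scheme:
// the same key is prepended for every account, so the digest is a pure
// function of (shop key, password) and equal passwords collide.
function hashWithShopKey(string $password): string
{
    return md5(SHOP_KEY . $password);
}

// Per-user salt: password_hash() draws a fresh random salt on every call
// and embeds it in the returned string, so equal passwords differ.
function hashPerUser(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Returns true when every account in $accounts has a distinct stored hash.
function hashesAreDistinct(array $hashes): bool
{
    return count($hashes) === count(array_unique($hashes));
}

// Constructed sample: two customers who happened to pick the same password.
$accounts = [
    'alice@example.com' => 'Summer2015!',
    'bob@example.com'   => 'Summer2015!',
];

$shopKeyed = array_map('hashWithShopKey', $accounts);
$perUser   = array_map('hashPerUser', $accounts);

// With the shop-wide key only, alice and bob end up with identical rows,
// so anyone reading the table learns they share a password.
printf("shop-key scheme distinct:   %s\n", hashesAreDistinct($shopKeyed) ? 'yes' : 'no');
// With per-user salts the rows differ even though the passwords are equal.
printf("per-user salt distinct:     %s\n", hashesAreDistinct($perUser) ? 'yes' : 'no');

// Verification needs no separate salt column: the salt lives inside the hash.
printf("alice verifies:             %s\n", password_verify('Summer2015!', $perUser['alice@example.com']) ? 'yes' : 'no');
printf("bob with wrong password:    %s\n", password_verify('wrong', $perUser['bob@example.com']) ? 'yes' : 'no');
```

The welcome-mail issue is separate from storage: whichever hashing is used, the plaintext only leaves the server if the mail template is handed the password as a variable, so the fix the thread discusses is to stop passing it to that template.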
theillo Posted January 12, 2015 (Author)

Thanks, very helpful!
theillo Posted January 12, 2015 (Author)

Thanks, helpful!
OuTopos Posted February 27, 2016

Just discovered PrestaShop and got the welcome mail with my password in plain text. This is not acceptable at all. Makes you look like total idiots. I can see NO REASON WHATSOEVER for why I need to receive my password in plain text in an email. I was so happy about finding PrestaShop and this made me rethink using PrestaShop for my client. And yes I'm furious.