cdrtz

Hi,

Looking around to solve some SMTP/IMAP connection problems I found the email configurations in the database. To my surprise I found that the password is not encrypted. If you are curious, check the ps_configuration database table, entries with the name PS_SAV_IMAP_PWD and PS_MAIL_PASSWD, or, if you can access your database, just run these SQL queries:

SELECT * FROM `ps_configuration` WHERE `name` LIKE '%PWD%';
SELECT * FROM `ps_configuration` WHERE `name` LIKE '%PASS%';

If you are on the prestashop cloud then you are out of luck and you cannot access the database. Moreover, if you look in the backoffice under Customers->Customer Service at the CUSTOMER SERVICE OPTIONS section, the entry IMAP Password displays the password in clear right there, in the user interface. At least the entry for the SMTP settings under Advanced Parameters->E-mail hides the password in the user interface.

Thus anyone with database access can read your email password(s). This might not seem like a big issue if you host your store locally and are the single person working on it and having access to the hosting. But what if your store is on a paid hosting, like I assume most of them are, or in the prestashop cloud? Then any hosting service admin has access to the clear password in the database. Or you might have multiple people working on the same store, each of them with different privileges and access, and you might not share the email passwords with everyone that has cPanel/hosting access. Let's not talk about the situation when you do your best to set up different passwords for various accounts but then your email passwords are exposed in a prestashop hosting attack.

To conclude, this is a very serious, overlooked security problem and I hope that the prestashop developers are aware of it and will solve it soon. That shouldn't be too hard, as it looks like the user account passwords are stored encrypted.

P.S.: If there is a hidden option somewhere to achieve email configuration password encryption, please let me know. If that is the case, it shouldn't be an option.
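The post's two LIKE queries are a manual spot check. As an added example (not code from the post or from PrestaShop), here is a small audit that applies the same name patterns to a ps_configuration-like table and reports which credential entries are still stored in clear. The table columns (id_configuration, name, value), the sample rows and the "enc:v1:" marker that an assumed encrypt-at-rest layer would prepend are all constructed for the example; the report deliberately returns only the configuration names, never the secret values, so the audit output itself does not become another place the passwords leak.

```python
import sqlite3

# Assumed marker that an encrypt-at-rest layer would prepend to protected values.
# Hypothetical for this example; it is not a PrestaShop convention.
ENCRYPTED_PREFIX = "enc:v1:"

# The name patterns from the post's two queries.
CREDENTIAL_PATTERNS = ("%PWD%", "%PASS%")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for ps_configuration (columns assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ps_configuration ("
        "id_configuration INTEGER PRIMARY KEY, name TEXT NOT NULL, value TEXT)"
    )
    rows = [
        ("PS_SHOP_NAME", "Example Shop"),
        ("PS_MAIL_USER", "shop@example.com"),
        ("PS_MAIL_PASSWD", "hunter2"),                   # constructed plaintext: flagged
        ("PS_SAV_IMAP_USER", "support@example.com"),
        ("PS_SAV_IMAP_PWD", "enc:v1:c2VhbGVkLWJsb2I="),  # constructed enveloped value: fine
        ("PS_PASSWD_TIME_BACK", "360"),                  # matches %PASS% but holds no secret
    ]
    conn.executemany(
        "INSERT INTO ps_configuration (name, value) VALUES (?, ?)", rows
    )
    conn.commit()
    return conn


def find_plaintext_credentials(conn: sqlite3.Connection, allowlist=()) -> list:
    """Return the names of credential-looking entries whose value is stored in clear.

    A name is credential-looking when it matches one of CREDENTIAL_PATTERNS, as in
    the post's queries. Entries in `allowlist` (known non-secret names that happen
    to match, such as a password-policy timer) are skipped. Empty values and values
    carrying ENCRYPTED_PREFIX are not reported. Only names are returned, so the
    audit report does not echo the secrets it is looking for.
    """
    flagged = set()
    for pattern in CREDENTIAL_PATTERNS:
        cur = conn.execute(
            "SELECT name, value FROM ps_configuration WHERE name LIKE ?", (pattern,)
        )
        for name, value in cur:
            if name in allowlist:
                continue
            if not value:
                continue
            if value.startswith(ENCRYPTED_PREFIX):
                continue
            flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    db = build_sample_db()
    for name in find_plaintext_credentials(db, allowlist={"PS_PASSWD_TIME_BACK"}):
        print(f"stored in clear: {name}")
```

Run against a real store's database the patterns over-match (any name containing PASS or PWD is reported, including settings that are not secrets), which is why the allowlist exists; review the list once, then keep the check in a periodic job so a regression or a new module storing credentials in clear is noticed rather than discovered by accident.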