How Come Our Admin Names Are Still Being Sent To Cs-Cart?

I think a representative from the cscart team should explain why they need the admin name to verify a license.

Surely they only need the license number and URL?

BUMP !!

8 months now and not a peep out of CS-Cart.

So why not just ask at the helpdesk? But I think they said they no longer 'stored' the admin url, not that they didn't retrieve it. So the question would be “why are you retrieving the admin url and what do you use it for?”

CS-cart.

Why are you retrieving the admin url and what do you use it for?

[quote name='termalert' timestamp='1434969974' post='219896']

CS-cart.

Why are you retrieving the admin url and what do you use it for?

[/quote]



termalert,



Please refer to my message: Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2 - Page 6 - Security - CS-Cart Community Forums - Page 6

We do not store the admin script anywhere. At all! I can assure you 100% we do not store or use admin_script names for any purpose. I personally made all the required changes back in 2014 and they were tested by the 2 best QA engineers from our team.



But CS-Cart installation still sends it to our server. I suppose this would be the right solution to remove admin script from request either. Will do it in 4.3.4. This code is still there because when this hacker attack happened we were in a hurry to find the solution that will protect our customers with any CS-Cart version and even those who won't apply the patch for any reason.



Thank you for paying attention to it.

"I suppose this would be the right solution to remove admin script from request either."

So all those using CS-Cart presently face the possibility of their admin names being intercepted.

Our admin names were the keys used to exploit a vulnerability. Much better if only WE know our admin names.

I can understand why the license numbers are sent but why our admin names?

As Imac said, it's a bug and they will fix it. Was this ever reported in the infamous bugtracker or only complained about here in the “community” forums? If it's not already in bugtracker, why don't you add it so it won't be missed.

Sorry tbirnseth but a deliberately designed function is not a bug.

Maybe the software takes a snapshot to send and it may be like asking a camera to ignore one of the people in a group portrait.

Will someone explain this in layman's terms or put a sign up saying 'this is a forum for experts only'.

If you read Imac's response, they originally hurried to remove the storage and forgot about the 'send' portion. I can only believe that he is telling the truth and that it will be removed in V4.3.4 (which sounds to me like V4.3.3 is on the horizon).



Do note that I believe it is an SSL connection back to cs-cart so risk of someone actually getting your admin url is pretty low.



It's not a forum for experts only, it is a community forum (which should mean that it's open and that the primary vendor only plays an administrative role). Bugs (or forgotten pieces) should be reported to bugtracker. Cs-cart has demonstrated that responding to forum posts is a pretty low priority for them and I assume because the community tends to take care of itself. However, obvious bugs or code-related issues (like security or broken functionality) should be reported to bugtracker in addition to being discussed here.



Just my two cents.

Reported as bug. Yes the transport using SSL is safe enough but not having admin names sent in the first place is much safer still.

These guys do an absolutely fantastic job given the number of carts out there and (believe it or not) I hate to complain about things. Stop laughing.

This is the obsolete code, we can safely remove it as we do not use admin script anymore in our CRM (Help Desk).

Tony is right, we just forgot to remove it.



Will be done in 4.3.4

4.3.3 should be released this week.

This is the obsolete code, we can safely remove it as we do not use admin script anymore in our CRM (Help Desk).

Tony is right, we just forgot to remove it.


I started this thread in October 2014 and since then CS-Cart have released 4 versions 4.2.3, 4.2.4, 4.3.1 & 4.3.2

I think anyone reading this thread will be asking the same question so I won't bother.

[quote name='termalert' timestamp='1435056312' post='220064']

I started this thread in October 2014 and since then CS-Cart have released 3 versions 4.2.3, 4.2.4, 4.3.1 & 4.3.2

I think anyone reading this thread will be asking the same question so I won't bother.

[/quote]



termalert.



That's because the Community forum is not the place to ask such a question, it should go to Help Desk or Bugtracker. Officially CS-Cart representatives review only bug tracker.



Last time started to review all the forum content which is actually a time consuming process, but that's the only way to catch such complaints. I hope this will help us to make CS-Cart better.

4.3.4 will be the first version NOT to send our admin names.

Better late than never.