Security settings / options

We just got an e-mail from a white-hat hacker who saw some issues with our CS-Cart installation.

There were 2 issues which I can't seem to find a solution for:

  1. The option 'forgot password' should be protected by the ReCaptcha plugin, but it seems people can still brute force this system and use it to e-mail bomb other e-mail addresses.

  2. The user registration password requirements/policy only allow for length and the requirement of letters and numbers, but not an option to require special characters.
     This makes brute-forcing the password way easier than when customers are required to also use special characters.

How can we address these issues or is there already a solution to these issues I haven’t found yet?

Hi!

The ability to enable reCAPTCHA for the password recovery form will be added in the next patch version of CS-Cart (4.17.2).

In case you need to force your customers to also add special characters to the password, you may need to make additional changes in your installation:

  1. In the file app/functions/fn.users.php replace the following code:

```php
            if (Registry::get('settings.Security.account_passwords_must_contain_mix') === YesNo::YES) {
                $tmp_result =
                    preg_match('/\d+/', $user_data['password1'])
                    && preg_match('/\D+/', $user_data['password1'])
                    && preg_match('/\d+/', $user_data['password2'])
                    && preg_match('/\D+/', $user_data['password2']);
```

with this code:

```php
            if (Registry::get('settings.Security.account_passwords_must_contain_mix') === YesNo::YES) {
                $tmp_result =
                    preg_match('/\d+/', $user_data['password1'])
                    && preg_match('/\D+/', $user_data['password1'])
                    && preg_match('/\W+/', $user_data['password1'])
                    && preg_match('/\d+/', $user_data['password2'])
                    && preg_match('/\D+/', $user_data['password2'])
                    && preg_match('/\W+/', $user_data['password2']);
```

  2. Update the error_password_content language variable to reflect new requirements.
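The patched check above, isolated into a stand-alone script so it can be run against sample passwords before touching fn.users.php. This is an added example, not CS-Cart code or the reply's; the function names and the sample passwords are constructed. It also shows a stricter variant, because `\D` matches any non-digit (punctuation included) and `\W` matches whitespace, so the patched rule accepts a password with no letters at all.

```php
<?php
// Added example (not CS-Cart code). Function names are hypothetical.

// The three tests the patched fn.users.php applies to password1/password2,
// returned individually so it is visible which rule a password fails.
function fn_example_password_checks(string $password, int $minLength = 8): array
{
    $checks = [
        'has_digit'    => (bool) preg_match('/\d+/', $password),
        'has_nondigit' => (bool) preg_match('/\D+/', $password),
        'has_special'  => (bool) preg_match('/\W+/', $password),
        'long_enough'  => strlen($password) >= $minLength,
    ];
    $checks['ok'] = !in_array(false, $checks, true);
    return $checks;
}

// Stricter variant: require a letter explicitly and exclude whitespace from
// the "special character" class (u modifier for Unicode classes).
function fn_example_password_strict(string $password, int $minLength = 8): bool
{
    return strlen($password) >= $minLength
        && preg_match('/\d/', $password)                   // at least one digit
        && preg_match('/\p{L}/u', $password)               // at least one letter
        && preg_match('/[^\p{L}\p{N}\s]/u', $password);    // one non-alphanumeric, non-space char
}

// Constructed samples showing where the two rules differ.
$samples = [
    'Password1'  => 'letters and digits only: fails the patched rule',
    'Pass word1' => 'a space satisfies \W: passes the patched rule',
    '1234!@#$'   => 'no letter, but \D matches "!": passes the patched rule',
    'Passw0rd!'  => 'meets both rules',
];

foreach ($samples as $pw => $note) {
    $r = fn_example_password_checks($pw);
    printf("%-12s patched=%-3s strict=%-3s %s\n",
        $pw,
        $r['ok'] ? 'yes' : 'no',
        fn_example_password_strict($pw) ? 'yes' : 'no',
        $note);
}
```

Run it with `php` on the command line; the first three samples print `patched=yes`/`strict=no` or `patched=no`, and only the last passes both.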
