Why does cs-cart have all my sensitive data in the debug?

It seems that besides the useful info, the debugger (which I call using a secret key in the url / get parameter) also contains the admin link, admin user and admin pass.

These are under $settings => General => proxy user and proxy pass

The $config => db_host, db_name, etc. contain the database private info.

Isn’t it a security problem to display all this sensitive info? I know that no one else knows my secret key, and I hope there is no way that people can access the Smarty Debug Console, because this would be a major flaw.

[quote name='CsssCart']It seems that besides the useful info, the debugger (which I call using a secret key in the url / get parameter) also contains the admin link, admin user and admin pass.

These are under $settings => General => proxy user and proxy pass

The $config => db_host, db_name, etc. contain the database private info.

Isn’t it a security problem to display all this sensitive info? I know that no one else knows my secret key, and I hope there is no way that people can access the Smarty Debug Console, because this would be a major flaw.[/quote]

Proxy information should not be sensitive information? Better yet, why are you even using the Proxy system? I’ve never seen a need for it. Cs-cart also does NOT keep the admin password stored anywhere, other than in encrypted (hashed, md5) form, in your session data, and in the database.

It’s debug… There should be no restrictions. The insecure part is your adding a GET parameter that invokes the debugger without any security.
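
Added example, not part of the thread and not CS-Cart code: one way to put a check in front of a GET-triggered debug dump and to mask connection and proxy credentials before they are printed. The parameter name `debug_key`, the helper names, the allowlist, and every key name other than `db_host` and `db_name` are assumptions; the sample arrays are constructed.

```php
<?php
// Hypothetical helpers for illustration; none of these names come from CS-Cart.

// Key-name fragments treated as sensitive (assumed; the thread names db_host,
// db_name and the proxy user/pass settings).
const REDACT_PATTERN = '/^(db_|proxy_)|pass|secret|token/i';

/** Allow the debug dump only from an allowlisted address AND with the correct key. */
function debug_allowed(array $get, string $remoteAddr, string $expectedKey, array $allowedIps): bool
{
    $supplied = $get['debug_key'] ?? '';          // made-up parameter name
    if (!is_string($supplied) || $expectedKey === '') {
        return false;                             // rejects ?debug_key[]=x and an unset key
    }
    return in_array($remoteAddr, $allowedIps, true)
        && hash_equals($expectedKey, $supplied);  // constant-time comparison
}

/** Recursively mask values whose key looks sensitive before they reach the dump. */
function redact_for_debug(array $data): array
{
    $out = [];
    foreach ($data as $k => $v) {
        if (is_string($k) && preg_match(REDACT_PATTERN, $k)) {
            $out[$k] = '[redacted]';
        } elseif (is_array($v)) {
            $out[$k] = redact_for_debug($v);
        } else {
            $out[$k] = $v;
        }
    }
    return $out;
}

// Constructed sample data shaped like the arrays described in the thread.
$config   = ['db_host' => 'localhost', 'db_name' => 'shop', 'db_password' => 'x', 'http_host' => 'example.test'];
$settings = ['General' => ['proxy_user' => 'u', 'proxy_password' => 'p', 'store_name' => 'Demo']];

$remote = $_SERVER['REMOTE_ADDR'] ?? '';
if (debug_allowed($_GET, $remote, 'constructed-long-random-key', ['127.0.0.1'])) {
    print_r(redact_for_debug($config));    // db_* values print as [redacted]
    print_r(redact_for_debug($settings));  // proxy_* values print as [redacted]
}
```

A key carried in the URL still ends up in web server access logs and browser history, which is why the sketch pairs it with an address allowlist rather than relying on the key alone.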