
SSL Modules Enom Password



I have just noticed that WHMCS inserts your Enom user name and password in the products table when you choose an Enom module for the product.

 

Now it would be fine if the password was encrypted but it's not.

The password is in plain text.

 

It's not a biggie but it shouldn't be unencrypted.

 

I don't know if other modules picked do the same thing, which may be a bigger problem.

Enom has two steps of security which requires users to also answer saved questions should the PC not match the stored info. Others may not have this.

 

To see this, if you are using this feature, go to your products table in phpMyAdmin.

Use SQL to select only rows from the Group so as to filter out all others.

 

And you will see your Enom password clear as day.

Now, I created the product with the latest prior version and have not tested it with the new version, but I expect it to be the same.

 

Vincent G.


  • WHMCS CEO

Encryption could (perhaps should) be used, but by definition encryption is reversible, so it doesn't particularly add much in terms of real security.

 

As I explained via your ticket regarding this, the proper solution for this would be for Enom to provide a better and more secure way to interface with their API rather than requiring passing the password in plain text. We have been petitioning them for some time now to implement some kind of API Key/Token system as an alternative to the password, but they have seemed a bit reluctant so far.

 

Matt


Encrypting it in the database ensures that it would be highly difficult to decrypt should a SQL injection be found. While it won't protect against much more than that, it's still slightly better than being not encrypted at all. My 2 cents.

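The trade-off debated in the posts above, as an added example that is not WHMCS code and not part of any post: a stored module credential is sealed with a key kept outside the database, so reading the table alone (a SQL injection, or staff browsing phpMyAdmin) yields only ciphertext, while anyone who also holds the key can still reverse it. It assumes PHP's sodium extension; the function names, the `MODULE_CRED_KEY` variable and the sample password are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: the key lives outside the database (an environment variable here),
// so a dump or injection that reads the table does not also yield the key.
function load_key(): string
{
    $b64 = getenv('MODULE_CRED_KEY');            // hypothetical variable name
    if ($b64 === false) {
        throw new RuntimeException('MODULE_CRED_KEY is not set');
    }
    $key = base64_decode($b64, true);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('MODULE_CRED_KEY must be 32 bytes, base64-encoded');
    }
    return $key;
}

// Returns the value to store in the column: base64(nonce || ciphertext).
function seal_credential(string $plaintext, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($plaintext, $nonce, $key));
}

// Recovers the credential just before the API call; throws on a wrong key or tampering.
function open_credential(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('Stored credential is malformed');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        throw new RuntimeException('Decryption failed: wrong key or modified ciphertext');
    }
    return $plain;
}

// Demo with constructed values; a real deployment provisions the key once, out of band.
putenv('MODULE_CRED_KEY=' . base64_encode(sodium_crypto_secretbox_keygen()));
$key    = load_key();
$column = seal_credential('example-api-password', $key);   // constructed sample value
echo "stored in table: $column\n";
echo "recovered:       " . open_credential($column, $key) . "\n";
sodium_memzero($key);
```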

Also for bigger hosting companies this helps prevent employee theft.

An employee can just look into the tables and gain access to a company's Enom account.

If he is angry at the company he can cause a lot of problems.

 

Don't look at security from a standpoint of only outside security.

 

Also if you are looking at security as being reversible then there is no security.

It's only reversible if the person has a copy of your encryption scheme.

Yes they can get a copy of your software but this then leaves a trail.

 

That's only a small sample of my viewpoint - lol

Edited by vincent_g
