Are you telling us that WiseCP itself suffers (suffered) from the same problem, not just your website?
Currently the latest version is 1.6.3. This version was released on 23/01/2019 and there were some complementary arrangements for 1.6.2. So there’s no such thing as you specified. We will take immediate action to update our own web site.
Please see: Screenshot by Lightshot
No, that’s not what we’re saying. With WISECP 1.6.2 release, this situation has been eliminated and strong security measures have been taken.
What you see is a notification text of our own web site that uses an older version.
We’ve re-activated the trial version you’re using, so you can see it yourself.
No worries, thanks for the explanation. Hopefully, @FHR will report back with any additional findings.
In all fairness, sending a plain text password over email is far from new in our industry. Isn’t that still the default function of WHMCS to this day? If not, it sure was for a very, very long time regardless of how anyone felt about it.
Thanks for fixing it. I wonder how it could’ve happened in the first place, but the important thing is that it was fixed.
WHMCS sends a password in the “New Account Registration” email, but doesn’t actually store it in plaintext.
Fairly sure I remember someone reputable saying that SolusVM stores passwords in plaintext. So maybe that’s what you’re remembering @Jarland
In fact, it was intended to allow users to easily log in at the beginning. Generally, users cannot remember their password information well. However, the password information was never stored in the database as text. It’s encrypted in all circumstances, with a special method. The system decrypts the password and sends you the mail after that. So unless someone hacks your email address, they’ll never reach your account.
We’ve updated it with version 1.6.2, and under no circumstances is the password information shown. The user has to keep the password in mind.
This is how WHMCS works with service passwords to this day, actually. No one likes to talk about it.
Every reversible encryption is insecure by design if I can find your private key. You absolutely do need to use one-way hashing like PBKDF2 or Bcrypt for storing passwords…
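To make the contrast in that post concrete, here is an added example (my own code, not WiseCP's, WHMCS's or anyone else's in this thread). It stores passwords two ways: a one-way PBKDF2-HMAC-SHA256 record with a per-user salt, and a toy reversible scheme standing in for "encrypted with a special method". The iteration count is an assumed work factor, and the XOR-with-SHA-256-keystream cipher is a deliberately simple stand-in chosen only to show the failure mode: whoever recovers the application key recovers every stored password, whereas the hashed records have no key to recover.

```python
import base64
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; not a value from the thread.
PBKDF2_ITERATIONS = 600_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """One-way storage: salted PBKDF2 digest. Nothing here can be decrypted."""
    salt = os.urandom(16)  # fresh per record, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


# --- Toy reversible scheme, standing in for "encrypted with a special method" ---
# Keystream block i = SHA-256(key || nonce || i); ciphertext = plaintext XOR keystream.
# Illustration only: it exists to show what key recovery means for the whole table.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def reversible_store(password: str, key: bytes) -> str:
    """Encrypt under one application-wide key; the record is decryptable by design."""
    nonce = os.urandom(16)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return f"xor_sha256${_b64(nonce)}${_b64(ct)}"


def reversible_recover(record: str, key: bytes) -> str:
    """Decrypt a stored record; with the wrong key this yields garbage, not an error."""
    _, nonce_b64, ct_b64 = record.split("$")
    nonce, ct = base64.b64decode(nonce_b64), base64.b64decode(ct_b64)
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode("utf-8", errors="replace")


def recover_all(records: dict, key: bytes) -> dict:
    """What holding the application key means: every row comes back in the clear."""
    return {user: reversible_recover(rec, key) for user, rec in records.items()}


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    app_key = b"constructed-application-wide-key"
    legacy_table = {
        "alice": reversible_store("hunter2", app_key),
        "bob": reversible_store("pa55word", app_key),
    }
    hashed_table = {user: hash_password(pw) for user, pw in [("alice", "hunter2"), ("bob", "pa55word")]}

    print("reversible table, key known:", recover_all(legacy_table, app_key))
    print("hashed table, verify alice/hunter2:", verify_password("hunter2", hashed_table["alice"]))
    print("hashed table, verify alice/wrong:", verify_password("wrong", hashed_table["alice"]))
```

The point of the two tables side by side is the one the post makes: `recover_all` needs nothing but the key, which lives somewhere on the same server as the database, while the hashed table can only be checked one candidate at a time through `verify_password`, with the salt and work factor making bulk guessing expensive.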
I assume you thought that passwords were clearly stored in the database as text
There never was a situation like this. The password information in your incoming email is stored in encrypted form with a special method in the database. From the very beginning to this day.
If you’re using the old version of WISECP, you can check and confirm your database.
It’s technically hard to find the private key, because part of the key is stored in an encrypted file with Ioncube at the core level.
Still, he is right. There’s no need to be able to reverse encryption, so you’re better off encrypting it one-way.
I can fish that key out of memory
Easily with PHP, ioncube only helps to obfuscate and discourage.
Agreed. Consider that a feature request @sitemio
Please try this and inform us if possible.
I’m not suggesting you underestimate Ioncube. It is the only encryption technology that is currently undecoded. Do you know anyone who can decode an ioncube file encrypted with a dynamic key?
You can be sure weâll reconsider. Thanks.
If I find time to do that, I will. Seems like a nice exercise.
Google “cPanel nulled” or “WHMCS nulled”.
It’s their incompetence. It’s not ioncube that’s causing it.
They’re still not developing their encryption technology. Whereas it was possible to get ahead of it.
Even if Ioncube provided perfect file encryption, the data is still stored in memory.
I can dump process memory and physically find the string you are using for encryption.
You seem to imply that the encryption key is universal across all installations (stored in code). Which is great, because I can get it on my machine and then use it to decrypt databases of all installations.
This used to be like this. But nowadays the situation is more complicated.
If you could try it and get a result, please inform us.
Thanks for your time and pleasant chat.