  1. #1
    Join Date
    Oct 2005
    Location
    Surrey BC
    Posts
    1,319

    Domain only cart - CE alternative?

    I'm in need of a cart that will do domains only and works with OpenSRS. Currently I use CE.

    I've been using CE for a while now and like it very much. Unfortunately, I've noticed that CE doesn't encrypt domain name passwords. So basically anyone with access to the db for CE can browse the user names and view the unencrypted passwords for each domain that a client has registered through CE. This is the password that is used to log in to the registrar and manage the domain(s).

    This scares me quite a bit, especially on a shared server, not to mention the liabilities it creates for me if someone were to gain access to the db and get the domain name usernames and passwords. After that they'd be free to go and hijack all the domains in my CE db.

    I've used MBill before and it was too bloated. I also have whoiscart but didn't really like it.

    Thanks.


    + NOW WE'RE MAKING RECORDS, NOW WE'RE MAKING TAPES

  2. #2

    Thumbs down

    Hi. You can try AWBS Domain Edition. But all of the hosting billing software doesn't encrypt the registrar password(s). We had purchased all of this software for our hosting company. But we cannot use it for security reasons, too.
    DomainCart - Domain and Hosting Shopping Cart with Integrated Bootstrap Hosting Template.
    www.domaincart.net - Demo

  3. #3
    Join Date
    Oct 2005
    Location
    Surrey BC
    Posts
    1,319
    Quote Originally Posted by dhcart
    Hi. You can try AWBS Domain Edition. But all of the hosting billing software doesn't encrypt the registrar password(s). We had purchased all of this software for our hosting company. But we cannot use it for security reasons, too.
    Hm, that sucks if none of them encrypt the password. The first time I saw that the registrar password was clearly readable I almost had a heart attack. Imagine someone gaining access to the server, phpMyAdmin, CE or any other billing software; they'd have a field day if they noticed that they clearly had the domain name user name and password for the taking.

    Try explaining to your customers why their domain is not owned by them anymore



  4. #4
    Join Date
    Mar 2001
    Location
    Ireland
    Posts
    1,354
    You should really put your billing software on a separate server to your clients and lock down access to it.

    What's CE?
    Blacknight
    ICANN accredited domain registrar

  5. #5
    We use www.awbs.com domain edition on one of our websites and it works great for "domain name only" sales and management.

    We use eNom, but I believe there is a module available for openSRS, too.

    Want to sell domain names? Sign up today for an eNom.com reseller account from a trusted eNom ETP provider.
    * We provide support and service to over 3245 happy eNom domain name and SSL certificate resellers!

  6. #6
    Join Date
    Oct 2005
    Location
    Surrey BC
    Posts
    1,319
    Quote Originally Posted by mrzippy
    We use www.awbs.com domain edition on one of our websites and it works great for "domain name only" sales and management.

    We use eNom, but I believe there is a module available for openSRS, too.


    Hi

    Can you tell me if AWBS encrypts the users' domain passwords in MySQL?



  7. #7
    Quote Originally Posted by Evolver
    Hm, that sucks if none of them encrypt the password. The first time I saw that the registrar password was clearly readable I almost had a heart attack. Imagine someone gaining access to the server, phpMyAdmin, CE or any other billing software; they'd have a field day if they noticed that they clearly had the domain name user name and password for the taking.

    Try explaining to your customers why their domain is not owned by them anymore
    All of the billing software cannot encrypt the registrar passwords. This is impossible. But if the password is placed in a PHP file (like at Whois.Cart), then you can maybe encrypt it with a PHP encoder.
    Last edited by domaincart; 01-16-2007 at 09:36 AM.

  8. #8
    The problem is that every time the billing software communicates with the hosting panel (for example to update the user's info), it needs the password. Encrypting it would mean you have to store the encryption key. So the problem for the attacker is now finding that key and figuring out the encryption algorithm. Certainly harder to get there, but the "problem" remains. Not storing the encryption key would mean it would need to be asked for every time it is needed, which is a hassle. That's why it is not encrypted.

    Cheers,
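
Added example, not part of any post in this thread and not code from any of the billing products mentioned: PHP showing the trade-off post #8 describes, where the registrar password is encrypted in the database and the key is kept somewhere the database does not reach. It assumes PHP 7.2+ with the bundled sodium extension; the function names, domain names and password are constructed for illustration.

```php
<?php
// Added example: registrar password encrypted at rest with a key that never
// enters the database. All names and sample values below are constructed.

// Assumption: in production the 32-byte key is loaded from outside the DB and
// the web root (a root-owned file, an environment variable, a secrets store).
// A random key is generated here only so the example runs stand-alone.
$key = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES);

function seal_registrar_password(string $password, string $domain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    // The domain name is authenticated as associated data, so a ciphertext
    // copied into another domain's row fails to decrypt.
    $ct = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($password, $domain, $nonce, $key);
    return base64_encode($nonce . $ct); // value stored in the DB column
}

function open_registrar_password(string $stored, string $domain, string $key): ?string
{
    $raw = base64_decode($stored, true);
    $n   = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if ($raw === false || strlen($raw) < $n + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        return null; // malformed or truncated column value
    }
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($raw, $n), $domain, substr($raw, 0, $n), $key
    );
    return $pt === false ? null : $pt; // null on wrong key, wrong domain or tampering
}

// Constructed sample row.
$stored = seal_registrar_password('s3cret-Example!', 'example.com', $key);

// Billing application that holds the key and reads the matching row.
var_dump(open_registrar_password($stored, 'example.com', $key));
// Same ciphertext moved to a different domain's row.
var_dump(open_registrar_password($stored, 'other-example.net', $key));
// Someone with a database dump or phpMyAdmin access but not the key.
var_dump(open_registrar_password($stored, 'example.com', random_bytes(32)));
```

This only narrows the exposure to compromises that reach the key as well as the database; anyone who can read the key location on the billing server can still recover the passwords, which is the residual problem post #8 points out.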

  9. #9
    Join Date
    Oct 2005
    Location
    Surrey BC
    Posts
    1,319
    Well, I know I'm just being paranoid, but it just seems like half of the hosts out here, if not more, are game for domain name password raping. Especially since so many are just resellers on shared servers.

    I know from reading the CE forums that CE used to encrypt those passwords, but CE users bitched that it was inconvenient for their users, so the passwords were left unencrypted.

    Well, not wanting to get into this kind of legal can of worms, I'm just gonna have to remove domain registration for now.


