Loaded Commerce Community

I was not sure where to post a bug that I have found, but there is a bug in the Credit Card Encryption.

It really messes up the CC Numbers and Expiration dates in the Order. It also seems to have corrupted them in the Database, as it still will not show them correctly when I disable the Encryption.

I know that Minkglove was also having this problem, as we both verified this in Patch 07.

Let me know what else you might need from me.

Bryan

I just noticed their is a test under the Encryption for the Credit card, maybe I have to do something else, that I am not doing. Anyways, here is what that Test states on my version.

Mcrypt Algorithms and Modes
Algorithm Status CBC CFB CTR ECB NCFB NOFB OFB STREAM
CAST-128 OK OK OK OK OK OK OK OK NOT TESTED
GOST OK OK OK OK OK OK OK OK NOT TESTED
RIJNDAEL-128 OK OK OK OK OK OK OK OK NOT TESTED
TWOFISH OK OK OK OK OK OK OK OK NOT TESTED
ARCFOUR OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT TESTED
CAST-256 OK OK OK OK OK OK OK OK NOT TESTED
LOKI97 OK OK OK OK OK OK OK OK NOT TESTED
RIJNDAEL-192 OK OK OK OK OK OK OK OK NOT TESTED
SAFERPLUS OK OK OK OK OK OK OK OK NOT TESTED
WAKE OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT TESTED
BLOWFISH-COMPAT OK OK OK OK OK OK OK OK NOT TESTED
DES OK OK OK OK OK OK OK OK NOT TESTED
RIJNDAEL-256 OK OK OK OK OK OK OK OK NOT TESTED
SERPENT OK OK OK OK OK OK OK OK NOT TESTED
XTEA OK OK OK OK OK OK OK OK NOT TESTED
BLOWFISH OK OK OK OK OK OK OK OK NOT TESTED
ENIGMA OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT OK NOT TESTED
RC2 OK OK OK OK OK OK OK OK NOT TESTED
TRIPLEDES OK OK OK OK OK OK OK OK NOT TESTED

Maximum Key Sizes Allowed
Algorithm Maximum Key Size
cast-128 16
gost 32
rijndael-128 16 24 32
twofish 16 24 32
arcfour 256
cast-256 16 24 32
loki97 16 24 32
rijndael-192 16 24 32
saferplus 16 24 32
wake 32
blowfish-compat 56
des 8
rijndael-256 16 24 32
serpent 16 24 32
xtea 16
blowfish 56
enigma 13
rc2 128
tripledes 24

There is a link to the bug tracker in the Admin Home page of every stock copy of CRE Loaded. That is the best place to report bugs.

David

I don't see this Bug Tracker.

I am on the Home Page of my 6.2 Pro Patch 08, White Label version, I see the following links at the top:

CRE Loaded Pro B2B Now Released

Now on creloaded.com

osCommerce.com | CRE Loaded.com Admin Home | View Catalog | CRE Forums | Purchase CRE Support | Certified CRE Hosting

But I don't see anything about a Bug Tracker.

its in the news feed box right side

bry21317, I would make sure you try and recover the file includes/key/cc_key.php from your prior installation. The patch 8 OVERWRITES this file, and if you had a different key prior to the patch then the result is corruption of data, since the key changed without decrypting and reencrypting the DB first.

If you never changed the encryption key, then with patch 7 and earlier the key was CC_KEY. You need to modify the includes/key/cc_key.php file or use the admin interface to set the value of CC_KEY = CC_KEY. Essentially it wasn't defined before patch 8, so PHP would pick up the value as CC_KEY.

I have a few more comments on this subject, that I wanted to share.

There is some work in this area that is necessary to improve the feature. Hopefully it will be pulled together and cleaned up a bit for the 6.3 release.

I know not everyone is a fan when people compare product A to product B, but I think it is healthy to have competition and for people to understand what the competition is doing. In any case, here I go...

X-Cart has the concept of
a) embedding an algorithm id in the crypted data, and
b) embedding a crc-32 in the crypted data.

Both of these ensure that encryption/decryption issues like this can be captured and alerted to the store admin.

Additionally it would be a really really good idea if includes/key/cc_key.php was added to the global-ignores in the repository, excluded from future patches, and this file was generated with a RANDOM key at installation time.

good points