Major Encryption Key Vulnerability
 
iPhony
Member
 
Total Posts:  37
Joined:  2007-09-01
 

I was playing with Magento and I just realized that once your store is up, anyone can recover your encryption key in plain text by just adding
/install/wizard/end/
to the end of your store’s domain name.

This is critical and needs to be fixed as soon as possible.
For instance you can retrieve Magento’s demo store encryption key by just launching the following link in your browser:

http://demo.magentocommerce.com/install/wizard/end/

I would like to hear from a Magento team member about this issue.
I would rather have this key retrievable after login or simply not retrievable online but only via email or so. Not sure which one is best…

 
 
Moshe
Magento Team
 
Total Posts:  1770
Joined:  2007-08-07
Los Angeles
 

This has been fixed and will be available in the next release.

 
 
iPhony
Member
 
Total Posts:  37
Joined:  2007-09-01
 

Great, thanks for your fast reply.

 
 
Brandon
Sr. Member
 
Total Posts:  76
Joined:  2007-08-31
Web Developer
 

Shouldn’t the entire install directory be deleted once installed?
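
For store owners who want to know whether the page described in the first post was ever fetched, here is an added example (not part of the original thread and not Magento code) that scans web server access logs for requests to /install/wizard/end/. The Combined Log Format, the optional /index.php prefix, the case-insensitive match and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Path taken from the first post, without the trailing slash.
WIZARD_END = "/install/wizard/end"


def normalize(target):
    """Reduce a request target to a comparable lowercase path."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0]).lower()
    path = re.sub(r"/+", "/", path)  # collapse duplicate slashes
    # Assumption: the front controller may also be reached as /index.php/...
    if path.startswith("/index.php/"):
        path = path[len("/index.php"):]
    return path.rstrip("/")


def find_wizard_end_hits(lines):
    """Return (ip, time, status, served) for each request to the wizard end page."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalize(m["target"]) != WIZARD_END:
            continue
        status = int(m["status"])
        # A 2xx status means the page was served: treat the key as disclosed.
        hits.append((m["ip"], m["time"], status, 200 <= status < 300))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2007:10:01:22 +0000] "GET /install/wizard/end/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Sep/2007:10:05:40 +0000] "GET /index.php/Install//wizard/end?x=1 HTTP/1.1" 200 5120 "-" "curl"',
    '203.0.113.7 - - [13/Sep/2007:08:00:00 +0000] "GET /install/wizard/end/ HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [13/Sep/2007:08:01:00 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, status, served in find_wizard_end_hits(SAMPLE_LOG):
        verdict = "SERVED, rotate the key" if served else "not served"
        print(f"{when}  {ip}  HTTP {status}  {verdict}")
```

Any hit marked as served means the key was shown to that client, so it should be replaced rather than only hidden.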

 