View Issue Details

IDProjectCategoryView StatusLast Update
0005444OXID eShop (all versions)1.05. Userspublic2014-08-18 09:06
Reporterhenrik.steffen 
PriorityurgentSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
PlatformallOSallOS Versionall
Product Version4.7.8 / 5.0.8 
Target Version4.8.5 / 5.1.5Fixed in Version4.9.0_5.2.0_beta1 
Summary0005444: Login by customer number should be prevented
DescriptionCustomer numbers are consecutively genereated by the shop. Attackers could guess customer numbers and use them for brut-forcing logins.

Would be better, if only e-mail-addresses could be used as usernames (maybe as a future option?)

TagsNo tags attached.
ThemeAzure
BrowserAll
PHP Versionany
Database Versionany

Activities

svetlana

2014-03-28 10:00

reporter   ~0009703

waiting for the PO decision.

aurimas.gladutis

2014-08-18 09:06

reporter   ~0010072

Customer number can no longer be used as user name.