Question

I applied the SUPEE-11314 patch in Magento 1.7.0.2 but the security scan shows the below error: SUPEE-11314 - Failed. Weak password requirements found (MPERF-10886)

Can I know what the issue is?

Thanks


Solution 2

I decided to delete all the customers and scan again. No issue. I think the issue is complaining about pre-existing customers having passwords that are shorter than a certain length.

OTHER TIPS

Having the same issue, pretty annoying seeing these alerts in my inbox. What can be done? Site in question has all updates validated on magereport, is this a false positive like in the past?

I have had several false positives that after a week they simply go away, as in Magento made a fix in the scanning for that particular patch.

Our server is pretty tight, is the problem that they can not check to see if all the files have been updated?

--update--

I wanted to follow up with my solution as it may help others.

One of the changes SUPEE-11314 introduces is the customer password strength enforcement: after the patch is applied, the new customer registration form password field at '/customer/account/create/' should have the 'min-pass-length-#' class (# is a number). Since almost all stores use some custom theme, and that obviously does not get modified by the patch, the template changes should be applied manually.

I changed my custom theme register.phtml and the one register.phtml the ReCaptcha plugin is using. This resolved my issue. You will want to use the following on both of those.

<li class="fields">
    <div class="field">
        <label for="password" class="required"><em>*</em><?php echo $this->__('Password') ?></label>
        <div class="input-box">
            <?php $minPasswordLength = $this->getMinPasswordLength(); ?>
            <input type="password"
                   name="password"
                   id="password"
                   title="<?php echo $this->quoteEscape($this->__('Password')) ?>"
                   class="input-text required-entry validate-password min-pass-length-<?php echo $minPasswordLength ?>" />
            <p class="form-instructions">
                <?php echo Mage::helper('customer')->__('The minimum password length is %s', $minPasswordLength) ?>
            </p>
        </div>
    </div>
    <div class="field">
        <label for="confirmation" class="required"><em>*</em><?php echo $this->__('Confirm Password') ?></label>
        <div class="input-box">
            <input type="password" name="confirmation" title="<?php echo Mage::helper('core')->quoteEscape($this->__('Confirm Password')) ?>" id="confirmation" class="input-text required-entry validate-cpassword" />
        </div>
    </div>
</li>

There is another validation function at js/prototype/validate.js

I have seen that it validates both the password creation in new account and in an existing account.

If you change the number (7) to a higher number, all the passwords that have 7 characters (regardless of what they are) automatically become invalid.

['validate-password', 'Please enter 8 or more characters. No clean leading or trailing spaces. Password should contain at least one digit, one lower case, one upper case and at least 8 from the mentioned characters', function(v, elm) {
    var pass=v.strip(); /*strip leading and trailing spaces*/
    var reMin = new RegExp(/^min-pass-length-[0-9]+$/);
    var minLength = 7;
    $w(elm.className).each(function(name, index) {
        if (name.match(reMin)) {
            minLength = name.split('-')[3];
        }
    });
    return (!(v.length > 0 && v.length < minLength) && v.length == pass.length);
}],
['validate-admin-password', 'Please enter 7 or more characters. Password should contain both numeric and alphabetic characters.', function(v, elm) {
    var pass=v.strip();
    if (0 == pass.length) {
        return true;
    }
    if (!(/[a-z]/i.test(v)) || !(/[0-9]/.test(v))) {
        return false;
    }
    var reMin = new RegExp(/^min-admin-pass-length-[0-9]+$/);
    var minLength = 7;
    $w(elm.className).each(function(name, index) {
        if (name.match(reMin)) {
            minLength = name.split('-')[4];
        }
    });
    return !(pass.length < minLength);
}],
['validate-cpassword', 'Please make sure your passwords match.', function(v) {
    var conf = $('confirmation') ? $('confirmation') : $$('.validate-cpassword')[0];
    var pass = false;
    if ($('password')) {
        pass = $('password');
    }
    var passwordElements = $$('.validate-password');
    for (var i = 0; i < passwordElements.size(); i++) {
        var passwordElement = passwordElements[i];
        if (passwordElement.up('form').id == conf.up('form').id) {
            pass = passwordElement;
        }
    }
    if ($$('.validate-admin-password').size()) {
        pass = $$('.validate-admin-password')[0];
    }
    return (pass.value == conf.value);
}],
['validate-both-passwords', 'Please make sure your passwords match.', function(v, input) {
    var dependentInput = $(input.form[input.name == 'password' ? 'confirmation' : 'password']),
        isEqualValues  = input.value == dependentInput.value;

    if (isEqualValues && dependentInput.hasClassName('validation-failed')) {
        Validation.test(this.className, dependentInput);
    }

    return dependentInput.value == '' || isEqualValues;
}],
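The following is an added example, not part of the answer above and not Magento's own code. It mirrors, without Prototype.js, what the patched validate.js does with the min-pass-length-N class, and adds a small audit that a store owner can run against the rendered HTML of the account-create page to confirm the theme's register.phtml actually carries the marker class (which is what the answer above identifies as the cause of the scan failure). The HTML snippets are constructed samples; the fallback of 7 is the default the posted validate.js uses.

```javascript
// Same marker the patched validate.js looks for on the password input.
const MIN_PASS_CLASS = /^min-pass-length-([0-9]+)$/;

// Pull the minimum length out of a class attribute, as validate.js does with
// $w(elm.className). Falls back to 7, the default in the posted validator.
function minLengthFromClass(className, fallback = 7) {
  let min = fallback;
  for (const name of className.split(/\s+/)) {
    const m = name.match(MIN_PASS_CLASS);
    if (m) min = parseInt(m[1], 10);
  }
  return min;
}

// Port of the 'validate-password' rule: an empty value passes (required-entry
// handles emptiness), a non-empty value must reach the minimum length and must
// have no leading or trailing whitespace.
function validatePassword(value, className) {
  const minLength = minLengthFromClass(className);
  const stripped = value.trim();
  return !(value.length > 0 && value.length < minLength) && value.length === stripped.length;
}

// Audit a rendered registration form: find the password input and report
// whether the min-pass-length marker is present and what it resolves to.
// A regex is sufficient here because only one input's class attribute matters.
function auditRegisterForm(html) {
  const input = html.match(/<input\b[^>]*\bname="password"[^>]*>/i);
  if (!input) {
    return { found: false, hasMinLengthClass: false, minLength: null };
  }
  const cls = input[0].match(/\bclass="([^"]*)"/i);
  const className = cls ? cls[1] : '';
  const hasMarker = className.split(/\s+/).some((n) => MIN_PASS_CLASS.test(n));
  return {
    found: true,
    hasMinLengthClass: hasMarker,
    minLength: hasMarker ? minLengthFromClass(className) : null,
  };
}

// Constructed samples: a theme template left untouched by the patch, and the
// same input after the change described in the answer (min length rendered as 8).
const UNPATCHED_THEME =
  '<input type="password" name="password" id="password" class="input-text required-entry validate-password" />';
const PATCHED_THEME =
  '<input type="password" name="password" id="password" title="Password" ' +
  'class="input-text required-entry validate-password min-pass-length-8" />';

// Stand-alone run: prints the audit result for both samples.
console.log('unpatched theme:', auditRegisterForm(UNPATCHED_THEME));
console.log('patched theme:  ', auditRegisterForm(PATCHED_THEME));
```

Two things the port makes visible: the client-side rule enforces only length and surrounding whitespace, even though the message text in validate.js talks about digits and mixed case, and the rule is a usability aid only; the scan in this thread was satisfied by the presence of the class in the template, and the actual enforcement a customer cannot bypass has to happen server-side in the patched customer model.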
Licensed under: CC-BY-SA with attribution