
WHMCS and new MD5 password encryption system

November 18th, 2009 Ved

Yesterday a product I developed stopped working: users were no longer able to log in. I use WHMCS as my billing system, and the login process is handled through the WHMCS API.

After several hours of research, my client (the owner of the product) and I found the solution, which I show below.

The problem: until the latest WHMCS update, all client passwords were stored in the database in plain text. That is a very bad practice, and WHMCS finally changed it: passwords are now stored as a salted MD5 hash (not encryption, since the value cannot be reversed) using the template md5(salt.password):salt. That is, the salt is prepended to the password, the result is hashed with MD5, and the same salt is appended to the hex digest after a colon.

No problem, and it is a reasonable way to store passwords: the salt defeats precomputed tables, although MD5 is fast enough that a leaked hash can still be brute-forced offline. The trouble is that nobody at WHMCS documented the change; it seems they were waiting for us to guess the format!

So, here is my own solution to compare the password the user typed against the hashed password returned by the method getclientsdatafromemail() (http://wiki.whmcs.com/API:Get_Clients_Data_by_Email).

// $result['password'] is the 'password' key of the array returned by
// getclientsdatafromemail(). The stored (hashed) value looks like
// d9728352f699f58e390f0c74640f94e0:R(IDy
// where R(IDy is the salt, i.e. md5(salt . password) . ':' . salt.

// First retrieve the salt, which is the last 5 characters of the
// stored value (everything after the ':' separator).
$salt = substr($result['password'], -5, 5);

// $login->password is the password typed by the user. Apply the same
// template, md5(salt.password):salt, to it.
$hashedInputPassword = md5($salt . $login->password) . ':' . $salt;

// Now the two strings can be compared directly: the correct password
// reproduces exactly the stored value.
if ($hashedInputPassword === $result['password']) {
    // password accepted, proceed with the login
} else {
    // wrong password, reject the login
}
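Below is a complete, self-contained version of the same check, added here as an example; it is not WHMCS code, and the function names are this example's own. It goes slightly beyond the snippet above: instead of assuming a 5-character salt it splits the stored value on the ':' delimiter (an MD5 digest never contains one), validates that the first part really is a 32-character hex digest, compares in constant time, and can also produce a stored value in the same format for a freshly chosen password.

```php
<?php
// Added example: verify and produce WHMCS-style "md5(salt.password):salt" values.
// Not WHMCS's own code; whmcs_* function names are this example's own.

/**
 * Split a stored value of the form md5(salt . password) . ':' . salt into its
 * two parts. Returns null if the value is not in that shape.
 */
function whmcs_split_stored($stored)
{
    // Split on the first ':' only: the MD5 digest never contains one, but a
    // salt drawn from printable characters (the page's example is "R(IDy") might.
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($hash, $salt) = $parts;
    // An MD5 hex digest is exactly 32 lowercase hex characters.
    if (!preg_match('/^[0-9a-f]{32}$/', $hash) || $salt === '') {
        return null;
    }
    return array('hash' => $hash, 'salt' => $salt);
}

/** Compare two strings without leaking the position of the first mismatch. */
function whmcs_constant_time_equals($a, $b)
{
    if (function_exists('hash_equals')) {   // PHP >= 5.6
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

/** True when $inputPassword matches the stored "hash:salt" value. */
function whmcs_verify_password($stored, $inputPassword)
{
    $parts = whmcs_split_stored($stored);
    if ($parts === null) {
        return false;   // not a salted-MD5 record: refuse rather than guess
    }
    $candidate = md5($parts['salt'] . $inputPassword);
    return whmcs_constant_time_equals($candidate, $parts['hash']);
}

/** Random salt of printable ASCII, excluding ':' so the delimiter stays unambiguous. */
function whmcs_random_salt($length = 5)
{
    $alphabet = '';
    for ($c = 33; $c < 127; $c++) {
        if ($c !== 58) {            // 58 is ':'
            $alphabet .= chr($c);
        }
    }
    $max = strlen($alphabet) - 1;
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int (PHP >= 7) is a CSPRNG; mt_rand is the older fallback.
        $idx = function_exists('random_int') ? random_int(0, $max) : mt_rand(0, $max);
        $salt .= $alphabet[$idx];
    }
    return $salt;
}

/** Produce a stored value in the same md5(salt.password):salt format. */
function whmcs_make_stored($password, $saltLength = 5)
{
    $salt = whmcs_random_salt($saltLength);
    return md5($salt . $password) . ':' . $salt;
}

// Usage with constructed sample data (the stored value is generated here,
// not taken from a real WHMCS database).
$stored = whmcs_make_stored('correct horse');
var_dump(whmcs_verify_password($stored, 'correct horse'));
var_dump(whmcs_verify_password($stored, 'wrong password'));
var_dump(whmcs_verify_password('plaintextpw', 'plaintextpw'));
```

The first call returns true and the other two return false: the second because the password is wrong, the third because a bare plain-text record is not in hash:salt form, so the verifier refuses it instead of silently treating the stored value as the password. Splitting on the delimiter rather than taking the last five characters also keeps the check correct if WHMCS ever changes the salt length.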