“Our logic is full of holes...
I can see the bubbles.”
Tuesday 7th July, 2009
Quick demo of authentication against WHMCS 4.0 ("Loginshare"): In WHMCS 4.0 the authentication scheme changed to use MD5 passwords, which promptly broke software that authenticates against it. Now, when you query client details using the getclientdetails call, you get a password hash which looks something like

+----------------------------------------+
| password |
+----------------------------------------+
| fa91985ac8a79a2b0a308fc816353867:!BJK! |
+----------------------------------------+

This is a two-part hash; the part before the colon is an MD5 hash, the part after the colon is a salt. To verify a user's password, take the password they have given in the login form, prepend the salt to it, and then take the MD5 of the result. If the MD5 hashes match, then authentication is successful.

Remember that different users have different salts!

Example code:

<?php
// In real use this comes from the getclientdetails call of the WHMCS API
$hash_from_whmcs = "fa91985ac8a79a2b0a308fc816353867:!BJK!";

$password = isset($_POST["password"]) ? $_POST["password"] : "";

// Split on the first colon only: MD5 hex first, salt second
$parts = explode(":", $hash_from_whmcs, 2);
if (count($parts) != 2) {
        die("Unexpected hash format from WHMCS.");
}

// Salt goes in front of the password, then MD5 the lot
$newhash = md5($parts[1] . $password);

// Strict comparison: == would treat two hashes that both look like
// "0e..." followed by digits as equal numeric strings
if ($newhash === $parts[0]) {
        print "Well done, you can remember your password.";
} else {
        print "You are either amnesiac or an impostor, go away.";
}
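The same scheme in Python, as an added example that is not code from the post or from WHMCS: it parses the two-part hash, recomputes MD5(salt + password) and compares in constant time, and shows why two users with the same password but different salts end up with different stored hashes. The passwords and the second salt are constructed for the demo; the "!BJK!" salt is the one shown above.

```python
import hashlib
import hmac


def make_whmcs_hash(password: str, salt: str) -> str:
    """Build a WHMCS 4.0 style 'md5hex:salt' string: MD5 of the salt prepended to the password."""
    digest = hashlib.md5((salt + password).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify_whmcs_password(candidate: str, stored: str) -> bool:
    """Check a submitted password against a 'md5hex:salt' value from getclientdetails."""
    # Split on the first colon only: the hex digest can never contain ':',
    # but a salt could, and splitting on every colon would mangle it.
    digest, sep, salt = stored.partition(":")
    if not sep or len(digest) != 32:
        return False  # not the two-part format this scheme expects
    try:
        bytes.fromhex(digest)
    except ValueError:
        return False  # digest part is not hex
    recomputed = hashlib.md5((salt + candidate).encode("utf-8")).hexdigest()
    # Constant-time comparison; a loose string/numeric compare is the wrong tool here.
    return hmac.compare_digest(recomputed, digest.lower())


def salts_matter(password: str, salt_a: str, salt_b: str) -> bool:
    """True when the same password stored under two different salts gives two different digests."""
    digest_a = make_whmcs_hash(password, salt_a).partition(":")[0]
    digest_b = make_whmcs_hash(password, salt_b).partition(":")[0]
    return digest_a != digest_b


if __name__ == "__main__":
    # Constructed demo values; "!BJK!" is the salt from the post, the rest is made up.
    stored = make_whmcs_hash("correct horse", "!BJK!")
    print(stored)
    print(verify_whmcs_password("correct horse", stored))   # True
    print(verify_whmcs_password("Correct horse", stored))   # False
    print(salts_matter("correct horse", "!BJK!", "zQ9p"))   # True
```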

by Rob Mitchelmore, 10:42