Tuesday 7th July, 2009
Quick demo of authentication against WHMCS 4.0 ("Loginshare"): in WHMCS 4.0 the authentication scheme changed to use MD5 passwords, which promptly broke software that authenticates against it. Now, when you query client details using the getclientdetails call, you get a password hash which looks something like

+----------------------------------------+
| password |
+----------------------------------------+
| fa91985ac8a79a2b0a308fc816353867:!BJK! |
+----------------------------------------+

This is a two-part hash; the part before the colon is an MD5 hash, the part after the colon is a salt. To verify a user's password, take the password they have given in the login form, prepend the salt to it, and then take the MD5 of the result. If the MD5 hashes match, then authentication is successful.

Remember that different users have different salts!

Example code:

<?php
// This actually needs to come from getclientdetails from the WHMCS API
$hash_from_whmcs = "fa91985ac8a79a2b0a308fc816353867:!BJK!";

// Password submitted through the login form (empty string if absent)
$password = isset($_POST["password"]) ? $_POST["password"] : "";

// Split on the first colon only: [0] is the stored MD5 hex digest, [1] is the salt
$parts = explode(":", $hash_from_whmcs, 2);
if (count($parts) != 2) {
        die("Unexpected password hash format from WHMCS");
}

// Prepend the salt to the submitted password and hash the result
$newhash = md5($parts[1] . $password);

// Strict string comparison: "==" would compare two numeric-looking hex strings as numbers
if ($newhash === $parts[0]) {
        print "Well done, you can remember your password.";
} else {
        print "You are either amnesiac or an impostor, go away.";
}
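The same "md5hex:salt" check written as a reusable verifier, added here as an example and not code from the original post or from WHMCS; it rejects malformed stored values instead of raising, splits on the first colon only (so a salt containing ":" still works), and compares digests in constant time. The sample password and the make_whmcs4_hash() helper are constructed for this demo.

```python
import hashlib
import hmac


def verify_whmcs4_password(stored: str, candidate: str) -> bool:
    """Check a login-form password against a WHMCS 4.0 "md5hex:salt" entry.

    The stored value is md5(salt + password) as 32 hex characters, then a
    colon, then the salt. Any malformed stored value yields False.
    """
    # Split only on the first colon: everything after it is the salt.
    digest, sep, salt = stored.partition(":")
    if not sep or len(digest) != 32:
        return False  # not a two-part WHMCS 4.0 hash
    try:
        bytes.fromhex(digest)
    except ValueError:
        return False  # digest part is not hex
    candidate_digest = hashlib.md5((salt + candidate).encode("utf-8")).hexdigest()
    # Constant-time comparison so timing does not reveal how many characters matched.
    return hmac.compare_digest(candidate_digest, digest.lower())


def make_whmcs4_hash(password: str, salt: str) -> str:
    """Build a value in the same layout; used here only to construct demo data."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest() + ":" + salt


# Constructed sample (the password is made up; the salt matches the post's example).
SAMPLE_HASH = make_whmcs4_hash("correct horse", "!BJK!")

if __name__ == "__main__":
    print(verify_whmcs4_password(SAMPLE_HASH, "correct horse"))  # True
    print(verify_whmcs4_password(SAMPLE_HASH, "wrong password"))  # False
```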

posted by Rob Mitchelmore, 10:42