milosvbl Posted April 13, 2010

After briefly thinking about the administration approach used in WHMCS for the OpenSRS and ResellOne registrars, I have found that it could be relatively easy to compromise the domains of WHMCS users and gain administrative control over them. Bearing in mind that WHMCS registers domains through these registrars and creates a username/password combination based on the domain name and the domain id in the WHMCS panel, it would be possible for external parties to guess the domain id used in the control panel and successfully log in to the administrative interface of the respective registrar.

My proposal for a solution to this problem is simple: WHMCS should add an additional field in the administration area where admins could define an additional keyword, which should be used for creating the hash based on the domain id. E.g., if this hash/password is currently created only by using md5 on the domain id in the panel, in this proposal it could be used in such a way that the predefined keyword is concatenated to the domain id, and in that way a new, unique and harder-to-guess password could be created.

It is strange to me that such a naive approach has been selected and that no known security breaches have been made.

efisher Posted April 13, 2010

+1 for me. I agree, the way that WHMCS authenticates with OpenSRS is a little odd. I would hope for some site-specific key or prefix that could make our instance unique and make those passwords harder to guess.
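
The site-specific key both posts ask for, as an added example that is not part of the thread and not WHMCS code: it uses HMAC-SHA256 in place of the proposed md5(keyword + id), and an audit helper checks whether a stored password can be rebuilt from public inputs alone. The md5-of-id scheme is the first post's hypothesis; all function names, the domain and the id are constructed.

```python
import hashlib
import hmac
import secrets

def legacy_password(domain_id: int) -> str:
    # Scheme hypothesised in the first post: md5 over the panel's domain id only.
    return hashlib.md5(str(domain_id).encode()).hexdigest()

def keyed_password(site_key: bytes, domain: str, domain_id: int) -> str:
    # Per-installation secret mixed in with HMAC, so knowing the domain and
    # its id is not enough to rebuild the registrar password.
    msg = f"{domain}:{domain_id}".encode()
    return hmac.new(site_key, msg, hashlib.sha256).hexdigest()

def public_candidates(domain: str, domain_id: int):
    # Every value derivable from the domain name and id with a plain hash.
    materials = (str(domain_id), domain + str(domain_id), str(domain_id) + domain)
    for algo in ("md5", "sha1", "sha256"):
        for material in materials:
            yield hashlib.new(algo, material.encode()).hexdigest()

def derivable_without_secret(password: str, domain: str, max_id: int) -> bool:
    # Audit check: True means the password depends on nothing but the
    # domain name and a small sequential id, so it should be rotated.
    for domain_id in range(1, max_id + 1):
        if password in public_candidates(domain, domain_id):
            return True
    return False

def audit_demo() -> dict:
    domain, domain_id = "example.com", 4711   # constructed sample values
    site_key = secrets.token_bytes(32)        # generated once per installation
    old = legacy_password(domain_id)
    new = keyed_password(site_key, domain, domain_id)
    return {
        "legacy_derivable": derivable_without_secret(old, domain, 10000),
        "keyed_derivable": derivable_without_secret(new, domain, 10000),
    }

if __name__ == "__main__":
    print(audit_demo())
```

A keyed derivation still ties every domain's password to one secret, so the key needs the same protection as the registrar API credentials.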