Storing client passwords through the External API v.5.2.12


Our portal passes the new client password as a plain text string to WHMCS through the external API.

In the WHMCS process it appears to be using the PHP htmlspecialchars() function on the string and performing some additional processing on the htmlencoded string.

The issue is that the string breaks on the ";" and the password is not "completely" saved. The value up to the ";" is stored in the database.

HTML-encoded characters:

'&' (ampersand) becomes '&amp;'

'"' (double quote) becomes '&quot;'

"'" (single quote) becomes '&#039;' (or '&apos;')

'<' (less than) becomes '&lt;'

'>' (greater than) becomes '&gt;'

The user cannot change the password after this has happened because the stored password does not match the password text entered as the "current password" in the update form. This was working fine until updating to v. 5.2.12.


Hello,

I've been unable to reproduce the error with a combination of those characters, using many different versions of our software (v5.2.12 included). Would you be able to provide a specific password that is creating the issue? We already decode the password before the hash is created.

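The failure mode reported in the first post and the decode-before-hash step mentioned in the reply, as an added PHP example that is not part of the thread and is not WHMCS code. The function names, the use of `password_hash()`, and the sample passwords are assumptions made for illustration; `store_truncated()` only models the reported symptom (encoded string cut at the first ";").

```php
<?php
// Added illustration, not WHMCS code. It models the behaviour described in the
// first post: the password is HTML-encoded, then a later (hypothetical) step
// keeps only the part of the encoded string before the first ";".

// Hypothetical stand-in for the faulty processing the first post reports.
function store_truncated(string $password): string
{
    $encoded = htmlspecialchars($password, ENT_QUOTES, 'UTF-8');
    $kept = explode(';', $encoded, 2)[0];   // everything before the first ";"
    return password_hash($kept, PASSWORD_DEFAULT);
}

// Hash the exact string the client sent; HTML-encode only when rendering output.
function store_raw(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// If an input layer has already encoded the value, reverse that before hashing
// (the approach the reply describes).
function store_decoded(string $encodedInput): string
{
    $raw = htmlspecialchars_decode($encodedInput, ENT_QUOTES);
    return password_hash($raw, PASSWORD_DEFAULT);
}

// Constructed sample passwords: three contain characters that htmlspecialchars()
// turns into entities ending in ";", one contains none.
$samples = ['Tr0ub&dor', 'a<b>c"d', "it's;fine", 'plainPass1'];

foreach ($samples as $pw) {
    $encoded = htmlspecialchars($pw, ENT_QUOTES, 'UTF-8');
    printf(
        "%-12s encoded=%-26s truncated=%-5s raw=%-5s decoded=%s\n",
        $pw,
        $encoded,
        password_verify($pw, store_truncated($pw)) ? 'ok' : 'FAIL',
        password_verify($pw, store_raw($pw)) ? 'ok' : 'FAIL',
        password_verify($pw, store_decoded($encoded)) ? 'ok' : 'FAIL'
    );
}
```

Any password whose encoded form contains ";" fails verification under the truncating model, which matches the "current password" mismatch described in the first post; hashing the raw or decoded value verifies for every sample.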
