[confirmed] Storing client passwords through the External API v.5.2.12

[mnorris]

Our portal passes the new client password as a plain text string to WHMCS through the external API.

 

In the WHMCS process it appears to be using the PHP htmlspecialchars() function on the string and performing some additional processing on the htmlencoded sting.

 

The issue is that the string breaks on the ";". and the password is not "completely" saved. The value up to the ";" is stored in the database.

 

Html encoded characters:

'&' (ampersand) becomes '&'

'"' (double quote) becomes '"'

"'" (single quote) becomes ''' ( or ' )

'<' (less than) becomes '<'

'>' (greater than) becomes '>

 

The user can not change the password after this has happened because the stored password does not match the password text entered as the "current password" in the update form. This was working fine until updating to v. 5.2.12.

[WHMCS Nate]

Hello,

 

Thanks for this report, I have opened a case for our developers to track the resolution of this issue: 3859.

 

Have a great day,

 

Nate C

[WHMCS Nicolas]

Hello,

 

I've been unable to reproduce the error with a combination of those characters, using many different versions or our software (v5.2.12 included). Would you be able to provide a specific password that is creating the issue? We already decode the password before the hash is created.