
Is this an Auto Auth API security flaw or am I missing something?


stoogle1


So I set up auto auth between my current system and WHMCS.

I wanted to test the security on this and the what-ifs, as you should always do.

It logs in fine when a user on my program has a matching email on the WHMCS side also. As it should.

So I thought, what if the session didn't pass the email address and it was blank.

So I put a stop in place in case the email address in the session on my side was blank, to echo out to contact support and then kill. That works fine.

BUT

If an email address IS in the session but DOESN'T match one in the WHMCS users, it will log in as another user. Am I missing another check in the autoauth to make sure the email address matches?

Below is what I'm using:


<?php include(BASE_URL . 'includes/globals.php'); ?>
<?php
/*
WHMCS AutoAuth script
*/

# Only the email is needed for AutoAuth ($username / $password were never used).
# AutoAuth logs in whichever WHMCS client matches this address, so it must be
# the address of the user who is actually authenticated on this side.
$email = isset($_SESSION["EmailAddress"]) ? trim($_SESSION["EmailAddress"]) : "";

# Define WHMCS URL & AutoAuth Key
$whmcsurl = "http://*********/support/clientarea.php";
$autoauthkey = "**********";

# Stop here if the session carries no usable email address.
# isset() is true for an empty string, so empty() plus a format check is used,
# and the check runs BEFORE the hash is generated so a blank email is never signed.
if (empty($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false)
{
echo "<p>Error, Please contact I.T. Department to get access to this area</p>";
echo "<p>Call ****** or email ******</p>";
exit;
}

$timestamp = time(); # Get current timestamp
$goto = "clientarea.php";

$hash = sha1($email.$timestamp.$autoauthkey); # Generate Hash (sha1 of email . timestamp . key)

# Generate AutoAuth URL & Redirect (the email must be URL-encoded as well as $goto)
$url = $whmcsurl."?email=".urlencode($email)."&timestamp=$timestamp&hash=$hash&goto=".urlencode($goto);
echo "<meta http-equiv='refresh' content='0;url=".htmlspecialchars($url, ENT_QUOTES)."' />";
exit;
?>
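As an added illustration (not part of the original post and not WHMCS's own code), here is a Python model of both sides of the AutoAuth exchange: the sender builds the URL the same way the script above does, and a receiver recomputes sha1(email . timestamp . key) and checks freshness. It shows that the hash verifies for whatever email the sender chose to sign, so the only thing standing between a user and someone else's account is the sender-side check that the session email really belongs to the authenticated user. The key, the WHMCS URL and the 15-minute window are constructed assumptions.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTOAUTH_KEY = "constructed-autoauth-key"                   # placeholder, not a real key
WHMCS_URL = "http://whmcs.example/support/clientarea.php"   # constructed
MAX_AGE = 15 * 60   # assumed freshness window in seconds


def autoauth_hash(email: str, timestamp: int, key: str) -> str:
    # Same construction as the posted script: sha1(email . timestamp . key)
    return hashlib.sha1(f"{email}{timestamp}{key}".encode()).hexdigest()


def build_autoauth_url(email, key=AUTOAUTH_KEY, goto="clientarea.php", now=None):
    """Sender side, with the guard run before anything is signed."""
    email = (email or "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        raise ValueError("no usable email in session; refusing to sign")
    ts = int(now if now is not None else time.time())
    q = {"email": email, "timestamp": ts,
         "hash": autoauth_hash(email, ts, key), "goto": goto}
    return f"{WHMCS_URL}?{urlencode(q)}"


def verify_autoauth_url(url, key=AUTOAUTH_KEY, now=None):
    """Receiver-side model: returns the email that would be logged in, or None."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        ts, email, given = int(q["timestamp"]), q["email"], q["hash"]
    except (KeyError, ValueError):
        return None
    now = int(now if now is not None else time.time())
    if abs(now - ts) > MAX_AGE:            # stale or future-dated link is rejected
        return None
    expected = autoauth_hash(email, ts, key)
    if not hmac.compare_digest(expected, given):   # constant-time compare
        return None
    # The receiver only learns that the holder of the key vouched for this
    # email; it has no way to know whether that was the right email to vouch for.
    return email
```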
