Miskoff
Posted September 5, 2014

Hi,

After patch 5.3.9 (incremental from 5.3. our custom services have problems connecting to the API. All tries get the exception 403 - Forbidden, and in the Activity Logs we can see that the user login attempt failed:

Failed Admin Login Attempt - Username: XXX

We have no problem getting access to the admin area using the same credentials.

We found this article: http://docs.whmcs.com/Admin_Password_Hashing

And 2 changes in it that could be the source of the problem:

"Only 3rd-Party Integration Developers that read/write admin authentication details directly from the database will be affected by this change."

But our services are not reading details directly from the database. Then at the very bottom of that article there is another change:

"Hash Schema

WHMCS 5.3.9 introduces application-level support and usage of two hash algorithms using cryptographically secure hashing routines. Both the Bcrypt and SHA256-HMAC algorithms and hashing routines are supported. If the PHP version of the web server is 5.3.7 or greater, then Bcrypt will be used. Otherwise, if the web server is using a version of PHP that is less than 5.3.7, SHA256-HMAC will be used."

Till now we used MD5 hashing for the credentials; does the above mean that it is no longer supported?

Has anyone had a similar problem and fixed it through a hashing method change?

-- Miskoff

Miskoff (Author)
Posted September 8, 2014

We fixed that. There is a problem and a solution that we got from our developers; maybe it will be useful for someone:

After the update to 5.3.9, WHMCS started reacting to uppercase letters in the MD5 hashed password we were sending.

The solution that worked for us is that now, while we are sending the MD5 hashed password, we change uppercase letters to lowercase ones.

-- Miskoff
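
The fix described in this thread, as an added example that is not part of the original posts and not WHMCS code: a client that always sends the MD5 digest as lowercase hex, next to a comparison showing why uppercase hex can fail. The `username`/`password`/`action`/`responsetype` fields follow the WHMCS API's form-post convention; `strict_match` is a hypothetical stand-in for a case-sensitive server-side check, and the account name, action and password are constructed sample values.

```python
import hashlib
import hmac
import re
from urllib.parse import urlencode

MD5_HEX = re.compile(r"[0-9A-Fa-f]{32}")


def normalize_md5_hex(digest: str) -> str:
    """Validate a hex MD5 digest from any producer and return it lowercased."""
    digest = digest.strip()
    if not MD5_HEX.fullmatch(digest):
        raise ValueError("expected 32 hexadecimal characters")
    return digest.lower()


def build_api_body(username: str, password: str, action: str) -> str:
    """Form-encoded request body carrying the lowercase MD5 hex digest."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()  # lowercase hex
    return urlencode({
        "username": username,
        "password": normalize_md5_hex(digest),
        "action": action,
        "responsetype": "json",
    })


def strict_match(sent: str, stored: str) -> bool:
    """Hypothetical server check: compares hex text, so letter case matters."""
    return hmac.compare_digest(sent, stored)


def tolerant_match(sent: str, stored: str) -> bool:
    """Compares the decoded 16 bytes, so hex letter case is irrelevant."""
    return hmac.compare_digest(bytes.fromhex(sent), bytes.fromhex(stored))


if __name__ == "__main__":
    password = "constructed-example-password"  # constructed sample value
    lower = hashlib.md5(password.encode("utf-8")).hexdigest()
    upper = lower.upper()  # what an uppercase-hex formatter would emit
    print("uppercase, strict check:  ", strict_match(upper, lower))
    print("normalized, strict check: ", strict_match(normalize_md5_hex(upper), lower))
    print("uppercase, byte comparison:", tolerant_match(upper, lower))
    print(build_api_body("apiuser", password, "getclients"))
```

Services written in languages whose hex formatters emit uppercase by default need the equivalent of `normalize_md5_hex` before the digest goes on the wire.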