yggdrasil Posted April 21, 2017

I just found out this: https://developers.whmcs.com/api-reference/decryptpassword/

Is this for server passwords or customers' passwords or both? I'm a bit shocked, to be honest, in a bad way. Encryption is not the same as hashing, and passwords should never be encrypted but hashed. I had the impression WHMCS was hashing and then salting passwords. If you can decrypt passwords, it means they are neither hashed nor salted. Passwords are supposed to be irreversible in the database. While I can understand some may require this for a customer login verification, this is unacceptable for storing server logins, in particular when most modules require root logins in order to provision services, and a company would have all their server passwords stored in WHMCS since every module, like cPanel, Plesk, etc., requires setting the root logins. Maybe someone can clarify this.
markhughes Posted April 26, 2017

Yes. Passwords for servers are reversible, if you use them. cPanel and some other software offer an access hash which you can restrict to IPs (aka the WHMCS server), so you would just use the username + access hash. You don't have to use the root password in this case! Actually, never use the root password or root account. Create a reseller account with root reseller privileges. If we don't have a password or access hash for the server you cannot use automatic setup. Your password is encrypted with the hash set in your configuration file (do not change this) so other installations of WHMCS cannot decrypt your passwords or hashes. See "Add a cPanel Server": http://docs.whmcs.com/CPanel/WHM#Adding_a_cPanel_Server

I am fairly sure you can create a new Plesk reseller account with a different username and also restrict its IP to the WHMCS installation.
yggdrasil Posted April 27, 2017 (Author)

Well, they don't specify what passwords they are talking about with the feature. I assumed passwords for servers are not hashed, as WHMCS needs to use them for automation. But user account passwords should be hashed and salted.

As for the other thing you mentioned, I think you are a bit mistaken here when it comes to security. The WHM hash key acts just like a long password and nothing more. There is no difference between using that and setting up a password. They grant you the same access. (hash = key = long password)

As for not using the root hash key and using a Reseller account instead, you may be right, except that (an account with fewer privileges) not everything works with a regular cPanel Reseller account. I tested this in the past, and the Reseller in WHM needs the option Super Privileges set to on for WHMCS. I can't remember what features didn't work with WHMCS or if it was some module that didn't work, but that option had to be turned on. So if you use a Reseller account with that option ON, that is similar to using a root account. No difference; it's just like giving root privileges to an account with another name on Linux or giving administrator rights to someone on Windows. So it doesn't matter if you call it "root" or "joe"; if that account is super admin, someone with access to those logins has the same access as someone with root. If someone steals your HASH you are in almost the same trouble as someone stealing a server password, and if the Reseller account you are using has Super Privileges set to ON, that is like using root anyway.

Other modules (not cPanel) don't have that Hash option either, or don't work with accounts with fewer privileges. They require the root password for most stuff. Ouch!!!
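The distinction the thread draws (one-way hashing for client logins in the first and third posts, reversible encryption keyed from the configuration file for server credentials in the second), as an added example that is neither WHMCS's code nor the posters': client passwords are salted, hashed and only ever verified, while server credentials, which provisioning needs in clear, are encrypted under a key derived from the installation secret so a record copied to another installation does not decrypt. The `$config['hash']` field name and the record layout are assumptions, not WHMCS internals.

```php
<?php
// Added example, not WHMCS code. $config['hash'] is an assumed stand-in for the
// secret a configuration file holds; record layout and sample values are constructed.

// Client login passwords: one-way, salted hash (bcrypt embeds a random salt).
// The plaintext cannot be recovered; only "does this candidate match?" is answerable.
function storeClientPassword(string $plaintext): string
{
    return password_hash($plaintext, PASSWORD_BCRYPT);
}

function verifyClientPassword(string $candidate, string $stored): bool
{
    return password_verify($candidate, $stored);
}

// Server credentials must be recoverable for provisioning, so they are
// encrypted (AES-256-GCM) under a key derived from the installation secret.
function serverKey(array $config): string
{
    return hash('sha256', $config['hash'], true);   // 32-byte key
}

function encryptServerCredential(string $plaintext, array $config): string
{
    $iv  = random_bytes(12);                         // fresh nonce per record
    $tag = '';
    $ct  = openssl_encrypt($plaintext, 'aes-256-gcm', serverKey($config),
                           OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return base64_encode($iv . $tag . $ct);          // nonce and tag are not secret
}

function decryptServerCredential(string $stored, array $config): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 28) { throw new RuntimeException('malformed record'); }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', serverKey($config),
                          OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    // false means another installation's key, or a tampered record
    if ($pt === false) { throw new RuntimeException('decryption failed'); }
    return $pt;
}

$config = ['hash' => 'constructed-installation-secret'];
$stored = storeClientPassword('client-p@ss');
var_dump(verifyClientPassword('client-p@ss', $stored), verifyClientPassword('nope', $stored));
$record = encryptServerCredential('constructed-root-credential', $config);
var_dump(decryptServerCredential($record, $config));
```

Run the last call again with a different `$config['hash']` to see the record refuse to decrypt, which is the property the second post describes for a copied database.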