Login to WhmCs with phone number instead of Email


Nasouh

Hi there,
By using the hooks on earlier posts, clients can log in successfully with their email address and any password.
To fix this security issue, use the hooks below (tested on WHMCS 7.10.2):

<?php

use WHMCS\Database\Capsule;

add_hook('ClientLoginShare', 1, function ($vars) {

    // Username is whatever the user enters in the 'email address' field.
    $username = $vars['username'];
    $password = $vars['password'];

    // If the user did not enter an email address, try to resolve the value as a
    // phone number and find the matching client's email address in the database.
    if (!filter_var($username, FILTER_VALIDATE_EMAIL)) {
        $users = Capsule::table('tblclients')
            ->select('email')
            ->where('phonenumber', $username)
            ->get();

        // If no client, or more than one client, has this phone number, allow
        // _none_ of them to log in with it. They can still log in using their
        // email address in that case.
        if (count($users) !== 1) {
            return false;
        }

        // Set the user's email address
        $email = $users[0]->email;
    } else {
        $email = $username;
    }

    // Documentation: https://developers.whmcs.com/api-reference/validatelogin/
    // Check that the password is valid for the resolved email address - only
    // then log them in using that email address.
    $isValid = localAPI('ValidateLogin', array(
        'email'     => $email,
        'password2' => $password,
    ));

    if ($isValid['result'] === 'success') {
        return array(
            'email' => $email,
        );
    }

    return false;
});

// Change login input field to allow any text
add_hook('ClientAreaFooterOutput', 1, function ($vars) {
    $changeLoginInput = '<script>$( document ).ready(function() {
        $("#inputEmail").prop({type:"text"});
    });</script>';
    return $changeLoginInput;
});


Edited by aliyousefian
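The decision logic of the hook above, extracted into a plain function so it can be exercised offline. This is an added example, not code from the thread or from WHMCS: the database lookup and the ValidateLogin call are replaced by callables ($emailsForPhone and $validateLogin are hypothetical names), and the client records are constructed sample data. It shows every branch the hook has to get right: the phone number resolves to exactly one client, the password is always checked before an identity is returned, and zero or several matches are refused.

```php
<?php
// Added example: ClientLoginShare decision logic with the WHMCS dependencies
// injected, so it runs without a WHMCS install. Names and data are constructed.

/**
 * Decide whether a login attempt should be accepted.
 *
 * @param string   $username        What the user typed into the "email" field.
 * @param string   $password        The submitted password.
 * @param callable $emailsForPhone  fn(string $phone): string[]  emails of clients owning that phone.
 * @param callable $validateLogin   fn(string $email, string $password): bool  stands in for ValidateLogin.
 * @return array|false              ['email' => ...] to log the user in, false to refuse.
 */
function shareLogin($username, $password, callable $emailsForPhone, callable $validateLogin)
{
    if (filter_var($username, FILTER_VALIDATE_EMAIL)) {
        $email = $username;
    } else {
        $emails = $emailsForPhone($username);
        // Exactly one client may own the phone number; zero or several matches refuse the login.
        if (count($emails) !== 1) {
            return false;
        }
        $email = $emails[0];
    }

    // Never return an identity without checking the password. Skipping this step is
    // what let the earlier hooks accept any password for a known email address.
    return $validateLogin($email, $password) ? array('email' => $email) : false;
}

// ---- Constructed sample data standing in for tblclients and ValidateLogin ----
$clients = array(
    array('email' => 'alice@example.com', 'phonenumber' => '+15550100', 'password' => 'correct horse'),
    array('email' => 'bob@example.com',   'phonenumber' => '+15550200', 'password' => 'battery staple'),
    array('email' => 'carol@example.com', 'phonenumber' => '+15550200', 'password' => 'shared phone'),
);

$emailsForPhone = function ($phone) use ($clients) {
    $emails = array();
    foreach ($clients as $c) {
        if ($c['phonenumber'] === $phone) {
            $emails[] = $c['email'];
        }
    }
    return $emails;
};

$validateLogin = function ($email, $password) use ($clients) {
    foreach ($clients as $c) {
        if ($c['email'] === $email) {
            // Plain comparison for the demo; WHMCS itself verifies the stored hash.
            return hash_equals($c['password'], $password);
        }
    }
    return false;
};

$cases = array(
    array('+15550100', 'correct horse'),        // phone + right password  -> alice logs in
    array('+15550100', 'wrong'),                // phone + wrong password  -> refused
    array('+15550200', 'shared phone'),         // phone owned by two      -> refused
    array('+15550999', 'anything'),             // unknown phone           -> refused
    array('alice@example.com', 'correct horse'), // email path is validated too
    array('alice@example.com', 'wrong'),        // email + wrong password  -> refused
);

foreach ($cases as $case) {
    list($user, $pass) = $case;
    $result = shareLogin($user, $pass, $emailsForPhone, $validateLogin);
    printf("%-20s %-15s => %s\n", $user, $pass, $result ? 'login as ' . $result['email'] : 'refused');
}
```

Run it with `php example.php`; only the two attempts with the correct password produce a login, and the shared phone number is refused even with a valid password, matching the multiple-match rule in the hook.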
13 hours ago, aliyousefian said:

By using the hooks on earlier posts, clients can log in successfully with their email address and any password.

I've just tested, and I'm not able to login using any password.
This hook doesn't even work if you input an email address. It's only running if the username field doesn't contain an email address:

if (!filter_var($username, FILTER_VALIDATE_EMAIL)){
...
}

Edit:
By the looks of your code, it seems that whenever a client would try to login with their email address, you would always return false, meaning that the client won't be able to login.

Edited by DennisHermannsen
On 04/09/2020 at 17:45, DennisHermannsen said:

Maybe @brian! can see if I did anything wrong - although I did try without doing anything but return the email of a contact and it wouldn't log me in. As soon as I changed it to a client, it worked just fine.

I would be inclined to agree with Dennis - as written, you probably couldn't use that hook for sub-accounts - the ValidateLogin API shouldn't be the issue as, although undocumented, it can detect if the email address it's validating is a client or a contact, but I assume ClientLoginShare only works for clients.

Possibly you might have to go down the AutoAuth or CreateSsoToken route to log in using the validated returns of the earlier API... now AutoAuth is deprecated, but I think virtual is only using v7.9 so it should still be an option; I don't think CreateSsoToken came in until v7.10... or you wait until you upgrade to v8 and deal with the login issue then.
