Jump to content

How to mass reset client password using PhpMyAdmin (BUG or not a BUG)


Recommended Posts

Hello there

Is it possible to reset all clients password using PhpMyAdmin send a query to tblclients?

I am looking if I could generate random password for all clients, to ensure if there any client login with no password, I will automatically create one...
When you create clients on admin side, it will allow you not set a password (perhaps it is bug), but WHMCS works like this 😪. So if I reset all password when some client tries to login he will be enforce to request one password reset from client area page.

In general all my clients do not login to their client area, so no problem with that. As for the future months they will start logged-in more frequently, that is why I want to MASS RESET, and ensure more safety.

PS: I do not need to send new password reset to client at this moment by email , it is just a silent reset from admin side.

Edited by zitu4life
edit title
Link to comment
Share on other sites

Let me show steps reproduced to see if it is a BUG (actually only WHMCS will definitely decide if it is or not)

1- Add a client and leave email address empty.
We receive Validation Error, that is OK

image.thumb.png.1b572456e7c79aa01515f777715223dc.png

 

2- Add a client and insert email, but leave password empty
image.thumb.png.48cb2624b65da20116fe47748bfa7f14.png

3 - After click save, client add with success, with no password 🤪

image.thumb.png.514aeb6b62ebfb67740de4c4342f0277.png
 

4 - go to client area and try to login just inserting email address

image.thumb.png.28602e97f38b0386b0e15aa95c617780.png

 5 - Congratulations, we are in 😬

image.thumb.png.3366424c6ac24fbd71d97e918c24bf9c.png

Link to comment
Share on other sites

If you are masquerade as admin, you can login to any account just using the email. It doesn't matter what tblclients.password says, the login always works. You can double-check it by performing the same action when you are NOT logged as admin.

As for customers having an empty tblclients.password, you could use an hook like this one but read the notes below.

<?php

use WHMCS\Database\Capsule;

add_hook('DailyCronJob', 1, function($vars)
{
    $Data = Capsule::select(Capsule::raw('SELECT id FROM tblclients WHERE password = ""'));

    foreach ($Data as $v)
    {
        localAPI('ResetPassword', array('id' => $v->id), $adminUsername);
    }

});

With daily cron of WHMCS I select all clients with an empty password and perform the ResetPassword API command. The funny thing is that I have no idea of what ResetPassword actually does. I mean it returns "successful" but nothing changes in tblclients.password 🤨

Link to comment
Share on other sites

1 hour ago, zitu4life said:

I am looking if I could generate random password for all clients, to ensure if there any client login with no password, I will automatically create one...

but if a client has no password, and assuming they know their email address, they can reset it themselves can't they ?

if you create a new password (or get WHMCS to do it for you), then you will have to tell the client - so you are going to email their password to them openly??

1 hour ago, zitu4life said:

When you create clients on admin side, it will allow you not set a password (perhaps it is bug), but WHMCS works like this 😪

I wouldn't consider that a bug - by your own admission, most of your clients don't need passwords as they won't login.

1 hour ago, zitu4life said:

In general all my clients do not login to their client area, so no problem with that. As for the future months they will start logged-in more frequently, that is why I want to MASS RESET, and ensure more safety.

somewhere in the back of my mind, someone from WHMCS posted something about bulk resetting passwords - though can't remember if it was service or client passwords... I would suspect sometime in 2018 or 2017... possibly after a hack or a security issue.

20 minutes ago, Kian said:

As for customers having an empty tblclients.password, you could use an hook like this one but read the notes below.

I don't think that will work in the sense that I have client accounts in the devs that definitely don't have any passwords (I don't add them when creating new accounts), but that password field in the database isn't empty... it is for one or two, but not the rest.

24 minutes ago, Kian said:

The funny thing is that I have no idea of what ResetPassword actually does. I mean it returns "successful" but nothing changes in tblclients.password 🤨

it doesn't enter a password into the table, I think it just tries to send the password reset email to the client.

Link to comment
Share on other sites

Thinking better, it should not be a BUG, as @Kian said I was login somehow  masquerade as admin, that is why I could not need to insert password.

I have tried log out from admin and try login again just inserting email and it not allowed me (for same client without password created)...Perhaps somehow WHMCS is setting an random password to client even if as admin I do not set it a password, if it is true it is good for security reason, and that is what I would expect this behavior by  the system, or if not prompt with a validation password missing before create an account.

I can not confirm, but I think now that WHMCS setts random password to a client if added by admin and if password not provided. 

image.thumb.png.40055fda32dbad7d2d9cd7e0c7fc8a8b.png

 

 

Edited by zitu4life
add a picture and answer Brian question. Yes and NO
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated