Uploaded image for project: 'Blesta Core'
  1. Blesta Core
  2. CORE-3325

Import Manager: Add support for modern WHMCS password hashes

        Details

        • Type: New Feature
        • Status: Closed
        • Priority: Major
        • Resolution: Fixed
        • Affects Version/s: None
        • Fix Version/s: 4.9.0-b1
        • Component/s: Plugins
        • Labels:
          None

          Description

          WHMCS changed their password hashing algorithm. We used to be able to support their password hashes so clients could login after import without resetting their password.

          This was done by updating /config/blesta.php and changing the following:

          Configure::set("Blesta.auth_legacy_passwords", true);
          Configure::set("Blesta.auth_legacy_passwords_algo", "whmcs-md5");

          So, if we add support then I imagine we would do a similar thing, except for Blesta.auth_legacy_passwords_algo instead of "whmcs-md5" to "whmcs-sha256hmac" or something.

          See https://docs.whmcs.com/Admin_Password_Hashing#Hash_Schema for docs on their password hashing algorithm. This states that it's for Admins, I could not find a similar article for Clients, but it may be the same.

          See also https://www.ndchost.com/wiki/software/whmcs/client-password-hash for an overview and example.

            Activity

            Ascending order - Click to sort in descending order
            admin Paul Phillips created issue -
            admin Paul Phillips made changes -
            Field Original Value New Value
            Rank Ranked higher
            admin Paul Phillips made changes -
            Rank Ranked lower
            admin Paul Phillips made changes -
            Description WHMCS changed their password hashing algorithm. We used to be able to support their password hashes so clients could login after import without resetting their password.

            This was done by updating /config/blesta.php and changing the following:

            Configure::set("Blesta.auth_legacy_passwords", true);
            Configure::set("Blesta.auth_legacy_passwords_algo", "whmcs-md5");

            So, if we add support then I imagine we would do a similar thing, except for Blesta.auth_legacy_passwords_algo instead of "whmcs-md5" to "whmcs-sha256hmac" or something.

            See https://docs.whmcs.com/Admin_Password_Hashing#Hash_Schema for docs on their password hashing algorithm. This states that it's for Admins, I could not find a similar article for Clients, but it may be the same.             		WHMCS changed their password hashing algorithm. We used to be able to support their password hashes so clients could login after import without resetting their password.

            This was done by updating /config/blesta.php and changing the following:

            Configure::set("Blesta.auth_legacy_passwords", true);
            Configure::set("Blesta.auth_legacy_passwords_algo", "whmcs-md5");

            So, if we add support then I imagine we would do a similar thing, except for Blesta.auth_legacy_passwords_algo instead of "whmcs-md5" to "whmcs-sha256hmac" or something.

            See https://docs.whmcs.com/Admin_Password_Hashing#Hash_Schema for docs on their password hashing algorithm. This states that it's for Admins, I could not find a similar article for Clients, but it may be the same.

            See also https://www.ndchost.com/wiki/software/whmcs/client-password-hash for an overview and example.
            tyson Tyson Phillips (Inactive) made changes -
            Story Points 3
            tyson Tyson Phillips (Inactive) made changes -
            Sprint 4.9.0 Sprint 1 [ 98 ]
            tyson Tyson Phillips (Inactive) made changes -
            Rank Ranked higher
            tyson Tyson Phillips (Inactive) made changes -
            Sprint 4.9.0 Sprint 1 [ 98 ] 4.9.0 Sprint 2 [ 99 ]
            tyson Tyson Phillips (Inactive) made changes -
            Rank Ranked lower
            tyson Tyson Phillips (Inactive) made changes -
            Fix Version/s 4.9.0-b1 [ 11301 ]
            jonathan Jonathan Reissmueller made changes -
            Remaining Estimate 0 minutes [ 0 ]
            Time Spent 41 minutes [ 2460 ]
            Worklog Id 13081 [ 13081 ]
            jonathan Jonathan Reissmueller made changes -
            Assignee Jonathan Reissmueller [ jonathan ]
            Automated transition triggered when Jonathan Reissmueller created a branch in Stash -
            Status Open [ 1 ] In Progress [ 3 ]
            jonathan Jonathan Reissmueller made changes -
            Time Spent 41 minutes [ 2460 ] 1 hour, 20 minutes [ 4800 ]
            Worklog Id 13082 [ 13082 ]
            Automated transition triggered when Jonathan Reissmueller created pull request #788 in Stash -
            Status In Progress [ 3 ] In Review [ 5 ]
            Resolution Fixed [ 1 ]
            Automated transition triggered when Tyson Phillips (Inactive) merged pull request #788 in Stash -
            Status In Review [ 5 ] Closed [ 6 ]
            admin Paul Phillips made changes -
            Resolution Fixed [ 1 ]
            Status Closed [ 6 ] Reopened [ 4 ]
            admin Paul Phillips made changes -
            Security Private [ 10000 ]
            Hide
            Permalink
            admin Paul Phillips added a comment -

            Re-opened to make the issue public.

            Show
            admin Paul Phillips added a comment - Re-opened to make the issue public.
            admin Paul Phillips made changes -
            Status Reopened [ 4 ] Closed [ 6 ]
            Resolution Fixed [ 1 ]

              People

              • Assignee:
                jonathan Jonathan Reissmueller
                Reporter:
                admin Paul Phillips
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:
                  Fix Release Date:
                  31/Mar/20

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour, 20 minutes
                  1h 20m

                    Agile