Skip to main content

How to Authenticate WHMCS Admin Users with PHP

Over the past few days I've been working on a project that involved building an authentication mechanism for a new website which checks user logins against a WHMCS admin database. There are a variety of options for authenticating normal, non-admin WHMCS users: on the easy side of things, you can simply use the WHMCS API's validatelogin() call, or for a more advanced project its possible to implement OAuth within your WHMCS instance. For my project, neither LDAP nor Active Directory were options.

I was surprised to find that the WHMCS API did not contain a mechanism for authenticating admin users. I'm somewhat sympathetic given the security implications: WHMCS is a billing application and it should not be used to provide a sortof infrastructure authentication backbone, particularly given the many much more mature options available for this sort of thing. With that said, this project wasn't about looking to turn WHMCS into LDAP ... it was about allowing WHMCS admin to authenticate into a custom application that was directly and inextricably linked to WHMCS functionality.

When I came up empty on the API front I started Googling for a reasonable alternative, and I found a small number of other options. I became interested in the idea of building my own WHMCS API function to take care of this, but I still needed to take care of the authentication mechanism itself. WHMCS has a page in its documentation that describes in general terms how Admin passwords are hashed, and this page even contains PHP code samples that purport to allow you to auth admin user:password combinations. There are two samples; the first sample demonstrates how to use the WHMCS\Auth namespace and the comparePasswords() function, like so:

use WHMCS\Auth;
$authAdmin = new Auth;
if ($authAdmin->getInfobyUsername($username) && $authAdmin->comparePassword($password)) {
    $isValid = true;
} else {
    $isValid = false;

Pretty straightforward; and this sample works as far as it goes. However, WHMCS provides a second, more thorough example demonstrating how to use the function within a form. You can download a ZIP fie containing this sample here. Unfortunately, this second snippet is broken in a number of places. This second example provides a single file that contains an HTML form with some javascript to display a popup notification when an authentication failure occurs, and a PHP script that takes care of the password comparison. It is the PHP that has problems. I found a variety of fatal errors which made the example unusual: the WHMCS\Auth namespace was called in the wrong scope, the include for the WHMCS init Autoloader is called within a function in such a way that it remains unavailable for other functions, the example uses a class - WHMCS_Auth - which does not exist ... it took a little while for me to sort them out.

Anyway, I found the experience irksome enough that I posted a corrected version of the WHMCS Admin authentication script in a Github repo so that no one else will have to deal with this in the future. I've tested my new version in WHMCS 6.3.1; no guarantees for the latest version 7 at this time, but I can guarantee that WHMCS' example won't work in 7.

I hope it helps!


Popular posts from this blog

Fixing Event ID 10154 - The WinRM service failed to create the following SPN

The Problem The configuration of the system when this error was encountered is as follows: A. Windows Server 2008 R2 Redundant Domain Controllers - we will call these and B. Windows Server 2003 Web Server with Windows Remote Management enabled / part of the Active directory deployment - we will call this C. For the sake of our example, let's say I have configured an OU named "Web Servers" on those domain controllers Whenever the Windows 2003 Web server reboots, or WinRM.exe service on the Windows 2003 Web server restarts, the following error was logged into the Event Viewer: Event ID: 10154 Source: Microsoft-Windows-WinRM Version: 6.1 Symbolic Name: LOG_WSMAN_SPN_CREATION Message: The WinRM service failed to create the following SPN: %1. Additional Data The error received was 8344: Insufficient access rights to perform the operation. User Action The SPN can be created by an administrator using sets

Email server using amavisd-new fails with (!)DENIED ACCESS from IP, policy bank ''

I have used ClamAV and Spamassassin for many years. I've had a less experience with Amavis (now amavisd-new), but I've decided to give it a try with a new mail server deployment I've been working on. As a reference for my install, I relied on the documentation provided by Amavis for integration with Postfix  as well as a somewhat-outdated but still-relevant walkthrough published by CentOS . Prior to integration with amavisd, Postfix worked fine. Similarly, I had no issues with Spamassassin on its own. But once I finished my install of amavisd-new, things quickly went wrong. Attempting to send messages to accounts hosted on my email server resulted in the following chaing of errors in my maillog: Jan 13 18:17:34 hostname amavis[31578]: Net::Server: 2016/01/13-18:17:34 CONNECT TCP Peer: "[]:40209" Local: "[]:10024" Jan 13 18:17:34 hostname amavis[31578]: loaded base policy bank Jan 13 18:17:34 hostname amavis[31578]: lookup_ip_

Wikileaks Global Intelligence File Dump is Loaded With Malicious Software

Click here for the second post on this topic, which includes more detailed technical information. Hector Monsegur, formerly sabu of Lulzsec, has offered his point of view on this post. Get his opinion by reading my third post on the topic. In my fourth post on this topic, I explain how malware is not limited to the Stratfor leak torrent - curated links throughout the Wikileaks.Org website allow users to download individual infected files . This series of posts is beginning to receive coverage from several newspapers around the world. German speakers should check out the story in Neue Zürcher Zeitung / New Zurich Times . For English speakers, I recommend The Register from the UK for an excellent summary of these findings . Beginning in  February 27, 2012 , the controversial news organization Wikileaks has been publishing a large and growing trove of emails from the private intelligence firm  Strategic Forecasting, Inc (more widely known as  Stratfor). The leak publication bega