WHMCS : Passwords removal from welcome emails

WHMCS (Web Host Manager Complete Solution) is a popular customer management and provisioning system for cPanel/WHM – get yourself a dedicated server, install WHMCS and bingo, a hosting company is born (well, almost).

It’s fair to say that WHMCS has a few security problems in recent times. This is due in part to WHMCS being such a rapid success that the development of the product’s core has lagged behind somewhat.

WHMCS stores unencrypted passwords?

Now clearly, if an attacker has got far enough to look at your database then it’s pretty much game over for your WHMCS installation, but keeping a copy of every cPanel password you ever sent to a customer in plain text is just making it easy for the bad guys. What was that? Plain text? Passwords are indeed encrypted (not hashed – they are easily decrypted by PHP) in the tblhosting table, but in the tblemails table they are in the clear.

Tblemails contains amongst other things, all of the activation/welcome emails to customers containing all of the technical connection details they will need to log into their cPanel account and get started – including their initial passwords – which of course they always change straight away, right <facepalm>wrong</facepalm>.

This whole scenario is a very good argument for allowing cPanel users from being able to change their own passwords via cPanel directly. Because once they do, the link with WHMCS is broken and WHMCS can no longer log directly into a customer’s cPanel account. Personally, I’m not confident enough in WHMCS to consider using it as a customer’s sole method of cPanel password management.

If you are a host that DOES allow users to change their own cPanel passwords in cPanel, then good for you! Maybe you also clear the password field in WHMCS to ensure that a pwned WHMCS installation can’t log straight into your customer’s cPanel accounts. Even better. But if you leave setup passwords lying around in the tblemails then you are allowing an attacker the opportunity to gain access to a customers’ cPanel accounts without having to reset their password first. Remember, the worst security breaches are those you don’t detect!

Without this data the attacker would have to create themselves an administrative account (easy to do) and change cPanel passwords using the WHMCS web interface, or by leveraging the API to automate mass password resetting – That’s fine if the attacker wants to inflict maximum disruption, but the incursion would be very noisy and it would soon become apparent something was wrong.

Even if WHMCS passwords are removed from these emails in future, it’s likely that you will still have thousands of passwords stored away in your database, just waiting to give up their juice. So why not remove them?

Perl script to strip passwords from WHMCS client emails

The following script will firstly go through the WHMCS MySQL table tblemails and find any records for which an email contains the string assword: but feel free to change this pattern for something else. This simple LIKE is much faster than using REGEXP to look for [Pp]assword.

Then, it searches using normal PCRE to find the characters [Pp]assword: and anything following up to and including a closing paragraph or line break tag. It then replaces this selection with Password: redacted</p> before updating the row in the database.

You will need to add your database connection details as shown before using this script. As always, BACKUP the tblemails table before running this script. You could run this script from a cron to regularly clean passwords from your database.

Additionally, if you wish to wipe all cPanel passwords from the product details screen in WHMCS, then you can uncomment the three lines at the end of the script as marked.


, , , , ,

No comments yet.

Leave a Reply

Time limit is exhausted. Please reload CAPTCHA.