Verifying user's password in PHP script?

Discussion in 'General Discussion' started by philpem, Nov 4, 2005.

  1. philpem

    Hi,
    I'm currently working on a central "member's page" to integrate links to cPanel, webmail and Cerberus Helpdesk. Ideally, I want this to tailor itself to individual members - display their username, only display stuff they have access to, and so forth.

    The problem is, I can't see any easy way to check the username/password for validity. So far the best way I've come up with is to use cURL to send an HTTP request to cPanel on port 2083 and try and access a page on the user's cPanel. If cP returns "401 Unauthorized", the password is obviously invalid. I'm just worried about how much load this is going to place on the server...
    Does anyone have any better ideas?

    I'm also looking for some information on the output format for the listaccts() and listpkgs() functions in Accounting.inc.php, i.e. what each of the fields actually contains. The cPanel documentation for the accounting engine is remarkably vague...

    Thanks.
    Phil @ Castlecore.com
     
  2. dave9000

    You're probably not going to be able to use straight PHP to handle this, as the shadow file for the passwords on the main cPanel users is root read-only, and PHP will be running as user nobody or, if you're using phpsuexec, the PHP will be running as the web root username.

    You can modify the /scripts/realchpass to authenticate the /etc/passwd and /etc/shadow files using PHP to call this file.

    The e-mail auth files are located in /home/<username>/etc/<domainname>passwd,group and can be called the same way with a modified realchpass called by PHP.

    The modified chpass file will have to have root access to read the files, so there is a possibility of a security hole doing this.
     
    #2 dave9000, Nov 5, 2005
    Last edited: Nov 5, 2005
  3. webignition

    Actually scripts placed in any of cPanel's or WHM's executable directories can be run as root with a bit of fiddling.

    I have a number of PHP scripts in /usr/local/cpanel/whostmgr/docroot/3rdparty/directory/ that happily run as root. These scripts are then called 'remotely' (that is from a normal account under phpsuexec) via the remote access features - only possible though if you have root's remote access key.

    From taking a look at the supplied remote access PHP functions, it's not too tricky to make your own functions to call your own rootable scripts, allowing you to achieve what you need.
     
  4. dave9000

    I had forgotten about the remote access functions. That would be the best way to go.
    However, as I said before, be really careful to sanitize the data, or else you could be opening up a big security hole with the scripts operating with root capabilities.
     
  5. philpem

    OK, so I'm probably going to need to pick WHM apart and try and find out what script needs calling and what params to feed it? Eww.
    I've got authentication working (authenticating against the POP3 mailserver), but the problem is that no longer works once an account is suspended (which the billing system does automatically when an account goes too far overdue). The only way to get unsuspended is to pay some money into the account to get the account balance up, but the only way to get into the Account Panel is to log in, but you can't do that if you're suspended.

    So really what I need to do is meddle with the cPanel change-password script and see if I can make it check the password but not change it, and also tweak it to ignore the fact that an account is suspended... :confused:

    Thanks.
    Phil @ Castlecore.com
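
The input check dave9000 asks for and the suspended-account case philpem describes, as an added example that is not part of the thread and is not cPanel's code: a helper validates the username against an allow-list pattern before using it, then verifies the password against shadow(5)-format lines and reports a locked entry separately from a wrong password. The function names, the username pattern, the sample lines, and the idea that a suspended account appears as a locked shadow entry are all assumptions made for illustration.

```php
<?php
// Added example (not cPanel code); the username policy and sample data are assumptions.

// Strict allow-list check, applied before the name is used for any lookup.
function valid_username(string $user): bool
{
    return preg_match('/\A[a-z][a-z0-9]{0,15}\z/', $user) === 1;
}

// Returns 'ok', 'locked' (right password, locked account), 'bad' or 'invalid'.
function check_password(array $shadowLines, string $user, string $password): string
{
    if (!valid_username($user)) {
        return 'invalid';
    }
    // Unknown users are checked against a dummy hash so they cost similar work.
    $stored = crypt('dummy', '$6$dummysalt$');
    $found = false;
    foreach ($shadowLines as $line) {
        $fields = explode(':', rtrim($line, "\r\n"));
        if (count($fields) >= 2 && $fields[0] === $user) {
            $stored = $fields[1];
            $found = true;
            break;
        }
    }
    // shadow(5): a leading '!' marks a locked password; the hash follows it.
    $locked = $found && $stored !== '' && $stored[0] === '!';
    $stored = ltrim($stored, '!');
    if ($stored === '' || $stored[0] === '*') {
        return 'bad'; // no usable hash, nothing can match
    }
    // password_verify() also accepts crypt(3) hashes and is timing-attack safe.
    $match = password_verify($password, $stored);
    if (!$found || !$match) {
        return 'bad';
    }
    return $locked ? 'locked' : 'ok';
}

// Constructed sample data: two accounts sharing one test password.
$hash = crypt('correct horse', '$6$constructedsalt$');
$shadow = ['alice:' . $hash . ':19000:0:99999:7:::', 'bob:!!' . $hash . ':19000:0:99999:7:::'];
$tries = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'correct horse'],
          ['mallory', 'x'], ['alice; id', 'x']];
foreach ($tries as [$user, $pass]) {
    printf("%-10s %s\n", $user, check_password($shadow, $user, $pass));
}
```

A helper like this only returns one of four fixed strings, so the script calling it from an unprivileged account never receives hash material.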
     