vTiger Customizations – Part 1: Hashing passwords in the vTiger Customer Portal
UPDATE 9/8/2010: I submitted the updates to the vTiger Trac site as diffs against the 5.2.0 RC code, which may be an easier way to apply the changes.
I've titled this post Part 1 because I plan to post more vTiger customizations as I find things that I feel are useful to more people than just myself. NOTE: This modification was done on vTiger CRM 5.2.0 RC. The final 5.2.0 release is due out by the end of August, 2010.
I've been playing with the Customer Portal extension for vTiger. One thing I noticed is that it stores customer passwords in cleartext in the vtiger_portalinfo table. I'm not keen on running an internet-facing "Customer Portal" extension on a production CRM system without password hashing. Hash algorithms have been around for a VERY long time and are easy to use. Furthermore, the regular users table already uses password hashing with salts, which could easily be mimicked for the Customer Portal module.
Now, this is NOT a new find. Someone else reported it on the vTiger Trac site about a month ago. But vTiger is open source, so I decided to just make the change myself. From an architecture standpoint, I see a couple of different ways this change could be implemented. I chose a course that I felt would be easy to modify and still offer an appropriate level of security for the passwords in the database. To implement it, there are 3 "actions" in the code that need to be modified:
1.) Creation of portal users in vTiger CRM
2.) Changing portal user passwords in the Customer Portal
3.) Authentication of portal users to the Customer Portal
We're going to use MD5, because it's quick and easy, and I see that vTiger uses it for the vtiger_users table. Unfortunately, vtiger_portalinfo.user_password is only 30 characters and an MD5 hex digest is 32, so we'll need to make the column larger. Log into your mysql database for vtigercrm and run this statement: ALTER TABLE vtiger_portalinfo MODIFY user_password VARCHAR(32);
Now, we need to update the code:
1.) Update the Create Customer Portal Users code in vtigercrm/modules/Contacts/Save.php (add this line: $user_hash = strtolower(md5($password)); AND update $params, as seen below):
Line: 188
-if($insert == 'true')
-{
-$password = makeRandomPassword();
$user_hash = strtolower(md5($password)); // ADD THIS LINE
-$sql = "insert into vtiger_portalinfo values(?,?,?,?,?,?,?,?)";
$params = array($focus->id, $username, $user_hash, 'C', '0000-00-00 00:00:00', '0000-00-00 00:00:00', '0000-00-00 00:00:00', 1); // UPDATE THIS LINE
-$adb->pquery($sql, $params);
-}
2.) Update the Change Password functions
a.) Update the change_password function in vtigercrm/soap/customerportal.php (add this line: $password = strtolower(md5($password)); as seen below):
Start Line: 1030
-if(!empty($list[0]['id'])){
-return array('MORE_THAN_ONE_USER');
-}
$password = strtolower(md5($password)); // ADD THIS LINE
-$sql = "update vtiger_portalinfo set user_password=? where id=? and user_name=?";
-$result = $adb->pquery($sql, array($password, $id, $username));
b.) Update the SavePassword function in vtigercrm/customerportal/HelpDesk/Utils.php
Line: 111
if(strtolower(md5($oldpw)) == $result[0]['user_password']) // UPDATE THIS LINE
c.) Add these lines to the send_mail_for_password function in vtigercrm/soap/customerportal.php
Line: 1094
-$from = $adb->query_result($from_res,0,'email1');
$password = makeRandomPassword(); // ADD THIS LINE
$user_hash = strtolower(md5($password)); // ADD THIS LINE
$sql = "update vtiger_portalinfo set user_password=? where user_name=?"; // ADD THIS LINE
$adb->pquery($sql, array($user_hash, $user_name)); // ADD THIS LINE
-$contents = $mod_strings['LBL_LOGIN_DETAILS']
3.) Update the Authentication of user functions
a.) Update the authenticate_user function in vtigercrm/soap/customerportal.php (add this line: $password = strtolower(md5($password)); as seen below):
Start Line: 962
$password = strtolower(md5($password)); // ADD THIS LINE
-$username = $adb->sql_escape_string($username);
-$password = $adb->sql_escape_string($password);
b.) Update the final user/password check in vtigercrm/customerportal/CustomerAuthenticate.php:
Start Line: 49
if(strtolower($result[0]['user_name']) == strtolower($username) && strtolower($result[0]['user_password']) == strtolower(md5($password))) // UPDATE THIS LINE
That's it! Of course, if you have been using the Customer Portal prior to this update, you will need to hash all the existing passwords in the vtiger_portalinfo table. To do that, log in to the mysql database for vtigercrm and run this query: UPDATE vtiger_portalinfo SET user_password = md5(user_password);
About 10 lines of code and 2 database updates later, you have your portal passwords hashed!
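To see the three patched actions working together, here is an added example (my own code, not from the post or from vTiger) that runs the same unsalted strtolower(md5()) scheme against an in-memory stand-in for vtiger_portalinfo. The function names are invented; the one deliberate difference from the post is that the comparison uses hash_equals (PHP 5.6+) instead of ==, so the hash check is constant-time.

```php
<?php
// Added example, not vTiger code. The array below stands in for the
// vtiger_portalinfo table: user_name => user_password (stored as a hash).

// The transformation the post applies in all three patched places.
function hashPortalPassword($password) {
    return strtolower(md5($password));
}

// 1.) Contacts/Save.php: create a portal user and store only the hash.
function createPortalUser(&$table, $username, $password) {
    $table[strtolower($username)] = hashPortalPassword($password);
}

// 3.) authenticate_user / CustomerAuthenticate.php: hash the supplied
// password and compare it with the stored hash (user_name compared
// case-insensitively, as in the post). hash_equals avoids timing leaks.
function authenticatePortalUser($table, $username, $password) {
    $key = strtolower($username);
    if (!isset($table[$key])) {
        return false;
    }
    return hash_equals($table[$key], hashPortalPassword($password));
}

// 2.) HelpDesk/Utils.php SavePassword + change_password: the old password
// must match the stored hash before the new hash is written.
function changePortalPassword(&$table, $username, $oldpw, $newpw) {
    if (!authenticatePortalUser($table, $username, $oldpw)) {
        return false;
    }
    $table[strtolower($username)] = hashPortalPassword($newpw);
    return true;
}

// Constructed sample run.
$portalInfo = array();
createPortalUser($portalInfo, 'Alice@example.com', 'Secr3t!');
echo "stored hash: " . $portalInfo['alice@example.com'] . "\n";
var_dump(authenticatePortalUser($portalInfo, 'alice@example.com', 'Secr3t!'));
var_dump(changePortalPassword($portalInfo, 'alice@example.com', 'wrong', 'N3wPass'));
var_dump(changePortalPassword($portalInfo, 'alice@example.com', 'Secr3t!', 'N3wPass'));
var_dump(authenticatePortalUser($portalInfo, 'alice@example.com', 'Secr3t!'));
var_dump(authenticatePortalUser($portalInfo, 'alice@example.com', 'N3wPass'));
```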
One Response to vTiger Customizations – Part 1: Hashing passwords in the vTiger Customer Portal
Great article! Thanks.