Closed KaiSchwarz-cnic closed 3 years ago
Are you sure this is an issue? The $oldConfig values come from the database (line 79), so it's safe to assume they are already encrypted. The code is just copying the values over without modification.
Öh.. no, you're right. Looks like I've been a bit too surprised about the encryption and had my own source code dangling in my head. Sorry for having this bumped up to your hands for nothing.
https://github.com/rrpproxy/whmcs-rrpproxy-registrar/blob/0d73694452056122d65613422269744d8a3e8eb3/modules/registrars/keysystems/keysystems.php#L88-L93
compare the result of
after saving registrar configuration over the form.
Looks like WHMCS started to encrypt registrar configuration data somewhere with v8. So updating configuration settings by SQL commands obviously bypasses the encryption mechanism and has to be seen as a security issue imho.
I guess finding out how they encrypt/decrypt is hard. Looks like a base64 encoding, but maybe I am wrong. If it is just about base64_encode/decode, I ask myself about the sense of this encryption as it is none.
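An added example, not part of the original thread or the module's code: one way to test the base64 question raised above on values read back from the database, by checking whether a stored value decodes to readable text (encoding only) or to opaque bytes (consistent with ciphertext, though not proof of it). The setting names and sample values are constructed, and the 16-byte minimum is an assumption chosen to avoid misreading short alphanumeric plaintext as ciphertext.

```python
import base64

MIN_OPAQUE_LEN = 16  # assumption: shorter blobs are too small to judge


def classify_stored_value(value: str) -> str:
    """Return 'empty', 'plaintext', 'base64-text', 'base64-opaque' or 'ambiguous'."""
    if not value:
        return "empty"
    try:
        # validate=True rejects any character outside the base64 alphabet
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "plaintext"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = None
    if text is not None and all(ch.isprintable() for ch in text):
        # Readable after one decode step: encoded, not encrypted
        return "base64-text"
    if len(raw) >= MIN_OPAQUE_LEN:
        # Opaque bytes: consistent with ciphertext, not proof of it
        return "base64-opaque"
    # e.g. a short alphanumeric password that happens to be valid base64
    return "ambiguous"


def audit(rows: dict) -> dict:
    """Map each setting name to the classification of its stored value."""
    return {name: classify_stored_value(val) for name, val in rows.items()}


# Constructed sample rows (hypothetical setting names, not real WHMCS data)
SAMPLE_ROWS = {
    "written_by_raw_sql": "my-api-password!",
    "only_encoded": base64.b64encode(b"my-api-password!").decode(),
    "opaque_blob": base64.b64encode(bytes(range(200, 232))).decode(),
    "short_alnum": "abcd",
    "unset": "",
}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ROWS).items():
        print(f"{name:20s} {verdict}")
```

A `plaintext` or `base64-text` result on a credential setting means the value is recoverable by anyone with read access to the table; `base64-opaque` only says the value is not trivially readable.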