vTiger Customizations – Part 1: Hashing passwords in the vTiger Customer Portal

UPDATE 9/8/2010: I submitted the updates to the Trac site for vTiger as diff updates to the 5.2.0 RC code, which might be easier to use to update the code.

I preface this post with the title Part 1 in the subject, because I plan to post more information on customizations to vTiger as I find things that I feel are useful to more people than just myself. NOTE: This modification was done on vTiger CRM 5.2.0 RC. The final release version 5.2.0 is due out by the end of August, 2010.

I’ve been playing with the Customer Portal extension for vTiger. One thing I noticed, it stores customer passwords in cleartext in the vtiger_portalinfo table. I’m not keen on the idea of not implementing password hashing for an internet-facing deployment of a “Customer Portal” extension on a production CRM system. Hash algorithms have been around for a VERY long time and are easy to use. Furthermore, the regular users table utilized password hashing with salts, which could easily be mimicked for the Customer Portal module.

Now, this is NOT a new find. This information was reported about a month ago by someone else on the Trac site for vTiger. But, vTiger is open source so I decided to just make the change myself. From an architecture stand point, I see a couple of different ways this change could be implemented. I chose a course that I felt would be easy to modify and still offer an appropriate level of security of the passwords in the database. To implement this, there are 3 “actions” in the code that need to be modified:

1.) Creation of portal users in vTiger CRM
2.) Changing portal user passwords in the Customer Portal
3.) Authentication of portal users to the Customer Portal

We’re going to use MD5, because it’s quick and easy, and I see that vTiger uses it for the vtiger_users table. Unfortunately, the vtiger_portalinfo.user_password is only 30 characters, so we’ll need to make it larger. Log into your mysql database for vtigercrm and run this statement: ALTER TABLE vtiger_portalinfo MODIFY user_password VARCHAR(32);

Now, we need to update the code:

1.) Update the Create Customer Portal Users code in vtigercrm/modules/Contacts/Save.php (add this line: $user_hash = strtolower(md5($password)); # AND update $params – As seen below):
Line: 188

-if($insert == ‘true’)
-{
-$password = makeRandomPassword();
$user_hash = strtolower(md5($password)); // ADD THIS LINE
-$sql = “insert into vtiger_portalinfo values(?,?,?,?,?,?,?,?)”;
$params = array($focus->id, $username, $user_hash, ‘C’, ‘0000-00-00 00:00:00’, ‘0000-00-00 00:00:00’, ‘0000-00-00 00:00:00’, 1); // UPDATE THIS LINE
-$adb->pquery($sql, $params);
-}

2.) Update the Change Password functions
a.) Update the change_password function
in vtigercrm/soap/customerportal.php (add this line: $password = strtolower(md5($password)); –> As seen below):
Start Line: 1030

-if(!empty($list[0][‘id’])){
-return array(‘MORE_THAN_ONE_USER’);
-}
$password = strtolower(md5($password)); // ADD THIS LINE
-$sql = “update vtiger_portalinfo set user_password=? where id=? and user_name=?”;
-$result = $adb->pquery($sql, array($password, $id, $username));

b.) Update the SavePassword function in vtigercrm/customerportal/HelpDesk/Utils.php
Line: 111

if(strtolower(md5($oldpw)) == $result[0][‘user_password’]) // UPDATE THIS LINE

c.) Add these lines to the send_mail_for_password function in vtigercrm/soap/customerportal.php
Line: 1094

-$from = $adb->query_result($from_res,0,’email1′);

$password = makeRandomPassword(); // ADD THIS LINE
$user_hash = strtolower(md5($password));
// ADD THIS LINE
$sql = “update vtiger_portalinfo set user_password=? where user_name=?”; // ADD THIS LINE
$adb->pquery($sql, array($user_hash, $user_name)); // ADD THIS LINE

-$contents = $mod_strings[‘LBL_LOGIN_DETAILS’]

3.) Update the Authentication of user functions
a.) Update the authenticate_user function in vtigercrm/soap/customerportal.php (add this line: $password = strtolower(md5($password)); –> As seen below):
Start Line: 962

$password = strtolower(md5($password)); // ADD THIS LINE
-$username = $adb->sql_escape_string($username);
-$password = $adb->sql_escape_string($password);

b.) Update the final user/password check in vtigercrm/customerportal/CustomerAuthenticate.php:
Start Line: 49

if(strtolower($result[0][‘user_name’]) == strtolower($username) && strtolower($result[0][‘user_password’]) == strtolower(md5($password))) // UPDATE THIS LINE


That’s it! Of course, if you have been using the Customer Portal prior to this update, you will need to hash all the passwords in the vtiger_portalinfo table. To do that, login to the mysql database for vtigercrm and run this query: UPDATE vtiger_portalinfo SET user_password = md5(user_password);

About 10 lines of code and 2 database updates later, you have your portal passwords hashed!

5 thoughts on “vTiger Customizations – Part 1: Hashing passwords in the vTiger Customer Portal

  1. Great article! Thanks.

    Like

  2. Hi there,

    Thank you for sharing this… very valuable info.

    Q-1, have you implemented this for vTiger CP 5.4
    Q-2, Would this fix problems with accented characters

    Thanks again

    Like

  3. Have you taken this further to allow customers to reset their own passwords on the customer portal if they forgot their password?

    Like

  4. isn’t that going to break the workflow functions that email the user their password on portal activation?

    Like

  5. ah, no it won’t. Never mind. Nice work!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close