I may not be qualified to answer this, but looking at the JS code on the client side, it seems both are being used:
var shaObj = new jsSHA(hex_md5(password)+'********************************',"ASCII");
It looks to me as if the plaintext password is being hashed using hex_md5(), and then salted with what seems to be the session ID (the **** here…). The resulting string is then being fed to jsSHA(), which generates a unique, session-specific (salted...) SHA-256 hash.
So I’d say both are needed and the initial call to hex_md5() is just there to further harden the final hash.
I’m not really into the details of cryptography, so that’s just me guessing.
But maybe the developer could switch over to SHA-512? That’d be nice.
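
The construction described in this post, sketched as an added example that is not part of the original post or the site's own code: Node's built-in crypto module stands in for hex_md5() and jsSHA(). The server-side check, the stored MD5 value, and the sample password and session IDs are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Hex digest helper; inputs are assumed to be ASCII, as in the jsSHA call.
const digestHex = (alg, s) =>
  crypto.createHash(alg).update(s, 'ascii').digest('hex');

// Plays the role of hex_md5() from the page.
const md5Hex = (s) => digestHex('md5', s);

// Client side: SHA-256( hex_md5(password) + sessionId ), as in the quoted line.
function clientResponse(password, sessionId) {
  return digestHex('sha256', md5Hex(password) + sessionId);
}

// Server side (assumption): it keeps hex_md5(password) for the user and
// remembers the session ID it issued, then recomputes the same digest.
function serverVerify(storedMd5Hex, sessionId, response) {
  const expected = Buffer.from(
    digestHex('sha256', storedMd5Hex + sessionId), 'hex');
  const got = Buffer.from(String(response), 'hex');
  // Constant-time compare; the length check guards malformed input.
  return got.length === expected.length &&
    crypto.timingSafeEqual(expected, got);
}

// Constructed sample values, not taken from the page.
const PASSWORD = 'correct horse';
const SESSION_A = 'a'.repeat(32);
const SESSION_B = 'b'.repeat(32);

function demo() {
  const stored = md5Hex(PASSWORD);
  const responseA = clientResponse(PASSWORD, SESSION_A);
  return {
    acceptedInOwnSession: serverVerify(stored, SESSION_A, responseA),
    acceptedInOtherSession: serverVerify(stored, SESSION_B, responseA),
    acceptedWrongPassword:
      serverVerify(stored, SESSION_A, clientResponse('wrong', SESSION_A)),
  };
}

console.log(demo());
```

Under these assumptions the response changes with every session ID, and the value the server compares against is derived from hex_md5(password), so that stored value needs the same protection as the password itself.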