Hosting Discussion
WHMCS zero-day vulnerability issue
Post #1   10-03-2013, 03:38 PM
technut (HD Addict; Join Date: Jun 2010; Location: Portland, Oregon; Posts: 117)
A critical zero-day vulnerability was published today affecting any hosting provider using WHMCS.

WHMCS quickly published a patch here: http://blog.whmcs.com/?t=79427

See the email from WHMCS, received today, below.



========================================
WHMCS Security Advisory for 5.x
http://blog.whmcs.com/?t=79427
========================================

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates
provide targeted changes to address security concerns with the WHMCS product.
You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical security impacts. Information
on security ratings is available at http://docs.whmcs.com/Security_Levels


== Releases ==
The following patch release versions of WHMCS have been published to address a
specific SQL Injection vulnerability:
v5.2.8
v5.1.10

== Security Issue Information ==

The resolved security issue was publicly disclosed by "localhost" on
October 3rd, 2013.
The vulnerability allows an attacker, who has valid login to the installed
product, to craft a SQL Injection Attack via a specific URL query parameter
against any product page that updates database information.


== Mitigation ==

=== WHMCS Version 5.2 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS
site as itemized below.

v5.2.8 (full version) - Downloadable from the WHMCS Members Area
v5.2.8 (patch only; for 5.2.7) - http://go.whmcs.com/218/v528_Incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

=== WHMCS Version 5.1 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS
site as itemized below.

v5.1.10 (patch only; for 5.1.9) - http://go.whmcs.com/226/v5110_Incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

========================================

WHMCS Limited
www.whmcs.com

- Members Area: https://www.whmcs.com/members/
- Support: http://www.whmcs.com/support/
- Documentation: http://docs.whmcs.com/
- Community Forums: http://forums.whmcs.com/
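The advisory above describes an authenticated user steering a URL query parameter into a database update. As an added illustration (not WHMCS code; the table, column, page name and URLs are invented), here is that bug class in a toy profile-update handler, with the string-built query beside the parameterised fix:

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

def make_db():
    """Constructed in-memory table standing in for a client record store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO clients VALUES (?, ?)",
                   [(1, "alice@example.com"), (2, "bob@example.com")])
    return db

def query_param(url, name):
    """Read one value from the request URL's query string."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]

def update_email_vulnerable(db, session_client_id, url):
    """Vulnerable form: the query-string value is spliced into the SQL text, so a
    quote inside it ends the literal and whatever follows is parsed as SQL."""
    new_email = query_param(url, "email")
    sql = f"UPDATE clients SET email = '{new_email}' WHERE id = {session_client_id}"
    db.execute(sql)
    db.commit()

def update_email_safe(db, session_client_id, url):
    """Hardened form: a bound parameter is always data, never statement text,
    and the row to update comes from the session, not from the URL."""
    new_email = query_param(url, "email")
    db.execute("UPDATE clients SET email = ? WHERE id = ?",
               (new_email, session_client_id))
    db.commit()

def email_of(db, client_id):
    return db.execute("SELECT email FROM clients WHERE id = ?", (client_id,)).fetchone()[0]

def demo(update_fn, url):
    """Run one update as logged-in client 1; report the stored value or the SQL error."""
    db = make_db()
    try:
        update_fn(db, 1, url)
        return "stored:" + email_of(db, 1)
    except sqlite3.OperationalError as exc:
        return "sql-error:" + str(exc)

# Constructed request: an ordinary address that merely contains a quote character.
REQUEST = "https://billing.example/clientarea.php?action=details&email=o'brien@example.com"

if __name__ == "__main__":
    print("vulnerable:", demo(update_email_vulnerable, REQUEST))
    print("safe:      ", demo(update_email_safe, REQUEST))
```

With the vulnerable handler the quote already alters how the statement is parsed (visible here as a syntax error); shaped deliberately, the same mechanism rewrites the statement, which is why binding rather than filtering is the fix.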
 
 
 


Post #2   10-03-2013, 04:38 PM
dedideals (HD Addict; Join Date: Jan 2013; Posts: 159)
Was watching this on WHT, then saw the patch within an hour if that; all patched up!
 
 
 


Post #3   10-05-2013, 03:35 PM
komodovpn (HD Newbie; Join Date: Sep 2013; Posts: 37)
Patched up as soon as it was released. Updating WHMCS is so painless these days.
 
 
 


Post #4   10-05-2013, 04:23 PM
Inventive (HD Newbie; Join Date: Dec 2006; Posts: 17)
We disabled our WHMCS until the patch was released - I heard about the issue at about 4pm and the patch was released just after 7pm.
 
 
 


Post #5   10-06-2013, 06:09 AM
Alex HubRocket (HD Guru; Join Date: Mar 2013; Posts: 811)
Quote:
Originally Posted by Inventive
We disabled our WHMCS until the patch was released - I heard about the issue at about 4pm and the patch was released just after 7pm.
We too disabled our client area until the patch was out. Hopefully we won't see any more rebounds on this or like this.
 
 
 


Post #6   10-06-2013, 02:38 PM
komodovpn (HD Newbie; Join Date: Sep 2013; Posts: 37)
Agreed. Considering how widely used WHMCS is, not just in the web hosting business but also among many other service-based providers, these things can cause major damage. I am just glad they released a fix in a reasonable timeframe. If it had taken more than a day or two I would have heavily considered moving to another billing platform.
 
 
 


Post #7   10-06-2013, 10:11 PM
HeartHost_CO (HD Newbie; Join Date: Jul 2013; Posts: 19)
Unfortunately the biggest problem with the software is that it gets attacked because it's so popular... which is also the best part about it: it's widely recognized.

Regardless, they really should get their auto-update feature perfectly working. However, somehow, that would be exploited too.

So, WHMCS is now becoming the Java of the billing portal industry. But we are all glad that they are patching things as soon as they can, from the time they hear about it.
 
 
 


Post #8   10-15-2013, 02:25 PM
02Hosting (HD Newbie; Join Date: May 2013; Posts: 47)
I didn't get affected by this, but I disabled my WHMCS too for the moment to apply the patch. We don't have to change to another billing system; this is a problem every big company has. You need to stay tuned for the latest update every time.
 
 
 


Post #9   10-15-2013, 02:35 PM
SkylarM (HD Amateur; Join Date: Sep 2013; Posts: 59)
Quote:
Originally Posted by 02Hosting
I didn't get affected by this, but I disabled my WHMCS too for the moment to apply the patch. We don't have to change to another billing system; this is a problem every big company has. You need to stay tuned for the latest update every time.
Was easy to avoid. Just disable editing of client fields after signup.
 
 
 


Post #10   10-16-2013, 05:24 AM
Stream101 (HD Addict; Join Date: Jul 2010; Location: Grand Rapids, Mi; Posts: 107)
Quote:
Originally Posted by HeartHost_CO
Unfortunately the biggest problem with the software is that it gets attacked because it's so popular... which is also the best part about it: it's widely recognized.

Regardless, they really should get their auto-update feature perfectly working. However, somehow, that would be exploited too.

So, WHMCS is now becoming the Java of the billing portal industry. But we are all glad that they are patching things as soon as they can, from the time they hear about it.
They are large which means there is a lot of support for it. This, as you stated, is good and bad. Good, they'll most likely keep developing the product and community members will too. Bad, hackers will keep finding exploits!
 
 
 


Post #11   10-17-2013, 05:00 PM
jcarney1987 (HD Newbie; Join Date: Oct 2008; Location: Oklahoma; Posts: 46)
Yeah, I too applaud WHMCS for fixing this so fast. They were at a cPanel seminar in Louisiana, U.S.A., so great job to them.
 
 
 


Post #12   10-18-2013, 09:25 AM
nigelb (HD Amateur; Join Date: Sep 2013; Location: Leeds; Posts: 66)
It's good to know that we are using a product that is well supported.
 
 
 


Post #13   10-18-2013, 11:03 AM
ServerSub (HD Newbie; Join Date: Aug 2013; Posts: 31)
Follow their Twitter to be updated about critical updates, and I recommend updating very fast when a bug is found! There are a large number of people who want to test bugs on your sites; after the update, more than 25 people tried to run this on our website.
 
 
 


Post #14   10-20-2013, 07:47 AM
HN-Alejo (HD Newbie; Join Date: Sep 2013; Posts: 34)
WHMCS needs to have their code externally audited. They need to pay Rack911 to get someone to look at their code and ensure that these silly little things won't happen anymore.

It's ridiculous, especially since this business is owned by cPanel!
 
 
 


Post #15   10-20-2013, 07:57 AM
easyhostmedia (HD Wizard; Join Date: Mar 2011; Location: Northumberland, UK; Posts: 5,011)
Quote:
Originally Posted by RHE-Al
this business is owned by cPanel!
WRONG, it is still owned by WHMCS Limited. cPanel is just a major partner/shareholder. They DON'T own WHMCS.