New WHMCS Security Advisory for 5.x
  Post #1 (permalink)   10-25-2013, 05:15 AM
HD Amateur
 
Join Date: Sep 2013
Location: leeds
Posts: 66

Status: nigelb is offline
WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates
provide targeted changes to address security concerns with the WHMCS product.
You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical & important security
impacts. Information on security ratings is available at
http://docs.whmcs.com/Security_Levels

== Releases ==

The following patch release versions of WHMCS have been published to address all
known vulnerabilities:
v5.2.12
v5.1.13

== Security Issue Information ==

These updates resolve the following issues:

> Information disclosure via the client area as published by 'localhost'
> HTTP Split Attack discovered by the WHMCS Development Team
> SQL Injection Vulnerability discovered by the WHMCS Development Team
> Privilege boundaries not being enforced on addons reported by Vlad C of
NetSec Interactive
> Download directory traversal reported privately by an individual
> Lack of input validation in data feeds input discovered by the WHMCS
Development Team
> Deficient Null Byte sanitization on input discovered by the WHMCS
Development Team

== Important Fix Information ==

These updates also include the following non-security related functional fixes:

> Improved validation of monetary amounts
> Moneris Vault Gateway compatibility update
> Credit cards not processing under certain conditions
> Correction to internal logic for testing Authorize.net payment gateway


== Mitigation ==

=== WHMCS Version 5.2 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS
site as itemized below.

v5.2.12 (full version) - Downloadable from the WHMCS Members Area

v5.2.12 (patch only; for 5.2.10 or 5.2.11 ) -
http://go.whmcs.com/254/5212_incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

=== WHMCS Version 5.1 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS
site as itemized below.

v5.1.13 (patch only; for 5.1.12) - http://go.whmcs.com/250/5113_incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.


========================================


WHMCS Limited
www.whmcs.com

- Members Area: https://www.whmcs.com/members/
- Support: http://www.whmcs.com/support/
- Documentation: http://docs.whmcs.com/
- Community Forums: http://forums.whmcs.com/
 
 
 


  Post #2 (permalink)   10-26-2013, 03:05 PM
HD Newbie
 
Join Date: Sep 2013
Posts: 34

Status: HN-Alejo is offline
Thanks for posting.

With all these recent security advisories, it makes me wonder when WHMCS will have their auto update script. Do they have plans for this?
__________________
Alejo B. - alejo@hostnucleus.com - ¡Hablo español!
HostNucleus - We have hosting down to a science.
http://www.hostnucleus.com/ - Shared & Reseller Specialists
PM Me For Hosting Discounts
 
 
 


  Post #3 (permalink)   10-28-2013, 08:01 AM
HD Amateur
 
Join Date: Sep 2013
Location: leeds
Posts: 66

Status: nigelb is offline
Not sure if they have any plans for that.
 
 
 


  Post #4 (permalink)   10-29-2013, 11:49 AM
HD Addict
 
Join Date: Dec 2009
Posts: 146

Status: Adler01 is offline
Thank you for the helpful post
__________________
Addora.com 10+ Years Of Hosting Experience
Shared, Reseller, VPS, and Dedicated Hosting.
Your Choice Of Windows Or Linux
www.addora.com - 24/7 Online Live Support
 
 
 


  Post #5 (permalink)   10-30-2013, 04:51 AM
HD Guru
 
Join Date: Mar 2013
Posts: 811

Status: Alex HubRocket is offline
Quote:
Originally Posted by RHE-Al
Thanks for posting.

With all these recent security advisories, it makes me wonder when WHMCS will have their auto update script. Do they have plans for this?

Quote:
Originally Posted by nigelb
Not sure if they have any plans for that.

Hopefully if this comes around it won't bring any more security issues.

It looks like they have plans to do a full security audit, so hopefully things will start to look up once that has been completed and everything that has been found gets patched.
 
 
 


  Post #6 (permalink)   10-30-2013, 09:08 AM
HD Addict
 
Join Date: Apr 2013
Location: Byfleet, Surrey, UK
Posts: 107

Status: 4D Hosting is offline
Thanks for the post - very helpful!
 
 
 


  Post #7 (permalink)   10-31-2013, 06:28 AM
HD Amateur
 
Join Date: Sep 2013
Location: leeds
Posts: 66

Status: nigelb is offline
We did the update straight away and within a couple of hours it stopped an issue.
Moral: keep up to date, it's worth it.
 
 
 


  Post #8 (permalink)   10-31-2013, 10:30 AM
HD Addict
 
Join Date: May 2009
Posts: 172

Status: Host Pro is offline
Thank you for the post, we have upgraded today
__________________
█ HostedFX- 8 Years In Business Quality And Affordable
█ Shared, Reseller and VPS Hosting. Up to 77% Off.
www.hostedfx.com
 
 
 


  Post #9 (permalink)   11-01-2013, 02:13 PM
HD Newbie
 
Join Date: Sep 2013
Posts: 37

Status: komodovpn is offline
I'm just fortunate that the upgrading process is easy enough and doesn't cause a major headache each time a new patch is released.
__________________
KomodoSites.com - Premium ☁ Cloud Based ☁ Web Hosting
Affordable & Feature Packed Cloud Based Web Hosting For Your Websites!
RAID-10 Pure SSD Storage + R1Soft Automated Backups + Website Transfers Included
Get Your Websites Hosted on a REAL Cloud. (Canada and US Locations Available)
 
 
 


  Post #10 (permalink)   11-01-2013, 03:00 PM
HD Amateur
 
Join Date: Sep 2013
Location: leeds
Posts: 66

Status: nigelb is offline
It's well worth keeping a check on the site if you don't get updates
http://docs.whmcs.com/Main_Page
 
 
 


  Post #11 (permalink)   11-01-2013, 04:15 PM
HD Newbie
 
Join Date: Oct 2013
Posts: 35

Status: visiba is offline
Quote:
Originally Posted by nigelb
It's well worth keeping a check on the site if you don't get updates
http://docs.whmcs.com/Main_Page

Or subscribe to this mailing list:
http://www.hostingseclist.com/
__________________
Visiba | cPanel Web Hosting
Softaculous Script Installer | CloudFlare | SEO Tools | Ruby On Rails Support
99.9% Uptime Guarantee | 30 Days Money Back Guarantee | 24x7 Support
 
 
 


  Post #12 (permalink)   11-06-2013, 01:39 AM
Account Disabled
 
Join Date: Jan 2011
Posts: 8

Status: blazews is offline
Any auto update plugins for WHMCS?
 
 
 


  Post #13 (permalink)   11-06-2013, 07:01 AM
HD Guru
 
Join Date: Mar 2013
Posts: 811

Status: Alex HubRocket is offline
Quote:
Originally Posted by blazews
Any auto update plugins for WHMCS?

Without WHMCS involvement there cannot be any "auto-update" plugins. Your best option is via Softaculous and even then, it only automatically updates once they have pushed the patch through (usually fast, but not instant).

And in some cases if the upgrader needs to be run, Softaculous will just download it and forward you to the normal upgrade page of WHMCS so again, not instant.
 
 
 


  Post #14 (permalink)   11-08-2013, 11:52 AM
HD Newbie
 
Join Date: Oct 2013
Posts: 35

Status: visiba is offline
WHMCS is not really built for auto-updates because some updates also require template changes. If you have based your own template on a default template, you might have to modify your template to include the default template changes.
__________________
Visiba | cPanel Web Hosting
Softaculous Script Installer | CloudFlare | SEO Tools | Ruby On Rails Support
99.9% Uptime Guarantee | 30 Days Money Back Guarantee | 24x7 Support
 
 
 


  Post #15 (permalink)   11-18-2013, 04:42 AM
HD Newbie
 
Join Date: Oct 2013
Location: Chicago
Posts: 34

Status: Jump systems is offline
There have been a lot of minor updates for WHMCS of late. These are mostly security related. Is WHMCS becoming more vulnerable by the day?
__________________
=>Jump systems - Reliability and affordability.
=>Shared, VPS, and dedicated servers
=>http://www.jump-systems.com
 
 
 