WHMCS Security Advisory TSR-2013-010
WHMCS has released a new update for all supported versions of WHMCS. This update
contains a change that addresses a specific security concern within the WHMCS
We strongly encourage you to update your WHMCS installations as soon as
WHMCS has rated this update as having an important security impact. Information
on security ratings can be found at http://docs.whmcs.com/Security_Levels
Please update your installation to the following version:
== Patches ==
Incremental patches can be downloaded by following the provided links below.
These patch sets contain only the files that have changed between the previous
release and this update. The previous release version that these patch sets are
designed for is clearly indicated as the first and smaller number.
Do not attempt to apply an incremental patch set to an installation that is
running a different version than the indicated version. Doing so will result in
a "Down for Maintenance" message and require you to use the full
release to complete the upgrade.
Incremental patches do not require any update process. Simply apply the changed
files to the existing WHMCS installation.
The following incremental patches are available for direct download:
5.2.14 --> 5.2.15 Patch
MD5 Checksum: 709126303a0296ea41e6984c84aa42fa *
To apply a patch set release, download the files as indicated above. Then follow
the upgrade instructions for a "Patch Set" which can be found at
== Full Release ==
A full release distribution contains all the files of a WHMCS product
installation. It can be used to perform a new install or update an existing
installation (regardless of previous version).
The latest full release can always be downloaded from our members area at
5.2.15 Full Version - Downloadable from the WHMCS Members Area
MD5 Checksum: d990f802db28c28d6d2fc003c8f339eb
To apply a full release, download the files as indicated above. Then follow the
upgrade instructions for a "Full Release Version" which can be found
Important Maintenance Issue Information
This release also provides resolution for the following maintenance issues:
Case #3706 - Some graphs failing after recent Google Graph API Update
Case #3711 - CSV Export content should not contain HTML entities
Case #3726 - PDF Line Items failing to output some specific characters
Case #3727 - Admin password reset process failing to send new password email
Case #3738 - Sub-account password field's default text must be removed on
Security Issue Information
This Advisory provides resolution for a single security issue which was publicly
disclosed. Specific information regarding that issue can be found below.
== Case #3785 ==
SQL Injection via Admin Credit Routines
=== Severity Level ===
=== Description ===
An attacker who can function as an authenticated admin user with the ability to
apply credits to an invoice can, using specially crafted input, cause the credit
routines to execute arbitrary SQL commands if the target user has a credit
balance known to the attacker.
Due to the many prerequisites necessary to successfully navigate this vector, the
security impact level has been assessed as "Important". Information on
security ratings can be found at http://docs.whmcs.com/Security_Levels
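The following is an added illustration, not WHMCS code and not the patched routine itself: it shows the general shape of the flaw described above (admin-supplied credit values interpolated straight into SQL) beside a hardened version that validates the invoice id and amount, binds them as parameters, and checks the client's balance inside a transaction. The schema, table and column names (`clients`, `invoices`, `credit`, `userid`) and the sample rows are constructed assumptions for the demonstration only.

```php
<?php
// Added example (not WHMCS code): the pattern behind an SQL injection in an
// "apply credit to invoice" routine, and a hardened version using strict input
// validation plus bound parameters. Table/column names are assumptions.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and sample rows for the demonstration only.
$pdo->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, credit REAL NOT NULL)');
$pdo->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL, credit REAL NOT NULL DEFAULT 0)');
$pdo->exec('INSERT INTO clients VALUES (1, 50.00)');
$pdo->exec('INSERT INTO invoices VALUES (100, 1, 0)');

/**
 * Vulnerable pattern: request values are interpolated straight into SQL.
 * Whatever the admin form submits for the amount becomes part of the statement,
 * so the database, not the application, decides what it means.
 */
function applyCreditUnsafe(PDO $pdo, string $invoiceId, string $amount): void
{
    $pdo->exec("UPDATE invoices SET credit = credit + $amount WHERE id = $invoiceId");
    $pdo->exec("UPDATE clients SET credit = credit - $amount "
        . "WHERE id = (SELECT userid FROM invoices WHERE id = $invoiceId)");
}

/**
 * Hardened version: canonicalise and validate the inputs first, then pass
 * them as bound parameters so they can never be parsed as SQL.
 * Returns true when the credit was applied, false when it was rejected.
 */
function applyCreditSafe(PDO $pdo, string $invoiceId, string $amount): bool
{
    // Invoice ids are integers; amounts are positive decimals with at most 2 places.
    if (!ctype_digit($invoiceId) || !preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
        return false;
    }
    $id  = (int) $invoiceId;
    $amt = (float) $amount;
    if ($amt <= 0) {
        return false;
    }

    $pdo->beginTransaction();
    try {
        // Confirm the client actually has the balance before touching either row.
        $stmt = $pdo->prepare(
            'SELECT c.credit FROM clients c JOIN invoices i ON i.userid = c.id WHERE i.id = :id'
        );
        $stmt->execute([':id' => $id]);
        $balance = $stmt->fetchColumn();
        if ($balance === false || (float) $balance < $amt) {
            $pdo->rollBack();
            return false;
        }

        $stmt = $pdo->prepare('UPDATE invoices SET credit = credit + :amt WHERE id = :id');
        $stmt->execute([':amt' => $amt, ':id' => $id]);

        $stmt = $pdo->prepare(
            'UPDATE clients SET credit = credit - :amt '
            . 'WHERE id = (SELECT userid FROM invoices WHERE id = :id)'
        );
        $stmt->execute([':amt' => $amt, ':id' => $id]);

        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// A non-numeric "amount" is refused outright by the hardened routine...
var_dump(applyCreditSafe($pdo, '100', '10.00 OR 1=1'));  // bool(false)
// ...while a well-formed request goes through and is bounded by the client's balance.
var_dump(applyCreditSafe($pdo, '100', '20.00'));         // bool(true)
var_dump(applyCreditSafe($pdo, '100', '40.00'));         // bool(false): only 30.00 left
```

The unsafe function is shown only to make the contrast visible; it is never called. The two defensive layers in the safe version are independent: the regular expression rejects anything that is not a plain decimal amount before it reaches the database, and the prepared statements mean that even a value which slipped past validation would be treated as data rather than SQL. The balance check inside the transaction addresses the advisory's other precondition, that the target user must hold a credit balance, by refusing any credit the client cannot cover.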
=== Resolution ===
Download and apply the appropriate software updates to protect against these
vulnerabilities; information about software update releases is provided in the
"Releases" section of this Advisory.
All published and supported versions of WHMCS prior to 5.2.15 are affected by
one or more of these maintenance and security issues.
For information regarding our Long Term Support Policy, read our documentation