Comments
I got an e-mail from them prior to my post (I guess I am one of the lucky ones, I use Google Apps also).
I got the email before coming here and seeing this.
Just got this in an email:
www.whmcs.com
module included in WHMCS releases. This can potentially be used to exploit a
WHMCS installation.
to simply delete the /modules/gateways/boleto/ folder entirely after which you
will not be at risk.
your installation here: http://www.whmcs.com/members/dl.php?type=d&id=138
contact us. We apologize for the inconvenience.
The WHMCS Team
www.whmcs.com
Just got the email a few hours ago
I received an email about an hour ago
Anyone actually seen the exploit yet? Another SQL injection?
@MartinD You make solid points. Honestly I don't mind this, there's going to be an exploit every now and then that people miss, it happens to the best of us. With cPanel taking an interest I'm not worried about WHMCS. cPanel isn't known for being without exploits either, but when you're on top it's impossible to employ a workforce that matches the manpower of those with malicious intent against you that act collectively and individually.
@jarland Very nicely said.
I got an email to my personal email at 12.07AM (GMT) and to my business email at 2.40AM (GMT) so quite a difference.
Also received an email from WHMCS last night at 11:30 PM (UTC)
Even worse, an RFI according to this post
This has very little to do with manpower.
This is an RFI, for crying out loud. And a stupidly simple one at that - one that could have easily been prevented with proper developers and source review.
This is the kind of vuln you find in the code of someone that just started writing PHP 2 months ago.
For what it's worth, the Boleto addon was written by Boleto (not WHMCS) and is not encoded. While WHMCS is at fault for not reviewing the code, the same fault can be placed on the admins putting the files on their system.
Honestly I'm not sure how all of these SQL injections pop up... when I write stuff I always make sure to escape it (or now that I'm using MySQL PDO I always prepare it). Client input should NEVER be trusted....
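The two rules the posts above lean on (prepare every query, and never let client input decide what gets included) are easy to show side by side. The following is an added example, not code from WHMCS, from the Boleto module, or from anyone in this thread. It uses an in-memory SQLite database with constructed sample rows, and the gateway names in the allow-list are hypothetical; nothing here reflects the actual WHMCS module layout.

```php
<?php
// Added example (not WHMCS code, not from the thread). Shows the two
// "never trust client input" rules discussed above: parameterised SQL via
// PDO, and an allow-list for anything that ends up in an include() path.
// Runs stand-alone with the pdo_sqlite extension:  php example.php

declare(strict_types=1);

// --- 1. SQL: prepared statement instead of string concatenation ----------

// Constructed sample data standing in for a clients table.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$pdo->exec('CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT)');
$pdo->exec("INSERT INTO tblclients (id, email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");

// UNSAFE (do not use): the value is spliced into the query text, so a value
// such as   ' OR '1'='1   turns a single-row lookup into a dump of every row.
function findClientUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM tblclients WHERE email = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the statement text is fixed at prepare time; the value is sent
// separately and can never change the structure of the query.
function findClientSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM tblclients WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hostile = "' OR '1'='1";   // constructed test value
printf("unsafe query returned %d rows\n", count(findClientUnsafe($pdo, $hostile)));  // 2
printf("prepared query returned %d rows\n", count(findClientSafe($pdo, $hostile)));  // 0

// --- 2. File inclusion: allow-list the module name --------------------------

// Hypothetical gateway names; a real install would build this list from the
// modules it actually ships, never from anything in the request.
const ALLOWED_GATEWAYS = ['paypal', 'banktransfer'];

// UNSAFE (do not use): a request parameter forms the path that gets included.
// With allow_url_include on, that is a remote file inclusion; with it off,
// "../" sequences still reach arbitrary local files.
function gatewayPathUnsafe(string $requested): string
{
    return __DIR__ . '/modules/gateways/' . $requested . '.php';
}

// SAFE: client input only selects among known names; it never forms a path.
function gatewayPathSafe(string $requested): ?string
{
    if (!in_array($requested, ALLOWED_GATEWAYS, true)) {
        return null; // unknown module: refuse and log the attempt
    }
    return __DIR__ . '/modules/gateways/' . $requested . '.php';
}

var_dump(gatewayPathSafe('http://evil.invalid/x'));   // NULL  (constructed bad value)
var_dump(gatewayPathSafe('../../config'));            // NULL  (constructed bad value)
var_dump(gatewayPathSafe('paypal'));                  // string: .../modules/gateways/paypal.php

// Defence in depth: keep remote includes disabled at the interpreter level
// (php.ini: allow_url_include = Off) and verify it at runtime.
printf("allow_url_include is %s\n", ini_get('allow_url_include') ? 'On (fix this)' : 'Off');
```

The point of the second half is that an allow-list removes the whole class of path problems at once: traversal, null bytes and remote URLs all fail the same `in_array` check, so there is no escaping logic to get wrong. The `allow_url_include` check at the end is the operator-side safety net the thread's advice to delete unused modules complements: even if a stray module is left behind, the interpreter refuses to fetch code over HTTP.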
@KuJoe agreed, they should definitely be checking their stuff
The software has a bug, someone finds it, it is fixed. What's bad here? This is what we should expect from WHMCS IMO, it's not as if they ignored it. All software has bugs...
How would you know anything about the size of their custo.. oh wait. Never mind... ;-)
Then you can rename and edit each file/directory in order to be more secure from attack
I think WHMCS is great.
It works just fine, it has many options and nice API.
In addition, they fixed the bug on time and they did send an email to let their customers know about it.
What we do after upgrading is just delete all modules we don't need.
Never heard about Boleto but seems somebody else did.
Typing "boleto" into google doesn't turn up a payment processor for me. Is this even in existence anymore?
Grabbed this from the module files:
http://boletophp.com.br/
Anyone know what the hell this thing is? I recognise a few banks such as HSBC and Santander.
http://en.wikipedia.org/wiki/Boleto
Santander... The spanish with english branches? :L
I received an email on my Yahoo mail, that's nice.
Not entirely sure what you're alluding to here; however, if it's the WHMCS DB leak, I'd like to see what evidence you have to suggest I know anything about the data contained therein.
joepie91, OK.
MartinD, their customer base is huge.
:-)