Anyone know what the latest WHMCS update is?

moonmartin Member
edited December 2016 in General

Looked all over and cannot find a changelog.

Always a bit leery of these seemingly quickie patches they come out with. Usually ends up causing problems that require more patches. Also not crazy about doing any patches around the holidays where support tends to be lacking.

Don't want to ignore these either. They must have come out with this quickie patch for a reason.

Looking in the patch file, it looks like it is updating phpmailer.

Comments

  • GCat Member
    edited December 2016
    // Verify Update Routine successful
    if ($problem)
    {
         ignore();
    }
    else {
         die();
    }
    
  • related to PHPMailer, I believe

    The actual exploit hasn't been publicly demonstrated (yet)

  • It's probably the PHPMailer vulnerability but we already upgraded the class files same day from source.

    I believe it's standard for WHMCS not to disclose changelogs/release notes for security updates until it's been out for a few days.

  • @jiggawattz said:
    related to PHPMailer, I believe

    The actual exploit hasn't been publicly demonstrated (yet)

    Guess you're not subscribed to any seclists? There's 3 variants of the exploit running around, fully working, and one PHPMailer exploit patch bypass (still unfixed) being tossed around in the public. It was posted on r/netsec a while ago (few days back iirc?)

  • moonmartin Member
    edited December 2016

    Ahh ok. A quick google search did the trick. All the info is already out there so no reason not to include a change log. At least something about the severity and what scenarios are necessary for this to be exploitable.

    As far as I can tell, this only affects people who have WHMCS mail type set to PHP Mail() correct? Not people who use SMTP.

  • @Ishaq said:
    It's probably the PHPMailer vulnerability but we already upgraded the class files same day from source.

    I believe it's standard for WHMCS not to disclose changelogs/release notes for security updates until it's been out for a few days.

    Same here, we manually updated PHPMailer, but just as a heads up, a new patch for PHPMailer was released yesterday since the initial one didn't fix the vulnerability, so everything needs to be re-patched :)

    The update to WHMCS includes the latest patch released yesterday

  • @moonmartin said: As far as I can tell, this only affects people who have WHMCS mail type set to PHP Mail() correct? Not people who use SMTP.

    PHPMailer still used for SMTP.

  • @Ishaq said:

    @moonmartin said: As far as I can tell, this only affects people who have WHMCS mail type set to PHP Mail() correct? Not people who use SMTP.

    PHPMailer still used for SMTP.

    This.

    Also, it did show "phpmailer() fix" in changelog, just before updating.

  • edited January 2017

    I found the details of the updates posted in the usual places:

    http://blog.whmcs.com/?t=123166

    http://docs.whmcs.com/Release_Notes
