WHMCS Silent Exploit?

Spirit

@GetKVM_Ash said:
I looked at it, but it doesn't mean much to me since I'm not a PHP coder by any stretch of the imagination, i mean i know bits but nothing major.

After all the recent problems, i just thought to myself i either lock it down and get a good nights sleep, or leave it open for somebody to attempt whilst I'm not around (If its a legitimate problem) and end up too late to the show as we've seen happen over the last few weeks..

I actually like this response. I really do. Too many people who run hosting business try to act like experts about everything at any cost. Like everyone is security expert by profession or something like that.
If you're not sure about something it's better to prevent than cure. If I would be your client I would appreciate your fast reacting to secure your business and my private data more than waiting what will happen... And if then nothing happens even better.
Plenty competent people who run decent business here aren't programmers and security experts by profession. It's nothing bad with that. Bad is when they try to act like they know everything but in their arrogance jeopardize own business and their clients data.

Droidzone

@Spencer said:
GetKVM_Ash

Did you look at the exploit or just go into lockdown mode without thinking?

In my profession, we often run across something known as the Iceberg phenomenon, which seems to be true for security exploits too. It states that for every few exploits made public, there is a bigger fraction out there unpublicised, and waiting to be released.

Maounique

@joelgm said:
that for every few exploits made public, there is a bigger fraction out there unpublicised, and waiting to be released.

You can be sure of that. Any secure code is a code which no serious hacker "audited".

The reason for that is that is not popular enough, is not available to decompile/decrypt yet, nobody wants to harm the people using it, etc.

Sooner or later, it will be "audited" and exploited.

sman

Just assume nothing is ever 100% secure because it isn't and plan accordingly. That is how I sleep at night.

Droidzone

@sman said:
Just assume nothing is ever 100% secure because it isn't and plan accordingly. That is how I sleep at night.

Does that help?

sman

@joelgm said:
Does that help?

Being realistic in business is always helpful. Been hacked before on things I though were secure. Luckily not WHMCS or Solus.

Banks and credit card companies are still being hacked on occasion. If you somehow expect WHMCS and Solus to do an even better job you are not being realistic imho.

Rallias

For the love of god, why're y'all freaking about a bloody XSS?

perennate

@Rallias said:
For the love of god, why're y'all freaking about a bloody XSS?

XSS vulnerability can do a lot of damage; of course, what the post describes isn't an actual vulnerability.

perennate

Great, he made another post, now it's "password protected" http://zoned.pw/?p=27

Edit: nevermind already posted

sman

@perennate said:
XSS vulnerability can do a lot of damage; of course, what the post describes isn't an actual vulnerability.

A lot of self described 'security guru's love hyperbole and are addicted to constant paranoia.