New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
How secure is email piping (whmcs)?
Hello,
I was eager to know how vulnerable or secure email piping is, and since WHMCS is one of the pieces of software offering it, I set one up.
I sent a spoofed email from online available tools using the email of one of the accounts and it was perfectly shown in the admin area. The system had a SpamAssassin score of 5 (mxroute). So, couldn't anyone just send a password reset or any email using it? I will appreciate thoughts, as I've seen quite a few providers using this. Or am I missing something?
Comments
You can spoof an email to someone but if they reply then it's going to the original person you spoofed. I don't see how a password reset works that way, that's something you receive.
This is why, when doing support tickets, you always ask for confirmation of any action. Reply to the email address and ask that they reply back to confirm. Anything less, unless you're always examining the raw headers manually, makes email a vulnerability for support tickets.
Lots of WHMCS installs were hacked circa 2013 due to email piping; disabled it then, never looked back.
In that case "Require all tickets to be opened from the client area" seems helpful but for production, would you recommend it to someone (and if mxroute also use that)?
Any source, please?
It's really a matter of preference I would say. There's nothing wrong with allowing yourself to receive a fake ticket, there can only be something wrong with how you treat the ticket.
Definitely POP3 import over email piping. It works very well and is IMHO much safer.
Yup, that's more satisfying. Thanks ^^
Was able to reproduce the same with POP import. Including replying to a ticket!
Check the WHMCS security releases. I am also a source: I had to help 2 hosts get their stuff sorted back then. I don't know why anyone would allow unauthenticated info to be processed on their system when it's not needed.
My tickets now just say "You have a new response to your support ticket, click HERE to view and respond" forcing authentication.
I am confused with your issue. It's possible to spoof the sender id, however when you respond to it, it goes to the real address / MX records.
Sorry, I didn't mean that. What I am referring to is being able to add additional replies to a ticket by sending a spoofed email having the subject "[Ticket: xyz]"
Ah, I see what you mean. Yeah, it only checks the sender id and ticket id, sadly. No DKIM verification/SPF etc.
That won't help an attack angle much if you're handling tickets properly. For all the hell people give me for not considering an email to be instant verification of identity to justify and authorize any and all account changes, this is exactly why. What you're talking about here is a "vulnerability" in almost every support ticket system out there, with companies small and large. You have to take away convenience somewhere to resolve the vulnerability, and that is either in how you handle the communication or in not doing tickets by email. Either way you're pissing someone off eventually, but this is nothing new and undiscovered.
Oh and you can also reduce some occurrences by setting the SPF failure SpamAssassin rule to a higher score (you can do this in cPanel on mxroute), then creating a filter to remove email that meets a certain spam score.
If you're so concerned about someone spoofing you, use DKIM. They were designed to prevent this exact thing. To add this, contact your mail provider. Most will support it, if they don't move, they're being retarded and have no sense of security.
Learn more here https://support.dnsimple.com/articles/dkim-record/
No major email provider gives any kind of penalty to someone who is not signing an email with a DKIM signature.
That viewpoint ignores all of the realities of DKIM in favor of the persistent rumors. If the major email providers do not provide a penalty for sending an unsigned email, then providing a service that does will mean providing a service that does not work as Gmail, which means not having customers, which means not providing increased security for anyone.
Oh wait I read the post again. I thought the issue was he spoofed an email from his domain and it went through on WHMCS. But I see now the issue is WHMCS not verifying email origins correctly.
Thanks @jarland, this isn't an important function for me. I was, however, curious about its usage. A lot of people (80 and counting until now) reply to mails instead of tickets, which made me at least give solutions a try. Anyways, I've got my answers now ^^
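
The gap described in the thread (the importer matches only the From address and the "[Ticket: xyz]" subject, with no DKIM/SPF check) can be narrowed with a filter in front of the pipe or POP import. The following is an added example, not code from WHMCS, mxroute or any poster: it assumes the receiving MTA stamps an `Authentication-Results` header with the hypothetical authserv-id `mx.example.net`, and it holds any reply whose From domain is not exactly one that MTA recorded as passing DKIM or SPF.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the authserv-id your own receiving MTA stamps, and that the MTA
# strips any inbound Authentication-Results header already carrying this id.
TRUSTED_AUTHSERV = "mx.example.net"

def from_domain(msg):
    """Domain of the visible From: address, the value the ticket system matches on."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

def authenticated_domains(msg):
    """Domains the trusted MTA recorded as dkim=pass (header.d) or spf=pass (smtp.mailfrom)."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(value).partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue  # stamped by some other host, possibly the sender: ignore
        for clause in results.split(";"):
            method = re.match(r"\s*(dkim|spf)=pass\b", clause, re.I)
            if not method:
                continue
            prop = "header.d" if method.group(1).lower() == "dkim" else "smtp.mailfrom"
            found = re.search(re.escape(prop) + r"=(\S+)", clause)
            if found:
                domains.add(found.group(1).rpartition("@")[2].lower())
    return domains

def ticket_reply_decision(raw):
    """'accept' only if From: domain exactly matches an authenticated domain, else 'hold'."""
    msg = message_from_string(raw, policy=policy.default)
    domain = from_domain(msg)
    return "accept" if domain and domain in authenticated_domains(msg) else "hold"

# Constructed sample messages (not real traffic).
GENUINE = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=customer.example\n"
    "From: Alice <alice@customer.example>\n"
    "Subject: [Ticket: xyz] Re: question\n\nThanks, that worked.\n"
)
SPOOFED = (
    "Authentication-Results: mx.example.net; dkim=none;"
    " spf=pass smtp.mailfrom=bounce@sender.example\n"
    "Authentication-Results: other.example; dkim=pass header.d=customer.example\n"
    "From: Alice <alice@customer.example>\n"
    "Subject: [Ticket: xyz] Re: question\n\nOne more reply.\n"
)

if __name__ == "__main__":
    print(ticket_reply_decision(GENUINE), ticket_reply_decision(SPOOFED))
```

Exact-match alignment is a simplification of DMARC's relaxed mode, so legitimate customers who send through a subdomain or an unsigned provider will land in "hold" and still need the confirm-by-reply or client-area step discussed above.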