Comments
Ohh definitely! I was not complaining; what I meant was I hope they continue doing this in the future.
Who would put their WHMCS behind cloudflare? Would you give them your SSL cert too?
They would be able to sniff all your data then. Customer's details, customer's passwords, everything.
@fapvps ah yes then I agree
If they rewrite WHMCS completely, it will save the hassle.
I think "audit" is a more suitable word than "rewrite" :P
Are you being fucking serious?
@rds100 What are you even going on about?
@Fliphost I'm afraid I don't understand your question?
@awson yes, fucking serious. Do you know who (company and individuals) is behind cloudflare? Do you trust them enough?
They issued a patch for the latest exploit but a fix would entail having a 3rd party audit their code and WHMCS firing their current programmers and hiring programmers who didn't write crappy code and who placed a premium on security.
An external firewall implies CloudFlare would have to have access to the plain text transmissions.
@awson
@Fliphost
Cloudflare acts as an SSL endpoint, so they can see and inject anything they want into an SSL session because they are between your WHMCS and your customer. This is what @rds100 was talking about.
@fapvps I understand that part however
This is a bit excessive. They don't even do that. Not even going to argue though.
"Kill it with fire" is the phrase you're looking for. With holes like that I would get rid of it as quickly as possible and wouldn't use it even if someone paid me to do so. Customers' details are worth more than that. Also, a complete rewrite wouldn't help if it were done by the same people – the result would be along the lines of "different code, same holes".
email just received from a LEB host...
Chances are there were probably some hosts who were compromised today and don't even know they were hacked because their technical knowledge is limited to pushing buttons in Solus/WHMCS.
It does not matter what they do and don't do. From a purely technical point of view, they can see the SSL data that passes through them.
@Fliphost the truth is, we don't know if they do it or don't. Or if they would start doing it some day.
They spend a lot of money for expensive hardware, colocation in multiple expensive data centers around the world, staff, development, etc. Then they offer it to the world for free. Could it be a PRISM-like project? Hey, they don't even need to tap-splice the fiber cables, we send them all the data for free, they play it "the man in the middle" for us. And for free.
Official patch has been issued by WHMCS: http://blog.whmcs.com/?t=79427
@fapvps I never disagreed with that part
And you guys think zPanel has security issues...
Would, have, do. I doubt you've had dinner with your upstream providers. Every single company has to place some faith in someone else at some point. You make the most informed decisions you can; they aren't always infallible. It is what it is. I mean, for that matter, how do I know every cPanel update is legit? It's about trust. Limit it as best you can, but you still have to have it. That, or 100% in-house programming and guards at every routing point. Good luck explaining that cost to customers.
@Fliphost
@rds100 Simply pointed out that CF is capable of seeing everything inside of an SSL session. You and @awson asked him what he was talking about, and it seemed like you were not aware that CF is capable of doing that at first. A simple misunderstanding.
I completely agree with you.
That is a completely different story.
@fapvps Then just keep fapping..
Upstream providers still wouldn't be able to grab client usernames and passwords and other sensitive data, unless they use telnet or you don't have HTTPS. On the other hand, Cloud Flare would be able to.
Meh, if they get caught sniffing SSL one time, they throw away all that income. Would have to be one heck of a payout, or suicide.
Why not just add the proper escaping instead of shutting down the whole billing system? Providers don't even know PHP?
The source code is ionCube-encoded?? And running a decoded version is probably against their terms of service, even if it's not nulled (and you purchase a license). So... providers have to rely on them for security, even when there's a simple fix. That's part of one of the big problems with proprietary software.
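The "proper escaping" fix mentioned in the two posts above, shown side by side with the defective pattern and with a parameterized query. This is an added example, not WHMCS code or code from anyone in this thread; WHMCS is PHP, but the example uses Python with an in-memory SQLite table (constructed sample rows, hypothetical table name `tblclients`) so it runs stand-alone.

```python
import sqlite3

# Constructed sample rows standing in for a billing system's client table.
SAMPLE_CLIENTS = [
    (1, "alice@example.com"),
    (2, "o'brien@example.com"),
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblclients (id INTEGER, email TEXT)")
    conn.executemany("INSERT INTO tblclients VALUES (?, ?)", SAMPLE_CLIENTS)
    return conn


def lookup_unsafe(conn, email):
    # Defective: the input is pasted into the SQL text, so a quote inside it
    # becomes part of the statement's grammar instead of part of the value.
    sql = "SELECT id FROM tblclients WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_escaped(conn, email):
    # The "just add escaping" fix: double every single quote before pasting.
    # It only holds if every code path does it, for every field, every time.
    safe_value = email.replace("'", "''")
    sql = "SELECT id FROM tblclients WHERE email = '" + safe_value + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, email):
    # Preferred: the driver sends the value separately from the statement,
    # so nothing in the value can change what the query does.
    sql = "SELECT id FROM tblclients WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,)).fetchall()]


def compare(email):
    """Return the ids each variant finds, or 'error' where the query breaks."""
    conn = open_db()
    results = {}
    for name, fn in (("unsafe", lookup_unsafe),
                     ("escaped", lookup_escaped),
                     ("parameterized", lookup_parameterized)):
        try:
            results[name] = fn(conn, email)
        except sqlite3.Error:
            results[name] = "error"
    return results
```

A legitimate e-mail containing an apostrophe is enough to break the unsafe query; the syntax error it produces is the same structural problem an injection exploits, and the escaped and parameterized variants both return the correct row.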
@jarland specifically considering all the big name sites that use them.