WHMCS 5.2.7 Vulnerability - Page 4

Comments

  • perennate Member, Host Rep

    @jarland said:
    Meh, if they get caught sniffing SSL one time they throw away all that income. Would have to be one heck of a payout, or suicide.

    Government agencies like the NSA undoubtedly have access to their SSL certificates. If you trust every such agency as well, then fine.

  • @perennate said:
    Government agencies like the NSA undoubtedly have access to their SSL certificates. If you trust every such agency as well, then fine.

    Big government will always sniff; you would have to unplug your ethernet cable to avoid that one.

  • @perennate said:
    Government agencies like the NSA undoubtedly have access to their SSL certificates. If you trust every such agency as well, then fine.

    Feel free to leave Earth if you're going to be this paranoid :)

  • According to a user on WHT, this exploit can still be executed even after the 5.2.8 patch. He didn't provide much information on it and no other users have reported it, so take it as you wish.

    www.webhostingtalk.com/showpost.php?p=8863086&postcount=174

  • jar Patron Provider, Top Host, Veteran
    edited October 2013

    @perennate said:
    Government agencies like the NSA undoubtedly have access to their SSL certificates. If you trust every such agency as well, then fine.

    I don't think dropping CloudFlare will opt you out of that. Your only option, as far as we can currently reasonably expect, is to not use the internet right now.

  • @123Systems said:
    According to a user on WHT, this exploit can still be executed even after the 5.2.8 patch. He didn't provide much information on it and no other users have reported it, so take it as you wish.

    www.webhostingtalk.com/showpost.php?p=8863086&postcount=174

    An attempt could take place, but it does not mean it will work!

  • @perennate said:
    The source code is ioncodified?? And running decoded version is probably against their terms of service, even if it's not nulled (and you purchase a license). So... providers have to rely on them for security, even when there's a simple fix. That's part of one of the big problems with proprietary software.

    It would be pretty cool if an open source alternative to WHMCS that actually worked effectively came out.

  • fapvps Member
    edited October 2013

    @darknyan

    Ohh how I wish... Are there any completely Open Source billing systems out there?

  • @fapvps said:
    @darknyan

    Ohh how I wish... Are there any completely Open Source billing systems out there?

    Obviously it isn't going to happen for some time. Why would people make one if they couldn't make money?

    Is the mindset of the most close-minded individuals in the world.

  • jar Patron Provider, Top Host, Veteran

    @darknyan said:
    Is the mindset of the most close-minded individuals in the world.

    Incorrect. Time = money. Food = money. No money, no food. No one has found it beneficial enough that has the time to code it. Unfortunate reality? Absolutely. Closed minded? Nope, gotta eat brother.

  • I can predict the future.... someone's going to develop a new "Billing System".. I'll await the hype that's expected to pop up with the next best thing.

  • There are open source billing systems, but if you want them to provision your services you have to write plugins for them to handle things.

  • Incorrect. Time = money. Food = money. No money, no food. No one has found it beneficial enough that has the time to code it. Unfortunate reality? Absolutely. Closed minded? Nope, gotta eat brother.

    Short: no money no honey

  • DewlanceVPS Member, Patron Provider

    I want to move to Hostbillapp but they don't have specific pricing. Who is going to fill in a big form? Also, I don't know what "super theme client area bundle" and "admin bundle" are.

    WHMCS = useless, they release patches only for the latest version. (Seems localhost is owned by WHMCS so they can force users to buy the latest version updates.)

  • That is why, gents, I use HostBill =p

  • Using hostbill or any software for that matter does not guarantee that a 0 day will not be discovered and published tomorrow or 2 years from now...

  • Maounique Host Rep, Veteran

    @fapvps said:
    Using hostbill or any software for that matter does not guarantee that a 0 day will not be discovered and published tomorrow or 2 years from now...

    Exactly, we use both so the scare is double: when it's not one, it can be the other...
    However, building one in-house is no solution either; it is likely that a company will have better programmers, and more eyes will look at the code.

  • We received the same attack as you. With good luck we managed to find it, deleted the client within 10 sec and put WHMCS into maintenance mode. After the upgrade we released WHMCS for more than 3 hours and it seems all looks fine now.

    @CentrioHost said:
    Damn! Fuck off! As soon as I replied to this thread I got attacked! Fuck this shit, who did this to me!

    Default Payment Method: '' to ''

  • I've started using Blesta, which, although it needs a few more features as it's pretty new, seems like it could be great once everything's added in. Plus the point that only two files are encoded - I moved from WHMCS as soon as the beta of Blesta came out.

  • I'm worried that some hosts may not be aware that they were breached. I know this may be teaching some people to suck eggs; however, having a good hard look at the logs would be a wise idea.

  • Literally one day after I installed and leased this software. Great.

  • @ztec said:
    Literally one day after I installed and leased this software. Great.

    It's patched now.

  • Nice.

  • DewlanceVPS Member, Patron Provider

    @wych said:
    It's patched now.

    Only the 5.1 and 5.2 versions are patched, not 5.0 and some other versions.

  • @DewlanceVPS anyone still running 5.0 has probably already been hacked long ago. It's EOL, not supported, etc.

  • I thought Dewlance is retired

  • wych Member
    edited October 2013

    @rds100 said:
    @DewlanceVPS anyone still running 5.0 has probably already been hacked long ago. It's EOL, not supported, etc.

    Do providers not update/renew older copies then? :\

  • BrianHarrison Member, Patron Provider

    @fapvps said:
    http://localhost.re/p/whmcs-527-vulnerability

    Confirmed exploit.

    Disable WHMCS until this is fixed.

    With some basic security precautions, this isn't much of an issue. Our standard set of mod_security rules blocked this exploit as well as a few other variations I tried out.

    For those of you out there running mod_security, I highly recommend the rules published by Atomic Corp (http://www.atomicorp.com/products/modsecurity.html).

  • @perennate said:
    The source code is ioncodified?? And running decoded version is probably against their terms of service, even if it's not nulled (and you purchase a license). So... providers have to rely on them for security, even when there's a simple fix. That's part of one of the big problems with proprietary software.

    Good point.
    This is really stupid for 2 reasons:
    1) providers shouldn't trust third parties for billing software
    2) encoding is a really dumb thing, exactly like DRM. It doesn't stop bad people but limits customers.

  • MiB Member

    @BrianHarrison said:
    With some basic security precautions, this isn't much of an issue. Our standard set of mod_security rules blocked this exploit as well as a few other variations I tried out.

    Having to "fix" severe security issues of a service by blocking malicious requests with an application firewall definitely seems like an issue to me, especially if that service holds sensitive customers' data. The potential loss of customers' trust and a big fine for leaking personal info after a successful exploit are not worth it for me.
