WHMCS Security Advisory 2020-01-28

Tr33n Member
edited January 2020 in General

Just received following mail:

https://www.whmcs.com/members/mailings/?k=security-advisory-2020-01-28

Hello,

We are writing to advise you of a potential security vulnerability when htaccess directives are not enforced appropriately for WHMCS. This most commonly occurs in web server environments such as nginx.

Affected Versions

WHMCS 6.0 and later

How to tell if you're affected

If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.

https://www.example.com/path/to/whmcs/vendor/composer/LICENSE

A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.

How to fix the vulnerability

Please follow the instructions provided in the detailed security advisory:

WHMCS Security Advisory 2020-01-28

WHMCS is here to help, if you are unsure if your system is enforcing .htaccess directives you can open a support ticket for assistance.

Kind regards,
WHMCS

Somehow the mail looks suspicious to me. It's somehow unclear why I should execute an ionCube-encrypted script on the server just to check if public access to the mentioned directory is possible. Reminds me of the hack of WHMCS Global Services :D
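An added example, not WHMCS's verification tool and not something from the thread: a small check that does only what the advisory's "How to tell if you're affected" paragraph describes, requesting the one indicator path it names (vendor/composer/LICENSE) and classifying the HTTP answer. It treats only a 2xx as "exposed", a 403 or 404 as "blocked", and network failures as "unreachable", so a mistyped base URL is not mistaken for a secured server. The throwaway `http.server` harness at the bottom is constructed for an offline demo: a plain static server with no deny rule stands in for an nginx vhost that does not enforce the .htaccess rules.

```python
"""Check whether the WHMCS vendor tree is readable from the outside.

Added example; not the advisory's tool. Assumes only that the install is
reachable over HTTP at base_url and that vendor/composer/LICENSE is the
indicator file, as the advisory states.
"""
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

# Indicator path named in the advisory; readable == .htaccess not enforced.
INDICATOR_PATH = "vendor/composer/LICENSE"


def classify_status(code: int) -> str:
    """Map an HTTP status to the advisory's yes/no question."""
    if 200 <= code < 300:
        return "exposed"
    if code in (401, 403, 404):
        return "blocked"       # deny rule, auth wall, or tree not present
    return "unknown"           # 5xx etc.: investigate, do not assume safe


def check_exposure(base_url: str, timeout: float = 5.0) -> str:
    """Return 'exposed', 'blocked', 'unknown' or 'unreachable' for base_url."""
    url = base_url.rstrip("/") + "/" + INDICATOR_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "vendor-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as err:      # subclass of URLError: first
        return classify_status(err.code)
    except urllib.error.URLError:
        return "unreachable"                   # DNS, refused, timeout


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server that does not log every request to stderr."""
    def log_message(self, *args):
        pass


def serve_directory(root: str):
    """Constructed harness: serve root on a random loopback port."""
    srv = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), partial(_QuietHandler, directory=root))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def demo() -> dict:
    """Run the check against three constructed situations."""
    results = {}
    # 1. Document root with the vendor tree and nothing blocking it.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "vendor", "composer"))
        with open(os.path.join(root, INDICATOR_PATH), "w") as fh:
            fh.write("constructed placeholder, not the real LICENSE file\n")
        srv, url = serve_directory(root)
        try:
            results["unprotected"] = check_exposure(url)
        finally:
            srv.shutdown(); srv.server_close()
    # 2. Same server type, but the file is not there at all.
    with tempfile.TemporaryDirectory() as root:
        srv, url = serve_directory(root)
        try:
            results["no_vendor_tree"] = check_exposure(url)
        finally:
            srv.shutdown(); srv.server_close()
    # 3. Port is now closed: must not be reported as blocked.
    results["unreachable"] = check_exposure(url)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-16s %s" % (name, verdict))
```

Run it as a script for the demo, or import it and call `check_exposure("https://www.example.com/path/to/whmcs")` against your own install. Note that a 200 on this one file is the advisory's indicator, not the full picture: the nginx fix posted further down blocks the whole vendor/ prefix, and a response other than 2xx/403/404 is reported as "unknown" rather than being rounded to "safe".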

Comments

  • Commented on "the other place". ;)

  • RossG Member, Host Rep

    The fact that the only thing between exploitable code and the world is an .htaccess file is insane.

  • Neoon Community Contributor, Veteran

    @RossG said:
    The fact that the only thing between exploitable code and the world is an .htaccess file is insane.

    People are running this on Shared Hosting instead of a separate environment, which is equally bad.

  • Yeah, got the same e-mail. The fix is easy: if you run NGINX, just add this to your server configuration file, where billing is the path of your WHMCS installation.

        location ~ /billing/vendor/ {
            deny all;
            return 403;
        }

    Then do a systemctl reload nginx.

  • @RossG said:
    The fact that the only thing between exploitable code and the world is an .htaccess file is insane.

    How is that insane? That would be the same as saying the only thing between my house and a burglar who wants to break in is a door.

  • @Neoon said:

    @RossG said:
    The fact that the only thing between exploitable code and the world is an .htaccess file is insane.

    People are running this on Shared Hosting instead of a separate environment, which is equally bad.

    The issue is only with non-Apache web servers. For Apache, if you run a newer WHMCS version (which you should), the htaccess file is already in place. Unless you've set the global config to ignore it, of course, you should be OK.

    This is mostly for NGINX, which is a lot better than Apache; shame they still don't officially support it.

  • AlwaysSkint Member
    edited January 2020

    LMFTFY

    marvel said: That would be the same as saying the only thing between my house and a burglar who wants to break in is a cheaply locked door.

  • MikeA Member, Patron Provider

    @marvel said:

    @RossG said:
    The fact that the only thing between exploitable code and the world is an .htaccess file is insane.

    How is that insane? That would be the same as saying the only thing between my house and a burglar who wants to break in is a door.

    My house has guns and cameras. I suppose you can do that with a web server in a way, but most people don't.

  • MikeA said: My house has guns and cameras.

    I have a hamster that looks after the place when I am gone.

  • hostwebis Member, Host Rep

    I also have received that email and after doing the verification no vulnerability was found :)

  • Scary stuff, for something so simple, you'd think they'd cover this initially.

  • jar Patron Provider, Top Host, Veteran
    edited January 2020

    While I applaud them for making the statement, I have to say I'm not really sure that I would've put it out like that. Given how common it is for self-hosted applications, specifically PHP applications, to ship with necessary security measures on a default .htaccess file, they really shouldn't be taking a reputation hit for it. Tons of applications ship this way, and if you don't use Apache you have to secure them separately.

    Thanked by 2: chickendippers, ACAT

  • How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?

  • angstrom Moderator

    @Arion4384 said:
    How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?

    No. Congrats on your first post.
