RSTheme - Critical Update
Is this genuine?
CRITICAL! Security Update for the Lagom WHMCS Client Theme
We regret to inform you of a critical vulnerability discovered in the Lagom WHMCS Client Theme, posing a potential security risk to your WHMCS system. We apologize for any inconvenience and prioritize your system's security.
Immediate Action Required
To address this issue, we have developed patches for all product versions. These patches will also be included in the Lagom WHMCS Client Theme packages, starting from version 1.5.0.
Prompt installation of these patches is essential for your system's protection. Follow the steps below for guidance:
Download the Patch
1. Access the RS Studio Client Portal and log in to your account.
2. Navigate to the management page of your Lagom WHMCS Client Theme product.
3. Select "Patches" from the left sidebar.
4. Download the patch corresponding to your version (e.g., for Lagom Client Theme v2.1.4, download the v2.1.4 - security fix).
Install the Patch
1. Unzip the downloaded folder.
2. Upload the contents of the /php71+/ folder via FTP to your WHMCS installation directory.
3. Ensure all files are uploaded correctly without errors.
Checking for Infection
To validate if your installation has been infected, follow these steps:
1. On your server, navigate to /templates/lagom2/assets/img/clients/. Note that the absence of the /clients/ folder indicates that no PHP files have been uploaded, so your installation should be secure.
2. Inspect the directory for any PHP files. Be aware that the presence of any PHP file could potentially pose a security risk to your system, so you should follow the steps described below.
Immediate Action for Unauthorized Files
If unauthorized PHP files are found, please act immediately:
1. Download the suspicious PHP file from your server.
2. Remove this suspicious file from your server.
3. Zip the file and prepare it for analysis.
4. Submit the file to our team for further investigation - report code.
About the Security Issue
The issue pertains to a specific function that allowed customers to upload image files (PNG, JPG, SVG, and GIF) when logged into the WHMCS client area. This function used PHP MIME type checks to ensure only these image formats could be uploaded. However, we have discovered that the MIME function’s security measures are not entirely foolproof.
It has come to our attention that skilled hackers could exploit this function. They could bypass the intended restrictions by executing a particular URL, allowing them to upload a PHP file. This vulnerability poses a significant security risk.
We want to assure you that this function was never utilized in the Lagom Client Theme. As a precautionary measure, we have completely removed this function from the addon files to eliminate any potential risk.
Our team has conducted a thorough investigation of all addon files to search for any other vulnerabilities. We are pleased to report that no additional significant security issues have been found. However, as part of our commitment to continually enhance the security and integrity of our products, we plan to release further security improvements in the upcoming 2.2.4 version of our product, scheduled for release in February.
Your security and trust in our products are of utmost importance to us. We are committed to providing you with the safest and most reliable experience possible. Should you have any questions or concerns, please do not hesitate to reach out to our support team via our contact form.
Thank you for your attention to this matter and for your continued support.
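The advisory above says the uploader relied on a MIME type check. The following added example (not code from RS Studio or the Lagom theme) shows why that is insufficient: it models the weak pattern of trusting the client-declared Content-Type next to a hardened check that decides from the file's content, refuses image/PHP polyglots, and assigns a server-generated name. Function and class names are hypothetical, and SVG is deliberately excluded because it is text/XML and cannot be validated by magic bytes.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Accepted output types and the extension the server will assign (never the client's name).
ALLOWED = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}
# Leading bytes that identify each accepted format.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


@dataclass
class Upload:
    filename: str       # name chosen by the client
    declared_type: str  # Content-Type sent by the client; fully attacker-controlled
    data: bytes


def weak_accepts(u: Upload) -> bool:
    """Flawed pattern: trust the MIME type the client declared."""
    return u.declared_type in ALLOWED


def sniff_type(data: bytes) -> Optional[str]:
    """Identify the format from the leading bytes, ignoring name and declared type."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def hardened_accepts(u: Upload) -> Optional[str]:
    """Return a server-chosen file name if the content is an accepted image, else None."""
    mime = sniff_type(u.data)
    if mime is None:
        return None
    # A valid image header followed by a PHP open tag is a polyglot; reject it outright.
    if b"<?php" in u.data.lower():
        return None
    return secrets.token_hex(16) + ALLOWED[mime]


if __name__ == "__main__":
    # Constructed sample: a PHP payload uploaded under an image name and image Content-Type.
    sample = Upload("avatar.jpg", "image/jpeg", b"<?php echo 'constructed sample'; ?>")
    print("weak check accepts:", weak_accepts(sample))        # True
    print("hardened check accepts:", hardened_accepts(sample))  # None
```

Storing the accepted file under the generated name in a directory the web server will not execute scripts from is the other half of the fix.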
Comments
It should be, but be careful.
decided to remove theme / addons / checkout and roll basic WHMCS for now...
Ditto! We have taken off theme / addons / orderforms until this is confirmed or fixed.
@JamesF Hello,
I can confirm that this patch is legitimate. The issue it addresses was reported by a customer yesterday, and we have swiftly developed a fix. Given the potential security threats posed by hackers, we have proactively decided to inform all our customers about this issue via email. Please feel free to apply the patch to ensure the security and smooth operation of your system.
Regards,
Paweł Bis, RS Studio CEO.
Patch should be made publicly accessible without any registration or login.
Thank you for your suggestion, if you have purchased our product via our website, then you can simply login to your account and download the files.
We use 2.2.2 and we've not even been notified yet. There's also nothing clear within your portal to say there's a requirement to apply a patch.
This patch has just been released; our system is sending emails to our customers, so it may take a few hours until all customers receive this information. If you'd like to confirm this information, you can open a ticket in our system, or contact me via email: [email protected]
Given recent events with malicious module updates and hosts being compromised it's slightly perturbing...
You may want to look at signing your downloads or something as if you've been compromised it isn't hard for someone to push out a malicious patch file on your portal.
Thank you for your feedback, so what kind of confirmation are you looking for? Please open a ticket, or contact me via email.
It's good, thanks @rspaul for quickly confirming here as well. Appreciate your effort.
Thank you for your understanding and kind words. We sincerely apologize for the security issues that were introduced in our products. If you have any questions or require assistance, please feel free to contact us through our support center.
In the remediation email, you said that if the clients folder didn't exist, it wasn't exploited. However, if someone had PHP access, couldn't they delete the file and put their code in another directory or remove their backdoor after dumping the database? Also, would Cloudflare WAF stop this attack?
@Advin You are correct in your understanding that the absence of a specific file or folder on your server does not categorically rule out the possibility of unauthorized modifications or exploitation. Indeed, if an individual had PHP access, they might have the capability to delete files, move their code to different directories, or remove traces of their backdoor after executing operations such as database dumps.
However, it is pertinent to mention that this specific issue was reported by one of our customers. In that instance, the perpetrator of the breach indeed left the PHP code in the clients folder.
Just had a notification from Lagom / RS Studio to perform a critical update for a security risk which could pose a threat. Are they another company who has been hacked / compromised? Anyone got any set-in-stone info?
https://prnt.sc/2Id8vBO-_ZDH
https://prnt.sc/_pZVmUAEvKbI
rspaul, I may sound like an idiot, but is it possible for you guys to release the patch publicly without locking it behind a paywall?
I don't encourage nulled plugins/themes, but I know several people on the internet use them, and I think it's not okay to leave them vulnerable.
Your choice at the end though, your company.
Yes, got posted here also : https://lowendtalk.com/discussion/192300/rstheme-critical-update
Posting this here, copy-pasted from a Discord server:
The vulnerability allows for the uploading of a PHP file masquerading as an image. Essentially, this involves embedding a backdoor within a PHP file, which is then renamed to appear as a standard image file (such as with a .jpg extension) before being uploaded. Additionally, there's the potential to modify the MIME type of a PHP file to imitate that of an image file, thereby bypassing security checks during the upload process.
Once on the server, if the environment is configured to execute PHP files in the upload directory, this malicious script can be executed either automatically or by the attacker accessing it through a web request. Execution of this script could grant the attacker various levels of unauthorized access to the server, depending on the nature of the backdoor code. This access could be used for a range of harmful activities, including performing database dumps, accessing sensitive information, or gaining control over the server itself. It's a significant security vulnerability because it allows the attacker to execute arbitrary code and compromise the entire system.
In other words, it's really easy to exploit this. Almost anyone can do it and I'm sure a lot of people have already done so.
It's not like everyone running WHMCS + Lagom knows about this vulnerability either. The hackers sure do, and have probably known about it for weeks or even months before this announcement.
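The advisory's "Checking for Infection" steps and the description above both come down to one question: does anything in the clients upload directory run as PHP, or look like PHP renamed as an image? This added scanner (not from RS Studio or the thread) walks a directory and flags executable extensions, image files whose leading bytes do not match any image signature, and files containing a PHP open tag; function names and the fixture it builds are constructed for the example. Point it at /templates/lagom2/assets/img/clients/ on a real install.

```python
from __future__ import annotations
import tempfile
from pathlib import Path

# Extensions that PHP-enabled web servers commonly execute; none belong in an image directory.
EXEC_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
IMAGE_SIGNATURES = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")
PHP_OPEN_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def inspect_file(path: Path) -> list[str]:
    """Return the reasons one file looks suspicious; an empty list means nothing was found."""
    reasons = []
    ext = path.suffix.lower()
    head = path.read_bytes()[:65536]
    if ext in EXEC_EXTENSIONS:
        reasons.append("executable PHP extension in an image upload directory")
    if ext in IMAGE_EXTENSIONS and not head.startswith(IMAGE_SIGNATURES):
        reasons.append(f"{ext} file does not start with an image signature")
    if any(tag in head.lower() for tag in PHP_OPEN_TAGS):
        reasons.append("PHP open tag found in file content")
    return reasons


def scan_uploads(root: str) -> dict[str, list[str]]:
    """Map each suspicious path (relative to root) to its reasons. Missing root -> nothing to check."""
    root_path = Path(root)
    findings: dict[str, list[str]] = {}
    if not root_path.is_dir():
        return findings  # the advisory notes a missing /clients/ folder means no uploads occurred
    for p in sorted(root_path.rglob("*")):
        if p.is_file():
            reasons = inspect_file(p)
            if reasons:
                findings[str(p.relative_to(root_path))] = reasons
    return findings


def build_sample_dir() -> str:
    """Constructed fixture: one clean PNG, one .php file, one PHP payload renamed to .jpg."""
    d = tempfile.mkdtemp(prefix="clients_")
    (Path(d) / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (Path(d) / "dropped.php").write_bytes(b"<?php echo 'constructed sample'; ?>")
    (Path(d) / "photo.jpg").write_bytes(b"<?php echo 'constructed sample'; ?>")
    return d


if __name__ == "__main__":
    for rel, why in scan_uploads(build_sample_dir()).items():
        print(rel, "->", "; ".join(why))
```

Anything flagged should be preserved for analysis before removal, as the advisory asks, and the rest of the install checked too, since a web shell can write files outside this directory.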
If they're using nulled plugins they're not exactly taking security first. The majority of nulled plugins already contain backdoors.
🤔
I wouldn’t go out of my way to support people who stole my work/product. Paying customers pay the bills to get security updates, patches, and feature updates.
Love you @FatGrizzly but that’s a pretty horrible take and attempt at framing the convo.
Ethically wrong yes, morally maybe?
The hosts that we've been monitoring in the TG channel are all Turkish ones, primarily nulled.
Most hosting providers didn't know that they were on a nulled theme; instead they bought it for a cheap price from some GPL license provider (which is again nulled, and they're getting scammed).
Why are you storing user uploads in a directory that allows for the execution of code? That's one of the basic security features that all file upload systems should handle... User-supplied files should not be stored anywhere near where executable code is stored.
The real question is why does a template ever call any functions related to uploading a file.
I think it was related to profile photos. Why they don't just force gravatar I have no idea.
Francisco
Why a hosting company needs profile photos is beyond me.
To allow people using the nulled version the benefit of the security update without having paid for the original work? Not a good idea, use nulled pay the price.
You're asking too many questions. Reason number 200 why making your own hosting panel is way better.
Can we get a profile page too with a personal blog or status feed? That way we can have a MySpace/Facebook like experience all within our hosting providers platform.
Perhaps we can send friend requests to other customers too. Imagine the possibilities!
To be honest, I really liked the layout of the RSTheme but with the recent issues across so many developer products, it is better to do our own theme without a module. I get the module helps licensing control but it is such a big risk now and is not worth it.
I actually like the idea of profile photos at least for staff. I have one