HardCloud said: We're making our own, this is getting ridiculous.
None of these are severe vulnerabilities, and this is a patch, not another zero-day disclosure...
At least they're fixing the vulnerabilities. Sure, they probably haven't stopped using register globals and such, but you can't take this patch as an indication that it's still "getting ridiculous".
@perennate said:
None of these are severe vulnerabilities
Not severe... and you know that how exactly? WHMCS is ionCube-encoded, and as such, normal people running the software don't have any insight into what they are actually running on their servers. The only people who can look closer are those who know how to decrypt ionCube, and those are usually the same people who are all very eager to exploit the software and your servers.
No, there is absolutely no excuse for using register globals. This is 2014; register globals have been disabled by default in PHP since April 2002!
This, and many other really bad things (such as in db.functions.php), anyone with half a brain can decode online with a few quick Googles; you can see for yourself just how pitiful the coding is.
Who wants an elseif chain to select the type of query being run? What about edge cases (like those that caused 5.2.09 - 5.2.14?)
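The two coding practices criticised in this post, a home-grown register_globals emulation and an if/elseif chain that assembles the query, are easier to see in code than in prose. The block below is an added illustration written for this thread; it is not WHMCS code and nothing in it was decoded from WHMCS. It assumes PHP 7 or later with the pdo_sqlite extension, a constructed request array standing in for `$_REQUEST`, and a constructed `clients` table.

```php
<?php
declare(strict_types=1);

// Added illustration, not WHMCS code. Shows the hazard of emulating
// register_globals (copying every request parameter into the local scope) and
// the explicit alternative: named, validated parameters and a prepared statement.

// Constructed request, as PHP would expose it in $_REQUEST. The client has added
// a parameter the script never asked for.
$request = ['clientid' => '42', 'is_admin' => '1'];

// Vulnerable pattern: emulated register_globals. extract() with its default
// EXTR_OVERWRITE flag defines or overwrites a local variable for every key, so
// request input can silently replace state the script set itself.
function emulatedRegisterGlobals(array $request): array
{
    $is_admin = false;           // set by the script before the request is read
    $clientid = null;
    extract($request);           // $is_admin now holds whatever the client sent
    return ['clientid' => $clientid, 'is_admin' => (bool) $is_admin];
}

// Hardened pattern: read only the named parameter, validate its type, and never
// derive authorisation state from request input.
function readClientId(array $request): int
{
    $clientid = filter_var($request['clientid'] ?? '', FILTER_VALIDATE_INT);
    if ($clientid === false) {
        throw new InvalidArgumentException('clientid must be an integer');
    }
    return $clientid;
}

// One parameterised statement per query instead of string concatenation inside
// an if/elseif chain that picks the query type: the value never touches SQL text.
function findClient(PDO $db, int $clientid): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM clients WHERE id = :id');
    $stmt->execute([':id' => $clientid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database (needs pdo_sqlite); the table and
// its single row are constructed for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO clients (id, email) VALUES (42, 'client@example.invalid')");

// The emulated version reports the client-supplied is_admin value; the hardened
// version only ever sees a validated integer client id.
var_dump(emulatedRegisterGlobals($request)['is_admin']);
var_dump(findClient($db, readClientId($request)));
```

The point of the contrast is not the particular parameter name: any variable the script initialises before the emulation runs, or forgets to initialise at all, is reachable from the request. Explicit parameter reads plus prepared statements remove both that class of bug and the query-type chain in one step.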
Yes, that's what I'm saying, what is ridiculous is that they are still using their own custom register globals, and continue to have bad coding practices. These security fixes with their bug bounty program are a step in resolving the issue, and while it doesn't make the overall architecture better, this patch is a good sign, not the bad one @HardCloud somehow sees it as. I guess @HardCloud wants them to keep the bugs and not release a security patch?
@perennate said:
Yes, that's what I'm saying, what is ridiculous is that they are still using their own custom register globals, and continue to have bad coding practices. These security fixes with their bug bounty program are a step in resolving the issue, and while it doesn't make the overall architecture better, this patch is a good sign, not the bad one HardCloud somehow sees it as. I guess HardCloud wants them to keep the bugs and not release a security patch?
This individual patch isn't what made it ridiculous, but 5.2.9-5.2.14 definitely was.
srvrpro said: There already is one opensource, built by a host.
We also make a free software one at https://pbobp.lunanode.com/ but no one is actually interested in switching from WHMCS. I think it is mostly usable now, but it has only two payment gateways and two service plugins. The import script is pretty good though. Missing product addons and stuff. But the architecture is plugin-based so new features are mostly implemented as plugins; I think that's nice too.
We have GitHub now (https://github.com/uakfdotb/pbobp) so if you're interested in working on it then you can pull request or something. If someone has a recommendation of a better free software panel, maybe we switch and work on that one instead (like @HardCloud, you said you were developing one, any GitHub so we can fork and help?).
HardCloud said: This individual patch isn't what made it ridiculous, but 5.2.9-5.2.14 definitely was.
And since then at least they have started a bug bounty program.
@perennate said:
Yes, that's what I'm saying, what is ridiculous is that they are still using their own custom register globals, and continue to have bad coding practices.
Ahh, ok. The way I see it those patches are only little drops in a bucket. Can you imagine how much money they must have made with WHMCS? With all that money, wouldn't you expect, especially given the horrendous security track record, that they'd sit down and rewrite the code? Instead, they ask others to fix the security holes of which there are apparently plenty in an outdated and messy code base. It's like sticking to Windows 95 and trying to make it 64-bit compatible.
When WHMCS 5.0 was released in November 2011 they called it a milestone release. Quote:
Version 5.0 sees the introduction of a brand new client area design, introducing a fresh, modern and clean new look, completely rewritten to take full advantage of all the developments and improvements made to WHMCS in recent releases.
A lot of stress has been on design and how modern the software now is thanks to their adoption of Twitter Bootstrap. Wow. And what do we learn in terms of security improvements?
Security is always a priority with the code we produce. And V5 sees a number of security related options that have been added: - Google reCAPTCHA support for preventing form spam, - Added the ability to disable admin password resets in Setup > General Settings > Security, - Custom FTP port support for Daily FTP Backups
Seriously? That's how they made the latest milestone release more secure?
As long as they don't invest their resources in rewriting the code, and instead focus on visual gimmicks and bug bounty sessions, I fear nothing good will come out of it.
All the details reveal is that they found a bunch of new vulnerabilities (XSS and SQL related), which, according to their knowledge, are not known to the public. It doesn't say anything about the severity of these vulnerabilities.
@Chumbi said:
All the details reveal is that they found a bunch of new vulnerabilities (XSS and SQL related), which, according to their knowledge, are not known to the public. It doesn't say anything about the severity of these vulnerabilities.
These SQLi are pretty public; many people were hit with them during these last few months before WHMCS finally bucked up and released a patch.
Sec risk again and again. We looked at whmcs a long time ago but security holes kept on piling up and we decided to just drop the idea of using it. So far it was a good decision and we have no regrets. Just an FYI.
"whmcs sucks blah blah" "I'm making something better" "this is ridiculous!" yet how many actual options are there still? 3! WHMCS, HostBill, Blesta! Same with SolusVM.
@shovenose said:
"whmcs sucks blah blah" "I'm making something better" "this is ridiculous!" yet how many actual options are there still? 3! WHMCS, HostBill, Blesta! Same with SolusVM.
Comments
http://www.hostingseclist.com/
Subscribe to their free mailing list if you want to get notifications faster than you get them from WHMCS.
Ok, so who will upgrade first and tell us what broke?
It's also a good idea to pipe the email into your WHMCS. This means that whichever staff member is on your WHMCS can patch it.
Thanks for the heads up. I haven't got the email yet, it always takes ages to appear.
Looks like no bugs in this release, but it's too early to say that.
+1 for HostingSecList, always kept up to date with notifications
I updated...
I thank Steven @ rack911 for keeping me updated on this one. Noticed it right before I left the office.
Yeah, I updated too.
Updated and everything is working without any issues so far.
One day WHMCS will be secure... ish. Hopefully.
Updated...
Might make it opensource, just finishing the basic required functionality now before publishing a Proof of Concept / working example model.
It is in fact very ridiculous.
Look at the patch details...
At least they're correcting the issues they find! LOL
ClientExec, HostBill, WHMCS, Blesta, BoxBilling, ......
SolusVM, OpenPanel, OpenNebula, CloudStack, OpenStack, ......
There are a lot of options if only you look hard enough.