WHMCS WebHost License Bypass Loophole

MonsteR

Links been removed but guessing its where you add the whmcs.com and localhost.whmcs.com to the /etc/hosts file or something I seen ages ago for research purposes.

GreenVine

hotsnow said: I think WHMCS don't care about this, I've seen some similar posts which talking about this bug at least 1 year ago, but the bug still existing until now, lol

Maybe I need to re-post the link to gain WHMCS's attention lol

drserver

AnthonySmith said: "Excuse me madam, does this tissue smell like chloroform to you?"

Hahaha You just made my day

retry

Should have posted in hakz fawrum

runs

GoodHosting

Seriously though,

This same method works on just about all software; no null required. Five seconds with a .js webserver, or a python webapp + hosts entries can get you WHMCS, cPanel/WHM, RVSkin, Softaculous, SolusVM .....

Yet, you can save yourself (as a consumer) against these here:

http://www.whmcs.com/members/verifydomain.php

http://verify.cpanel.net/

These are important links.

GreenVine

@HardCloud said:
Seriously though,

This same method works on just about all software; no null required. Five seconds with a .js webserver, or a python webapp + hosts entries can get you WHMCS, cPanel/WHM, RVSkin, Softaculous, SolusVM .....

Yet, you can save yourself (as a consumer) against these here:

http://www.whmcs.com/members/verifydomain.php

http://verify.cpanel.net/

These are important links.

This bug can bypass whmcs license verification and shows 'this domain is authorized to use WHMCS' on the page you provided

GoodHosting

@GreenVine said:
This bug can bypass whmcs license verification and shows 'this domain is authorized to use WHMCS' on the page you provided

Good for you. Philip doesn't care.

Or whoops, this isn't SolusVM.

Still, they won't fix it for years.

GreenVine

@HardCloud

So I will re-post the link and article as WHMCS not respond: http://go.green-vine.net/yc2ik.

Not null its software therefore is legal.

GoodHosting

@GreenVine said:

Not really, no. The reverse engineering required, etc etc; it's a thin line of legality, and you're just trying to get a rise out of people posting it on LET.

GreenVine

@HardCloud said:
Not really, no. The reverse engineering required, etc etc; it's a thin line of legality, and you're just trying to get a rise out of people posting it on LET.

WHMCS's source code is downloadable in China.

GoodHosting

@GreenVine said:
WHMCS's source code is downloadable in China.

WHMCS source code is downloadable from WHMCS, what's your point?

It's only ioncube, five seconds on Google will show you an online decode, etc etc.

skagerrak

@GreenVine said:
WHMCS's source code is downloadable in China.

But LET/LEB is on US soil.

ZweiTiger

Also i could use one valid license then install it to unlimited server. And its not nulled. You could use the other domains and whmcs well , without license issue. Bad thing: only one domain will be valid if they check it at whmcs website. But you could use the license withut nulled.. without any issue . Trick the license eaaasyyy . Using the latest 5.2.16 version , installed by softcalous. Without license error. Easy steps. >Reissue license > Install whmcs with softcalous > reissue license > insall :P , now you have 2 legal WHMCS what is not nulled and up to date. Just one of them will be "valid by whmcs". Goof trick? Course. Will whmcs solve this problem? Never...

vRozenSch00n

哎呀，你都是调皮 :P

Wow, you are naughty.

TekStorm_James

@ZweiTiger :: The number of times you can reissue your license is limited. Also, the installations will periodically perform a remote check with the WHMCS licensing server. When that happens, whichever one isn't authorized will be invalidated. While the client area will continue to function, you won't be able to access the admin area until it's re-validated.

ZweiTiger

@TekStorm_James said:
ZweiTiger :: The number of times you can reissue your license is limited. Also, the installations will periodically perform a remote check with the WHMCS licensing server. When that happens, whichever one isn't authorized will be invalidated. While the client area will continue to function, you won't be able to access the admin area until it's re-validated.

I can.. acces it. . Maybe its a mistake or not.. who know. I am able to acces the admin.

TekStorm_James

You will be able to use both, initially, until one decides to performs its remote check.

GreenVine

TekStorm_James said: You will be able to use both, initially, until one decides to performs its remote check.

I ever saw somebody put licensing28.whmcs.com into /etc/hosts and fake a Active license response. Working fine in older version but not test it in 5.2.16.

mpkossen

@GreenVine said:
I ever saw somebody put licensing28.whmcs.com into /etc/hosts and fake a Active license response. Working fine in older version but not test it in 5.2.16.

When it comes from your server and goes to theirs, can't you inspect the packets, see what response it gets, and just fake that from then on?

GreenVine

@mpkossen said:
When it comes from your server and goes to theirs, can't you inspect the packets, see what response it gets, and just fake that from then on?

Certainly that's possible.

luissousa

@mpkossen said:
When it comes from your server and goes to theirs, can't you inspect the packets, see what response it gets, and just fake that from then on?

Why would anyone do it instead of nulling it? It is not hard at all.

fileMEDIA

mpkossen said: When it comes from your server and goes to theirs, can't you inspect the packets, see what response it gets, and just fake that from then on?

As long as they not using SSL and encryption which encrypted the session timer token in an encrypted memory range. But where should it use without any license? When you cannot pay the money (15$..) for a license your business model is crap und you should close it..

mpkossen

@fileMEDIA said:
As long as they not using SSL and encryption which encrypted the session timer token in an encrypted memory range. But where should it use without any license? When you cannot pay the money (15$..) for a license your business model is crap und you should close it..

Sure. It was purely theoretical what I was suggesting.

fhneric

@xcubehost said:
WHMCS is cheap enough as it is, if you cant afford a few dollars a month on a billing system, then you realy should not be in the business to begin with!

Better yet, get an owned license if you don't like paying monthly, it's only $249.95, and only $45/yr to get the support and updates.

GreenVine

fhneric said: Better yet, get an owned license if you don't like paying monthly, it's only $249.95, and only $45/yr to get the support and updates.

lol Eric you survived?

Evo

http://blog.whmcs.com/?t=80970

You could get up to $5000 for reporting such a bug.

skagerrak

@Evo said:
http://blog.whmcs.com/?t=80970

You could get up to $5000 for reporting such a bug.

GoodHosting

If you can't afford 15$ , get out of business now.... (much cheaper with hosting from many companies, free from SingleHOP with a reseller service...)

netomx

@HardCloud said:
If you can't afford 15$ , get out of business now.... (much cheaper with hosting from many companies, free from SingleHOP with a reseller service...)

Funny reading that from you

GreenVine

@HardCloud said:
If you can't afford 15$ , get out of business now.... (much cheaper with hosting from many companies, free from SingleHOP with a reseller service...)

I must say again that this is for RESEARCH purpose.