Looking for a VPS company that doesn't use WHMCS - Page 2

Comments

  • tuxtux Member

    IPAP.co does not use WHMCS because they are in the deadpool.

  • PaulPaul Member

    Putting the "social engineering" attack aside, WHMCS is good software. And of course security is an issue most users and VPS providers consider top priority when dealing with products and services online.

    There are many alternatives that come close to WHMCS and quite a number of people have already abandoned ship and moved elsewhere. However for many, including me, who still believe that the problem with WHMCS is only temporary and can be resolved over time, still remain a user of their product.

    Aside from WHMCS, what billing app or software works best for VPS and other web hosting services? I know of ClientExec, Hostbill, Blesta, BoxBilling (free), Account Lab Plus (old), Modernbill, etc.

    Of course, coding your own billing system helps a lot too. However, if WHMCS decides to release 100% of their source code + full documentation, as a way of saying sorry for the events of the past few days, I'd be more happy.

  • miTgiBmiTgiB Member

    @Paul said: if WHMCS decides to release 100% of their source code + full documentation, as a way of saying sorry for the events of the past few days, I'd be more happy.

    You'd be happy? You should take your site offline if that were to happen, all the code would be reviewed, and any exploit taken advantage of very quickly. You would have to hope the good find it faster than the evil.

  • Paul, they're a business, you think they'll release their source code just like that? That's not how the world works sadly.

    Just because an exploit is found in Windows doesn't make Microsoft release their source code.

  • yomeroyomero Member

    @Paul said: Putting the "social engineering" attack aside

    I am afraid that all these attacks are not social engineering only :S

  • AldryicAldryic Member

    @matessim said: Just because an exploit is found in Windows doesn't make Microsoft release their source code.

    I think this statement strikes truer to lesson than any other. How many times has Windows (and other MS products) been compromised over the years? Even with numerous instances of leaks due not to the security holes, but an employee's carelessness? And yet, they're still holding a power position in the market.

    Switching from WHMCS to another billing portal doesn't mean you'll suddenly be immune to future compromises or attacks. Going back to the Windows example... sure, when a particularly nasty virus was making the rounds everyone that took no action was at risk, and continued to be at risk. You didn't see hordes of people jumping over to GNU/Linux in response... the vast majority used the updates released from Microsoft to patch their system. If anything, this serves as strong motivation for the WHMCS team to go through their code (or, as I suspect, hire a third party to thoroughly pen-test for them) and release patches and fixes to their clients. I know of two 0-days that currently haven't made the public rounds yet. For one of them, simply applying an ACL to your admin directory nulls it. For the other, you can either use a smarty edit or remove access to the file in question. Neither of these exploits is a concern for us now, and I will also be bringing up hiring someone (and I already have who it will be in mind) to do further testing at our next staff meeting.

    You can also take steps against the auto-exploit scripts that kids such as subigo are so happy to pass around. If you want to avoid them, simply update your license with a new IP (and possibly subdomain). Of course, that doesn't stop anyone after you explicitly from finding out the new information... but if that's the case then the exploit scripts would've made little to no difference anyways.

    Everyone makes mistakes, doesn't matter who you are. WHMCS' biggest vulnerability was, and will be, their popularity. If most of their clients jump ship and go to Hostbill, you can well expect someone to start attacking their software. Of course, you could escape that loophole by simply writing your own portal... but unless you're very proficient at your chosen language, you'd best strongly consider hiring a professional to test its integrity.

    And before the 'fanboy' crap starts, no, I am not defending WHMCS or their poor choice in hosting/security. Merely hoping that reading this might make a few of you actually stop and think for yourselves instead of just jumping up on someone else's hate wagon without even understanding why.

  • raindog308raindog308 Administrator, Veteran
    edited May 2012

    @Aldryic said: I know of two 0-days that currently haven't made the public rounds yet.

    Is WHMCS LLC aware of them?

  • AldryicAldryic Member

    @raindog308 said: Is WHMCS LLC aware of them?

    Yes they are. I'm not at liberty to disclose any more on that, though, sorry.

  • raindog308raindog308 Administrator, Veteran

    @cedric said: 6sync uses WHMCS for their billing/ticket backend - https://secure.6sync.com/portal/?licensedebug

    Interesting - all my interaction with them has been through biscuit. Maybe it just talks to WHMCS on the backend.

  • jarjar Patron Provider, Top Host, Veteran
    edited May 2012

    @Aldryic You're forgetting those of us that actually do jump ship from unstable and frequently attacked (with ease) platforms. Sure, if everyone went to Linux or Mac tomorrow, it'd be the most attacked platform in a week. That, however, doesn't mean I shouldn't switch today. In fact, that choice has been for the better for the last 7 years. Still not using the most popular to attack platform, hasn't changed. It isn't about the platform in this case though. It's about the people. I lost faith in management. I don't know how you rebuild that. Their biggest vulnerability was not popularity, it was a disregard for an amount of security that matched their income and popularity. Quite frankly, they were careless with several things. To look at a guy who clearly preferred maximum profits to hiring a security advisor a long time ago and say "I'm sure he learned his lesson and I'll never see any rookie mistakes come from this same person that could negatively affect me or my client base" is, in my opinion, naive. Maybe he did, maybe he didn't. In my opinion, restoring the server from backups is evidence of the latter.

    Maybe HostBill isn't any better about it, but for me a smaller target means less chance. My clients won't hurt from me picking the less "popular" choice, I won't be missing out on vital functionality, so to me it's no contest. If the less popular platform does the job and has a much smaller target on its head right now, it seems naive and irresponsible to pay for a renewal, which we were due for.

    Again, this is just my situation. Others have theirs. A large client base and an import workflow that is anything but optimal could offset all of that. For me though, that isn't an issue.

  • AldryicAldryic Member

    You're very correct, jarland. I'm a shipjumper myself; Linux has been my primary (and quite often only) platform since the early 90s.

    Like I said, I wasn't trying to defend WHMCS or their choices. It merely irritates me to see people angry for reasons they don't comprehend... if they want to hate on WHMCS, that's all fine and dandy. But they need to do it because they actually understand the situation, not just because some drama queen is blowing the trumpet.

  • jarjar Patron Provider, Top Host, Veteran

    Haha true that. I've zero issues with any company that keeps them. Security has not been an issue for me with whmcs, it's just individual interpretation of the situation and going with your gut.

  • subigosubigo Member

    @miTgiB said: I've not looked at the exploit scanners, but anyone who has, are they by IP or URL? I tend to think by URL, and if true, you would need to change the location, not IP of your install to elude the scanners.

    The one I downloaded has both. It treats the IP and url like two separate targets.

  • subigosubigo Member

    @Jack said: What does it do?

    Whatever you want it to do. It's just a target loader for any other script that you would write.

  • subigosubigo Member

    @Jack said: Yes, but what exploits does it try? To see if I'm vulnerable or not...

    Like I said, whatever you want. The file is just a loader, it doesn't contain any exploits. To use the loader, you download any old WHMCS exploit you want and have it go line-by-line through the loader for attacks.

    The file serves no purpose other than to provide a list of every active WHMCS install.

  • KairusKairus Member

    @Aldryic you make it seem like Windows is incredibly insecure, which is a fun claim to make because it's fun to hate on Microsoft, but considering how large of a platform it is, it's pretty damn secure. Linux has a tiny fraction of the userbase Windows has, and most installs of linux are server based, so you don't have dumb users running around installing random crap off the internet. It's annoying to hear people think Windows is so insecure (or that OS X is so secure trololol), and that's coming from someone who uses desktop Linux on one of his computers...

    Anyway, WHMCS' security is pretty similar to Windows vs Linux, WHMCS has such a vast userbase, there's going to be a lot more attempted attacks on it than say Hostbill, if a lot of users switch over, going to be a lot more attempts to hack it...

  • jarjar Patron Provider, Top Host, Veteran

    @Kairus It's not just fun to hate on Microsoft. Some of us remember the years where Microsoft treated us all like dirt because they didn't need us to "like" them. It's always been personal for me.

  • KairusKairus Member
    edited May 2012

    @jarland said: @Kairus It's not just fun to hate on Microsoft. Some of us remember the years where Microsoft treated us all like dirt because they didn't need us to "like" them. It's always been personal for me.

    I've been using Windows since 95, and I never felt like they've treated me like dirt. I do think that some of their releases have been pretty crappy though. I like Windows 7 though, especially getting three copies for free from MSDNAA, I feel like they've got a good product now and their support is better.

  • jarjar Patron Provider, Top Host, Veteran
    edited May 2012

    @Kairus Little moves to force people to upgrade to new and unstable releases they dared to call "finished," outsourced telephone support that ALWAYS assumed you were a criminal until proven otherwise, repeatedly pushing bad products, ignoring industry input, taking years to patch known security holes. This was the reality from my particular line of vision from DOS 6.22 to Win 3.1, 95, 98, ME, 2000, and XP (where I called it quits). Admittedly I was a little behind as a kid on computers, so while I started with DOS and worked up to 3.1, don't think I was actually a hardcore 3.1 user on release day, at 7 years old. We weren't that well off, I had what I built from parts I could get ahold of. Started at about age 11. I caught up by Win 98. My perspective may be unique.

    Really all depends on what you used them for. For me, I always felt that they didn't care about my business. I'd bet a corporate perspective was different.

  • @Kairus Windows is insecure, it took up to Vista to get a fairly decent user permission system.

    Of course you can't defend against stupidity, all current Linux and Mac viruses require sudo access, and uneducated users will give it.

    @Jarland Microsoft had planned Windows 8 before they released Windows 7. They purposely missed out features in Win 7 so they would put them in Win 8 and get them to upgrade.

  • JTRJTR Member

    Many dedicated server hosts do not use WHMCS (examples include Hetzner, Yesuphost, OVH, Limestone, DediDirect, and many more).
