

WHMCS vulnerability: Google Checkout module - Page 2


Comments

  • WHMCS is safe.... safer than zpanel.

  • RootNerdsRootNerds Member, Host Rep

    WHMCS does offer good support. Pretty sure they will release a security release soon.

  • @RootNerds said: WHMCS does offer good support.

    What?

  • RootNerdsRootNerds Member, Host Rep
    edited December 2012

    Fix is out.

    WHMCS Security Advisory: PayPal (v4.5) and Google Checkout (All Versions) (www.whmcs.com)

    WHMCS has released a new version of the 4.5 series and 5.1 series. These updates provide targeted changes to address security concerns with the WHMCS product.
    You are highly encouraged to update immediately.

    == Releases ==

    The following WHMCS versions address all known vulnerabilities:

    4.5.3 for the 4.5 series
    5.1.3 for the 5.1 series

    The latest public releases of WHMCS are available inside our members area @ www.whmcs.com/members/clientarea.php

    == Security Issue Information ==

    The 4.5 series update addresses a vulnerability that can permit a malicious user to deceive a WHMCS installation into crediting a payment that is sent to a PayPal account other than the account configured within that WHMCS installation.
    The 5.x series is unaffected by this vulnerability. It is only possible to exploit this vulnerability if the PayPal module has been activated.

    The rating for this vulnerability is: important

    The 4.5 and 5.1 series update addresses a vulnerability that can permit a malicious user to inject SQL via the Google Checkout module. This only becomes possible to exploit if the Google Checkout module has been activated within the WHMCS installation, and so non-Google Checkout users are not at risk from this.

    The rating for this vulnerability is: critical

    == Mitigation ==

    Download and apply the appropriate patch file to protect against these vulnerabilities.

    For the 4.5 series, please use the file: http://go.whmcs.com/42/v452patch
    For the 5.1 series, please use the file: http://go.whmcs.com/46/v512googlecheckoutpatch

    To apply the patch, simply download the appropriate patch file from above depending upon the WHMCS version you are running, extract the contents, and upload the files from the /whmcs/ folder to your installation.

    No install or upgrade process is required.

  • joepie91joepie91 Member, Patron Provider

    TWO vulnerabilities. Just wow.

  • PatrickPatrick Member
    edited December 2012

    One is for v4.5, which is outdated, and I question why people would use outdated software or scripts. Good to see a quick fix for Checkout.

  • @StormVZ said: One is for v4.5, which is outdated, and I question why people would use outdated software or scripts. Good to see a quick fix for Checkout.

    We're still running 5.0.3. Didn't like the 5.1 changes at all, it even introduced some odd layout bugs on the ordering page.

  • @joepie91 - and yet they pull in 2mm+ gbp/year

  • @unused said: yet they pull in 2mm+ gbp/year

    That is only a sign of success to the unethical and shallow

  • kbeeziekbeezie Member
    edited December 2012

    Hrm, what if someone's running a 5.0.* owned license and doesn't wanna pay the $50 for the support extension? Or is only 4.x and 5.1.x vulnerable? (Last I checked, security patches were back-ported; you just had to upgrade if you wanted the new features, as some people were having issues with 5.1.)

  • PatrickPatrick Member
    edited December 2012

    @kbeezie said: Hrm, what if someone's running a 5.0.* owned license and doesn't wanna pay the $50 for the support extension?

    It says only 5.1.x was affected and not 5.0.x.

    Either way anyone can download it from the link in the forum post:
    http://go.whmcs.com/42/v452patch
    http://go.whmcs.com/46/v512googlecheckoutpatch
    No login required

    http://forum.whmcs.com/showthread.php?64778-Security-Advisory

  • @kbeezie said: Hrm, what if someone's running a 5.0.* owned license and doesn't wanna pay the $50 for the support extension? Or is only 4.x and 5.1.x vulnerable?

    I'm on the same boat; from what I understand only 4.x & 5.1.x are hit.

  • kbeeziekbeezie Member
    edited December 2012

    Edit New Stuff in post below

  • kbeeziekbeezie Member
    edited December 2012

    @StormVZ said: It says only 5.1.x was affected and not 5.0.x.

    Either way anyone can download it from the link in the forum post:

    http://go.whmcs.com/42/v452patch
    http://go.whmcs.com/46/v512googlecheckoutpatch
    No login required

    The way it was explained didn't sound like that, just that the patch addressed it on such and such versions, not that the vulnerability only affected those versions.

    EDIT: That's incorrect, @StormVZ. Got this back from WHMCS:

    Hello

    Yes, 5.0.3 is affected also; however, with 5.0.3 you can simply apply the 5.1 modules/gateways/callback/googlecheckout.php. You don't need to apply the dbconnect from 5.1 (this will stop your install working).
    If you have any further questions, just let us know.
    Regards,
    Liam
    Developer

  • PatrickPatrick Member
    edited December 2012

    @kbeezie said: EDIT: That's incorrect, @StormVZ. Got this back from WHMCS:

    Ah, they probably need to explain this better in the OP / the email that they are "sending", which usually arrives 2-3 days later. At least it's publicly available to download for those out of the support/upgrades option on owned licenses.

  • They are probably still running 5.0.3 also, the dbconnect file killing their install while testing it.

  • @24khost said: They are probably still running 5.0.3 also, the dbconnect file killing their install while testing it.

    ... or, as developers, they know the functions in dbconnect aren't compatible with the DB structure on 5.0.

  • Could be. But how crappy would it be for them to release software with upgrades and decide not to upgrade their own software.

  • @24khost said: Could be. But how crappy would it be for them to release software with upgrades and decide not to upgrade their own software.

    It'd only make sense if it's feature-based and not security/functionality-based, meaning their main setup doesn't need the upgrade, but I would assume they have test/development copies on other installations on their box (I should look into getting a development copy from them).

  • Nick_ANick_A Member, Top Host, Host Rep

    Nuts, some dude ordered two dedis at MCLayer with this exploit.

  • @Nick_A said: Nuts, some dude ordered two dedis at MCLayer with this exploit.

    O_o. Though I guess they figured they'd be caught eventually (notices sent, etc.), but not before they abused the crap out of it.

  • KuJoeKuJoe Member, Host Rep

    The only time software is 100% secure is when it's not installed.

  • Hello world FTW!
    Just kiddin'. If my WHMCS installation is version 4.4.1, I do not need to apply any update, is that right?

  • Indeed it is, @klikli.

    All in all, it's probably the best idea to update to 5.1 (which actually includes this patch now, but I redid it anyway)

  • @Wintereise said: All in all, it's probably the best idea to update to 5.1 (which actually includes this patch now, but I redid it anyway)

    @Wintereise - They skipped updating 5.0, so folks that are on 5.0 and want to use the Google Checkout module will have no choice but to upgrade. Same goes for 4.4, folks will need to update at least to 4.5.

  • It hid my html lolsarcasm tag on the first line, now I'm sad :(

    And I see, @marcm =/

  • KuJoeKuJoe Member, Host Rep
    edited December 2012

    @marcm said: They skipped updating 5.0, so folks that are on 5.0 and want to use the Google Checkout module will have no choice but to upgrade.

    Not true. Just upload the patched callback file.
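
    Liam's reply above and KuJoe's point that only the patched callback file needs to go up describe one procedure for 5.0.x installs: take modules/gateways/callback/googlecheckout.php from the 5.1 patch and leave dbconnect.php alone. The script below is an added example written for this page, not code from the thread or from WHMCS. It assumes the patch archive has already been extracted into a directory that contains the whmcs/ folder the advisory mentions, and that the install root is passed as the second argument; the backup naming, the argument names and the includes/dbconnect.php location used in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from WHMCS): copy only the patched
# Google Checkout callback file into a WHMCS install and report every other
# file in the patch that was deliberately NOT applied (for 5.0.x that is the
# 5.1 dbconnect.php, which Liam says will stop the install working).
#
# Assumptions (this example's own): the patch has been extracted into
# PATCH_DIR and contains whmcs/<install layout>; INSTALL_DIR is the web root
# of the WHMCS install; backups are written next to the replaced file.

CALLBACK_REL="modules/gateways/callback/googlecheckout.php"

# apply_callback_only PATCH_DIR INSTALL_DIR
#   Backs up the current callback file, replaces it with the patched copy,
#   then prints "skipped: <path>" for each other file shipped in the patch.
#   Returns 1 (and applies nothing) when the patch lacks the callback file
#   or INSTALL_DIR does not look like a WHMCS tree.
apply_callback_only() {
    patch_dir="$1"
    install_dir="$2"
    src="$patch_dir/whmcs/$CALLBACK_REL"
    dst="$install_dir/$CALLBACK_REL"

    if [ ! -f "$src" ]; then
        echo "patch does not contain $CALLBACK_REL" >&2
        return 1
    fi
    if [ ! -d "$install_dir/modules/gateways/callback" ]; then
        echo "$install_dir does not look like a WHMCS install" >&2
        return 1
    fi

    # Keep the file being replaced so the change can be reverted.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$src" "$dst"
    echo "applied: $CALLBACK_REL"

    # Everything else in the patch (e.g. includes/dbconnect.php on 5.0.x,
    # an assumed location) is listed but left untouched.
    find "$patch_dir/whmcs" -type f | while read -r f; do
        rel="${f#"$patch_dir/whmcs/"}"
        [ "$rel" = "$CALLBACK_REL" ] || echo "skipped: $rel"
    done
    return 0
}

# Usage: sh apply_callback_only.sh /path/to/extracted-patch /var/www/whmcs
if [ "$#" -eq 2 ]; then
    apply_callback_only "$1" "$2"
fi
```

    The "skipped:" lines are the point of the script: they make visible which parts of the 5.1 patch were not applied, so an admin on 5.0.3 can see that dbconnect.php stayed as it was. Dropping the list and copying the whole whmcs/ folder is the ordinary 5.1 procedure from the advisory.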

  • @Nick_A: Give him an IP and a small VPS with horrible network. See where he logs in from.
