Providers, please update your WHMCS - severe security risk.
Hi guys,
WHMCS got hit again. It caused me not to be able to recover my admin password, and the password was changed unexpectedly.
Please refer to WHMCS forum - http://forum.whmcs.com/showthread.php?p=206522
Do update your WHMCS quickly, as this is a serious threat.
Comments
Thank you, I've just updated my test WHMCS
Heh, turns out sometimes it's beneficial to use providers with their own custom control panel.
What did you mean mate? I think WHMCS is a billing system, not control panel?
At one time, I created a huge hosting control panel using CakePHP Framework, but I replaced it with WHMCS because it was AWESOME
I don't trust WHMCS or any other software that hides the code. It could have anything hidden in there. Fortunately, though, I have some software that removes ionCube.
True, but can't you decode it? The people that null the scripts must be able to do so.
Would you please share it? :P
Thank you for pointing this out as it seems our hosting/license provider failed to mention it
Every WHMCS client should have received a mailing about it. This issue seems to be known for a while, there were already people exploiting this in October. Worries me.
Yep, every direct WHMCS client does; it's down to our provider who issues our WHMCS license (MDD Hosting) to tell us, which they have not... still.
Subscribe to the WHMCS twitter feed.
@miTgib
You get my point though, right? I shouldn't have to. If a host is providing the license/software, they should be informing customers of potential security threats.
Or am i expecting too much :P
They should, but it's your responsibility to keep on top of things too. Relying on someone else is adding one unnecessary point of failure to things.
Sure it is, that's why I have done it myself :P I also popped a ticket into MDD telling them I think it would be a good idea to let clients know. 'Cos I'm nice.
Fixed
Actually we don't use whmcs so I wouldn't know.
Nope. You just explained my entire line of work.
I do wonder about the October bit up there. I know with some of the scripts that we use, once a problem is made public, sometimes someone will pop out of the woodwork and announce "Wait, I let you know about that months ago!" and point to a ticket or forum posting or something else.
That's what concerns me. Seen it with Gallery, WordPress, Firefox, Windows, etc....
Just for reading's sake... Their response:
We are aware, and were going to announce it, but we discovered a huge issue with the patch that broke our WHMCS, and we have a pending ticket with WHMCS about it. Once they resolve the issue we'll announce the patch.
Thank you,
Michael Denney
MDDHosting - Professional Hosting
http://www.mddhosting.com/
Follow us on Twitter! http://twitter.com/MDDHosting
Please don't say you use Platypus still
Abacus
From their twitter
MDDHosting Forums: [Critical] WHMCS Security Update Affecting All Versions http://bit.ly/sycoEx
@DanielM
That's basically like running nulled software. You don't trust a company that produces software that many million-dollar companies use on a day-to-day basis.
Your post is just stupid.
Just like Apple tracking their users with secret software, and billions of users...
@giang
That's understandable. If they do, they reserve the right to keep their software out of the eyes of the world. If I had spent billions of dollars developing an operating system and a range of mini portable device(s), I would not want my software to be very easy to decode.
Every company that develops software should have some callback lines in the code.
That's not from this bug, but rather one related to templates/etc back in October.
Francisco
It seems somewhat harmless but I don't see what it's trying to do:
I'm guessing the form was to upload config files to somewhere listed in downloads/b0x.php?
The code would run on the server side, so since /downloads/ is normally 777, the b0x script, likely a phpshell, would dump in there.
Francisco
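The point above is that a world-writable (777) downloads/ directory inside the web root lets any file-write bug drop a PHP script that the web server will then happily execute. The following audit is an added example, not code from the thread or from WHMCS: it walks a mock web root (constructed here with tempfile; the directory and file names are made up, with b0x.php borrowed from the thread), flags world-writable directories and any PHP files sitting in them, and strips the other-write bit as a remediation.

```python
import os
import stat
import tempfile
from pathlib import Path

# Extensions treated as server-side executable (assumed list, not from WHMCS docs)
PHP_SUFFIXES = {".php", ".phtml", ".php5"}


def world_writable_dirs(root):
    """Return every directory below root whose mode grants write to 'other'."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            p = Path(dirpath) / name
            mode = p.lstat().st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                hits.append(p)
    return hits


def php_files_in(directory):
    """List PHP-like files anywhere under directory (a dropped shell would show up here)."""
    return sorted(p for p in Path(directory).rglob("*") if p.suffix.lower() in PHP_SUFFIXES)


def audit(root):
    """Report each world-writable dir with the PHP files found inside it, paths relative to root."""
    root = Path(root)
    return [
        {"dir": str(d.relative_to(root)),
         "php": [str(p.relative_to(root)) for p in php_files_in(d)]}
        for d in world_writable_dirs(root)
    ]


def harden(root):
    """Remediation: remove the other-write bit from every world-writable directory."""
    for d in world_writable_dirs(root):
        d.chmod(d.stat().st_mode & ~stat.S_IWOTH)


def build_sample_tree():
    """Constructed sample web root: a 777 downloads/ holding a dropped script, plus a sane 755 dir."""
    root = Path(tempfile.mkdtemp(prefix="whmcs_audit_"))
    (root / "downloads").mkdir()
    (root / "downloads" / "b0x.php").write_text("<?php // constructed placeholder file\n")
    (root / "downloads").chmod(0o777)
    (root / "templates").mkdir()
    (root / "templates").chmod(0o755)
    return root
```

On a real install the same two checks apply to any directory the web server can write to, and a web-server rule that refuses to execute PHP from upload directories closes the gap even where 777 is unavoidable.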
I'm guessing WHMCS 5 should have had it included, but I could be wrong.
Worth logging a ticket with Matt and seeing what's up. The latest exploit just allows dumping of file contents. If you're on shared hosting this could be a serious problem, but I'd hope you have your billing on a VPS of sorts?
Francisco
You should get a 256MB KVM from us if anything. If you use lighttpd instead of Apache you should have no issues keeping up with even huge rushes.
Francisco
AFAIK, stock is coming next year, so about a month or maybe more :P.
We'll have some in a week or so depending on how the .32 trials finish off. We just pushed pony7.2 to 99 so we'll see how it goes.
The kernels have been good without any real issues even under serious load.
Francisco