Anyone know what the latest WHMCS update is?
moonmartin
Member
Looked all over and cannot find a changelog.
Always a bit leery of these seemingly quickie patches they come out with. Usually ends up causing problems that require more patches. Also not crazy about doing any patches around the holidays, when support tends to be lacking.
Don't want to ignore these either. They must have come out with this quickie patch for a reason.
Looking in the patch file, it looks like it is updating PHPMailer.
Comments
related to PHPMailer, I believe
The actual exploit hasn't been publicly demonstrated (yet)
It's probably the PHPMailer vulnerability but we already upgraded the class files same day from source.
I believe it's standard for WHMCS not to disclose changelogs/release notes for security updates until it's been out for a few days.
Guess you're not subscribed to any seclists? There are 3 variants of the exploit running around, fully working, and one PHPMailer exploit patch bypass (still unfixed) being tossed around in the public. It was posted on r/netsec a while ago (few days back iirc?)
Ahh ok. A quick Google search did the trick. All the info is already out there, so no reason not to include a changelog. At least something about the severity and what scenarios are necessary for this to be exploitable.
As far as I can tell, this only affects people who have WHMCS mail type set to PHP Mail(), correct? Not people who use SMTP.
Same here, we manually updated PHPMailer, but just as a heads up, a new patch for PHPMailer was released yesterday since the initial one didn't fix the vulnerability, so everything needs to be re-patched.
The update to WHMCS includes the latest patch released yesterday
PHPMailer still used for SMTP.
This.
Also, it did show "phpmailer() fix" in the changelog, just before updating.
I found the details of the updates posted in the usual places:
http://blog.whmcs.com/?t=123166
http://docs.whmcs.com/Release_Notes