WHMCS Security Update
http://blog.whmcs.com/?t=83303
Security Issue Information
This Advisory provides resolution for a single security issue which was publicly disclosed. Specific information regarding that issue can be found below.
Case #3785
SQL Injection via Admin Credit Routines
=== Severity Level ===
Important
=== Description ===
An attacker who can function as an authenticated admin user with the ability to apply credits to an invoice can, using specially crafted input, cause the credit routines to execute arbitrary SQL commands if the target user has a credit balance known to the attacker.
Due to the many prerequisites necessary to successfully navigate this vector, a security impact level has been assessed as "Important". Information on security ratings can be found at http://docs.whmcs.com/Security_Levels
=== Resolution ===
Download and apply the appropriate software updates to protect against these vulnerabilities; information about software update releases is provided in the "Releases" section of this Advisory.
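The routine the advisory describes, modelled as an added example that is not WHMCS's code: a hypothetical credit-application function that splices the admin's form value straight into SQL, beside a hardened version that parses the amount as a number, re-checks the client's balance on the server and binds every value as a parameter. The schema, table and column names are constructed for the example.

```python
import sqlite3
from decimal import Decimal, InvalidOperation

def make_db():
    # Constructed sample schema (not WHMCS's real tables): clients hold a credit
    # balance; applying credit to an invoice moves money from one to the other.
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE clients  (id INTEGER PRIMARY KEY, credit REAL NOT NULL);
        CREATE TABLE invoices (id INTEGER PRIMARY KEY, userid INTEGER NOT NULL,
                               total REAL NOT NULL, credit REAL NOT NULL DEFAULT 0);
        INSERT INTO clients  VALUES (1, 50.00), (2, 500.00);
        INSERT INTO invoices VALUES (10, 1, 30.00, 0);
    """)
    return con

def apply_credit_unsafe(con, invoiceid, amount):
    # Hypothetical "before": the admin form value is spliced into the statement text,
    # so any value that is not a plain number is interpreted as SQL by the database.
    con.execute(
        f"UPDATE clients SET credit = credit - {amount} "
        f"WHERE id = (SELECT userid FROM invoices WHERE id = {invoiceid})")

def apply_credit_safe(con, invoiceid, amount):
    # Hardened version: parse the amount as a number, re-check the client's balance
    # on the server, and bind every value as a parameter inside one transaction.
    try:
        amt = Decimal(str(amount).strip())
    except InvalidOperation:
        raise ValueError("credit amount must be numeric")
    if not amt.is_finite() or amt <= 0:
        raise ValueError("credit amount must be a positive number")
    with con:  # commits on success, rolls back if anything below raises
        row = con.execute(
            "SELECT i.userid, c.credit FROM invoices i JOIN clients c ON c.id = i.userid "
            "WHERE i.id = ?", (invoiceid,)).fetchone()
        if row is None:
            raise ValueError("no such invoice")
        userid, balance = row
        if amt > Decimal(str(balance)):
            raise ValueError("credit exceeds the client's balance")
        con.execute("UPDATE clients SET credit = credit - ? WHERE id = ?", (float(amt), userid))
        con.execute("UPDATE invoices SET credit = credit + ? WHERE id = ?", (float(amt), invoiceid))
    return float(amt)

def client_credit(con, userid):
    return con.execute("SELECT credit FROM clients WHERE id = ?", (userid,)).fetchone()[0]

def invoice_credit(con, invoiceid):
    return con.execute("SELECT credit FROM invoices WHERE id = ?", (invoiceid,)).fetchone()[0]
```

With the unsafe routine, a value such as `(SELECT credit FROM clients WHERE id = 2)` is evaluated as a subquery and reads another client's row; the hardened routine rejects the same string before any SQL runs.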
Comments
Thanks, the contents of the patch are a little confusing though, don't you think?
old files and then a separate 5.2.15 folder, guess it was a rushed release.
Yeah, it seems they might've released a messed up version.
Indeed, old files are from a 5.1.5 build 3 patch release; I can see quite a few broken 5.2.x installs arising from this.
Merry Christmas
Awesome. Where was it publicly disclosed? I notice Localhost is now down.
Let's wait for the fix of the fix then
Looks like the patch has been fixed.
Guess I'll do the update in the morning as an early Christmas gift to myself. Oh joy.
Just updated and works fine.
How many exploits does this make for WHMCS just in 2013? It has to be past 10 now, right?
I wouldn't call this an exploit. If you can't trust your admins... fire them.
WHMCS deserves a Merry Xmas and Happy New Year? Wish I could take a proper family break before charging back to the Internet Zoo 2014.