WHMCS 5.2.16 Update (security)
AnthonySmith Member, Patron Provider

http://blog.whmcs.com/?t=84387

Get patched up :)

Thanks @mikho for the heads up.

Ant.

Comments

  • qps Member, Host Rep

    http://www.hostingseclist.com/

    Subscribe to their free mailing list if you want to get notifications faster than you get them from WHMCS.

  • Ok, so who will upgrade first and tell us what broke? :)

  • AlexanderM Member, Top Host, Host Rep

    @qps said:
    http://www.hostingseclist.com/

    Subscribe to their free mailing list if you want to get notifications faster than you get them from WHMCS.

    It's also a good idea to pipe the email into your WHMCS. This means whichever staff member is on your WHMCS, they can patch it :)

  • said: http://blog.whmcs.com/?t=84387

    Get patched up :)

    Thanks @mikho for the heads up.

    Ant.

    Thanks for the heads up. I haven't got the email yet, it always takes ages to appear.

  • rds100 said: Ok, so who will upgrade first and tell us what broke? :)

    Looks like no bugs in this release... but it's too early to say that :)

  • +1 for HostingSecList, always kept up to date with notifications

  • fileMEDIA said: rds100 said: Ok, so who will upgrade first and tell us what broke? :)

    I updated... :)

  • mikho Member, Host Rep
    edited January 2014

    I thank Steven @ rack911 for keeping me updated on this one. Noticed it right before I left the office.

    Yeah, I updated too.

  • Updated and everything is working without any issues so far.

  • jbiloh Administrator, Veteran

    One day Whmcs will be secure... Ish. Hopefully.

  • edited January 2014

    Updated...

  • We're making our own, this is getting ridiculous.

    Might make it opensource, just finishing the basic required functionality now before publishing a Proof of Concept / working example model.

  • perennate Member, Host Rep

    HardCloud said: We're making our own, this is getting ridiculous.

    None of these are severe vulnerabilities, and this is a patch, not another zero-day disclosure...

    At least they're fixing the vulnerabilities. Sure, they probably haven't stopped using register globals and such, but you can't take this patch as an indication that it's still "getting ridiculous".

  • @perennate said:
    None of these are severe vulnerabilities

    Not severe... and you know that how exactly? WHMCS is ionCube-encoded, and as such, normal people running the software don't have any insight into what they are actually running on their servers. The only people who can look closer are those who know how to decrypt ionCube, and those are usually the same people who are all very eager to exploit the software and your servers.

    No, there is absolutely no excuse for using register globals. This is 2014; register globals have been disabled by default in PHP since April 2002!

    It is in fact very ridiculous.
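As an added illustration of the pattern the thread is arguing about (this is constructed example code, not WHMCS code and not anything a poster published): a PHP layer that emulates register_globals by extracting request parameters into local variables, beside the explicit lookup that keeps internal state out of the client's control. The request array and page names are constructed for the demo.

```php
<?php
// Constructed request for the demo. In a real application this comes from the client,
// so every key in it is attacker-controlled.
$_REQUEST = ['page' => 'invoices', 'is_admin' => '1'];

// Risky pattern: a home-grown "register globals" that imports every request key as a
// PHP variable. extract() defaults to EXTR_OVERWRITE, so any local variable set before
// the call (here the $is_admin flag) is silently replaced by the request value.
function emulatedRegisterGlobals(): array
{
    $is_admin = false;          // internal flag the application decides, not the client
    extract($_REQUEST);         // now $page AND $is_admin both come from the request
    return ['page' => $page ?? '', 'is_admin' => (bool) $is_admin];
}

// Hardened pattern: read only the parameters you expect, validate them against a
// whitelist, and never let request data touch authorisation state.
function explicitParams(): array
{
    $is_admin = false;          // untouched by anything the client sends
    $allowedPages = ['invoices', 'tickets', 'services'];

    $page = $_REQUEST['page'] ?? '';
    if (!is_string($page) || !in_array($page, $allowedPages, true)) {
        $page = 'invoices';     // safe default instead of echoing arbitrary input
    }
    return ['page' => $page, 'is_admin' => $is_admin];
}

// Side-by-side result: same request, only the explicit version keeps $is_admin false.
foreach (['emulatedRegisterGlobals', 'explicitParams'] as $fn) {
    $r = $fn();
    printf("%-24s page=%s is_admin=%s\n", $fn, $r['page'], var_export($r['is_admin'], true));
}
```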

  • HardCloud said: We're making our own, this is getting ridiculous.

    Might make it opensource, just finishing the basic required functionality now before publishing a Proof of Concept / working example model.

    There already is one opensource, built by a host.

  • @Chumbi said:
    It is in fact very ridiculous.

    This, and many other really bad things (such as in db.functions.php) which anyone with half a brain can decode online with a few quick Googles, you can see for yourself just how pitiful the coding is.

    Who wants an elseif chain to select the type of query being run? What about edge cases (like those that cause 5.2.09 - 5.2.14 ?)

  • perennate Member, Host Rep
    edited January 2014

    Chumbi said: It is in fact very ridiculous.

    Yes, that's what I'm saying, what is ridiculous is that they are still using their own custom register globals, and continue to have bad coding practices. These security fixes with their bug bounty problem is a step in resolving the issue, and while it doesn't make the overall architecture better, this patch is a good sign, not a bad one which @HardCloud somehow sees it as. I guess @HardCloud wants them to keep the bugs and not release a security patch?

  • @perennate said:
    Yes, that's what I'm saying, what is ridiculous is that they are still using their own custom register globals, and continue to have bad coding practices. These security fixes with their bug bounty problem is a step in resolving the issue, and while it doesn't make the overall architecture better, this patch is a good sign, not a bad one which HardCloud somehow sees it as. I guess HardCloud wants them to keep the bugs and not release a security patch?

    This individual patch isn't what made it ridiculous, but 5.2.9-5.2.14 definitely was.

  • perennate Member, Host Rep
    edited January 2014

    srvrpro said: There already is one opensource, built by a host.

    We also make free software one at https://pbobp.lunanode.com/ but no one is actually interested in switching from WHMCS. I think it is mostly usable now, but only two payment gateways and two service plugins. The import script is pretty good though. Missing product addons and stuff. But the architecture is plugin-based so new features are mostly implemented as plugins, I think that's nice too.

    We have github now (https://github.com/uakfdotb/pbobp) so if you're interested in working on it then you can pull request or something. If someone has recommendation of better free software panel maybe we switch and work on that one instead (like @HardCloud you said you were developing one, any GitHub so we can fork and help?).

    HardCloud said: This individual patch isn't what made it ridiculous, but 5.2.9-5.2.14 definitely was.

    And since then at least they have started bug bounty program.

  • perennate Member, Host Rep

    Chumbi said: and you know that how exactly?

    Look at the patch details...

  • @perennate said:
    Yes, that's what I'm saying, what is ridiculous is that they are still using their own custom register globals, and continue to have bad coding practices.

    Ahh, ok. The way I see it those patches are only little drops in a bucket. Can you imagine how much money they must have made with WHMCS? With all that money, wouldn't you expect, especially given the horrendous security track record, that they'd sit down and rewrite the code? Instead, they ask others to fix the security holes of which there are apparently plenty in an outdated and messy code base. It's like sticking to Windows 95 and trying to make it 64-bit compatible.

    When WHMCS 5.0 was released in November 2011 they called it a milestone release. Quote:

    Version 5.0 sees the introduction of a brand new client area design, introducing a fresh, modern and clean new look, completely rewritten to take full advantage of all the developments and improvements made to WHMCS in recent releases.

    A lot of stress has been on design and how modern the software now is thanks to their adoption of Twitter bootstrap. Wow. And what do we learn in terms of security improvements?

    Security is always a priority with the code we produce. And V5 sees a number of security related options that have been added:
    - Google reCAPTCHA support for preventing form spam
    - Added the ability to disable admin password resets in Setup > General Settings > Security
    - Custom FTP port support for Daily FTP Backups

    Seriously? That's how they made the latest milestone release more secure?

    As long as they don't invest their resources in rewriting the code, and instead focus on visual gimmicks and bug bounty sessions, I fear nothing good will come out of it.

  • @perennate said:
    Look at the patch details...

    All the details reveal is that they found a bunch of new vulnerabilities (XSS and SQL related), which, according to their knowledge, are not known to the public. It doesn't say anything about the severity of these vulnerabilities.

  • @Chumbi said:
    All the details reveal is that they found a bunch of new vulnerabilities (XSS and SQL related), which, according to their knowledge, are not known to the public. It doesn't say anything about the severity of these vulnerabilities.

    These SQLi are pretty public; many people were hit with them during these last few months before WHMCS finally bucked up and released a patch.

  • Sec risk again and again. We looked at whmcs a long time ago but security holes kept on piling up and we decided to just drop the idea of using it. So far it was a good decision and we have no regrets. Just an FYI.

  • oneilonline Member, Host Rep

    At least they're correcting the issues they find! LOL

  • shovenose Member, Host Rep

    "whmcs sucks blah blah" "i'm making something better" "this is ridiculous!" yet how many actual options are there still? 3! WHMCS, HostBill, Blesta! Same with SolusVM.

  • @shovenose said:
    "whmcs sucks blah blah" "i'm making something better" "this is ridiculous!" yet how many actual options are there still? 3! WHMCS, HostBill, Blesta! Same with SolusVM.

    ClientExec, HostBill, WHMCS, Blesta, BoxBilling, ......

    SolusVM, OpenPanel, OpenNebula, CloudStack, OpenStack, ......

    There are a lot of options if only you look hard enough.
