# WHMCS - finally a positive move



## MartinD (Oct 27, 2013)

http://localhost.re/p/whmcs


This should produce interesting results.


----------



## lbft (Oct 27, 2013)

Haha, sounds more like they want to have him arrested. Lure him into providing contact details or meeting in person.


----------



## matt[scrdspd] (Oct 27, 2013)

lbft said:


> Haha, sounds more like they want to have him arrested. Lure him into providing contact details or meeting in person.


That was my first initial thought as well. However, it makes one wonder why they have not chosen and hired a company/team to do this already. One would have thought this would have happened months (if not weeks) ago by now.


----------



## lifetalk (Oct 27, 2013)

So they're reaching out to one guy instead of a reputable audit firm? Sounds very suspicious, and that would be to say the least.


----------



## MartinD (Oct 27, 2013)

Uh, no lol. They're reaching out to the person who has been causing them so much (warranted) grief. It makes perfect sense.


----------



## Jack (Oct 27, 2013)

Who is Aaron?

I thought Joseph was CEO and Matt was just a _'coder'?_


----------



## Amitz (Oct 27, 2013)

That is (afaik) cPanel Aaron.


http://www.linkedin.com/in/aaronphillips


----------



## Francisco (Oct 27, 2013)

Jack said:


> Who is Aaron?
> 
> I thought Joseph was CEO and Matt was just a _'coder'?_


Remember, WHMCS sold a fairly large part of their business to cpanel.

Francisco


----------



## drmike (Oct 27, 2013)

Only way to approach this as the person with the exploits is with a real contract up front that clearly says this isn't a setup and they won't attempt prosecution or civil action.

Going naively to help them --- in pursuit of money --- usually ends up with legal action.

They need to farm the project out to a real firm and get to improving the codebase.


----------



## RiotSecurity (Oct 27, 2013)

I guess it wouldn't help the fact that their database has been leaked over the internet (as of yesterday) and that the admin login hashes were cracked.


----------



## dcdan (Oct 27, 2013)

RiotSecurity said:


> I guess it wouldn't help the fact that their database has been leaked over the internet (as of yesterday) and that the admin login hashes were cracked.


Wait, there was a new DB leak?


----------



## drmike (Oct 27, 2013)

RiotSecurity said:


> I guess it wouldn't help the fact that their database has been leaked over the internet (as of yesterday) and that the admin login hashes were cracked.


Ahh who was hacked exactly?


----------



## RiotSecurity (Oct 27, 2013)

drmike said:


> Ahh who was hacked exactly?


WHMCS.


----------



## WebSearchingPro (Oct 27, 2013)

RiotSecurity said:


> I guess it wouldn't help the fact that their database has been leaked over the internet (as of yesterday) and that the admin login hashes were cracked.


Ahh, I assume it's because WHMCS uses WHMCS. They are very high priority for these types of things. IIRC they use cloudflare now, I assume for the WAF features.

However, I am glad to see they are acknowledging their issue. Though, it is unfortunate it has taken them this long to realize that there is a problem. Many, many companies were hurt by automated whmcs exploit scripts, *something in the several thousands of whmcs installations have hidden accounts*.


----------



## RiotSecurity (Oct 27, 2013)

Alright, so I have to touch on a few things here, which they claim a "positive move" towards security.

As per this image here:

"Meeting face to face"

More like lawsuit face to face.

"Matt (CEO)"

Let's just stop right there, I've sent in countless bug reports, hell even talked to Matt via skype, he really doesn't give a damn about security.

So let's look at what that email really says:

"Is there any way I could lie to you to get your address?

I really want to send you a lawsuit.

Matt (CEO) and I are really pissed off right now.

We will be your worst nightmare if you're this stupid

--

Aaron

"

I couldn't honestly stop laughing for a while. In all seriousness, if they do get a security audit done, then I will applaud them.


----------



## perennate (Oct 27, 2013)

"Matt (CEO) and I will fly to wherever you are in the world" really makes the email a lot more suspicious.


----------



## MartinD (Oct 27, 2013)

Topics merged.


----------



## wlanboy (Oct 27, 2013)

WebSearchingPro said:


> However, I am glad to see they are acknowledging their issue. Though, it is unfortunate it has taken them this long to realize that there is a problem. Many, many companies were hurt by automated whmcs exploit scripts.


I was wondering why no one was using the exploits against WHMCS.

Maybe they are now seeing that they have to do something.


----------



## lifetalk (Oct 27, 2013)

MartinD said:


> Uh, no lol. They're reaching out to the person who has been causing them so much (warranted) grief. It makes perfect sense.


Exactly, and so therefore, very suspicious. It would be less suspicious if Aaron didn't word that email the way he did - 'can fly anywhere in the world' and 'we are friendly and good people'. Lol. I mean, c'mon, who writes a proposal email that way?


----------



## MartinD (Oct 27, 2013)

Because the tin-foil-hat donning people in this arena react just as you did.


----------



## Aldryic C'boas (Oct 27, 2013)

Regardless of original intentions, I highly doubt they'll attempt to contact the guy again, now knowing that any correspondence won't be taken seriously.


----------



## RiotSecurity (Oct 27, 2013)

MartinD said:


> http://localhost.re/p/whmcs
> 
> 
> This should produce interesting results.


(coughs)

X-Originating-IP: 91.138.253.244

TOR - Hol.gr


----------



## Damian (Oct 27, 2013)

TOR is the modern version of Schroedinger's cat...


----------



## Epidrive (Oct 28, 2013)

I've always ticketed them (the whmcs team) that they should do an external security audit, matt always replies back with 'we are taking care of this'


Good move on this though indeed.


----------



## lifetalk (Oct 28, 2013)

MartinD said:


> Because the tin-foil-hat donning people in this arena react just as you did.


You don't reach out to one single guy for an audit of a software as expansive and non-exhaustive as WHMCS, if you're serious about said audit. Granted the guy is causing you grief, but a single guy against a (possible) team of security professionals won't work.


----------



## zim (Oct 28, 2013)

yea that email reeks of a setup.. Hire a professional company with a team, insurance, and a reputation. LOL WE NEED A LONE WOLF TO SEC AUDIT  K THX


----------



## KuJoe (Oct 28, 2013)

lifetalk said:


> You don't reach out to one single guy for an audit of a software as expansive and non-exhaustive as WHMCS, if you're serious about said audit. Granted the guy is causing you grief, but a single guy against a (possible) team of security professionals won't work.


If they can pay that single guy any amount of money to sign an NDA, even if he doesn't find any exploits during that time it's still worth the money for them. Their goal is most likely preventing public disclosure more than obtaining an actual audit since, like you said, they would be better off going to a reputable team.


----------



## nunim (Oct 28, 2013)

RiotSecurity said:


> (coughs)
> 
> X-Originating-IP: 91.138.253.244
> 
> TOR - Hol.gr


?


----------



## Rob T (Oct 28, 2013)

With the resources cPanel has at their disposal, if they wanted to file a lawsuit against this guy for disclosing security vulnerabilities, they could easily do it.  I doubt they were trying to "lure" him in to file suit - what are they going to sue him for?  What damages could they collect?

Now, hiring him as a consultant to get him to sign an NDA, that is just smart business...


----------



## KuJoe (Oct 29, 2013)

It's also worth noting that the screenshot shows "- Show quoted text -" meaning there is more to the conversation than was posted so looking at it in that context, I'm not sure what to think because at first glance it looks like "We want to find you." but since there was an on-going conversation prior to that it could be a response to a previous reply in which case it would look like a genuine offer.

Either way, this was WHMCS's first positive move in restoring some faith in them.


----------



## perennate (Oct 29, 2013)

KuJoe said:


> Either way, this was WHMCS's first positive move in restoring some faith in them.


Seems like they just fixed a few bugs that were reported / discovered. (Doesn't the PHP processor already take care of HTTP split attacks?) A real positive move would be to get rid of register globals and replace their custom SQL processing with PDO stored procedures.


----------
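The replacement perennate recommends above, as an added example that is not part of the thread and not WHMCS's own code: a hand-concatenated query of the kind a "custom SQL processing" layer tends to produce, shown next to a PDO prepared statement. The in-memory SQLite database, the `admins` table and its columns are constructed for the demonstration and are not WHMCS's schema; the script assumes the `pdo_sqlite` extension is available. (register_globals itself needs no code to remove: PHP dropped it in 5.4, so the fix there is reading `$_GET`/`$_POST` explicitly, as the second function does.)

```php
<?php
// Added example (not WHMCS code). Assumes pdo_sqlite; the `admins` table is constructed.

function buildVulnerableQuery(string $username): string
{
    // Manual concatenation: the caller's input becomes part of the SQL grammar.
    // Returned as a string for inspection only; it is never executed here.
    return "SELECT id, username FROM admins WHERE username = '" . $username . "'";
}

function openSampleDb(): PDO
{
    // Constructed in-memory database with a hypothetical admins table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO admins (username) VALUES (:u)');
    foreach (['admin', 'billing'] as $u) {
        $ins->execute([':u' => $u]);
    }
    return $db;
}

function findAdminSafely(PDO $db, string $username): ?array
{
    // Prepared statement: the value is bound as data and never parsed as SQL,
    // so a quote in the input only ever matches a username containing a quote.
    $stmt = $db->prepare('SELECT id, username FROM admins WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openSampleDb();

// Constructed inputs: a normal lookup and a string that breaks out of the quotes.
// In a real handler this would come from an explicit $_GET['username'] / $_POST
// read, not from a register_globals-style variable.
$inputs = ['admin', "' OR '1'='1"];
foreach ($inputs as $in) {
    echo 'input: ' . var_export($in, true) . PHP_EOL;
    echo '  concatenated SQL: ' . buildVulnerableQuery($in) . PHP_EOL;
    $row = findAdminSafely($db, $in);
    echo '  prepared statement result: ' . ($row ? "row id {$row['id']}" : 'no row') . PHP_EOL;
}
```

Run with `php example.php`. The first input returns the `admin` row; for the second, the concatenated string shows the altered SQL a manual escaping layer has to defend against, while the prepared statement simply finds no user with that literal name.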



## KuJoe (Oct 29, 2013)

perennate said:


> Seems like they just fixed a few bugs that were reported / discovered. (Doesn't PHP processor already take care of HTTP split attacks?) A real positive move would be to get rid of register globals and replace their custom SQL processing with PDO stored procedures.


They fixed multiple bugs/exploits that their team and a software auditor found. This means that somebody else is looking at the code at least which is a step in the right direction.


----------



## Francisco (Oct 29, 2013)

KuJoe said:


> They fixed multiple bugs/exploits that their team and a software auditor found. This means that somebody else is looking at the code at least which is a step in the right direction.


You'd think that being part of cpanel they would have a preferred team. Honest question, when was the last time cPanel had a 0 day exploit?

I've seen some XSS stuff but nothing granting root in ages.

Francisco


----------



## RiotSecurity (Oct 29, 2013)

Francisco said:


> You'd think that being part of cpanel they would have a preferred team. Honest question, when was the last time cPanel had a 0 day exploit?
> 
> 
> I've seen some XSS stuff but nothing granting root in ages.
> ...


Personally, this is the last one I can find regarding cPanel 0day: http://www.exploit-db.com/wp-content/themes/exploit/docs/14864.pdf


----------



## Francisco (Oct 29, 2013)

RiotSecurity said:


> Personally, this is the last one I can find regarding cPanel 0day: http://www.exploit-db.com/wp-content/themes/exploit/docs/14864.pdf


Christ don't give them any ideas about rewriting WHMCS into PERL.

Francisco


----------



## Aldryic C'boas (Oct 29, 2013)

But that would solve almost all the issues I have with it >_>

Besides, you know cPanel took a look at that source after buying in, and thought "Bloody hell what have we done".


----------



## KuJoe (Oct 29, 2013)

WHMCS has until November 31st to restore my confidence, if not then I'll cut my losses and pull the trigger on Blesta which we've already done a successful import to and could make it live now but I'm giving WHMCS another chance in hopes of salvaging all of the work I've already done.


----------



## Aldryic C'boas (Oct 30, 2013)

KuJoe said:


> WHMCS has until November 31st to restore my confidence


So what you're saying is, they have an indefinite amount of time? 

Semantics aside;  this mess is getting a bit old.  Both the kid dicking them around and WHMCS themselves for expecting us to believe that a couple of incremental patches will fix poor coding.  Realistically, you can expect the same poor coding practices throughout the entire platform - leaving it to just be a matter of time before very similar exploits are found.  I wouldn't count on confidence unless they suddenly announce that not only have they brought in a new group of experienced coders, but the next release would be WHMCS 6 rather than these silly band-aid patches.


----------



## KuJoe (Oct 30, 2013)

Aldryic C said:


> So what you're saying is, they have an indefinite amount of time?
> 
> Semantics aside;  this mess is getting a bit old.  Both the kid dicking them around and WHMCS themselves for expecting us to believe that a couple of incremental patches will fix poor coding.  Realistically, you can expect the same poor coding practices throughout the entire platform - leaving it to just be a matter of time before very similar exploits are found.  I wouldn't count on confidence unless they suddenly announce that not only have they brought in a new group of experienced coders, but the next release would be WHMCS 6 rather than these silly band-aid patches.


This year of course. That's when 5.1.x is EOL and I'm not confident enough to upgrade to 5.2.x with the recent craziness. 

I'm not expecting a complete re-write in the next month but if they can provide me something that would make me believe they are serious about providing a critical piece of software then I'll be willing to wait it out until they can get 6.0 out but if they force me to upgrade to a version I'm not comfortable with (5.2.x) then I can just as easily migrate to Blesta which has given me little reason to doubt their coding even though it's probably due to them being so new they aren't as big of a target as WHMCS.


----------



## George_Fusioned (Oct 30, 2013)

KuJoe said:


> WHMCS has until November 31st to restore my confidence.





Aldryic C said:


> So what you're saying is, they have an indefinite amount of time?





KuJoe said:


> This year of course.


I think what Aldryic wants to say here is that November only has 30 days


----------



## kaniini (Oct 30, 2013)

lbft said:


> Haha, sounds more like they want to have him arrested. Lure him into providing contact details or meeting in person.


Arrested for what, exactly?  Posting 0day, while anti-social, isn't illegal.


----------



## KuJoe (Oct 30, 2013)

George_Fusioned said:


> I think what Aldryic wants to say here is that November only has 30 days


Good catch. I wonder if I can use that excuse when they try to EOL 5.1.x next month.


----------



## RiotSecurity (Oct 30, 2013)

KuJoe said:


> WHMCS has until November 31st to restore my confidence, if not then I'll cut my losses and pull the trigger on Blesta which we've already done a successful import to and could make it live now but I'm giving WHMCS another chance in hopes of salvaging all of the work I've already done.


I enjoy Blesta 3, due to the multiple company support personally.

Also due to the fact, they actually care (or do a very good act of caring) about the software, unlike WHMCS.


----------



## RiotSecurity (Oct 30, 2013)

kaniini said:


> Arrested for what, exactly?  Posting 0day, while anti-social, isn't illegal.


However copyright infringement is.


----------



## KuJoe (Oct 30, 2013)

RiotSecurity said:


> I enjoy Blesta 3, due to the multiple company support personally.
> 
> Also due to the fact, they actually care (or do a very good act of caring) about the software, unlike WHMCS.


I like it a lot based on the demo we have installed but there are a lot of factors involved and it would be a lot better for us financially to stick with WHMCS.


----------



## ShardHost (Oct 30, 2013)

KuJoe said:


> WHMCS has until November 31st to restore my confidence, if not then I'll cut my losses and pull the trigger on Blesta which we've already done a successful import to and could make it live now but I'm giving WHMCS another chance in hopes of salvaging all of the work I've already done.


How long did your Blesta import take?


----------



## KuJoe (Oct 30, 2013)

ShardHost said:


> How long did your Blesta import take?


Less than 2 minutes, it probably would have been faster but we run our dev stuff on a shared hosting server for simplicity.


----------



## ShardHost (Oct 30, 2013)

Thanks for the info.  We'll be planning a Blesta test run migration shortly.


----------



## ToXIQuE (Nov 13, 2013)

Hahahaha MartinD


----------

