# WHMCS Security Advisory



## George_Fusioned (May 17, 2013)

This just came in the mail:



> ========================================
> WHMCS Security Advisory for 4.5, 5.0, 5.1, 5.2
> http://blog.whmcs.com/?t=73290
> ========================================
> ...


----------



## George_Fusioned (May 17, 2013)

From what I've been reading, the guys at WHMCS managed to release an update that breaks things, again.



> this fix breaks the ability for customers to order domains.


----------



## Patrick (May 17, 2013)

George_Fusioned said:


> From what I've been reading, the guys at WHMCS managed to release an update that breaks things, again.


Just tried and I couldn't add domain to cart either, page just reloads.

Well more bugs, nothing new here


----------



## serverian (May 17, 2013)

Why don't I get these mails?


----------



## Daniel (May 17, 2013)

serverian said:


> Why don't I get these mails?


Because you have a decoded version of WHMCS so you can fix it yourself?


----------



## George_Fusioned (May 17, 2013)

serverian said:


> Why don't I get these mails?


It's a known fact that it takes hours for WHMCS to send out security advisory emails - that's why I posted it here


----------



## TruvisT (May 17, 2013)

George_Fusioned said:


> From what I've been reading, the guys at WHMCS managed to release an update that breaks things, again.


AGAIN!? 

They broke domains last time, didn't they?


----------



## Jono20201 (May 17, 2013)

TruvisT said:


> AGAIN!?
> 
> They broke domains last time, didn't they?


Yup, they did a while back.


----------



## TruvisT (May 17, 2013)

Jono20201 said:


> Yup, they did a while back.


You would think they would learn by now, and I would get domain orders right after the updates.

Seriously, considering leaving WHMCS now.


----------



## weservit (May 17, 2013)

I hope that there will be an official WHMCS -> Hostbill migration script sometime so we can move to Hostbill. We are using Hostbill for some other services and I have to say that I like Hostbill over WHMCS.


----------



## shovenose (May 17, 2013)

Can domain orders still be created from the admin side?


----------



## Jono20201 (May 17, 2013)

TruvisT said:


> You would think they would learn by now, and I would get domain orders right after the updates.
> 
> Seriously, considering leaving WHMCS now.


Everyone says that every time they release a security update, however there isn't any good alternative that offers a good migration script and is not silly priced. If there was good competition WHMCS would quickly lose market share.


----------



## xBytez (May 17, 2013)

Thanks for notifying


----------



## TommehM (May 17, 2013)

They emailed me about this ~3 days ago


----------



## George_Fusioned (May 17, 2013)

btw the domain ordering issue has been fixed. You need to re-download the patch, which now has the fixed class.init.php file.

(I really don't understand why it's so difficult to call this v5.2.5.1 so that people know whether they've got the fixed version or not...)


----------



## mitgib (May 17, 2013)

George_Fusioned said:


> btw the domain ordering issue has been fixed. You need to re-download the patch, which now has the fixed class.init.php file.
> 
> (I really don't understand why it's so difficult to call this v5.2.5.1 so that people know whether they've got the fixed version or not...)


Awesome, was unable to accept orders all day, and no response to my ticket, what a bunch of slackers


----------



## SPINIKR-RO (May 17, 2013)

Haven't got this one yet, I know the last one broke transaction acks iirc.


----------



## coreyman (May 17, 2013)

I got the email and I did a facepalm wondering when the auto update feature will come out. I swear it seems like I've been updating WHMCS every few weeks.


----------



## George_Fusioned (May 17, 2013)

coreyman said:


> I got the email and I did a facepalm wondering when the auto update feature will come out. I swear it seems like I've been updating WHMCS every few weeks.


To be honest, I prefer replacing files over FTP on my own 

I'm sure the time will come where their auto update feature will have a dot or a backslash too much, which will completely screw the WHMCS installation.


----------



## DamienSB (May 17, 2013)

George_Fusioned said:


> To be honest, I prefer replacing files over FTP on my own
> 
> I'm sure the time will come where their auto update feature will have a dot or a backslash too much, which will completely screw the WHMCS installation.


I wouldn't trust anything to automatically overwrite any software that is billing or production related. What if WHMCS gets hit again and someone pushes a bad update to every WHMCS user?


----------



## TruvisT (May 17, 2013)

George_Fusioned said:


> btw the domain ordering issue has been fixed. You need to re-download the patch, which now has the fixed class.init.php file.
> 
> (I really don't understand why it's so difficult to call this v5.2.5.1 so that people know whether they've got the fixed version or not...)


THIS. I checked for a new patch today, and still saw the old one. Why can't they do minor patches for crying out loud?


----------



## George_Fusioned (May 17, 2013)

DamienSB said:


> I wouldn't trust anything to automatically overwrite any software that is billing or production related. What if WHMCS gets hit again and someone pushes a bad update to every WHMCS user?


My point exactly


----------



## coreyman (May 17, 2013)

DamienSB said:


> I wouldn't trust anything to automatically overwrite any software that is billing or production related. What if WHMCS gets hit again and someone pushes a bad update to every WHMCS user?





George_Fusioned said:


> My point exactly


So I guess no one here uses Cpanel? What happens if Cpanel gets hit again and a bad update gets pushed to every cpanel user? A lot more than just 'WHMCS' could be compromised. If you remember, WHMCS was bought out by Cpanel recently.


----------



## DamienSB (May 17, 2013)

coreyman said:


> So I guess no one here uses Cpanel?


You can turn off auto updates on cpanel.


----------



## coreyman (May 17, 2013)

DamienSB said:


> You can turn off auto updates on cpanel.


I'm sure you would be able to do the same on WHMCS if they implemented the feature... same company and all. Not everyone turns it off though... so then we are still left with a bunch of 'compromise able' systems I guess.


----------



## DamienSB (May 17, 2013)

coreyman said:


> I'm sure you would be able to do the same on WHMCS if they implemented the feature... same company and all. Not everyone turns it off though... so then we are still left with a bunch of 'compromise able' systems I guess.


No system is perfect, but I do hope they allow us to disable the system.


----------



## coreyman (May 17, 2013)

DamienSB said:


> No system is perfect, but I do hope they allow us to disable the system.


On another note, even though you turn off automatic updating from cpanel.... Do you download cpanel from them again and use rsync to replace files or something? Surely you aren't replacing every file one by one. Everything is encoded as well - so how are you to know if there is an exploit in the software or not. Do you have some policy to wait a certain amount of time to let everyone else test the waters and see if there is an exploit or not?


----------



## DamienSB (May 17, 2013)

cpanel has a better track record than WHMCS in this regard.


----------



## coreyman (May 17, 2013)

DamienSB said:


> cpanel has a better track record than WHMCS in this regard.


That's true but do you feel as if they are cleaning up with the new merger?


----------



## DamienSB (May 17, 2013)

coreyman said:


> That's true but do you feel as if they are cleaning up with the new merger?


I don't think WHMCS will change at all. Honestly, I think they've gotten worse with it.


----------



## Licensecart (May 22, 2013)

TruvisT said:


> You would think they would learn by now, and I would get domain orders right after the updates.
> 
> Seriously, considering leaving WHMCS now.


I already am preparing to move. WHMCS is just not good enough anymore.


----------



## VPSDATABASE (May 26, 2013)

They broke the auto tick on select all option too.


----------



## jhadley (May 26, 2013)

CubicWebs said:


> I already am preparing to move. WHMCS is just not good enough anymore.


What are you moving to?


----------



## rsk (May 26, 2013)

jhadley said:


> What are you moving to?


 

Definitely not hostbill I hope haha


----------



## InertiaNetworks-John (May 26, 2013)

Sometimes I wonder about WHMCS. We are currently using HostBill, but plan to move over to Blesta when it comes out. It looks very good so far!


----------

