# WHMCS Security Advisory TSR-2014-0001



## XFS_Duke (Jan 21, 2014)

WHMCS released another security update...

http://blog.whmcs.com/?t=84387

At least they're fixing issues regularly now.

=========================================
  Important Maintenance Issue Information
=========================================

This Advisory provides resolution for the following important maintenance
issues:

  Case #2557 - 2Checkout Gateway: Update to currency variable
  Case #2623 - Fix calculations of promotions when more than 50% off
  Case #2739 - Add TLD Specific Fields required for .CN domain registrations
  Case #2874 - Authorize.net Echeck: Fix capture function behaving incorrectly
  Case #3019 - Refine internal criteria for bulk domain lookup
  Case #3030 - Resolve SQL error in Income by Product Report
  Case #3086 - Nominet Registrar: Update to Contact Registration Logic for Individuals
  Case #3116 - Required Custom Fields not validating correctly when using API
  Case #3360 - Resolved issue where one time promotions could be treated as recurring
  Case #3360 - Disable Recur For input box when Recurring is disabled
  Case #3361 - Fix time limited recurring promotions calculating incorrectly
  Case #3388 - Fix Invalid Token Error when applying credit in Original and Portal Client Templates
  Case #3414 - Payflow Pro: Update to store PayFlow Reference in PayFlow Mode
  Case #3617 - Do not CC password reset emails to sub-accounts
  Case #3740 - ProtX VSP Form: Pass correct callback values to debug log
  Case #3801 - Resolved PDF Quotes missing clients name/address
  Case #3802 - Make a quantity of zero remove item from the cart
  Case #3809 - Regular Expression Custom Field Validation failing on single quotes
  Case #3811 - Resolve Invalid Token error when deleting recurring calendar entry
  Case #3814 - Improvements to IPv6 detection and validation logic
  Case #3862 - NameCheap Registrar: Fix incorrect function name call
  Case #3864 - Authorize.net Echeck: Fix storage of bank account details
  Case #3893 - Enom SSL Module: Fix Province is Required Error Message

=========================================
  Security Issue Information
=========================================

This Advisory provides resolution for several security issues, all of which were
either reported privately via the Security Bounty Program or found internally by
the WHMCS Development team as part of the regular on-going internal security
audits.

There is no reason to believe that any of these vulnerabilities are known to the
public. As such, WHMCS will only release limited information about the
vulnerabilities at this time.

Once sufficient time has passed, WHMCS will release additional information about
the nature of the security issues.

  Case #3637 - Improve Access Controls in Project Management Addon
  Case #3782 - Improve Access Controls in Tickets
  Case #3783 - Improve Access Controls in Invoices
  Case #3784 - Resolve Admin Area SQL Injection Vulnerability
  Case #3839 - Resolve Potential XSS Vulnerability
  Case #3841 - Resolve Potential XSS Vulnerability
  Case #3842 - Resolve Potential XSS Vulnerability
  Case #3843 - Resolve Potential XSS Vulnerability
  Case #3846 - Improve Access Controls in Tickets
  Case #3922 - PayPal Express Checkout Improve Validation
  Case #3931 - Potential header injection via whois lookups
  Case #3932 - Improve sanitization for whois query

All supported versions of WHMCS are affected by one or more of these maintenance
and security issues.


----------



## NodePacket (Jan 21, 2014)

Yet another one! Thanks


----------



## Jonathan (Jan 21, 2014)

Go figure!

Thanks for the heads up.  Guess it's too hard for them to email their licensees...


----------



## MannDude (Jan 21, 2014)

KnownHost-Jonathan said:


> Go figure!
> 
> Thanks for the heads up.  Guess it's too hard for them to email their licensees...


It's possible that they did, just taking time to get to everyone


----------



## Jonathan (Jan 21, 2014)

MannDude said:


> It's possible that they did, just taking time to get to everyone


They never do


----------



## mikho (Jan 21, 2014)

KnownHost-Jonathan said:


> They never do


They have but not everyone at once.


----------



## Patrick (Jan 21, 2014)

KnownHost-Jonathan said:


> They never do


They always do and I've received them every time, yes, maybe a few hours before someone posted on WHT, but that's probably because they have a large list.

Also received the one relating to this a few hours ago.


----------



## joepie91 (Jan 22, 2014)

XFS_Duke said:


> Case #2623 - Fix calculations of promotions when more than 50% off
> 
> [...]
> 
> ...


I laughed.


----------



## VPSCorey (Jan 22, 2014)

Probably using the WHMCS mass mail tool with default settings.


----------



## JPC-Sabrina (Jan 27, 2014)

I agree, even if everyone didn't get a notification, although they should have, at least it was shored up quickly.


----------



## iWF-Jacob (Jan 27, 2014)

We definitely received a notification, actually before we received the HostingSecList email which usually we receive first. Who knows, maybe we were at the front of the list this time...


----------

