# WHMCS Security Advisory



## Coastercraze (Nov 21, 2013)

http://blog.whmcs.com/?t=81890

Better update your WHMCS installations.


----------



## peterw (Nov 21, 2013)

```
Case 3492
Remove dependency on unserialize() for admin table sorting

=== Severity Level ===
Important

=== Description ===
Object Injection Attack.
An attacker, once authenticated into the admin area of the product, could leverage user input passed to unserialize() to execute arbitrary PHP.
```

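The bug class the advisory describes, and the fix direction it names (removing unserialize() from the sort-state handling), as an added PHP example that is not WHMCS code: the vulnerable form hands a request parameter to unserialize(), the hardened form parses it as JSON and checks every field against an allow-list. Function names, parameter names and the column list are assumptions.

```php
<?php
// Added example, not WHMCS code. Shows user input reaching unserialize() and a
// replacement that never instantiates objects from request data.

// Columns an admin table may legitimately be sorted by (assumed names).
const ALLOWED_SORT_COLUMNS = ['id', 'clientname', 'status', 'date'];

// VULNERABLE: the table's sort state round-trips through the request as a
// serialized PHP value. unserialize() instantiates whatever classes the input
// names and runs their __wakeup()/__destruct() hooks, so code chosen by the
// request author executes before this function even returns.
function sortStateVulnerable(array $request)
{
    return unserialize($request['sortstate']); // request-controlled object graph
}

// HARDENED: accept only a flat JSON object, then validate each field against an
// allow-list. JSON cannot express PHP objects, so no class is ever instantiated,
// and the returned values come from fixed sets rather than from the request.
function sortStateHardened(array $request): array
{
    $default = ['orderby' => 'id', 'direction' => 'ASC'];
    if (!isset($request['sortstate']) || !is_string($request['sortstate'])) {
        return $default;
    }
    $decoded = json_decode($request['sortstate'], true);
    if (!is_array($decoded)) {
        return $default;
    }
    $column    = $decoded['orderby'] ?? '';
    $direction = $decoded['direction'] ?? 'ASC';
    if (!is_string($column) || !in_array($column, ALLOWED_SORT_COLUMNS, true)) {
        $column = 'id';
    }
    $direction = is_string($direction) ? strtoupper($direction) : 'ASC';
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        $direction = 'ASC';
    }
    // Both values are now drawn from fixed sets, so they can be spliced into ORDER BY.
    return ['orderby' => $column, 'direction' => $direction];
}

// Constructed sample inputs: a well-formed sort request and a malformed one.
$wellFormed = ['sortstate' => '{"orderby":"status","direction":"desc"}'];
$malformed  = ['sortstate' => '{"orderby":"status; --","direction":"UP"}'];
var_dump(sortStateHardened($wellFormed));
var_dump(sortStateHardened($malformed)); // unknown values fall back to the defaults
```

On PHP 7.0 and later, `unserialize($s, ['allowed_classes' => false])` refuses to create objects, but removing the call altogether, as the advisory's fix does, leaves nothing for a later code change to weaken.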

----------



## Jack (Nov 21, 2013)

Anyone else getting invalid token on replying to tickets?


----------



## MartinD (Nov 21, 2013)

Do a hard refresh or clear your cache.

Currency symbol issue too... that's resolved with some patches from WHMCS.


----------



## InertiaNetworks-John (Nov 21, 2013)

Oh gosh.... here we go yet again!!


----------



## XFS_Duke (Nov 21, 2013)

InertiaNetworks-John said:


> Oh gosh.... here we go yet again!!


Yea, at least they're fixing things.


----------



## InertiaNetworks-John (Nov 21, 2013)

XFS_Duke said:


> Yea, at least they're fixing things.


Very true. I believe that they came out with this bug and not some third party?


----------



## ComputerTrophy (Nov 21, 2013)

In my opinion WHMCS should be contacting CloudFlare as well with vulnerability details so CloudFlare can develop their Web Application Firewall. Such a partnership could be great, since CloudFlare could block the vulnerabilities in the first hour before they're even patched.


----------



## KuJoe (Nov 21, 2013)

So the only security exploit that was patched was one that allows an admin to run PHP code on my server? Considering all of the admins in my WHMCS have root access to the server already this is not a huge concern.


----------



## InertiaNetworks-John (Nov 21, 2013)

KuJoe said:


> So the only security exploit that was patched was one that allows an admin to run PHP code on my server? Considering all of the admins in my WHMCS have root access to the server already this is not a huge concern.


Very true, but you have to realize for bigger companies, this may not be the case.


----------



## Aldryic C'boas (Nov 21, 2013)

InertiaNetworks-John said:


> Very true, but you have to realize for bigger companies, this may not be the case.


Hell, we have a small staff, and it's not the case with us, either.  I'm the only one with full WHMCS privs (Fran doesn't even have a login, although he and I are the only two with keys on that box).  Though granted, we don't bring anyone onboard as staff unless we're willing to put a LOT of trust into them anyways.


----------



## Coastercraze (Nov 21, 2013)

KuJoe said:


> So the only security exploit that was patched was one that allows an admin to run PHP code on my server? Considering all of the admins in my WHMCS have root access to the server already this is not a huge concern.


No there is more... Read the blog post.


----------



## Hannan (Nov 21, 2013)

Hopefully this one is the last one.. fixes the issues!


----------



## InertiaNetworks-John (Nov 21, 2013)

Hannan said:


> Hopefully this one is the last one.. fixes the issues!


Hopefully...


----------



## hostthebest (Nov 27, 2013)

The new update: http://blog.whmcs.com/?t=82298


----------



## nunim (Nov 27, 2013)

I keep getting invalid token errors, mainly in Intelligent Search but I see them from time to time elsewhere.


----------



## InertiaNetworks-John (Nov 28, 2013)

hostthebest said:


> The new update: http://blog.whmcs.com/?t=82298


I love the comments to this blog post!


----------



## fapvps (Nov 28, 2013)

I'm very happy to see that they are working on the product they are selling. It was very frustrating to deal with the 0day exploits that came out recently. It is really a good thing that they are releasing the updates often. I'll gladly apply a weekly incremental patch to keep the billing system secure and as bug free as possible. I don't understand why people would complain about WHMCS releasing updates... People should complain if they don't release updates...


----------



## ExonHost (Nov 28, 2013)

They released another patch for 5.2.13 and 5.1.14 and patched our installation.


----------

