# WHMCS 24/10/2013 Vuln



## DamienSB (Oct 24, 2013)

http://localhost.re/p/whmcs-v5210-vulnerability

FOUR..

This isn't a really big issue, but it does give people the ability to get name/address/phone number from other customers.


----------



## Magiobiwan (Oct 24, 2013)

http://localhost.re/p/whmcs-v5210-vulnerability

You've got to be kidding me. ANOTHER ONE.

EDIT: On a related note, http://pastie.org/8428341


----------



## trewq (Oct 24, 2013)

Ridiculous.


----------



## serverian (Oct 24, 2013)

Put this in configuration.php to patch it:

```php
// Hotfix for configuration.php: refuse any request that passes invoiceids as an array.
if (isset($_REQUEST['invoiceids']) && is_array($_REQUEST['invoiceids'])) { die('no'); }
```


----------



## Magiobiwan (Oct 24, 2013)

On a related note, http://pastie.org/8428341. This is freaking RIDICULOUS.


----------



## HostVenom - Brandon (Oct 24, 2013)

I would hope a security audit is already in progress with these constant problems.


----------



## perennate (Oct 24, 2013)

Edit: nevermind


----------



## XLvps (Oct 24, 2013)

I may just go back to old school paypal "buy it now" buttons.


----------



## scv (Oct 24, 2013)

Yeah, desire to build a WHMCS replacement rising.


----------



## DragonDF (Oct 24, 2013)

Every day a new one?
heeheheh



Some providers are working on it now. WHM is down!


----------



## MannDude (Oct 24, 2013)

Merged the 3 threads into one.


----------



## WSWD (Oct 24, 2013)

http://blog.whmcs.com/?t=80587


----------



## jarland (Oct 24, 2013)

Excel spreadsheets and email addresses for your company like [email protected] or [email protected] That'll secure it.


----------



## Kakashi (Oct 24, 2013)

Another day another vulnerability -_-


----------



## WebSearchingPro (Oct 24, 2013)

Just a little note, this post was posted at 01:01:01 AM +0000 October 25th 2013 - So there may be something more sinister in the making.


----------



## rds100 (Oct 25, 2013)

Fuck this shit. Anyone moved to Blesta? Does it work well? I'm considering it...


----------



## Raymii (Oct 25, 2013)

Maybe they're going to do a 12 days of Christmas, 12 days of WHMCS exploits later on in December


----------



## tallship (Oct 25, 2013)

scv said:


> Yeah, desire to build a WHMCS replacement rising.


There remains the promise of http://WHSuite.com but no word on progress at all. And then there's Blesta, which has promise w/the participation of 3rd party developers, yet w/o that is still pretty much just a billing platform for webhosting.

HostBill works nicely, when it works at all, and if you're really daring you can even take a chance on destroying your entire business each week by performing updates, which usually break something else that was previously working, but only a fool would consider that app now.

I'm actually considering going back to a simple script based system much like http://prgmr.com/ - or at least re-deploying under a different brand for those services.


----------



## peterw (Oct 25, 2013)

Kakashi said:


> Another day another vulnerability -_-


Sad but true.


----------



## GIANT_CRAB (Oct 25, 2013)

New patch was released but the version number doesn't change after updating.

I guess they're paying "so much attention" to fixing the issue that they "accidentally forgot" about the version number.

Even minor issues like this (version number) are overlooked; it's really unsafe to continue using WHMCS.


----------



## rds100 (Oct 25, 2013)

Well, at least this time they published MD5 checksums of all the archives. So they can't just fix this "version not increased" thing silently. They will release a new patch (5.2.12) shortly.


----------



## ServerBros (Oct 25, 2013)

5.2.12 is now out, updated and correct version showing

http://go.whmcs.com/254/5212_incremental


----------



## lbft (Oct 25, 2013)

DamienSB said:


> This isn't a really big issue, but it does give people the ability to get name/address/phone number from other customers.


Leaking personally identifiable information is serious and could cause legal problems for providers in parts of the world with sensible laws on data breaches.


----------



## DamienSB (Oct 25, 2013)

lbft said:


> Leaking personally identifiable information is serious and could cause legal problems for providers in parts of the world with sensible laws on data breaches.


It isn't as big as SQLi, and can be avoided by disabling mass pay. So no, it's not as big of an issue as the first few were this month.


----------



## bizzard (Oct 25, 2013)

Well, yet another vulnerability. Feels like it's a good time to give a demo of the panel my team was developing for our internal billing. It now can handle individual invoices, recurring invoices, customer login, shopping cart and basic support tickets. If anyone is interested in developing it, as a community project, under a GPL-compatible license, it will be great.

Will try to set up a demo tonight. Not completely sure of it, as I have a friend of mine in hospital who had an accident today.


----------



## KuJoe (Oct 25, 2013)

Last patch/e-mail has restored some confidence in WHMCS, not a lot, but some.


----------



## Damian (Oct 25, 2013)

I find it somewhat entertaining that there's plenty of sentiment like *OH NOT AGAIN FUCK THIS IM GOING TO <xyz> PANEL INSTEAD*, when every single one of us are using other software that's had heinous security issues, usually due to poor coding practices.

The blog post I looked at had five other security issues fixed also. They're working on it. Yes, "localhost"'s method of "LOZL THESE GUYS R DUM HERES THE HACK" is unethical, but I'm pretty sure all of us are keeping on top of things otherwise.

Let's all chill out and relax: they're fixing it.

For those considering moving to Blesta, there's various issues with a 1:1 migration. Don't think you're going to run a script and just turn off WHMCS and turn on Blesta and go about your day. Read http://www.blesta.com/forums/index.php?/topic/960-whmcs-migrator-beta-updated-2013-10-24/?p=10488 onward. Also consider that Blesta is missing some payment gateways and doesn't do product addons at all.

Now, the difference here is that the Blesta team is actively working on everything. They're participating in forums. They're making changes that you can see. 

Blesta might not be the _immediate_ replacement, but it's coming along nicely otherwise.


----------



## datarealm (Oct 25, 2013)

Damian said:


> Let's all chill out and relax: they're fixing it.
> 
> Now, the difference here is that the Blesta team is actively working on everything. They're participating in forums. They're making changes that you can see.
> 
> Blesta might not be the _immediate_ replacement, but it's coming along nicely otherwise.


Free market at work...  

Thankfully whmcs is not just rolling over and is instead making patches.

Meanwhile others are smelling opportunity to dethrone the king and coming up with viable alternatives.  Once whmcs has shored up their code, they will need to continue to innovate if they wish to remain in business.

Either way, hosting companies should win....


----------



## jarland (Oct 25, 2013)

rds100 said:


> Fuck this shit. Anyone moved to Blesta? Does it work well? I'm considering it...


The flow of setting up products is so different coming from whmcs. On top of that, adding a product that it can't push a signal somewhere to provision seems stupid difficult. There's no "none" module but instead "universal" that seems to freak out at having nothing to do. I may need to read more but first impression based on that was bad. If it doesn't have a module you're really expected to write one or make it fit the universal one, not just manually provision your products.


----------



## Damian (Oct 25, 2013)

jarland said:


> The flow of setting up products is so different coming from whmcs. On top of that, adding a product that it can't push a signal somewhere to provision seems stupid difficult. There's no "none" module but instead "universal" that seems to freak out at having nothing to do. I may need to read more but first impression based on that was bad. If it doesn't have a module you're really expected to write one or make it fit the universal one, not just manually provision your products.


I'll give you a dollar if you can figure out how to add an addon to an existing product. :X


----------



## KuJoe (Oct 25, 2013)

I coded a SolusVM replacement for WHMCS that was 95% done and am in the process of porting it over to Blesta. In terms of documentation, Blesta blows WHMCS out of the water. In terms of ease of implementation, WHMCS wins hands down. WHMCS makes it extremely simple to code a custom module while Blesta basically wants you to code a completely separate script that kind of integrates with Blesta. While I like the idea, it will require a complete rewrite of my module for it to work with Blesta and even after reading the documentation I am still very lost in how to proceed. 

At this point, I am debating on whether to just turn the module into a WHMCS replacement also since it would probably take the same amount of time just to convert what I have.


----------



## lifetalk (Oct 25, 2013)

I'm beginning to wonder how many more times localhost will need to publicly release exploits on WHMCS before they actually consider an external audit and programmers that are not a complete joke.


----------



## shovenose (Oct 25, 2013)

lifetalk said:


> I'm beginning to wonder how many more times localhost will need to publicly release exploits on WHMCS before they actually consider an external audit and programmers that are not a complete joke.


If they ever actually fix their problems.


----------



## Lee (Oct 25, 2013)

Whilst it is painful, look at it from the point of view that WHMCS is getting a really good audit right now by someone/people who clearly know what to look for and are publishing the results, forcing quick action to remedy the issue. The end result has to be a better product.

It's creating pain all round, no doubt about that.

Of course everyone is rushing about trying to create their own panel which is great but is their haste creating something that is any better security wise?  I doubt it.


----------



## KuJoe (Oct 25, 2013)

The last communication from them shows that there are a lot of people looking at the code now including a well respected software auditor (vld) which makes me feel a bit better even though our WHMCS dev install is being used primarily to convert over to Blesta as a precaution.


----------



## tallship (Oct 25, 2013)

Although there were patches released relatively quickly, thanks in large part to contributors here at VPSBoard and the full disclosure independent security teams out there, the official email announcement from WHMCS wasn't particularly all that timely.

Nevertheless, the email alerts did eventually arrive as documented HERE

Thanks goes out to the good folks over at WHMCS and those testers who published the initial announcements, lighting the fires that prompted the bilge pumps into operation 

Kindest regards,


----------



## XFS_Duke (Oct 25, 2013)

Wow, all the hate for WHMCS... I can pretty much guarantee that once Blesta becomes mainstream they will find issues with it as well. Nothing is ever 100% safe, unless you coded it yourself and YOU did all the security and did an external audit...

Just be patient. Update as soon as the patches come out and report issues to WHMCS.

Stop all the bitching and complaining and wanting to jump ship, because you know damn good and well that you ain't going anywhere! lol I had to wake up this morning and patch 3 WHMCS installs... :| Heh... It's all in a day's work...

It'll get better just takes time.


----------



## Ivan (Oct 26, 2013)

As mentioned above about WHSuite, they have a dev blog on their site.

http://blog.whsuite.com/will-ready-need-now/


----------



## hzr (Oct 26, 2013)

can we just pre-post "whmcs *.*.*.*.* vuln" threads for the next few years?



XFS_Duke said:


> Wow, all the hate for WHMCS... I can pretty much guarantee that once Blesta becomes mainstream they will find issues with it as well. Nothing is ever 100% safe, unless you coded it yourself and YOU did all the security and did an external audit...
> 
> Just be patient. Update as soon as the patches come out and report issues to WHMCS.
> 
> ...


there is a difference between "not too bad" and "I'm going to reimplement register_globals badly myself, a feature that was removed from PHP core for being too insecure" and "I'm going to write my own version of mysql_query that doesn't actually sanitise anything or escape anything instead of using PDO"
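The two defensive points raised in this thread, serverian's `invoiceids` guard in `configuration.php` and hzr's remark about hand-rolled query functions versus PDO, can be combined into one pattern: validate the request parameter into a list of integers, then fetch only the rows that belong to the authenticated client through a prepared statement. The following is an added illustration written for this thread, not WHMCS's own code; the table and column names (`tblinvoices`, `id`, `userid`, `invoicenum`, `total`), the client id and the sample rows are assumptions constructed for the demo.

```php
<?php
// Added example (not WHMCS code): validate a request parameter and query with PDO.
// Table/column names and the sample data below are assumptions for illustration.

/**
 * Normalise an "invoiceids" request value to a list of positive integers.
 * Accepts a scalar ("12") or a flat array of scalars; rejects nested arrays,
 * non-numeric strings and non-positive values. Returns [] on any bad input.
 */
function normalise_invoice_ids($raw): array {
    $values = is_array($raw) ? $raw : [$raw];
    $ids = [];
    foreach ($values as $v) {
        // FILTER_VALIDATE_INT returns false for arrays, "1 OR 1=1", "1.5", "" ...
        $n = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            return [];
        }
        $ids[] = $n;
    }
    return array_values(array_unique($ids));
}

/**
 * Fetch only the invoices that belong to the authenticated client.
 * Every id is bound as a parameter (no string interpolation), and the
 * ownership condition means an invoice owned by another client is simply
 * absent from the result rather than leaking its data.
 */
function fetch_own_invoices(PDO $db, int $clientId, array $ids): array {
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "SELECT id, invoicenum, total FROM tblinvoices WHERE userid = ? AND id IN ($placeholders)";
    $stmt = $db->prepare($sql);
    $stmt->execute(array_merge([$clientId], $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against an in-memory SQLite database (constructed sample data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblinvoices (id INTEGER PRIMARY KEY, userid INTEGER, invoicenum TEXT, total REAL)');
$db->exec("INSERT INTO tblinvoices VALUES (101, 7, 'INV-101', 10.0), (102, 7, 'INV-102', 20.0), (103, 8, 'INV-103', 30.0)");

$currentClient = 7; // assumed id of the logged-in client
$samples = [
    ['101', '102'],   // own invoices: both returned
    ['101', '103'],   // 103 belongs to client 8: filtered out by the userid condition
    ['1 OR 1=1'],     // not an integer: rejected before any query runs
    [['101']],        // nested array (the shape serverian's guard rejects): rejected
];
foreach ($samples as $sample) {
    $ids  = normalise_invoice_ids($sample);
    $rows = fetch_own_invoices($db, $currentClient, $ids);
    echo json_encode($sample), ' -> ', json_encode(array_column($rows, 'id')), PHP_EOL;
}
```

The ownership condition is the part that matters for the data-exposure concern DamienSB and lbft discuss: parameter binding stops injection, but only scoping the query to the current client stops a well-formed request from returning another customer's invoice details.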


----------

