WHMCS - finally a positive move

Epidrive

New Member
Verified Provider
I've always ticketed them (the WHMCS team) that they should do an external security audit; Matt always replies back with 'we are taking care of this'.


Good move on this though indeed.
 

lifetalk

New Member
Verified Provider
Because the tin-foil-hat donning people in this arena react just as you did.
You don't reach out to one single guy for an audit of a software as expansive and non-exhaustive as WHMCS, if you're serious about said audit. Granted the guy is causing you grief, but a single guy against a (possible) team of security professionals won't work.
 

zim

The Invader
Verified Provider
Yeah, that email reeks of a setup. Hire a professional company with a team, insurance, and a reputation. LOL WE NEED A LONE WOLF TO SEC AUDIT K THX
 

KuJoe

Well-Known Member
Verified Provider
You don't reach out to one single guy for an audit of a software as expansive and non-exhaustive as WHMCS, if you're serious about said audit. Granted the guy is causing you grief, but a single guy against a (possible) team of security professionals won't work.
If they can pay that single guy any amount of money to sign an NDA, even if he doesn't find any exploits during that time, it's still worth the money for them. Their goal is most likely preventing public disclosure more than obtaining an actual audit since, like you said, they would be better off going to a reputable team.
 

Rob T

New Member
Verified Provider
With the resources cPanel has at their disposal, if they wanted to file a lawsuit against this guy for disclosing security vulnerabilities, they could easily do it. I doubt they were trying to "lure" him in to file suit - what are they going to sue him for? What damages could they collect?

Now, hiring him as a consultant to get him to sign an NDA, that is just smart business...
 

KuJoe

Well-Known Member
Verified Provider
It's also worth noting that the screenshot shows "- Show quoted text -", meaning there is more to the conversation than was posted. Looking at it in that context, I'm not sure what to think, because at first glance it looks like "We want to find you," but since there was an on-going conversation prior to that, it could be a response to a previous reply, in which case it would look like a genuine offer.

Either way, this was WHMCS's first positive move in restoring some faith in them.
 

perennate

New Member
Verified Provider
Either way, this was WHMCS's first positive move in restoring some faith in them.
Seems like they just fixed a few bugs that were reported / discovered. (Doesn't the PHP processor already take care of HTTP split attacks?) A real positive move would be to get rid of register globals and replace their custom SQL processing with PDO stored procedures.
 
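The two code-level points in the post above, as an added illustration that is not WHMCS code or anything from the thread: hand-built SQL beside a PDO prepared statement, plus a startup check that register_globals is off. The table and column names (tblclients, email) and the sample rows are constructed for the demo.

```php
<?php
// Added example (not WHMCS code). Demonstrates string-built SQL beside a
// PDO prepared statement, and a defensive check for register_globals.
// Table/column names are assumptions; rows are constructed test data.
declare(strict_types=1);

// Unsafe: the request value is spliced into the query text, so the value is
// parsed as part of the statement rather than treated as data.
function find_client_unsafe(PDO $db, string $email): array
{
    $sql = "SELECT id, email FROM tblclients WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the query text is fixed at prepare() time; the value travels as
// a bound parameter and can never change the statement's structure.
function find_client_safe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, email FROM tblclients WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// register_globals (removed in PHP 5.4) turned every request parameter into
// a PHP variable. On a legacy host, refuse to run if it is still enabled;
// ini_get() returns false when the directive no longer exists.
function assert_register_globals_off(): void
{
    if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('register_globals must be disabled');
    }
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO tblclients (email) VALUES ('alice@example.com'), ('bob@example.com')");

assert_register_globals_off();
// A value containing a quote: the string-built query returns every row,
// the prepared statement returns only an exact (here, empty) match.
$probe = "x' OR '1'='1";
echo count(find_client_unsafe($db, $probe)), " rows from string-built query\n";
echo count(find_client_safe($db, $probe)), " rows from prepared statement\n";
```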

KuJoe

Well-Known Member
Verified Provider
Seems like they just fixed a few bugs that were reported / discovered. (Doesn't the PHP processor already take care of HTTP split attacks?) A real positive move would be to get rid of register globals and replace their custom SQL processing with PDO stored procedures.
They fixed multiple bugs/exploits that their team and a software auditor found. This means that somebody else is looking at the code at least, which is a step in the right direction.
 

Francisco

Company Lube
Verified Provider
They fixed multiple bugs/exploits that their team and a software auditor found. This means that somebody else is looking at the code at least, which is a step in the right direction.
You'd think that being part of cpanel they would have a preferred team. Honest question, when was the last time cPanel had a 0 day exploit?

I've seen some XSS stuff but nothing granting root in ages.

Francisco
 

Aldryic C'boas

The Pony
But that would solve almost all the issues I have with it >_>

Besides, you know cPanel took a look at that source after buying in, and thought "Bloody hell, what have we done".
 

KuJoe

Well-Known Member
Verified Provider
WHMCS has until November 31st to restore my confidence; if not, then I'll cut my losses and pull the trigger on Blesta, which we've already done a successful import to and could make live now, but I'm giving WHMCS another chance in hopes of salvaging all of the work I've already done.
 

Aldryic C'boas

The Pony
WHMCS has until November 31st to restore my confidence
So what you're saying is, they have an indefinite amount of time? :p

Semantics aside, this mess is getting a bit old. Both the kid dicking them around and WHMCS themselves for expecting us to believe that a couple of incremental patches will fix poor coding. Realistically, you can expect the same poor coding practices throughout the entire platform - leaving it to just be a matter of time before very similar exploits are found. I wouldn't count on confidence unless they suddenly announce that not only have they brought in a new group of experienced coders, but the next release would be WHMCS 6 rather than these silly band-aid patches.
 

KuJoe

Well-Known Member
Verified Provider
So what you're saying is, they have an indefinite amount of time? :p

Semantics aside, this mess is getting a bit old. Both the kid dicking them around and WHMCS themselves for expecting us to believe that a couple of incremental patches will fix poor coding. Realistically, you can expect the same poor coding practices throughout the entire platform - leaving it to just be a matter of time before very similar exploits are found. I wouldn't count on confidence unless they suddenly announce that not only have they brought in a new group of experienced coders, but the next release would be WHMCS 6 rather than these silly band-aid patches.
This year of course. That's when 5.1.x is EOL and I'm not confident enough to upgrade to 5.2.x with the recent craziness. ;)

I'm not expecting a complete re-write in the next month, but if they can provide me something that would make me believe they are serious about providing a critical piece of software, then I'll be willing to wait it out until they can get 6.0 out. But if they force me to upgrade to a version I'm not comfortable with (5.2.x), then I can just as easily migrate to Blesta, which has given me little reason to doubt their coding, even though it's probably due to them being so new that they aren't as big of a target as WHMCS.
 