amuck-landowner

WHMCS 24/10/2013 Vuln

rds100

New Member
Verified Provider
Well, at least this time they published MD5 checksums of all the archives. So they can't just fix this "version not increased" thing silently. They will release a new patch (5.2.12) shortly.
 

lbft

Active Member
This isn't a really big issue, but it does give people the ability to get name/address/phone number from other customers.
Leaking personally identifiable information is serious and could cause legal problems for providers in parts of the world with sensible laws on data breaches.
 

DamienSB

Active Member
Verified Provider
> Leaking personally identifiable information is serious and could cause legal problems for providers in parts of the world with sensible laws on data breaches.

It isn't as big as SQLI, and can be avoided with the disable of mass pay. So no, it's not as big of an issue as the first few were this month.
 

bizzard

Active Member
Well, yet another vulnerability. Feels like it's a good time to give a demo of the panel my team was developing for our internal billing. It now can handle individual invoices, recurring invoices, customer login, shopping cart and basic support tickets. If anyone is interested in developing it, as a community project, under a GPL-compatible license, it will be great.

Will try to setup a demo today night itself. Not completely sure of it, as I have a friend of mine in hospital who had an accident today.
 

KuJoe

Well-Known Member
Verified Provider
Last patch/e-mail has restored some confidence in WHMCS, not a lot, but some.
 

Damian

New Member
Verified Provider
I find it somewhat entertaining that there's plenty of sentiment like OH NOT AGAIN FUCK THIS IM GOING TO <xyz> PANEL INSTEAD, when every single one of us is using other software that's had heinous security issues, usually due to poor coding practices.

The blog post I looked at had five other security issues fixed also. They're working on it. Yes, "localhost"'s method of "LOZL THESE GUYS R DUM HERES THE HACK" is unethical, but I'm pretty sure all of us are keeping on top of things otherwise.

Let's all chill out and relax: they're fixing it.

For those considering moving to Blesta, there's various issues with a 1:1 migration. Don't think you're going to run a script and just turn off WHMCS and turn on Blesta and go about your day. Read http://www.blesta.com/forums/index.php?/topic/960-whmcs-migrator-beta-updated-2013-10-24/?p=10488 onward. Also consider that Blesta is missing some payment gateways and doesn't do product addons at all.

Now, the difference here is that the Blesta team is actively working on everything. They're participating in forums. They're making changes that you can see. 

Blesta might not be the immediate replacement, but it's coming along nicely otherwise.
 

datarealm

New Member
Verified Provider
> Let's all chill out and relax: they're fixing it.
>
> Now, the difference here is that the Blesta team is actively working on everything. They're participating in forums. They're making changes that you can see.
>
> Blesta might not be the immediate replacement, but it's coming along nicely otherwise.
Free market at work...  

Thankfully whmcs is not just rolling over and is instead making patches.

Meanwhile others are smelling opportunity to dethrone the king and coming up with viable alternatives.  Once whmcs has shored up their code, they will need to continue to innovate if they wish to remain in business.

Either way, hosting companies should win....
 

jarland

The ocean is digital
Fuck this shit. Anyone moved to Blesta? Does it work well? I'm considering it...
The flow of setting up products is so different coming from whmcs. On top of that, adding a product that it can't push a signal somewhere to provision seems stupid difficult. There's no "none" module but instead "universal" that seems to freak out at having nothing to do. I may need to read more but first impression based on that was bad. If it doesn't have a module you're really expected to write one or make it fit the universal one, not just manually provision your products.
 

Damian

New Member
Verified Provider
> The flow of setting up products is so different coming from whmcs. On top of that, adding a product that it can't push a signal somewhere to provision seems stupid difficult. There's no "none" module but instead "universal" that seems to freak out at having nothing to do. I may need to read more but first impression based on that was bad. If it doesn't have a module you're really expected to write one or make it fit the universal one, not just manually provision your products.
I'll give you a dollar if you can figure out how to add an addon to an existing product. :X
 

KuJoe

Well-Known Member
Verified Provider
I coded a SolusVM replacement for WHMCS that was 95% done and am in the process of porting it over to Blesta. In terms of documentation, Blesta blows WHMCS out of the water. In terms of ease of implementation, WHMCS wins hands down. WHMCS makes it extremely simple to code a custom module while Blesta basically wants you to code a completely separate script that kind of integrates with Blesta. While I like the idea, it will require a complete rewrite of my module for it to work with Blesta and even after reading the documentation I am still very lost in how to proceed. :(

At this point, I am debating on whether to just turn the module into a WHMCS replacement also since it would probably take the same amount of time just to convert what I have.
 

lifetalk

New Member
Verified Provider
I'm beginning to wonder how many more times localhost will need to publicly release exploits on WHMCS before they actually consider an external audit and programmers that are not a complete joke.
 

shovenose

New Member
Verified Provider
> I'm beginning to wonder how many more times localhost will need to publicly release exploits on WHMCS before they actually consider an external audit and programmers that are not a complete joke.
If they ever actually fix their problems.
 

Lee

Retired Staff
Verified Provider
Retired Staff
Whilst it is painful, look at it from the point of view that WHMCS is getting a really good audit right now by someone/people who clearly know what to look for and are publishing the results, forcing quick action to remedy the issue. The end result has to be a better product.

It's creating pain all round, no doubt about that.

Of course everyone is rushing about trying to create their own panel which is great but is their haste creating something that is any better security wise?  I doubt it.
 

KuJoe

Well-Known Member
Verified Provider
The last communication from them shows that there are a lot of people looking at the code now including a well respected software auditor (vld) which makes me feel a bit better even though our WHMCS dev install is being used primarily to convert over to Blesta as a precaution.
 

tallship

Member
Verified Provider
Although there were patches released relatively quickly, thanks in large part to contributors here at VPSBoard and the full disclosure independent security teams out there, the official email announcement from WHMCS wasn't particularly all that timely.

Nevertheless, the email alerts did eventually arrive as documented HERE

Thanks goes out to the good folks over at WHMCS and those testers who published the initial announcements, lighting the fires that prompted the bilge pumps into operation :)

Kindest regards,
 

XFS_Duke

XFuse Solutions, LLC
Verified Provider
Wow, all the hate for WHMCS... I can pretty much guarantee that once Blesta becomes mainstream they will find issues with it as well. Nothing is ever 100% safe, unless you coded it yourself and YOU did all the security and did an external audit...

Just be patient. Update as soon as the patches come out and report issues to WHMCS.

Stop all the bitching and complaining and wanting to jump ship, because you know damn good and well that you ain't going anywhere! lol I had to wake up this morning and patch 3 WHMCS installs... :| Heh... It's all in a day's work...

It'll get better just takes time.
 

hzr

#hashtagtwerkteam
Can we just pre-post "whmcs *.*.*.*.* vuln" threads for the next few years?

> Wow, all the hate for WHMCS... I can pretty much guarantee that once Blesta becomes mainstream they will find issues with it as well. Nothing is ever 100% safe, unless you coded it yourself and YOU did all the security and did an external audit...
>
> Just be patient. Update as soon as the patches come out and report issues to WHMCS.
>
> Stop all the bitching and complaining and wanting to jump ship, because you know damn good and well that you ain't going anywhere! lol I had to wake up this morning and patch 3 WHMCS installs... :| Heh... It's all in a day's work...
>
> It'll get better just takes time.

There is a difference between "not too bad" and "I'm going to reimplement register_globals badly myself, a feature that was removed from PHP core for being too insecure" and "I'm going to write my own version of mysql_query that doesn't actually sanitise anything or escape anything instead of using PDO".
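The query-wrapper pattern hzr describes, shown beside the PDO prepared-statement form it should be replaced with. This is an added illustration, not code from WHMCS or from anyone in the thread; the `clients` table, its rows and the helper names are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not code from WHMCS or from any poster in this thread. It
// contrasts a home-grown query helper that pastes input into the SQL text
// (nothing escaped) with the PDO prepared-statement form.

// The pattern hzr criticises: whatever the string contains becomes part of
// the statement, so correctness depends on every caller having escaped it.
function findClientUnsafe(PDO $db, string $email): ?array
{
    $sql = "SELECT id, email FROM clients WHERE email = '" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: the SQL text is fixed at prepare time and the value travels
// as a bound parameter, so it can never alter the statement's structure.
function findClientSafe(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM clients WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory SQLite fixture (table name and rows invented here).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO clients (email) VALUES ('o''brien@example.test')");

// A legitimate address that happens to contain a quote. The prepared
// statement finds the row; the concatenating wrapper emits malformed SQL,
// which is the visible symptom that nothing was escaped on the way in.
$input = "o'brien@example.test";

var_dump(findClientSafe($db, $input));

try {
    findClientUnsafe($db, $input);
} catch (PDOException $e) {
    echo 'unsafe wrapper failed: ' . $e->getMessage() . PHP_EOL;
}
```

Run it with `php example.php`; the pdo_sqlite extension is assumed to be available.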
 