WHMCS 24/10/2013 Vuln
- Thread starter DamienSB
- Start date
lbft
New Member
Leaking personally identifiable information is serious and could cause legal problems for providers in parts of the world with sensible laws on data breaches.
It isnt as big as SQLI, and can be avoided with the disable of mass pay. So no, it's not as big of an issue as the first few were this month.
Well, yet another vulnerability. Feels like its a good time to give a demo of the panel my team was developing for our internal billing. It now can handle individual invoices, recurring invoices, customer login, shopping cart and basic support tickets. If anyone is interested in developing it, as a community project, under GPL compatible license, it will be great.
Will try to setup a demo today night itself. Not completely sure of it, as I have a friend of mine in hospital who had an accident today.
Will try to setup a demo today night itself. Not completely sure of it, as I have a friend of mine in hospital who had an accident today.
I find it somewhat entertaining that there's plenty of sentiment like OH NOT AGAIN FUCK THIS IM GOING TO <xyz> PANEL INSTEAD, when every single one of us are using other software that's had heinous security issues, usually due to poor coding practices.
The blog post I looked had five other security issues fixed also. They're working on it. Yes, "localhost"'s method of "LOZL THESE GUYS R DUM HERES THE HACK" is unethical, but i'm pretty sure all of us are keeping on top of things otherwise.
Let's all chill out and relax: they're fixing it.
For those considering moving to Blesta, there's various issues with a 1:1 migration. Don't think you're going to run a script and just turn off WHMCS and turn on Blesta and go about your day. Read http://www.blesta.com/forums/index.php?/topic/960-whmcs-migrator-beta-updated-2013-10-24/?p=10488 onward. Also consider that Blesta is missing some payment gateways and doesn't do product addons at all.
Now, the difference here is that the Blesta team is actively working on everything. They're participating in forums. They're making changes that you can see.
Blesta might not be the immediate replacement, but it's coming along nicely otherwise.
The blog post I looked had five other security issues fixed also. They're working on it. Yes, "localhost"'s method of "LOZL THESE GUYS R DUM HERES THE HACK" is unethical, but i'm pretty sure all of us are keeping on top of things otherwise.
Let's all chill out and relax: they're fixing it.
For those considering moving to Blesta, there's various issues with a 1:1 migration. Don't think you're going to run a script and just turn off WHMCS and turn on Blesta and go about your day. Read http://www.blesta.com/forums/index.php?/topic/960-whmcs-migrator-beta-updated-2013-10-24/?p=10488 onward. Also consider that Blesta is missing some payment gateways and doesn't do product addons at all.
Now, the difference here is that the Blesta team is actively working on everything. They're participating in forums. They're making changes that you can see.
Blesta might not be the immediate replacement, but it's coming along nicely otherwise.
Free market at work...
Thankfully whmcs is not just rolling over and is instead making patches.
Meanwhile others are smelling opportunity to dethrone the king and coming up with viable alternatives. Once whmcs has shored up their code, they will need to continue to innovate if they wish to remain in business.
Either way, hosting companies should win....
jarland
The ocean is digital
The flow of setting up products is so different coming from whmcs. On top of that, adding a product that it can't push a signal somewhere to provision seems stupid difficult. There's no "none" module but instead "universal" that seems to freak out at having nothing to do. I may need to read more but first impression based on that was bad. If it doesn't have a module you're really expected to write one or make it fit the universal one, not just manually provision your products.
I'll give you a dollar if you can figure out how to add an addon to an existing product. :X
I coded a SolusVM replacement for WHMCS that was 95% done and am in the process of porting it over to Blesta. In terms of documentation, Blesta blows WHMCS out of the water. In terms of ease of implementation, WHMCS wins hands down. WHMCS makes it extremely simple to code a custom module while Blesta basically wants you to code a completely separate script that kind of integrates with Blesta. While I like the idea, it will require a complete rewrite of my module for it to work with Blesta and even after reading the documentation I am still very lost in how to proceed. 
At this point, I am debating on whether to just turn the module into a WHMCS replacement also since it would probably take the same amount of time just to convert what I have.
At this point, I am debating on whether to just turn the module into a WHMCS replacement also since it would probably take the same amount of time just to convert what I have.
Last edited by a moderator:
If they ever actually fix their problems.
Whilst it is painful look at it from the point of view that WHMCS is getting a really good audit right now by someone/people who clearly know what to look for and is publishing the results forcing quick action to remedy the issue. The end result has to be a better product.
It's creating pain all round, no doubt about that.
Of course everyone is rushing about trying to create their own panel which is great but is their haste creating something that is any better security wise? I doubt it.
It's creating pain all round, no doubt about that.
Of course everyone is rushing about trying to create their own panel which is great but is their haste creating something that is any better security wise? I doubt it.
Last edited by a moderator:
The last communication from them shows that there are a lot of people looking at the code now including a well respected software auditor (vld) which makes me feel a bit better even though our WHMCS dev install is being used primarily to convert over to Blesta as a precaution.
Although there were patches released relatively quickly, thanks in large part to contributors here at VPSBoard and the full disclosure independent security teams out there, the official email announcement from WHMCS wasn't particularly all that timely.
Nevertheless, the email alerts did eventually arrive as documented HERE
Thanks goes out to the good folks over at WHMCS and those testers who published the initial announcements, lighting the fires that prompted the bilge pumps into operation
Kindest regards,
Nevertheless, the email alerts did eventually arrive as documented HERE
Thanks goes out to the good folks over at WHMCS and those testers who published the initial announcements, lighting the fires that prompted the bilge pumps into operation
Kindest regards,
Wow, all the hate for WHMCS... I can pretty much guarantee that once Blesta becomes mainstream they will find issues with it as well. Nothing is ever 100% safe, unless you coded it yourself and YOU did all the security and did an external audit...
Just be patient. Update as soon as the patches come out and report issues to WHMCS.
Stop all the bitching and complaining and wanting to jump ship, because you know damn good and well that you ain't going anywhere! lol I had to wake up this morning and patch 3 WHMCS installs... :| Heh... It's all in a days work...
It'll get better just takes time.
Just be patient. Update as soon as the patches come out and report issues to WHMCS.
Stop all the bitching and complaining and wanting to jump ship, because you know damn good and well that you ain't going anywhere! lol I had to wake up this morning and patch 3 WHMCS installs... :| Heh... It's all in a days work...
It'll get better just takes time.
As mentioned above about WHSuite, they have a dev blog on their site.
http://blog.whsuite.com/will-ready-need-now/
http://blog.whsuite.com/will-ready-need-now/
can we just pre-post "whmcs *.*.*.*.* vuln" threads for the next few years?
there is a difference between "not too bad" and "i'm going to reimplement register_globals badly myself, a feature that was removed from PHP core for being too insecure" and "i'm going to write my own version of mysql_query that doesn't actually sanitise anything or escape anything instead of using pdo"
Last edited by a moderator: