
WHMCS 24/10/2013 Vuln

serverian

Well-Known Member
Verified Provider
Put this in configuration.php to patch it:

if(isset($_REQUEST['invoiceids']) && is_array($_REQUEST['invoiceids'])) { die('no'); }
 

jarland

The ocean is digital
Excel spreadsheets and email addresses for your company like reboot@ or reinstall@. That'll secure it.
 

WebSearchingPro

VPS Peddler
Verified Provider
Just a little note, this post was posted at 01:01:01 AM +0000 October 25th 2013 - So there may be something more sinister in the making.
 

tallship

Member
Verified Provider
Yeah, desire to build a WHMCS replacement rising.
There remains the promise of http://WHSuite.com but no word on progress at all. And then there's Blesta, which has promise w/the participation of 3rd party developers, yet w/o that is still pretty much just a billing platform for webhosting.

HostBill works nicely, when it works at all, and if you're really daring you can even take a chance on destroying your entire business each week by performing updates, which usually break something else that was previously working, but only a fool would consider that app now.

I'm actually considering going back to a simple script based system much like http://prgmr.com/ - or at least re-deploying under a different brand for those services.
 

GIANT_CRAB

New Member
New patch was released but the version number doesn't change after updating.

I guess they're paying "so much attention" to fixing the issue that they "accidentally forgot" about the version number.

Even minor issues like this (version number) are overlooked; it's really unsafe to continue using WHMCS.
 