WHMCS Security Advisory

George_Fusioned

Active Member
Verified Provider
This just came in the mail:

========================================
WHMCS Security Advisory for 4.5, 5.0, 5.1, 5.2
http://blog.whmcs.com/?t=73290
========================================

WHMCS has released new patches for the 4.5, 5.0, 5.1 and 5.2 minor releases.
These updates provide targeted changes to address security concerns with the
WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as including critical or important security
impacts. Information on security ratings is available at
http://docs.whmcs.com/Security_Levels

++++++++++++
Releases
++++++++++++
The following full-release versions of WHMCS have been published and address all
known vulnerabilities:
5.2.5

The latest public releases of WHMCS are available inside our member's area at
https://www.whmcs.com/members/clientarea.php

++++++++++++++++++++++++++++++++++++
Security Issue Information
++++++++++++++++++++++++++++++++++++
The Targeted Security Release and Patch updates for 4.5, 5.0, and 5.1 resolve an
issue of unsanitized information being used in a SQL query. Using a crafted URL,
an attacker could perform an SQL Injection.

The Targeted Security Release and Patch update for 5.2 addresses a security
enhancement regression discovered in 5.2.3 and 5.2.4. This regression is not
related to the itemized vulnerability mentioned for 4.5, 5.0, and 5.1. The
regression was identified internally and is not a candidate for public
disclosure.

++++++++++++
Mitigation
++++++++++++

------------------
WHMCS Version 4.5
------------------
Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for the affected version of the 4.x series are located on the WHMCS site
as itemized below.

 > v4.5.5 (patch only) - http://www.whmcs.com/download/302/v455patch

To apply the patch, simply download the appropriate patch file specific to the
WHMCS version you are running, extract the contents, and upload the files from
the /whmcs/ folder to your installation.

No install or upgrade process is required.

------------------
WHMCS Version 5.x
------------------
Download and apply the appropriate full-version or patch of WHMCS to protect
against these vulnerabilities.

Patch files for the affected 5.x versions are located on the WHMCS site as itemized
below. A full version of 5.2.5 is located in the WHMCS member's area download
section, under your license details.

 > v5.0.6 (patch only) - http://www.whmcs.com/download/306/v506patch
 > v5.1.7 (patch only) - http://www.whmcs.com/download/310/v517patch
 > v5.2.5 (patch only) - http://www.whmcs.com/download/314/v525patch
 > v5.2.5 (full-version) - Available in the members area

When updating from v5.0.5, v5.1.6, or v5.2.4 you can use the patch file and the
upgrade process is not required. Simply download the appropriate file specific
to the WHMCS version you are running, extract the contents, and upload the files
from the /whmcs/ folder to your installation.

If running any other version you should apply the full-version, simply download
the file from our member's area and then follow the regular upgrade instructions
which can be found at http://docs.whmcs.com/Upgrading

================================================================================
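The advisory above says only that an unsanitized value taken from a crafted URL reached a SQL query. As an added illustration, not WHMCS code and not the actual affected query (the advisory does not identify it), the following Python script reproduces that class of bug against a constructed SQLite table and shows the type-checked, parameterized version beside it. The table and column names, the `id` parameter, the `viewclient.php` page and the sample URLs are assumptions made for the example.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a billing app's client table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO tblclients VALUES (?, ?)",
        [(1, "alice@example.test"), (2, "bob@example.test"), (3, "carol@example.test")],
    )
    return conn


def param_from_url(url: str, name: str) -> str:
    """Pull one query-string parameter out of a request URL (percent-decoded)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def lookup_unsafe(conn: sqlite3.Connection, url: str) -> list:
    """The vulnerable pattern: the raw parameter is spliced into the SQL text,
    so whatever the URL carries becomes part of the WHERE clause."""
    client_id = param_from_url(url, "id")
    sql = "SELECT id, email FROM tblclients WHERE id = " + client_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, url: str) -> list:
    """The fix: reject anything that is not an integer, then bind the value
    as a query parameter so the database never parses it as SQL."""
    client_id = param_from_url(url, "id")
    if not client_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, email FROM tblclients WHERE id = ?"
    return conn.execute(sql, (int(client_id),)).fetchall()


# Constructed request URLs: one legitimate, two crafted by an attacker.
LEGIT_URL = "https://billing.example.test/viewclient.php?id=2"
DUMP_ALL_URL = "https://billing.example.test/viewclient.php?id=2+OR+1%3D1"
UNION_URL = "https://billing.example.test/viewclient.php?id=0+UNION+SELECT+0,sqlite_version()"


def demo() -> dict:
    """Run both lookups against each URL; returns row counts, the rows the
    UNION payload pulls out, and whether the safe version refused the input."""
    conn = make_db()
    result = {
        "unsafe_legit": len(lookup_unsafe(conn, LEGIT_URL)),
        "unsafe_dump_all": len(lookup_unsafe(conn, DUMP_ALL_URL)),
        "unsafe_union": lookup_unsafe(conn, UNION_URL),
        "safe_legit": len(lookup_safe(conn, LEGIT_URL)),
    }
    for url in (DUMP_ALL_URL, UNION_URL):
        try:
            lookup_safe(conn, url)
            result[url] = "accepted"
        except ValueError:
            result[url] = "rejected"
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The `OR 1=1` URL turns a one-row lookup into a dump of the whole table, and the `UNION` URL makes the same query return attacker-chosen data (here the database version, in a real attack any column of any table). The safe variant never reaches the database with either: the type check fails first, and even a value that passed it is bound as a parameter rather than concatenated.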
 

George_Fusioned

Active Member
Verified Provider
From what I've been reading, the guys at WHMCS managed to release an update that breaks things, again.

This fix breaks the ability for customers to order domains.
 

weservit

New Member
Verified Provider
I hope that there will be an official WHMCS -> Hostbill migration script sometime so we can move to Hostbill. We are using Hostbill for some other services and I have to say that I like Hostbill over WHMCS.
 

Jono20201

New Member
Verified Provider
You would think they would learn by now, and I would get domain orders right after the updates.

Seriously, considering leaving WHMCS now.
Everyone says that every time they release a security update; however, there isn't any good alternative that offers a good migration script and is not silly priced. If there was good competition WHMCS would quickly lose market share.
 

George_Fusioned

Active Member
Verified Provider
btw the domain ordering issue has been fixed. You need to re-download the patch, which now has the fixed class.init.php file.

(I really don't understand why it's so difficult to call this v5.2.5.1 so that people know whether they've got the fixed version or not...)
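Both the advisory's patch procedure (extract the archive and upload the files from its /whmcs/ folder over the installation) and the re-issued 5.2.5 patch described in the post above leave an operator with no version string to check; the only way to know whether the files on disk match the current download is to compare them. As an added example, not WHMCS tooling, the following Python script hashes every file in an extracted patch tree and reports which ones are absent from the installation or differ from it. The directory layout, the file contents and the includes/class.init.php path used in the demo are constructed for the example.

```python
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def patch_drift(patch_dir, install_dir) -> dict:
    """Compare every file in an extracted patch tree with the file at the same
    relative path in the installation. Returns {relative_path: "missing" | "differs"};
    an empty dict means every patch file is already installed byte-for-byte."""
    patch_dir, install_dir = Path(patch_dir), Path(install_dir)
    drift = {}
    for src in sorted(p for p in patch_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(patch_dir)
        dst = install_dir / rel
        if not dst.is_file():
            drift[rel.as_posix()] = "missing"
        elif sha256_of(src) != sha256_of(dst):
            drift[rel.as_posix()] = "differs"
    return drift


def demo() -> dict:
    """Constructed scenario: an installation patched from the first download,
    checked against a re-downloaded patch whose class.init.php changed."""
    base = Path(tempfile.mkdtemp())
    try:
        patch, install = base / "whmcs", base / "public_html" / "whmcs"
        (patch / "includes").mkdir(parents=True)
        (install / "includes").mkdir(parents=True)
        # File that changed between the two patch downloads (hypothetical content).
        (install / "includes" / "class.init.php").write_text("<?php // first patch build\n")
        (patch / "includes" / "class.init.php").write_text("<?php // re-issued patch build\n")
        # File identical in both downloads and already uploaded.
        (install / "index.php").write_text("<?php // unchanged\n")
        (patch / "index.php").write_text("<?php // unchanged\n")
        # File the patch ships that was never uploaded at all.
        (patch / "includes" / "extra.php").write_text("<?php // new file\n")
        return patch_drift(patch, install)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python patch_drift.py /path/to/extracted/whmcs /path/to/installed/whmcs
        found = patch_drift(sys.argv[1], sys.argv[2])
        for rel, state in found.items():
            print(f"{state:8} {rel}")
        sys.exit(1 if found else 0)
    print(demo())
```

Run it before uploading to see exactly which files the new download would change, and again afterwards to confirm the tree matches; a non-empty report after an upload means a file did not land (wrong folder, permissions, or a stale copy of the archive). It compares only the files the patch ships, so local modifications to files outside the patch are not flagged.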
 

mitgib

New Member
Verified Provider
btw the domain ordering issue has been fixed. You need to re-download the patch, which now has the fixed class.init.php file.

(I really don't understand why it's so difficult to call this v5.2.5.1 so that people know whether they've got the fixed version or not...)
Awesome, was unable to accept orders all day, and no response to my ticket, what a bunch of slackers.
 

coreyman

Active Member
Verified Provider
I got the email and I did a facepalm wondering when the auto update feature will come out. I swear it seems like I've been updating WHMCS every few weeks.
 

George_Fusioned

Active Member
Verified Provider
I got the email and I did a facepalm wondering when the auto update feature will come out. I swear it seems like I've been updating WHMCS every few weeks.
To be honest, I prefer replacing files over FTP on my own :)

I'm sure the time will come where their auto update feature will have a dot or a backslash too much, which will completely screw the WHMCS installation.
 

DamienSB

Active Member
Verified Provider
To be honest, I prefer replacing files over FTP on my own :)

I'm sure the time will come where their auto update feature will have a dot or a backslash too much, which will completely screw the WHMCS installation.
I wouldn't trust anything to automatically overwrite any software that is billing or production related. What if WHMCS gets hit again and someone pushes a bad update to every WHMCS user?
 