amuck-landowner

WHMCS Security Advisory

TruvisT

Server Management Specialist
Verified Provider
btw the domain ordering issue has been fixed. You need to re-download the patch, which now has the fixed class.init.php file.

(I really don't understand why it's so difficult to call this v5.2.5.1 so that people know whether they've got the fixed version or not...)
THIS. I checked for a new patch today, and still saw the old one. Why can't they do minor patches for crying out loud?
 

coreyman

Active Member
Verified Provider
I wouldn't trust anything to automatically overwrite any software that is billing or production related. What if WHMCS gets hit again and someone pushes a bad update to every WHMCS user?
My point exactly ;)
So I guess no one here uses cPanel? What happens if cPanel gets hit again and a bad update gets pushed to every cPanel user? A lot more than just 'WHMCS' could be compromised. If you remember, WHMCS was bought out by cPanel recently.
 

coreyman

Active Member
Verified Provider
You can turn off auto updates on cPanel.
I'm sure you would be able to do the same on WHMCS if they implemented the feature... same company and all. Not everyone turns it off though... so then we are still left with a bunch of 'compromise able' systems I guess.
 

DamienSB

Active Member
Verified Provider
I'm sure you would be able to do the same on WHMCS if they implemented the feature... same company and all. Not everyone turns it off though... so then we are still left with a bunch of 'compromise able' systems I guess.
No system is perfect, but I do hope they allow us to disable the system.
 

coreyman

Active Member
Verified Provider
No system is perfect, but I do hope they allow us to disable the system.
On another note, even though you turn off automatic updating from cPanel... Do you download cPanel from them again and use rsync to replace files or something? Surely you aren't replacing every file one by one. Everything is encoded as well, so how are you to know if there is an exploit in the software or not? Do you have some policy to wait a certain amount of time to let everyone else test the waters and see if there is an exploit or not?
 

Licensecart

Active Member
You would think they would learn by now, and I would get domain orders right after the updates.

Seriously, considering leaving WHMCS now.
I already am preparing to move. WHMCS is just not good enough anymore.
 

InertiaNetworks-John

Inertia Networks, LLC
Verified Provider
Sometimes I wonder about WHMCS. We are currently using HostBill, but plan to move over to Blesta when it comes out. It looks very good so far!
 