amuck-landowner

WHMCS Security Advisory

peterw

New Member
Code:
Case 3492
Remove dependency on unserialize() for admin table sorting

=== Severity Level ===
Important

=== Description ===
Object Injection Attack.
An attacker, once authenticated into the admin area of the product, could leverage user input passed to unserialize() to execute arbitrary PHP.
 
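The advisory names the bug class in one sentence. As an added example (not WHMCS code, and not the actual vulnerable code path), the PHP below shows why user input reaching unserialize() is an object-injection primitive and what "remove dependency on unserialize()" looks like as a fix. The class names, the sort-state format and the file-deleting gadget are assumptions for illustration; a real chain reaching arbitrary PHP execution depends on which classes the application loads, which the advisory does not detail.

```php
<?php
// Added example, not WHMCS code: a minimal PHP object-injection primitive of the
// kind the advisory names (user input reaching unserialize()), beside the
// "remove the dependency on unserialize()" fix. Class names, the sort-state
// format and the file-deleting gadget are assumptions for illustration.
declare(strict_types=1);   // requires PHP 8.0+ (constructor property promotion)

// The object the application legitimately serializes: a table sort preference.
final class SortState
{
    public function __construct(public string $column = 'id', public string $dir = 'asc') {}
}

// A "gadget": any class already loaded by the application whose magic method has a
// side effect driven by its properties. unserialize() instantiates it with
// attacker-chosen properties, and PHP calls __destruct when it is discarded.
final class LogCleaner
{
    public function __construct(public string $path) {}
    public function __destruct()
    {
        if (is_file($this->path)) {
            unlink($this->path);   // attacker controls $path via the payload
        }
    }
}

// VULNERABLE: the wire format lets the client pick the class.
function loadSortVulnerable(string $raw): SortState
{
    $state = unserialize(base64_decode($raw));   // any class, any properties
    // The instanceof check does not help: the LogCleaner was already built,
    // and its __destruct runs as $state goes out of scope on return.
    return $state instanceof SortState ? $state : new SortState();
}

// PARTIAL MITIGATION: unserialize() with allowed_classes (PHP 7.0+). Unlisted
// classes become __PHP_Incomplete_Class and no magic methods run. Still parses
// attacker input with unserialize(), so prefer the full fix below.
function loadSortAllowList(string $raw): SortState
{
    $state = unserialize(base64_decode($raw), ['allowed_classes' => [SortState::class]]);
    return $state instanceof SortState ? $state : new SortState();
}

// FIX: carry plain data (JSON), never objects, and allow-list the values.
const ALLOWED_COLUMNS = ['id', 'name', 'created', 'status'];
const ALLOWED_DIRS    = ['asc', 'desc'];

function loadSortHardened(string $raw): SortState
{
    $data = json_decode(base64_decode($raw, true) ?: '', true);
    if (!is_array($data)) {
        return new SortState();
    }
    $column = in_array($data['column'] ?? '', ALLOWED_COLUMNS, true) ? $data['column'] : 'id';
    $dir    = in_array($data['dir'] ?? '', ALLOWED_DIRS, true) ? $data['dir'] : 'asc';
    return new SortState($column, $dir);
}

// --- Demonstration with a constructed payload ---------------------------------
// Builds the attacker's "sort preference" as a raw string, so that no LogCleaner
// object ever exists on the attacker side; only the victim instantiates it.
function gadgetPayload(string $victimPath): string
{
    return base64_encode(
        sprintf('O:10:"LogCleaner":1:{s:4:"path";s:%d:"%s";}', strlen($victimPath), $victimPath)
    );
}

$victim = tempnam(sys_get_temp_dir(), 'objinj-demo-');   // stands in for any file
loadSortVulnerable(gadgetPayload($victim));
printf("vulnerable: victim file %s\n", file_exists($victim) ? 'still present' : 'deleted');

$victim = tempnam(sys_get_temp_dir(), 'objinj-demo-');
loadSortAllowList(gadgetPayload($victim));
printf("allow-list: victim file %s\n", file_exists($victim) ? 'still present' : 'deleted');

$state = loadSortHardened(gadgetPayload($victim));
printf("hardened:   payload ignored, sort = %s %s\n", $state->column, $state->dir);

$legit = base64_encode(json_encode(['column' => 'name', 'dir' => 'desc']));
$state = loadSortHardened($legit);
printf("hardened:   legitimate input, sort = %s %s\n", $state->column, $state->dir);

$evil = base64_encode(json_encode(['column' => 'name; DROP TABLE x', 'dir' => 'desc']));
$state = loadSortHardened($evil);
printf("hardened:   unknown column falls back to %s %s\n", $state->column, $state->dir);

unlink($victim);
```

Run it with `php objinj.php`: the vulnerable loader deletes the temp file even though it "rejects" the object afterwards, the allowed_classes variant leaves it alone, and the JSON loader never instantiates anything from the request and also refuses unlisted column names, which is what removes the unserialize() dependency rather than fencing it.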

MartinD

Retired Staff
Verified Provider
Do a hard refresh or clear your cache.

Currency symbol issue too... that's resolved with some patches from WHMCS.
 

ComputerTrophy

New Member
In my opinion WHMCS should be contacting CloudFlare as well with vulnerability details so CloudFlare can develop their Web Application Firewall. Such a partnership could be great, since CloudFlare could block the vulnerabilities in the first hour before they're even patched.
 

KuJoe

Well-Known Member
Verified Provider
So the only security exploit that was patched was one that allows admin to run PHP code on my server? Considering all of the admins in my WHMCS have root access to the server already this is not a huge concern.
 

InertiaNetworks-John

Inertia Networks, LLC
Verified Provider
> So the only security exploit that was patched was one that allows admin to run PHP code on my server? Considering all of the admins in my WHMCS have root access to the server already this is not a huge concern.
Very true, but you have to realize for bigger companies, this may not be the case.
 

Aldryic C'boas

The Pony
> Very true, but you have to realize for bigger companies, this may not be the case.
Hell, we have a small staff, and it's not the case with us, either.  I'm the only one with full WHMCS privs (Fran doesn't even have a login, although he and I are the only two with keys on that box).  Though granted, we don't bring anyone onboard as staff unless we're willing to put a LOT of trust into them anyways.
 

Coastercraze

Top Thrill
Verified Provider
> So the only security exploit that was patched was one that allows admin to run PHP code on my server? Considering all of the admins in my WHMCS have root access to the server already this is not a huge concern.
No there is more... Read the blog post.
 

nunim

VPS Junkie
I keep getting invalid token errors, mainly in Intelligent Search but I see them from time to time elsewhere. 
 

fapvps

New Member
Verified Provider
I'm very happy to see that they are working on the product they are selling. It was very frustrating to deal with the 0day exploits that came out recently. It is really a good thing that they are releasing the updates often. I'll gladly apply a weekly incremental patch to keep the billing system secure and as bug free as possible. I don't understand why people would complain about WHMCS releasing updates...People should complain if they don't release updates...
 