New WHMCS Vulnerability

MartinD Member
edited October 2012 in General

Heads up:

http://www.webhostingtalk.com/showthread.php?t=1198117

Relating to the Boleto payment gateway module.


Comments

  • Another reason to use HostBill :P

  • Why do they include these useless modules most people will never use..

    Anyone know what the exploit actually is? Just curious to see how they cocked up and missed it.

  • @AsadHaider Good question, but some may use it. They should just open up a customer download area to download modules as needed, or alternatively just delete what you don't need.

  • Has anybody else got an email about this? Or are we expected to find it ourselves on WHT :S

  • @GetKVM_Ash said: Has anybody else got an email about this? Or are we expected to find it ourselves on WHT :S

    Nope, no email here either... :/

  • If they did send one, it takes a while to arrive given the size of their customer base :)

  • Mon5t3r Member
    edited October 2012

    It was, or is this another "new" boleto module vulnerable?

  • qps Member, Host Rep

    @Mon5t3r said: It was, or is this another "new" boleto module vulnerable?

    Another new vulnerability for this module. The second within the past few months, I believe.

    Thanked by 1: Mon5t3r
  • Infinity Member, Host Rep
    edited October 2012

    @GetKVM_Ash said: Has anybody else got an email about this? Or are we expected to find it ourselves on WHT :S

    None here either, did you buy your WHMCS direct from themselves?

  • joepie91 Member, Patron Provider

    Looks like their usual modus operandi - not notifying customers of a breach properly.

    I don't care how many customers they have and how long it would allegedly take, stuff like this is what you use things like Sendgrid for, as a company.

  • aaaaaaaaaaaaaaaaaaand the folder has been deleted. Thank you WHMCS LET + WHT for informing me of this security exploit

    Thanked by 1: Infinity
  • Thanks for this; the folder has been deleted. Not received any email, although they claim they have sent them out.

  • Asad Member
    edited October 2012

    WHMCompleteSolution (WHMCS) contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'require' function in the modules/gateways/boleto/boleto.php script not properly sanitizing user input supplied to the 'banco' parameter. This may allow an attacker to include a file from a third-party remote host that contains commands or code that will be executed by the vulnerable script with the same privileges as the web server.

    Developer who wrote that module is a f***ing retard, whmcs are idiots for missing that.
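    The pattern the advisory describes, next to a hardened replacement, as an added illustration (hypothetical code, not WHMCS's boleto module; the bank names, file layout and module directory are assumed):

```php
<?php
// Added illustration, not WHMCS's code. The advisory quoted above says
// boleto.php handed the user-supplied 'banco' parameter to require() unfiltered.
// The module directory, the file names and the allowlist below are assumptions.

// The defect as described: request data becomes the include path. With
// allow_url_include=On PHP will fetch and execute a remote file named by that string.
function loadBankModuleUnsafe(string $banco): void
{
    require __DIR__ . '/banks/' . $banco . '.php';
}

// Hardened version: the request value is only ever a lookup key into a fixed
// allowlist, so user input never forms part of the path passed to require().
function resolveBankModule(string $banco): string
{
    $allowed = [                      // assumed module files for this illustration
        'itau'     => 'itau.php',
        'bradesco' => 'bradesco.php',
        'caixa'    => 'caixa.php',
    ];
    if (!isset($allowed[$banco])) {
        throw new InvalidArgumentException('Unknown bank code');
    }
    $dir  = realpath(__DIR__ . '/banks');
    $file = ($dir === false) ? false : realpath($dir . '/' . $allowed[$banco]);
    // Belt and braces: the resolved file must exist and sit inside the module dir.
    if ($dir === false || $file === false
        || strncmp($file, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        throw new RuntimeException('Bank module missing or outside the module directory');
    }
    return $file;
}

function loadBankModuleSafe(string $banco): void
{
    require resolveBankModule($banco);
}

// Host-level defence in depth, independent of any one module (php.ini or .user.ini):
//   allow_url_include = Off   ; remote require()/include() cannot happen at all
//   allow_url_fopen   = Off   ; if nothing else on the box needs remote streams

try {
    loadBankModuleSafe((string)($_GET['banco'] ?? ''));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Invalid request';
}
```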

  • Seriously? A RFI vulnerability? In 2012? What is wrong with them?

    Thanked by 3: Infinity, Taz, djvdorp
  • KuJoe Member, Host Rep

    For those of you who didn't get the e-mail, check your spam filters.

    Alternatively, don't rely on WHMCS to send out e-mails. Get your own alerts to WHMCS security updates by subscribing to their "News and Announcements" forum and when they create a new thread you'll get an e-mail right away (I can guarantee the subscribe list on their forum is much smaller than their client list so when they send out a Mass E-mail to their clients it can take quite a while to arrive).

    Thanked by 3: rds100, Infinity, Oliver
  • @KuJoe said: Alternatively, don't rely on WHMCS

    I don't :) I waited for the LET whining to start

    Thanked by 1: Oliver
  • @KuJoe said: For those of you who didn't get the e-mail, check your spam filters.

    Not had any emails at all, I use Google Apps for my personal mail.

    I also don't use my WHMCS installation on a public URL, it's used for backend client/services management and invoicing only (which I then manually email out).

  • Nothing in SPAM here (I use Google Apps also). Judging by the look of it nobody got an email; it doesn't take this long to send out, I don't care how big their client base is.

  • Taz Member
    edited October 2012

    @GetKVM_Ash said: Nothing in SPAM here (I use Google Apps also). Judging by the look of it nobody got an email; it doesn't take this long to send out, I don't care how big their client base is.

    If you consider WHT big, and 80% of WHT members were hosts at some point in their lives (which is most likely), and WHT has only a fraction of all the hosts out here, and more than 90% of hosts out here use WHMCS, then WHMCS's client base is HUGE!

  • @GetKVM_Ash said: Judging by the look of it nobody got an email; it doesn't take this long to send out, I don't care how big their client base is.

    I got an email, received at Delivery-date: Fri, 05 Oct 2012 15:12:12 -0400

    From: WHMCS Limited 
    Subject: WHMCS Security Alert
    Reply-To: noreply @ whmcs.com
    Precedence: bulk
    Sender: 
    Date: Fri, 05 Oct 2012 19:12:09 +0000
    
  • Patrick Member
    edited October 2012

    Just got mine too, a few mins ago. They need a better mail system, since notifying about a security alert should be done within minutes of it being patched, or with a large message like HostBill has when a new update is available.

  • I see no reason to not just go with HostBill.

  • @miTgiB said: I got an email, received at Delivery-date: Fri, 05 Oct 2012 15:12:12 -0400

    Thank you for confirming, I still have nothing yet.

    All I was getting at is that in the amount of time it's taking them to get these out there, a lot of hosts could have been compromised due to releases on forums.

    Clients should be hearing things first from WHMCS directly. I mean, don't get me wrong, I'm glad Martin posted this, otherwise I wouldn't have a clue personally, but a lot of people that don't need to know (non-clients & skiddys) know as well.

  • jarjar Patron Provider, Top Host, Veteran

    Thanks for the heads up. You can never be too cautious.

  • Just got mine

  • MartinD Member
    edited October 2012

    What I find amusing is people moaning and complaining about WHMCS releasing software that has bugs/security issues that they haven't checked. Surely then, if people think this, they will have checked their own systems for issues...including software they're running, no?

    Just a thought really. Can't moan about these things as we're all just as guilty.

  • joepie91 Member, Patron Provider
    edited October 2012

    @MartinD said: What I find amusing is people moaning and complaining about WHMCS releasing software that has bugs/security issues that they haven't checked. Surely then, if people think this, they will have checked their own systems for issues...including software they're running, no?

    Yeah, great idea.

    ... only WHMCS uses Ioncube to encode their source, so you can't check it out for yourself.

    Yeah. Great idea, that Ioncube thing.

  • @joepie91 said: Yeah, great idea.

    ... only WHMCS uses Ioncube to encode their source, so you can't check it out for yourself.

    Yeah. Great idea, that Ioncube thing.

    You can buy WHMCS fully decrypted

  • @Spencer said: You can buy WHMCS fully decrypted

    You can...?

    Thanked by 1: Randy
  • MartinD Member
    edited October 2012

    Doesn't really matter. We're all responsible for the security of our own systems so if we can't verify the security of the software being used, we're no better than WHMCS.
