Comments
Edit: saw it too.
Put this in configuration.php to patch it:
// Abort the request if invoiceids arrives as an array instead of a single value
if (isset($_REQUEST['invoiceids']) && is_array($_REQUEST['invoiceids'])) { die('no'); }
Guys lets get an external audit performed. Please help by doing the following.
If they start removing posts let's just take this to Twitter and other mediums. This is unacceptable and we need to show them that we've had enough.
edit: nevermind
This is getting ridiculous, I've had to delay the launch of my new site cause of this. Looks like I'm going to get my custom modules ported to a more stable billing system.
shrugs
It's more like, please update your WHMCS everyday.
Oh my god...
Yea I doubt this "external audit" is happening
--Message from WHMCS---
We understand the frustration regarding security that you are having with WHMCS. At WHMCS, it's our desire to take a proactive approach to resolving bugs and preventing security problems in our product. To this point, we have and will continue to conduct both internal and external security audits to further harden and protect our software’s security. While we've been reactive to the recent security problems, it's not how we prefer to operate. The upcoming release of WHMCS, which is currently in beta, will provide over 170 documented bug fixes in our product (http://docs.whmcs.com/Changelog:WHMCS_V5.3).
For any programmers out there, get a product out to replace this as it seems a lot of its users are stuck with it and tired of it.
Haven't googled, is it another SQL injection? There's really no excuses for SQL injections, they should use prepared statements.
The post indicates that SQL injection is possible, but the exploit posted is just to view any invoice.
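The stop-gap patch earlier in the thread only rejects an array-shaped invoiceids parameter; the comment above about prepared statements is the proper fix. The snippet below is an added example, not WHMCS code and not posted by anyone in this thread: it assumes a hypothetical `invoices` table (columns id, userid, total), PDO with SQLite, and an already-authenticated `$clientId`.

```php
<?php
// Added example (hypothetical, not WHMCS code): an invoice lookup that accepts
// a single id or a list of ids, showing the unsafe pattern and a hardened one.

// UNSAFE (hypothetical): values are joined straight into the SQL text, so any
// non-numeric string in the list becomes part of the query, and nothing checks
// that the invoices belong to the requesting client.
function fetchInvoicesUnsafe(PDO $db, $invoiceIds): array
{
    $list = implode(',', (array) $invoiceIds);
    return $db->query("SELECT id, userid, total FROM invoices WHERE id IN ($list)")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: normalise the input to positive integers, bind every value through a
// prepared statement, and scope the result to the authenticated client.
function fetchInvoicesSafe(PDO $db, $invoiceIds, int $clientId): array
{
    $ids = array_values(array_unique(array_filter(
        array_map('intval', (array) $invoiceIds),
        fn(int $id): bool => $id > 0
    )));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT id, userid, total FROM invoices WHERE userid = ? AND id IN ($placeholders)"
    );
    $stmt->execute(array_merge([$clientId], $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, userid INTEGER, total REAL)');
$db->exec('INSERT INTO invoices VALUES (1, 10, 5.00), (2, 10, 7.50), (3, 11, 9.99)');

// Constructed request: client 10 asks for its own invoices 1 and 2, another
// client's invoice 3, and a non-numeric value; the safe lookup drops the last two.
$request = ['invoiceids' => ['1', '2', '3', 'not-a-number']];
print_r(fetchInvoicesSafe($db, $request['invoiceids'], 10));
```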
I like that post, how it talks about bug fixes but not un-fucking their shittastic coding practices and hiding behind the encoded veil.
Update WHMCS every day and you will be safe
Or you can keep WHMCS offline 100% of the time
3 vulnerabilities a month!!!
Hope WHMCS_V5.3 will get through such things
I doubt that, it seems they still didn't get the seriousness of these issues, so far, with no real competition looming over their market share, they can afford to ignore the situation, let's hope their successors will learn from this.
oh again...
New Feature in WHMCS V5.3...spoiler..Full Database Dump in Client Area..I know sounds crazy, but I think it might work to prevent exploits, making it easily available to everyone no reason to exploit. lol
^
I haven't used WHMCS extensively, but IIRC saw a nulled version a while back, as I was interested in domain registrar API implementations. The code looked a little hackish to be fair, cobbled together.
It might be worth a thread to list the main features any alternative software would need.
Here's one choice and a list of its plugins. Monthly leasing price is in the same range as WHMCS
http://www.clientexec.com/plugins.php
end user's perspective: DediDirect used it when I had servers with them and I found it just as user friendly as WHMCS.
It doesn't use stored procedures and it does use register globals.
yeah, it comes across as something that was built in 2007 and then built on top of. so when the surface is scratched, the older more vulnerable code is there to be exploited.
TBH I'd expect better given how widespread their service is used, it certainly seems well funded enough to be able to be more proactive as they claim their intention is.
They should have a rep posting here... LEB providers must add up to a fair few quid a month for them.
It's $15/mo. Even if they have 100 providers here using WHMCS, that's only $1500/mo for a project that probably has a few developers.
Yep. $1500 a month may not pay someone's wage, but it pays for an hour a week to stop by.
I guess you are unfamiliar with the numbers after the recent drama of them being hacked..... the numbers are much larger than that.
I'll just put this right here....
companycheck.co.uk/company/06265962/WHMCS-LIMITED
So the last time he had to report his assets to the U.K. (got to love UK laws), he had $1,060,617.63 US dollars in the bank.
And you can get WHMCS licenses through a reseller much cheaper than WHMCS directly.
www.whmcs.com/resellers/
Patch is out and this time they have even published MD5 checksums of the files. Maybe they have started learning something?
http://blog.whmcs.com
hmm version number did not increment ... anyone else?
And again.... Just patched my WHMCS
I'm on 5.1 and mine increased fine to 5.1.13. But people on the 5.2 branch report it's not increasing for them.
I'm very glad I moved from them a few months back now.