WHMCS Security Advisory 2020-01-28
Just received the following mail:
https://www.whmcs.com/members/mailings/?k=security-advisory-2020-01-28
Hello,
We are writing to advise you of a potential security vulnerability when htaccess directives are not enforced appropriately for WHMCS. This most commonly occurs in web server environments such as nginx.
Affected Versions
WHMCS 6.0 and later
How to tell if you're affected
If the following file is readable from a web browser, then you need to investigate and apply appropriate configurations for your web server environment.
https://www.example.com/path/to/whmcs/vendor/composer/LICENSE
A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.
How to fix the vulnerability
Please follow the instructions provided in the detailed security advisory:
WHMCS Security Advisory 2020-01-28
WHMCS is here to help; if you are unsure whether your system is enforcing .htaccess directives, you can open a support ticket for assistance.
Kind regards,
WHMCS
Somehow the mail looks suspicious to me. It's somehow unclear why I should execute an ionCube-encrypted script on the server just to check if public access to the mentioned directory is possible; it reminds me of the hack of WHMCS Global Services.
Comments
Commented on "the other place".
The fact that the only thing between exploitable code and the world is an .htaccess file is insane.
People are running this on shared hosting instead of a separate environment, which is equally bad.
Yeah, got the same e-mail. The fix is easy: if you run NGINX, just add this to your server configuration file, where billing is the path of your WHMCS installation.
Then do a systemctl reload nginx.
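The advisory's "is vendor/composer/LICENSE readable" check and the nginx rule the comment above refers to, as one added example that is neither WHMCS's verification tool nor the commenter's snippet: a POSIX shell script that fetches the file with curl, classifies the HTTP status code, and prints an assumed nginx location block when the file comes back with a 2xx. The base URL https://www.example.com/billing, the /billing install path and the script name are assumptions for illustration; the only path it probes is the one the advisory names.

```shell
#!/bin/sh
# Added example, not WHMCS's verification tool: probe whether the WHMCS
# vendor/ directory is served directly (the symptom the advisory describes)
# using nothing but curl, and print a suggested nginx fix when it is.
# The base URL and the /billing install path are assumptions.

# Join a base URL and a relative path without producing a double slash.
join_url() {
    base="${1%/}"
    path="${2#/}"
    printf '%s/%s\n' "$base" "$path"
}

# Map an HTTP status code to a verdict. A 2xx means the web server handed
# the file out; 403/404 means it was denied or not served. Redirects and
# other codes get no automatic verdict, so look at those by hand.
classify_status() {
    case "$1" in
        2[0-9][0-9]) echo EXPOSED ;;
        403|404)     echo BLOCKED ;;
        000)         echo UNREACHABLE ;;
        *)           echo UNKNOWN ;;
    esac
}

# GET one URL, discard the body and return the verdict for its status code.
# No -L: a redirect is reported as UNKNOWN rather than followed blindly.
probe() {
    status="$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null)" \
        || status=000
    classify_status "$status"
}

# Assumed nginx equivalent of the .htaccess deny rule. Regex locations are
# matched in order, so this block must come before any "location ~ \.php$"
# handler, otherwise a request for vendor/.../*.php is still passed to PHP.
nginx_fix() {
    cat <<'EOF'
# inside the server { } block that serves WHMCS; /billing is the assumed path
location ~ ^/billing/vendor/ {
    deny all;
}
EOF
}

# Usage: sh whmcs-vendor-check.sh https://www.example.com/billing
main() {
    base="${1:-https://www.example.com/billing}"
    url="$(join_url "$base" vendor/composer/LICENSE)"
    verdict="$(probe "$url")"
    echo "$url -> $verdict"
    if [ "$verdict" = EXPOSED ]; then
        echo "vendor/ is web-readable; suggested nginx rule:"
        nginx_fix
        exit 1
    fi
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it with the URL of your own installation; an exit status of 1 means the file was served. After adding the location block, reload nginx and run the probe again: it should report BLOCKED. A 200 on the LICENSE file only shows that vendor/ is not protected; whether anything under it is dangerous depends on what else the web server will execute from that tree.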
How is that insane? That would be the same as saying the only thing between my house and a burglar who wants to break in is a door.
The issue is only with non-Apache web servers. For Apache, if you run a newer WHMCS version (which you should), the .htaccess file is already in place. Unless you've set the global config to ignore it, of course, you should be OK.
This is mostly for NGINX which is a lot better than Apache, shame they still don't officially support it.
LMFTFY
My house has guns and cameras. I suppose you can do that with a web server in a way, but most people don't.
I have a hamster that looks after the place when I am gone.
I also received that email, and after doing the verification no vulnerability was found.
Scary stuff, for something so simple, you'd think they'd cover this initially.
While I applaud them for making the statement, I have to say I'm not really sure that I would've put it out like that. Given how common it is for self-hosted applications, specifically PHP applications, to ship with necessary security measures on a default .htaccess file, they really shouldn't be taking a reputation hit for it. Tons of applications ship this way, and if you don't use Apache you have to secure them separately.
How is this issue exploitable? What can be gained if it is exploited? Is it High Risk?
No congrats on your first post