WHMCS Security Update

Spencer (Member)
edited May 2012 in General

There is a WHMCS security update:
http://forum.whmcs.com/showthread.php?47828-Security-Patch

Do it fast before the scanners get ya.


Comments

  • Thank you :D

  • rds100 (Member)

    How sure are we that it is Matt who has posted this and uploaded the patch? ;-)

  • Spencer (Member)
    edited May 2012

    @rds100 said: How sure are we that it is Matt who has posted this and uploaded the patch? ;-)

    It was on their Twitter, which he had control over. And it's in the same writing style as his other posts.

    But I see what you are saying.

  • rds100 (Member)

    He should consider PGP signing his posts / patches / software from now on. And keep his PGP keys in a safe place of course.

  • FRCorey (Member)

    You would think they would do this as a point release so people would see there's an update in the WHMCS itself. Thanks for posting.

  • Spencer (Member)

    @FRCorey said: You would think they would do this as a point release so people would see there's an update in the WHMCS itself. Thanks for posting.

    No problem. He is e-mailing them out too, but that could take forever. And I would hate for anybody to get their DB hacked because well that would suck.

  • qenox (Member)

    Just had it confirmed by Matt; it's legit and takes care of a blind SQL exploit disclosed earlier yesterday.

  • qps (Member, Host Rep)

    I also received verification from a support ticket I opened that the patch is legit.

  • You know what this means..

    WHMCS was hacked again.

  • William (Member)

    @Daniel said: WHMCS was hacked again.

    Well.... no comment

  • sshVM (Member)

    http://www.greensql.net/

    GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy and has built in support for MySQL and PostgreSQL.

    Any review/suggestion about this?

  • Spencer (Member)
    edited May 2012

    @sshVM said: http://www.greensql.net/

    GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy and has built in support for MySQL and PostgreSQL.

    Any review/suggestion about this?

    Hmm I might give that a try on my test WHMCS and see how it goes. That is an interesting idea.

    Edit
    I think it is an abandoned project.

  • V7Host (Member)

    Is their website down for anyone else? Can't seem to load their forum or website.

  • HC_Ro (Member)
    edited May 2012

    Their site is down. I am unable to get the patch.

    Anyone know if its for 4x or just 5x?

    edit* I guess per WHT some are having errors and license validation issues with it, but probably because they are offline. Perhaps a well-timed DDoS on an immediate patch being pushed out.

    Guess I will wait =\

  • AlexBarakov (Patron Provider, Veteran)

    @HC_Ro said: Their site is down. I am unable to get the patch.

    Anyone know if its for 4x or just 5x?

    It's for both... I am trying to get it as well. I guess someone decided to DDoS them while playing with the SQLi.

  • FRCorey (Member)

    Could open a ticket with WHMCS and ask them what's the longest variable for a post within WHMCS and update Suhosin to reject anything that long. Usually that's how most attacks work, by overflowing a buffer or a large post length.
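The thread above mentions two things a practitioner can actually look for: the probes that a blind SQL injection scanner leaves in the web server access log (the "scanners" Spencer warns about, and the blind SQLi qenox confirmed the patch addresses), and the oversized parameter values that a Suhosin length cap like the one FRCorey suggests would reject. The script below is an added example, not code from the thread, from WHMCS or from Suhosin. It parses constructed Apache combined-format log lines; the paths, parameter names, IPs, user agents and the 256-byte cap are assumptions, not WHMCS's real endpoints or limits.

```python
"""Added example, not code from the thread or from WHMCS: scan web-server
access-log lines for the traces a blind SQL injection scanner leaves
(boolean AND 1=1 / AND 1=2 pairs, SLEEP/BENCHMARK timing probes) and for
oversized parameter values of the kind a Suhosin length cap would reject.
The log lines are constructed for this example; the paths, parameter
names and the 256-byte cap are assumptions, not WHMCS's real values."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [21/May/2012:10:01:02 +0000] "GET /viewinvoice.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2012:10:01:03 +0000] "GET /viewinvoice.php?id=12%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '203.0.113.7 - - [21/May/2012:10:01:04 +0000] "GET /viewinvoice.php?id=12%20AND%201%3D2 HTTP/1.1" 200 4871 "-" "sqlmap/1.0"',
    '203.0.113.7 - - [21/May/2012:10:01:09 +0000] "GET /viewinvoice.php?id=12%20AND%20SLEEP%285%29 HTTP/1.1" 200 5120 "-" "sqlmap/1.0"',
    '198.51.100.9 - - [21/May/2012:10:02:00 +0000] "GET /clientarea.php?action=details HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/May/2012:10:02:05 +0000] "GET /viewinvoice.php?id=12%27%20AND%20BENCHMARK%285000000%2CMD5%281%29%29%23 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '192.0.2.33 - - [21/May/2012:10:03:00 +0000] "GET /viewinvoice.php?id=' + "A" * 300 + ' HTTP/1.1" 200 5120 "-" "curl/7.22.0"',
])

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Time-based probes (the response is delayed when the injected condition holds)
# and boolean-based probes (a true/false pair whose responses differ in size).
SQLI_PATTERNS = [
    ("time-based", re.compile(r"\b(SLEEP|BENCHMARK|PG_SLEEP)\s*\(", re.I)),
    ("boolean-based", re.compile(r"\b(AND|OR)\s+\d+\s*=\s*\d+\b", re.I)),
]

# Assumed cap; the thread's advice is to ask WHMCS what the real longest value is.
MAX_VALUE_LENGTH = 256


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes, so 'id=12%20AND%201%3D1' becomes ('id', '12 AND 1=1');
    # matching before decoding would miss every encoded probe.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return (label, parameter, detail) findings for one parsed record."""
    findings = []
    for name, value in rec["params"]:
        for label, pat in SQLI_PATTERNS:
            if pat.search(value):
                findings.append((label, name, value))
        # A length cap only catches payloads longer than the cap; the SQLi
        # probes above are all well under 256 bytes and pass this check.
        if len(value) > MAX_VALUE_LENGTH:
            findings.append(("oversize-value", name, len(value)))
    return findings


def scan(log_text):
    """Map each source IP to its findings; IPs with no findings are omitted."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            hits.setdefault(rec["ip"], []).extend(findings)
    return hits


def suspicious_ips(hits, threshold=2):
    """IPs with at least `threshold` findings: one hit may be a typo, a series is a scanner."""
    return sorted(ip for ip, findings in hits.items() if len(findings) >= threshold)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, findings in hits.items():
        print(ip)
        for finding in findings:
            print("   ", finding)
    print("likely scanners:", suspicious_ips(hits))
```

Run against a real log, the thing to act on is the per-IP series (the AND 1=1 / AND 1=2 pair with different response sizes is exactly how a boolean blind scanner confirms injection), not any single line. The oversize check is there to show what a Suhosin-style cap does and does not cover: it would have stopped the 300-byte value and none of the short probes.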

  • MrDOS (Member)

    On a semi-related note, the site needs updating.

  • PhilND (Member)

    Site is down... God, better start pulling WHMCS down!

  • jar (Patron Provider, Top Host, Veteran)

    This movie just doesn't want to end.

  • HC_Ro (Member)
    edited May 2012

    Their site is up but very slow in case anyone needs to grab the patch

    http://forum.whmcs.com/showthread.php?47828-Security-Patch&p=224696#post224696

    edit* It looks like Matt is re-uploading the patch, as mine did not match one of the mirrors I looked at: http://www.webhostingtalk.com/showpost.php?p=8154000&postcount=88

    May want to go re-download it if you went in early.
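Two points in this thread come down to the same check on the downloaded file: rds100's wish that Matt would PGP-sign the patches, and HC_Ro's observation that his copy of the patch did not match a mirror. The script below is an added example, not code from the thread or from WHMCS. It hashes several copies of a patch archive with SHA-256, groups identical copies together so the odd one out is obvious, and compares one copy against a published digest with a constant-time comparison. The file names and contents are constructed stand-ins created in a temporary directory so the script runs offline; no real patch bytes or digests are involved.

```python
"""Added example, not from the thread or from WHMCS: compare several
downloaded copies of a patch archive by SHA-256 and check one of them
against a vendor-published digest. The files are created here with
constructed contents so the script runs offline; the names are assumptions."""
import hashlib
import hmac
import os
import tempfile


def sha256_of(path, chunk=1 << 16):
    """Stream the file in chunks so a large archive need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_by_digest(paths):
    """Return {digest: [paths]}; a divergent copy ends up alone in its own group."""
    groups = {}
    for p in paths:
        groups.setdefault(sha256_of(p), []).append(p)
    return groups


def matches_published(path, published_hex):
    """Compare the file's digest with a digest copied from the vendor's post.

    compare_digest is constant-time; the strip()/lower() tolerate the whitespace
    and case differences that creep in when a hex string is copied by hand."""
    return hmac.compare_digest(sha256_of(path).lower(), published_hex.strip().lower())


def build_sample_copies(directory):
    """Constructed stand-ins for the first upload ('v1') and the re-upload ('v2')."""
    v1 = b"<?php /* constructed stand-in for patch v1 */ ..."
    v2 = b"<?php /* constructed stand-in for patch v2 */ ..."
    contents = {"vendor.zip": v2, "mirror_a.zip": v2, "mirror_b.zip": v1}
    paths = []
    for name, body in contents.items():
        p = os.path.join(directory, name)
        with open(p, "wb") as f:
            f.write(body)
        paths.append(p)
    return paths


def run_demo():
    """Create the copies, group them, and check the vendor copy against a digest
    read from mirror A. Returns plain values so the result can be inspected."""
    with tempfile.TemporaryDirectory() as d:
        paths = build_sample_copies(d)
        groups = sorted(
            sorted(os.path.basename(p) for p in ps)
            for ps in group_by_digest(paths).values()
        )
        vendor = os.path.join(d, "vendor.zip")
        published = sha256_of(os.path.join(d, "mirror_a.zip"))
        stale = sha256_of(os.path.join(d, "mirror_b.zip"))
        return {
            "groups": groups,
            "vendor_matches_a": matches_published(vendor, published),
            # same digest, but upper-cased and padded the way a pasted value often is
            "vendor_matches_a_sloppy": matches_published(vendor, "  " + published.upper() + "\n"),
            "vendor_matches_b": matches_published(vendor, stale),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

A hash match across mirrors only proves the copies are byte-identical; it says nothing about who produced them, which is the gap rds100's PGP suggestion would close (a detached signature checked with gpg --verify against a key obtained before the incident). Until the vendor publishes a digest or a signature, the most you can do is prefer the copy on the vendor's own forum and re-hash after any re-upload, as HC_Ro suggests.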

  • onepound (Member)
    edited May 2012

    There is a mirror of the patch on WHT: http://www.webhostingtalk.com/showpost.php?p=8153735&postcount=19

    This is for v1 of the patch.

  • Would appear the patch has been updated to correct MySQL connection errors; just re-applied the patch and it fixes the errors I was seeing too.

    Full story on WHT http://www.webhostingtalk.com/showthread.php?t=1159268

  • vedran (Veteran)

    They patched the patch?

  • vld (Member)

    Another patch to patch the patch the patch to patch will come, shortly. Trust me.

  • KuJoe (Member, Host Rep)

    @vld said: Another patch to patch the patch the patch to patch will come, shortly. Trust me.

    Isn't that what development is all about? :P

  • @vedran said: They patched the patch?

    No official word from Matt that I can find; the file sizes are different, and the 2nd one I've downloaded fixes the MySQL errors.

  • rds100 (Member)

    I understand that all software has bugs but this is getting stupid now. dbconnect.php was patched in mid October 2011. And today - twice? Open the f*in software, Matt, remove the ioncube encoding, we want to do our own auditing. Why wasn't the file thoroughly reviewed the last time in the first place...

  • KuJoe (Member, Host Rep)

    @rds100 said: Why wasn't the file thoroughly reviewed the last time in the first place...

    Have you ever audited your own code? There's a reason why it's not allowed in most environments. It's like an author editing their own book, it's pointless.

  • KuJoe (Member, Host Rep)
    edited May 2012

    I also find it funny how everybody was pissed that they were hacked and their WHMCS was vulnerable, now they release patches to fix security exploits and people are pissed at the patches. Use another script if you don't like WHMCS but don't attack them for doing their jobs.

  • @KuJoe 100% agreed.
