How to Block WHMCS licensedebug
So I was recently reminded (thanks @Spencer) that if you call any WHMCS .php with ?licensedebug&forceremote, you get back some info that frankly I'm not wild about giving out. For example:
    Performing Remote Check: Array
    (
        [licensekey] => MYLICENSEKEY
        [domain] => MYDOMAIN
        [ip] => MYIP
        [dir] => /home/SOMEUSER/public_html
    )
    Raw Remote Response: Active MY_WHMCS_RESELLER 2 Monthly Lease DATE_LEASED Monthly MYDOMAIN MY_IP /home/SOMEUSER/public_html SOME_HASH MY_WHCMS_VERSION
    Remote Check Completed

Some of that is obviously public - domain name, IP address. I don't think WHMCS version is, and why give it out? Also, the absolute path on the server (/home/SOMEUSER) is needlessly exposed, as is the name of the company I leased WHMCS through, etc.
Nothing really OMG but when in doubt, why needlessly expose?
I looked and apparently the licensedebug is in ioncube'd code:
    # grep -R licensedebug *
    #
So you can't modify the php directly...which means an alternative is to create a mod_security rule that blocks that. In this case, here is what I put in:
    # don't allow people to see whmcs sensitive configs
    SecRule ARGS_GET_NAMES licensedebug phase:2,block,id:102

This results in:

    Not Acceptable
    An appropriate representation of the requested resource /index.php could not be found on this server.
Curious if this is the best way to do this or if I'm going to break something else in WHMCS.
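To see whether anyone requested `?licensedebug` before the rule went in, and whether the rule is now answering such requests, the web server access log can be audited. This is an added example, not part of the original post: it assumes Apache/nginx "combined" log format, and the function name, sample log lines and addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# 406 is what the rule in the post returned; 403 is the usual deny status.
BLOCKED = {"403", "406"}

def find_licensedebug_hits(lines, needle="licensedebug"):
    """Return one dict per request whose query string has a parameter
    name containing `needle` (unanchored, like the SecRule in the post).
    Names are URL-decoded and lowercased, so the audit is slightly
    broader than the rule itself."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        # keep_blank_values: "?licensedebug" has a name but no "=value"
        names = [k.lower() for k, _ in parse_qsl(url.query, keep_blank_values=True)]
        if any(needle in n for n in names):
            hits.append({"ip": m["ip"], "time": m["ts"], "path": url.path,
                         "status": m["status"],
                         "blocked": m["status"] in BLOCKED})
    return hits

# Constructed sample lines (documentation address ranges, made-up times).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2014:08:15:02 +0000] "GET /index.php?licensedebug&forceremote HTTP/1.1" 200 512 "-" "curl/7.30"',
    '198.51.100.4 - - [10/Mar/2014:09:01:44 +0000] "GET /cart.php?a=view HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Mar/2014:10:20:31 +0000] "GET /clientarea.php?%6Cicensedebug HTTP/1.1" 406 226 "-" "curl/7.30"',
    'not an access log line',
]

if __name__ == "__main__":
    for h in find_licensedebug_hits(SAMPLE_LOG):
        state = "blocked" if h["blocked"] else "SERVED"
        print(f'{h["time"]} {h["ip"]} {h["path"]} -> {h["status"]} ({state})')
```

Any hit reported as SERVED is a request that was answered rather than blocked.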