    WHMCS security update

    liviuliviu Member
    edited March 2013 in General

    I just stumbled across a fresh post on blog.whmcs.com: WHMCS Security Advisory for 4.x, 5.x
    They say that the patch is fixing 6 security vulnerabilities

    I have no idea if WHMCS sent any email update yet, I just checked my inbox and got none. Perhaps it's on its way.
    update time, I guess


    Comments

    • Oh, not again.
      Let's see how many times they will reissue the same patch this time, until it finally works.

      -

    • 24khost24khost Member
      edited March 2013

      @rds100
      Remember cpanel is in charge now.

    • patch from 5.1.3 to 5.1.4 breaks the transaction log, no payments are recorded after we applied it

      VPSCheap.NET - UNMetered Bandwidth Virtual Servers
    • @VPSCheap_net said: patch from 5.1.3 to 5.1.4 breaks the transaction log, no payments are recorded after we applied it

      Fantastic, we just used that one as well.

    • Do tell this to WHMCS, they should fix it eventually.

      -

    • Well I guess @rds100 is right. Still can't get it right even with Cpanel involved.

    • Why not just write safe code in the first place?

    • @superpilesos said: Why not just write safe code in the first place?

      Because it would result in less profit for the code writer I guess? ;-)

      -

    • @24khost said: Well I guess @rds100 is right. Still can't get it right even with Cpanel involved.

      cPanel are far from perfect themselves and they aren't in charge at WHMCS; Matt still is. They just have a share in the company, I believe.

    • @superpilesos Problem is when they write it, it looks secure. If something changes in the PHP kernel then an exploit is found in a function that they were using. It happens. It happens to most if not all software companies. Apple, Microsoft, RedHat, Ubuntu. It is a fact of life with software.

    • @GetKVM_Ash It sounded like cPanel owned more than Matt does. And that cPanel's coders were going to help get WHMCS back on track.

    • I can confirm that. Another issue is that WHMCS shows "An update is available!" but there isn't any update ready..

      fileMEDIA - Dedify: German Private Cloud @ https://www.dedify.com - CloudStack+XenServer+SSD

    • Down for Maintenance (Err 2)
      An upgrade is currently in progress... Please come back soon...
      

      Is all we get.

    • DamianDamian Member
      edited March 2013

      Fixed that. Now we're on the things that @fileMEDIA mentioned.

      @fileMEDIA: When you go to Help->Check for Updates, what's the version?

    • @Damian Version installed: 5.1.4, Latest Version: 5.1.3. I think the update function checks latest version != installed version and not latest version > installed version.

      fileMEDIA - Dedify: German Private Cloud @ https://www.dedify.com - CloudStack+XenServer+SSD
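
The comparison guessed at in the post above, as an added example that is not part of the thread and is not WHMCS code: an inequality test reports an update for "installed 5.1.4, latest 5.1.3", while an ordered numeric comparison reports a stale update feed instead. The function names and the status strings are assumptions made for this example.

```python
import re

def parse_version(text):
    """Turn '5.1.4' into (5, 1, 4); reject anything that is not dotted integers."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def _padded(a, b):
    """Pad the shorter tuple with zeros so that 5.2 and 5.2.0 compare equal."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))

def naive_update_available(installed, latest):
    """The check guessed at in the post: any difference counts as an update."""
    return latest != installed

def update_status(installed, latest):
    """Ordered comparison that also flags a feed older than the install."""
    inst, feed = _padded(parse_version(installed), parse_version(latest))
    if feed > inst:
        return "update-available"
    if feed < inst:
        return "feed-stale"  # installed is newer than what the feed advertises
    return "up-to-date"

def report(pairs):
    """Return (installed, latest, naive result, ordered result) for each pair."""
    return [(i, l, naive_update_available(i, l), update_status(i, l)) for i, l in pairs]

# Constructed sample pairs; the first is the one quoted in the thread.
SAMPLES = [("5.1.4", "5.1.3"), ("5.1.3", "5.1.4"), ("5.2", "5.2.0"), ("5.1.9", "5.1.10")]

if __name__ == "__main__":
    for row in report(SAMPLES):
        print("installed=%s latest=%s naive=%s ordered=%s" % row)
```

Comparing the raw strings would also go wrong on the last pair, since "5.1.10" sorts before "5.1.9" as text.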

    • Has WHMCS fixed the transaction log issue yet?

    • @Jono20201 they probably don't even know there is a problem, until someone tells them.

      -

    • If it's so important, they should have it as an update when the administrator logs in.

      Your Version 5.1.4
      Latest Version 5.1.3

    • @rds100 said: they probably don't even know there is a problem, until someone tells them.

      Yeah.. that someone is normally me. I sit there for the next hour uploading dbconnect files to my WHMCS install for Matt. -.-

    • @fileMEDIA: did you set up htaccess for your payment notification callbacks?

    • Ash_HawkridgeAsh_Hawkridge Member
      edited March 2013

      Anybody informed WHMCS yet or...

    • fileMEDIAfileMEDIA Member
      edited March 2013

      No, only on the admin dir, but works fine up to 5.1.3..I'll take a few tests..

      fileMEDIA - Dedify: German Private Cloud @ https://www.dedify.com - CloudStack+XenServer+SSD

    • image 5.2.1 is the latest update, anyone else?

    • That wasn't there earlier.. Typical WHMCS. Change this and that, inform nobody.

    • WHMCS ‏@whmcs
      WHMCS v5.2 is out now! Get the latest version at https://whmcs.com/members http://blog.whmcs.com/?t=69406

      32 Minutes ago via Twitter, messy release to say the least

    • KuJoeKuJoe Member, Provider

      This is why I usually wait 6-10 months between updates. :)

      -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
      Need backup space? Check out BackupDragon
    • The WHMCS/Solus interface seems to be perpetually down for maintenance now:

      image

    • JacobJacob Member

      Yup, I learned this when I installed a Beta version of Solus and it ended up screwing up the majority of the database.

      @KuJoe said: This is why I usually wait 6-10 months between updates. :)

      AboveClouds • UK Company • UK Datacentre • UK Customer Support

      High Performance Pure SSD Cloud Hosting with a personal touch

    • @KuJoe said: This is why I usually wait 6-10 months between updates. :)

      You'd wait 6-10 months to put a security update in?

    • vldvld Member
      edited March 2013

      I suggest you install the security update (5.1.4) even though it may have some bugs.

      While the fixed vulnerabilities are not public, this may quickly change. As the patches are now available, someone can decode them and see the vulnerabilities while comparing to the previous, vulnerable versions.

    • KuJoeKuJoe Member, Provider

      @Kairus said: You'd wait 6-10 months to put a security update in?

      I was referring to the new version (5.2.x).

      @vld said: I suggest you install the security update (5.1.4) even though it may have some bugs.

      I'll wait for 5.1.5 until I update. :)

      -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
      Need backup space? Check out BackupDragon
    • jarjar Provider
      edited March 2013

      @Kairus said: You'd wait 6-10 months to put a security update in?

      Plenty of ways to make up for little security flaws besides patching, most of the time.

    • Okay, this upgrade has:

      A) Changed my admin password
      B) Stopped sending email from working

      Password Reset
      There was an error sending the email. Please try again.

      So now I can't access, nor reset my password.

    • AlexBarakovAlexBarakov Member, Provider

      @GetKVM_Ash said: Okay, this upgrade has:

      A) Changed my admin password

      B) Stopped sending email from working

      Password Reset

      There was an error sending the email. Please try again.

      So now I can't access, nor reset my password.

      Restore an old backup of your DB, get your old password (hashed) and replace it with the changed one in your current DB.

      AlphaVPS - OpenVZ and KVM, DDoS Protected VPS in London, UK | Sofia, BG | Nuremberg, DE | NYC, US and LA, US. Cheap Dedicated servers with fast delivery!

    • @GetKVM_Ash said: So now I can't access, nor reset my password.

      Protect the admin path with htaccess and clear the password.

    • So to summarize - this one causes breakage?
      54f39e33b6e508865dc6fcbb0f6bf87b whmcs_v514_patch.zip

      -

    • @Alex_LiquidHost said: Restore an old backup of your DB, get your old password (hashed) and replace it with the changed one in your current DB.

      Tried that, no luck!

    • johnjohn Member

      @Damian said: The WHMCS/Solus interface seems to be perpetually down for maintenance now:

      Also happening on our installation... Anyone know a fix?

      garrisonhost.com
    • KuJoeKuJoe Member, Provider

      @GetKVM_Ash, the 5.1.4 patch broke your admin password??

      -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
      Need backup space? Check out BackupDragon
    • jarjar Provider

      Did everyone get their torches in the mail? This is what we kept them for. Ready? Go!

      image

    • KuJoeKuJoe Member, Provider

      Why people still push updates to production I will never understand. :(

      -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
      Need backup space? Check out BackupDragon
    • @rds100 said: So to summarize - this one causes breakage?

      54f39e33b6e508865dc6fcbb0f6bf87b whmcs_v514_patch.zip

      I installed this and I don't have any problems.

    • @KuJoe said: Why people still push updates to production I will never understand. :(

      wait, you mean people should always keep the same version in production?

    • KuJoeKuJoe Member, Provider

      @Bogdacutuu said: wait, you mean people should always keep the same version in production?

      I mean don't test things in production. Test them in development then after you are done with testing push them to production.

      -Joe @ SecureDragon - LEB's Powered by Wyvern in FL, CO, CA, IL, NJ, GA, OR, TX, and AZ
      Need backup space? Check out BackupDragon
    • @KuJoe I installed it on my dev WHMCS installation, but I can't check if transactions are logged there since... no transactions are happening there :)

      -

    • Nick_ANick_A Top Provider

      Is it confirmed that payments aren't working?

      RamNode: High Performance Cloud VPS
      NYC - LA - ATL - SEA - NL - IPv6 - DDoS Protection
    • @john said: Also happening on our installation... Anyone know a fix?

      They asked for admin access. $deity save us all.

    • @Nick_A said: Is it confirmed that payments aren't working.

      We have not witnessed this issue, and we have received 4 Paypal, 2 gcheckout, and 1 Amazon payment in the last hour; all were recorded.

    • vldvld Member

      @GetKVM_Ash said: Okay, this upgrade has:

      A) Changed my admin password

      B) Stopped sending email from working

      Password Reset

      There was an error sending the email. Please try again.

      So now I can't access, nor reset my password.

      You're talking about v5.2.1, right?

    • @vld said: You're talking about v5.2.1, right?

      Same question.. deciding if I should try update or not.. Will make backups before (instead of relying on our hourly backups).
