SolusVM V4 WHMCS Module

zafouhar Veteran
edited November 2016 in General

I am not very security orientated but has anyone viewed the latest version of the SolusVM WHMCS Module that they released a few weeks ago?

In my opinion specifying the SolusVM admin username and password as plaintext in a PHP file is absurd in 2016.

And of course I can protect my WHMCS server, but this isn't how security works and I really don't know who in their right mind would do this. And also, what is the purpose of the API username and password if that isn't used?

Or am I failing to understand how their new module works?


Comments

  • @zafouhar said:
    I am not very security orientated but has anyone viewed the latest version of the SolusVM WHMCS Module that they released a few weeks ago?

    In my opinion specifying the SolusVM admin username and password as plaintext in a PHP file is absurd in 2016.

    And of course I can protect my WHMCS server, but this isn't how security works and I really don't know who in their right mind would do this. And also, what is the purpose of the API username and password if that isn't used?

    Or am I failing to understand how their new module works?

    Clearly storing any privileged credentials in plaintext on software with a history of being vulnerable is the most secure thing to do

    Thanked by 1zafouhar
  • @GCat said:

    Clearly storing any privileged credentials in plaintext on software with a history of being vulnerable is the most secure thing to do

    Yeah I guessed that, I guess that they should win the award for developing the most secure software on the planet.

    Here is the related function, since they open-sourced their module, replace ADMINUSERNAME and ADMINPASSOWRD and you are good to go!

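    if ( ! function_exists( 'solusvmpro_AdminLink' ) ) {
        function solusvmpro_AdminLink( $params ) {
            try {
                $solusvm = new SolusVM( $params );

                // Base URL of the SolusVM master, fetched through the module's API wrapper.
                $fwdurl = $solusvm->apiCall( 'fwdurl' );

                // The admin username and password are written into hidden form fields,
                // so they are part of the HTML sent to the browser.
                $code = '<form action="' . ( $fwdurl ) . '/admincp/login.php" method="post" target="_blank">
                <input type="hidden" name="username" value="ADMINUSERNAME" />
                <input type="hidden" name="password" value="ADMINPASSOWRD" />
                <input type="submit" name="Submit" value="Login" />
                </form>';

                // (the posted snippet ends here)
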
    Thanked by 2GCat jh
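
A check an operator can run over rendered admin pages or module templates to catch the pattern in the function posted above: a hidden form field that already carries a password. This is an added example, not part of the thread or of SolusVM's module; the field-name list, the function names and the `solusvm.example.test` host are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Field names treated as secrets (an assumption; extend for your own modules).
SECRET_NAMES = {"password", "passwd", "pass", "pwd", "secret", "token", "api_key"}

class HiddenSecretFinder(HTMLParser):
    """Collects hidden <input> fields that arrive with a secret pre-filled."""

    def __init__(self):
        super().__init__()
        self.form_action = None
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_action = a.get("action", "")
        elif tag == "input":
            name = a.get("name", "").lower()
            hidden = a.get("type", "").lower() == "hidden"
            if hidden and name in SECRET_NAMES and a.get("value", ""):
                # Report location only; never copy the secret into the report.
                self.findings.append({"line": self.getpos()[0], "field": name,
                                      "form_action": self.form_action})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None

def find_hidden_secrets(html):
    """Return one finding per hidden, pre-filled secret field in `html`."""
    finder = HiddenSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample shaped like the form in the post; the host is a placeholder.
SAMPLE_RENDERED = """<form action="https://solusvm.example.test/admincp/login.php" method="post" target="_blank">
<input type="hidden" name="username" value="ADMINUSERNAME" />
<input type="hidden" name="password" value="ADMINPASSOWRD" />
<input type="submit" name="Submit" value="Login" />
</form>"""

# Constructed sample where the operator types the password instead.
SAMPLE_TYPED = '<form action="/login.php" method="post"><input type="password" name="password" /></form>'

if __name__ == "__main__":
    for finding in find_hidden_secrets(SAMPLE_RENDERED):
        print(finding)
```
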
  • May as well tag them for a comment on these excellent security practices @OnApp_Terry - not that they'll respond.

    Thanked by 1GCat
  • MikeA Member, Patron Provider

    "Updated the WHMCS modules and added WHMCS7 support"

    What exactly was updated for WHMCS7 support? I'm using an older version and everything works perfectly fine.

    Thanked by 1zafouhar
  • PHP 7 compatibility

    @MikeA said:

    "Updated the WHMCS modules and added WHMCS7 support"

    What exactly was updated for WHMCS7 support? I'm using an older version and everything works perfectly fine.

    Thanked by 1MikeA
  • AnthonySmith Member, Patron Provider

    @MikeA said:
    "Updated the WHMCS modules and added WHMCS7 support"

    What exactly was updated for WHMCS7 support? I'm using an older version and everything works perfectly fine.

    Because despite having access to the v7 beta for 3 months no one at solusvm thought to test the module with the new version, I can guarantee this because the reason they had to update it was because it did not support php7.

    anyway they will probably just try to sue you and at the very very very least cancel your license now, they do not react well to people decrypting the software.

  • @AnthonySmith said:

    @MikeA said:
    "Updated the WHMCS modules and added WHMCS7 support"

    anyway they will probably just try to sue you and at the very very very least cancel your license now, they do not react well to people decrypting the software.

    Btw their last version of their module is open source :)

  • MikeA Member, Patron Provider

    @seriesn said:
    PHP 7 compatibility

    @MikeA said:

    "Updated the WHMCS modules and added WHMCS7 support"

    What exactly was updated for WHMCS7 support? I'm using an older version and everything works perfectly fine.

    Guess it's a good thing I decided yesterday to not update to PHP7 yet.

  • AnthonySmith Member, Patron Provider
    edited November 2016

    zafouhar said: Btw their last version of their module is open source :)

    wow.

    You can't blame me for not expecting that :)

    Guess they don't care with V2 beta launching in November.

  • @AnthonySmith said:

    zafouhar said: Btw their last version of their module is open source :)

    wow.

    You can't blame me for not expecting that :)

    Guess they don't care with V2 beta launching in November.

    Yes indeed it was unexpected, I can't imagine though what their encrypted code looks like.

    I hope they get a security audit performed before they release v2 beta.

  • jar Patron Provider, Top Host, Veteran
    edited November 2016

    I mean, WordPress stores the DB password in plain text in wp-config.php. To some degree you have to assume that if someone is able to get to the point where they can dump the contents of a file that shouldn't be accessible from a public angle (and you should use web server config to ensure that they are not), then you're compromised either way.

    While I agree that it could/should be better, I just don't think that one detail is going to be the smoking gun in an event.

  • OnApp_Terry Member
    edited November 2016

    @zafouhar said:
    May as well tag them for a comment on these excellent security practices @OnApp_Terry - not that they'll respond.

    The extent of my "programming" is HTML & Excel (with a bit of Crystal reports & Tableau), so I don't have an immediate answer for you. As @Jarland said, I know this isn't uncommon but I will certainly raise the issue with the development team.

  • @OnApp_Terry said:

    @zafouhar said:
    May as well tag them for a comment on these excellent security practices @OnApp_Terry - not that they'll respond.

    The extent of my "programming" is HTML & Excel (with a bit of Crystal reports & Tableau), so I don't have an immediate answer for you. As @Jarland said, I know this isn't uncommon but I will certainly raise the issue with the development team.

    I don't have a programming background either to be honest, I just felt the implementation you have was really strange and not security friendly. But yes indeed, as Jarland pointed out, WordPress does the same thing and many other applications do the same thing as well, so maybe this is normal, but still I don't understand why you don't use the API to perform the login, or does it not support autologin?

    And also can you please update your documentation as to how to install this new Solusvm module?

  • DETio Member
    edited November 2016

    GCat said: Clearly storing any privileged credentials in plaintext on software with a history of being vulnerable is the most secure thing to do

    Not exactly aware of how SolusVM's recent security has been, however the VPS hosting business I used to previously run went under (late 2013) due to an exploit in SolusVM Software that left all our servers inside SolusVM compromised. So the fact that things like this are approved and pushed to production does not come to surprise me.

  • SolusVM Member, Host Rep

    @zafouhar said:
    I am not very security orientated but has anyone viewed the latest version of the SolusVM WHMCS Module that they released a few weeks ago?

    In my opinion specifying the SolusVM admin username and password as plaintext in a PHP file is absurd in 2016.

    And of course I can protect my WHMCS server, but this isn't how security works and I really don't know who in their right mind would do this. And also, what is the purpose of the API username and password if that isn't used?

    Or am I failing to understand how their new module works?

    The admin username and password is only used if you want a login button to the admin area from within the WHMCS admin area. It has nothing to do with the API.

    Thanked by 1vpsGOD
  • Tamerciaga Member, Host Rep

    That solution should be fine if you really want to provide this feature, because almost any other approach will provide the same type of admin access (API keys).

    I've come up with two perfect solutions to improve security, early in the morning:
    1. Force the use of two-factor authentication;
    2. Completely remove this feature, it doesn't really provide a good feature in my opinion.

    Thanked by 1zafouhar
  • Flapadar Member
    edited November 2016

    @Qarizma said:
    That solution should be fine if you really want to provide this feature, because almost any other approach will provide the same type of admin access (API keys).

    I've come up with two perfect solutions to improve security, early in the morning:
    1. Force the use of two-factor authentication;
    2. Completely remove this feature, it doesn't really provide a good feature in my opinion.

    3 - If you see anything that concerns you, make a ticket with them explaining why you think it's bad practice/insecure. They'll probably fix it.

    Thanked by 1vpsGOD
  • @SolusVM said:

    The admin username and password is only used if you want a login button to the admin area from within the WHMCS admin area. It has nothing to do with the API.

    Yes I understand that, but why don't you use the SolusVM API login details to provide that functionality that are already provided?

    Kind of contradicts with each other :)

  • @zafouhar said:

    @GCat said:

    Clearly storing any privileged credentials in plaintext on software with a history of being vulnerable is the most secure thing to do

    Yeah I guessed that, I guess that they should win the award for developing the most secure software on the planet.

    Here is the related function, since they open-sourced their module, replace ADMINUSERNAME and ADMINPASSOWRD and you are good to go!

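    if ( ! function_exists( 'solusvmpro_AdminLink' ) ) {
        function solusvmpro_AdminLink( $params ) {
            try {
                $solusvm = new SolusVM( $params );

                $fwdurl = $solusvm->apiCall( 'fwdurl' );

                $code = '<form action="' . ( $fwdurl ) . '/admincp/login.php" method="post" target="_blank">
                <input type="hidden" name="username" value="ADMINUSERNAME" />
                <input type="hidden" name="password" value="ADMINPASSOWRD" />
                <input type="submit" name="Submit" value="Login" />
                </form>';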

    hoooly sh*t, one view source later and free VPSes for dayzzz

  • Disable the user/pass login. Use the API login instead.

  • Tamerciaga Member, Host Rep

    @Flapadar said:

    @Qarizma said:
    That solution should be fine if you really want to provide this feature, because almost any other approach will provide the same type of admin access (API keys).

    I've come up with two perfect solutions to improve security, early in the morning:
    1. Force the use of two-factor authentication;
    2. Completely remove this feature, it doesn't really provide a good feature in my opinion.

    3 - If you see anything that concerns you, make a ticket with them explaining why you think it's bad practice/insecure. They'll probably fix it.

    I don't use it so I actually don't care. There are better alternatives for SolusVM coming, so it will be EOL soon I predict.

  • moonmartin Member
    edited November 2016

    Anyone using this v4 module on WHMCS v6? Is it a pretty straightforward upgrade from v3? Can I reuse my existing custom.php file?

    Briefly looking at the code, it looks like they added html5 console which I have been waiting for. Making it open source adds some interesting possibilities.

  • zafouhar Veteran
    edited November 2016

    @moonmartin said:
    Anyone using this v4 module on WHMCS v6? Is it a pretty straightforward upgrade from v3? Can I reuse my existing custom.php file?

    Briefly looking at the code, it looks like they added html5 console which I have been waiting for. Making it open source adds some interesting possibilities.

    Unfortunately I have not been able to get it to work successfully, it just doesn't even attempt to connect to the API despite the API logins being correctly specified. v3 works flawlessly with the same API details, so there must be some bug I guess, or it could just be me not configuring it correctly :)

  • SpeedBus Member, Host Rep

    Sorry for the bump, has anyone been able to use this module on WHMCS 7 ? I get blank fields for existing/new products when trying to configure them (Module Settings).. Tried with a new API key as well.

  • AnthonySmith Member, Patron Provider

    SpeedBus said: Sorry for the bump, has anyone been able to use this module on WHMCS 7 ? I get blank fields for existing/new products when trying to configure them (Module Settings).. Tried with a new API key as well.

    I have had 3 people contact me on skype with the same issue, do you have a solusvm ticket number, afaik solusvm have been aware of this for a couple of months at least, maybe @OnApp_Terry can put his size 12's in to push for resolution?

    Thanked by 1SpeedBus
  • Flapadar Member
    edited January 2017

    @AnthonySmith said:

    SpeedBus said: Sorry for the bump, has anyone been able to use this module on WHMCS 7 ? I get blank fields for existing/new products when trying to configure them (Module Settings).. Tried with a new API key as well.

    I have had 3 people contact me on skype with the same issue, do you have a solusvm ticket number, afaik solusvm have been aware of this for a couple of months at least, maybe @OnApp_Terry can put his size 12's in to push for resolution?

    Phill's been about (on their support desk) recently so if you're lucky you might get ahold of him.

  • Mad Member
    edited January 2017

    @SpeedBus said:
    Sorry for the bump, has anyone been able to use this module on WHMCS 7 ? I get blank fields for existing/new products when trying to configure them (Module Settings).. Tried with a new API key as well.

    @SpeedBus @AnthonySmith

    It happens if you do not have the SSL certificates configured properly.

    The alternative fix is available in their documentation:

    https://documentation.solusvm.com/display/DOCS/SSL+Configuration

    Thanked by 1SpeedBus
  • SpeedBus Member, Host Rep

    @AnthonySmith said:

    SpeedBus said: Sorry for the bump, has anyone been able to use this module on WHMCS 7 ? I get blank fields for existing/new products when trying to configure them (Module Settings).. Tried with a new API key as well.

    I have had 3 people contact me on skype with the same issue, do you have a solusvm ticket number, afaik solusvm have been aware of this for a couple of months at least, maybe @OnApp_Terry can put his size 12's in to push for resolution?

    Yeouch, Going to drop them a ticket now :/

  • SpeedBus Member, Host Rep

    @andreamada said:

    @SpeedBus said:
    Sorry for the bump, has anyone been able to use this module on WHMCS 7 ? I get blank fields for existing/new products when trying to configure them (Module Settings).. Tried with a new API key as well.

    @SpeedBus @AnthonySmith

    It happens if you do not have the SSL certificates configured properly.

    The alternative fix is available in their documentation:

    https://documentation.solusvm.com/display/DOCS/SSL+Configuration

    Hmm tried this now, no luck :(

  • @AnthonySmith said:

    SpeedBus said: Sorry for the bump, has anyone been able to use this module on WHMCS 7 ? I get blank fields for existing/new products when trying to configure them (Module Settings).. Tried with a new API key as well.

    I have had 3 people contact me on skype with the same issue, do you have a solusvm ticket number, afaik solusvm have been aware of this for a couple of months at least, maybe @OnApp_Terry can put his size 12's in to push for resolution?

    I will at least get an update for everyone on this. Obviously WHMCS is a critical piece of the ecosystem so if things aren't working there, we need to get that fixed.

    Thanked by 1AnthonySmith