WHMCS Security Advisory

Awmusic12635

http://blog.whmcs.com/?t=72051

Just got the email:

 ========================================
WHMCS Security Advisory for 4.x, 5.0, 5.1
http://blog.whmcs.com/?t=72051
========================================

WHMCS has released new patches for the 4 series, 5.0 and 5.1 minor releases.
These updates provide targeted changes to address security concerns with the
WHMCS product. If you are not running the WHMCS 5.2, you are highly encouraged
to update immediately.

WHMCS has rated these updates as including critical or important security
impacts. Information on security ratings is available at
http://docs.whmcs.com/Security_Levels

++++++++++++
Releases
++++++++++++
The following full-release version of WHMCS have been published and address all
known vulnerabilities:
5.1.6

The latest public releases of WHMCS are available inside our members area at
https://www.whmcs.com/members/clientarea.php

++++++++++++++++++++++++++++++++++++
Security Issue Information
++++++++++++++++++++++++++++++++++++
The resolved security issue was identified by Dinesh Kumar Mohanty of Ultra Web
Solutions Private Limited, India. There is no reason to believe that these
vulnerabilities are known to the public. As such, WHMCS will only release
limited information regarding the vulnerabilities at this time.

Once sufficient time has passed to allow WHMCS customers to update their
installed software, WHMCS will release additional information regarding the
nature of the security issue. These Targeted Security Releases and Patches
address 1 vulnerability in WHMCS version 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 5.0, and
5.1. Additional, supplemental information is scheduled to be released May 28th,
2013.

++++++++++++
Mitigation
++++++++++++

------------------
WHMCS Version 4.x
------------------
Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 4.x series are located on the WHMCS
site as itemized below.

4.0 series: http://www.whmcs.com/download/258/v403patch
4.1 series: http://www.whmcs.com/download/262/v413patch
4.2 series: http://www.whmcs.com/download/266/v422patch
4.3 series: http://www.whmcs.com/download/270/v432patch
4.4 series: http://www.whmcs.com/download/274/v443patch
4.5 series: http://www.whmcs.com/download/278/v454patch

To apply the patch, simply download the appropriate patch file specific to the
WHMCS version you are running, extract the contents, and upload the files from
the /whmcs/ folder to your installation.

No install or upgrade process is required.

------------------
WHMCS Version 5.x
------------------
Download and apply the appropriate full-version or patch of WHMCS to protect
against these vulnerabilities.

Full-version and patches for the affected version of the 5.x series are located
in the WHMCS members area download section, under your license details.

v5.0.5 (patch only)
v5.1.6 (full-version and patch)

When updating from v5.0.4 or v5.1.5, the upgrade process is not required. To
apply the full-version or patch, simply download the appropriate file specific
to the WHMCS version you are running, extract the contents, and upload the files
from the /whmcs/ folder to your installation.

================================================================================

WHMCS Limited
www.whmcs.com

- Support: http://support.whmcs.com/
- Documentation: http://docs.whmcs.com/
- Members Area: http://www.whmcs.com/members/

What do you think it is this time?

qhoster

WHMCS give us a break Seems they will have a monthly security patches now

NYCServers_Nick

Another month, another patch. Got the email as well.

Noerman

@qhoster said: WHMCS give us a break

So true.

BlueVM

It looks like if you have 5.2 already you don't have to update.

Nick_A

Yeah just use 5.2.

RobertClarke

@Nick_A said: Yeah just use 5.2.

unused

So is 5.2 stable/working out for everyone then?

OttoYiu

How many times do they have to patch dbconnect.php?

rds100

Damn they should at least start publishing md5 checksums of these patches. God knows how many different patches with the same version number will be released this time.

rds100

@Nick_A said: Yeah just use 5.2.

There is a patch for 5.2 too - version 5.2.4, released on 23rd of April, 2013.

concerto49

@OttoYiu said: How many times do they have to patch dbconnect.php?

At least they are admitting flaws and patching rather then sitting and letting us users die.

rds100

We don't really know if dbconnect.php is the problem - it may be changed just to bump the version number.

DamienSB

@OttoYiu said: How many times do they have to patch dbconnect.php?

This file holds the version numbers i belive. it was the cart.php file this time.

qps

Has anyone rolled out the 5.1.6 patch yet? If so, any issues?

Nick_A

@rds100 said: There is a patch for 5.2 too - version 5.2.4, released on 23rd of April, 2013.

Not a security patch AFAICT

rds100

@Nick_A don't know what's changed there, but it was released at the same time as the patches for the previous versions. Who knows.

OttoYiu

@DamienSB said: This file holds the version numbers i belive. it was the cart.php file this time.

Ah, yes, that makes much more sense.

qps

We updated from 5.1.5 to 5.2.4. It killed one of our fraud addon modules, but after removing it we're back up and running.

superpilesos

I upgraded my sites from 5.1.5 to 5.1.6. Nothing is broken, first time, congratulations whmcs team.

joepie91

Ah, it's that time of the... week again.