How to Block WHMCS licensedebug
So I was recently reminded (thanks @Spencer) that if you call any WHMCS .php with ?licensedebug&forceremote, you get back some info that frankly I'm not wild about giving out. For example:
Performing Remote Check: Array ( [licensekey] => MYLICENSEKEY [domain] => MYDOMAIN [ip] => MYIP [dir] => /home/SOMEUSER/public_html )
Raw Remote Response: Active MY_WHMCS_RESELLER 2 Monthly Lease DATE_LEASED Monthly MYDOMAIN MY_IP /home/SOMEUSER/public_html SOME_HASH MY_WHMCS_VERSION
Remote Check Completed
Some of that is obviously public - domain name, IP address. I don't think the WHMCS version is, and why give it out? Also, the absolute path on the server (/home/SOMEUSER) is needlessly exposed, as is the name of the company I leased WHMCS through, etc.
Nothing really OMG but when in doubt, why needlessly expose?
I looked and apparently the licensedebug is in ioncube'd code:
# grep -R licensedebug * #
So you can't modify the PHP directly... which means an alternative is to create a mod_security rule that blocks that. In this case, here is what I put in:

# don't allow people to see whmcs sensitive configs
SecRule ARGS_GET_NAMES licensedebug phase:2,block,id:102
This results in
Not Acceptable An appropriate representation of the requested resource /index.php could not be found on this server.
Curious if this is the best way to do this or if I'm going to break something else in WHMCS.
Comments
RewriteRule
How about using RewriteEngine and just serving them the page without it?
EDIT:
Ah, beat me to it
Both...offered a solution but always open to better ideas.
I remember now, there was another trick. Add this in configuration.php:
@Jack well, use your imaginations and add rules for whatever else you want to block
Add to the top of configuration.php
.. late again.
I like the configuration.php solution.
Imaginary thanks button click to @rds100, @Jack
Interesting, though: what would happen if licensedebug is passed via POST, not GET?
I'm too lazy to try it now... ;-)
I tested with curl; it doesn't work with POST.
@raindog308 if you go the htaccess route, please make sure to consider httpS... some parties involved in this thought they made a good fix, but well, /checks, yeah... *And check your DNS zone settings as well. Don't trust your wildcards, et al. Just pointing in the right direction here. Htaccess can still handle the job. But people trust it thinking they're addressing requests more directly, blah blah. Point is you need to have some black on your hat to figure this out right away. Do we need to break out Burp Suite here? /cracksknuckles
If the WHMCS developers did not use the global variable $_REQUEST[], then POST won't work.
// refuse the request if any of the debug switches is present in the query string
foreach (array("licensedebug", "forceremote", "revokelocal") as $name) {
    if (isset($_GET[$name])) {
        exit("Meh");
    }
}
A short and sweet way!
An alternative implementation:
header("Location: ". preg_replace("/[&?]/", "", $_SERVER['REQUEST_URI'])); exit;
joking..Oh man, I can see a rule like this wreaking so much havoc.
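Pulling the thread's ideas together, here is an added example (not code from the thread, from WHMCS, or from any of the posters above) of a guard for the top of configuration.php that covers the POST question raised earlier as well as the raw query string. It assumes, as the configuration.php suggestion above does, that configuration.php is loaded before the license check runs on your WHMCS version; the parameter names are the three mentioned in the thread, and the function name whmcs_find_blocked_param and the 404 response are this example's own choices.

```php
<?php
// Added example for the top of WHMCS configuration.php (not WHMCS code).
// Assumption: configuration.php is included before the license check runs.
// Refuses the debug switches whether they arrive via GET, POST or only in
// the raw query string, and answers with a plain 404 so the probe learns
// nothing about the filter either.

// Parameter names mentioned in the thread; extend as needed.
$whmcsBlockedParams = array('licensedebug', 'forceremote', 'revokelocal');

/**
 * Return the first blocked parameter name found in the request, or null.
 *
 * $get and $post are $_GET / $_POST. PHP stores a bare "?licensedebug" as
 * key => "" so a key check catches both "?licensedebug" and
 * "?licensedebug=1". $queryString is $_SERVER['QUERY_STRING'], scanned
 * raw and case-insensitively so spellings PHP would normalise away
 * (e.g. "LicenseDebug" or percent-encoded letters) are still caught.
 */
function whmcs_find_blocked_param(array $blocked, array $get, array $post, $queryString)
{
    foreach ($blocked as $name) {
        // array_key_exists (not isset) so a NULL value cannot slip through.
        if (array_key_exists($name, $get) || array_key_exists($name, $post)) {
            return $name;
        }
    }

    // Second pass over the decoded raw query string: a whole parameter
    // name at the start or after '&', with or without a value.
    $decoded = rawurldecode((string) $queryString);
    foreach ($blocked as $name) {
        if (preg_match('/(^|&)' . preg_quote($name, '/') . '(=|&|$)/i', $decoded)) {
            return $name;
        }
    }

    return null;
}

$hit = whmcs_find_blocked_param(
    $whmcsBlockedParams,
    $_GET,
    $_POST,
    isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : ''
);

if ($hit !== null) {
    // Leave a trace in the web server error log, then pretend the page
    // does not exist rather than echoing anything WHMCS-specific back.
    error_log(sprintf(
        'blocked WHMCS debug parameter "%s" from %s',
        $hit,
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ));
    header('HTTP/1.0 404 Not Found');
    header('Content-Type: text/plain');
    exit('Not Found');
}
```

The check is kept in a plain function so it can be exercised with curl against the live site (for example `-G -d licensedebug=1` and `-d licensedebug=1` for GET and POST) or unit-tested with hand-built arrays, and the 404 is deliberately chosen over the mod_security 406 above so the response does not advertise that a filter exists.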
I guess now we have one less way to find out if someone is using a nulled license...
http://www.whmcs.com/members/verifydomain.php
^^