Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


How to Block WHMCS licensedebug
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

How to Block WHMCS licensedebug

raindog308raindog308 Administrator, Veteran
edited March 2013 in Tutorials

So I was recently reminded (thanks @Spencer) that if you call any WHMCS .php with ?licensedebug&forceremote, you get back some info that frankly I'm not wild about giving out. For example:

Performing Remote Check: Array ( [licensekey] => MYLICENSEKEY [domain] => MYDOMAIN [ip] => MYIP [dir] => /home/SOMEUSER/public_html ) 
Raw Remote Response: Active MY_WHMCS_RESELLER 2 Monthly Lease DATE_LEASED Monthly MYDOMAIN MY_IP /home/SOMEUSER/public_html SOME_HASH MY_WHCMS_VERSION
Remote Check Completed

Some of that is obvious public - domain name, IP address. I don't think WHMCS version is, and why give it out? Also, the absolute path on the server (/home/SOMEUSER) is needlessly exposed, as is the name of the company I leased WHMCS through, etc.

Nothing really OMG but when in doubt, why needlessly expose?

I looked and apparently the licensedebug is in ioncube'd code:

# grep -R licensedebug *
#

So you can't modify the php directly...which means an alternative is to create a mod_security rule that blocks that. In this case, here is what I put in:

# don't allow people to see whmcs sensitive configs
SecRule ARGS_GET_NAMES licensedebug phase:2,block,id:102

This results in

Not Acceptable

An appropriate representation of the requested resource /index.php could not be found on this server.

Curious if this is the best way to do this or if I'm going to break something else in WHMCS.

Comments

  • RewriteRule

  • erhwegesrgsrerhwegesrgsr Member
    edited March 2013

    How about using RewriteEngine and just serving them the page without it?

    EDIT:

    @rds100 said: RewriteRule

    Ah, beat me to it

  • raindog308raindog308 Administrator, Veteran

    @Jack said: Is this a guide or are you asking for help?

    Both...offered a solution but always open to better ideas.

  • I remember now, there was another trick. Add this in configuration.php:


    if ( isset($_GET['licensedebug']) ) die('Please use http://www.whmcs.com/members/verifydomain.php');
  • @Jack well, use your imaginations and add rules for whatever else you want to block :)

  • superpilesossuperpilesos Member
    edited March 2013

    Add to the top of configuration.php

    if(isset($_GET['licensedebug'])) {
        exit;
    }
    

    .. late again.

  • raindog308raindog308 Administrator, Veteran

    I like the configuration.php solution.

    Imaginary thanks button click to @rds100, @Jack

  • Interesting though what would happen if the licensedebug is passed via POST, not GET.
    I'm too lazy to try it now... ;-)

  • superpilesossuperpilesos Member
    edited March 2013

    @rds100 said: Interesting though what would happen if the licensedebug is passed via POST, not GET.

    I'm too lazy to try it now... ;-)

    I tested with curl,doesn't work with POST.

  • natestammnatestamm Member
    edited March 2013

    @raindog308 if you go htaccess please make sure to consider httpS .. some parties involved in this thought they made a good fix but well /checks yeah.. *And check your DNS zone settings as well. Don't trust your wild cards, et al. Just pointing in the right direction here. Htaccess can still handle the job. But people trust it thinking they're addressing requests more directly blah blah, Point is you need to have some black on your hat to figure this right away. Do we need to break out burp suite here /cracksknuckles

  • DotALDotAL Member

    @rds100 said: Interesting though what would happen if the licensedebug is passed via POST, not GET.

    I'm too lazy to try it now... ;-)

    If the WHMCS developers did not use the global variable $_REQUEST[] then POST wont work ;)

  • jeff_lfcvpsjeff_lfcvps Member
    edited March 2013

    foreach(array("licensedebug", "forceremote", "revokelocal") as $junk => $name) { if (isset($_GET[$name])) { exit("Meh"); } }

    A short and sweet way!

  • AdducAdduc Member

    An alternative implementation:

    $keys = array("licensedebug", "forceremote", "revokelocal");
    if(count(array_combine($keys, array_keys($_GET))) {
        exit("This feature has been disabled due to security concerns.");
    }
    
  • header("Location: ". preg_replace("/[&?]/", "", $_SERVER['REQUEST_URI'])); exit; joking..

  • joepie91joepie91 Member, Patron Provider

    @natestamm said: header("Location: ". preg_replace("/[&?]/", "", $_SERVER['REQUEST_URI'])); exit; joking..

    Oh man, I can see a rule like this wreaking so much havoc.

  • I guess now we have one less way to find out if someone is using a nulled license...

  • @zhuanyi said: I guess now we have one less way to find out if someone is using a nulled license...

    http://www.whmcs.com/members/verifydomain.php

  • Awmusic12635Awmusic12635 Member, Host Rep

    ^^

Sign In or Register to comment.