WHMCS don't take security seriously

easyhostmedia

So as my title states

I opened a ticket with WHMCS as

Hi

I set up a new VPS with Interworx and set up a plan and then set up server and product in my WHMCS

So I went to set up an account on the Interworx server to test the setup and make sure the new account email looks good.

But on creating the account I just get this

Fatal error: Class 'soapclient' not found in /home/**********/public_html/********/modules/servers/interworx/interworx.php on line 0

So I add Soap to the server that holds my WHMCS and try again, only to get this

Fatal error: Uncaught SoapFault exception: [SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://**.**.**.***:2443/nodeworx/soap?wsdl' : failed to load external entity "https://**.**.**.***:2443/nodeworx/soap?wsdl" ] 0 in /home/**********/public_html/clients/includes/classes/WHMCS/Terminus.php:0 Stack trace: #0 /home/**********/public_html/clients/includes/classes/WHMCS/Terminus.php(0): WHMCS\Terminus::whmcsExceptionHandler() #1 [internal function]: WHMCS\Terminus->whmcsExceptionHandler(Object(SoapFault)) #2 {main} thrown in /home/**********/public_html/clients/includes/classes/WHMCS/Terminus.php on line 0

But naturally https://**.**.**.***:2443/ won't work, as the server with my Interworx is https://***.***.*.**:2443; **.**.**.*** is the IP of the server that holds my WHMCS installation

3 days later I get this reply

Hi Terry,
Thanks for contacting technical support, my apologies for the delayed reply.

I can advise we are aware of an issue with the Interworx module create function. Case #CORE-8723 is open with our developers in order to have this reviewed for future releases. Unfortunately, I cannot provide an estimated time for completion for this. However, once we resolve cases and push features they are available at our change log, here:

http://changelog.whmcs.com/

In the meantime, a user has advised the following workaround was successful for them:
Under Setup > Products/Services > Servers > Edit, changed the Hostname to the IP address of the server
Ensured port 2080 was being used, as opposed to the SSL path of 2443
Unchecked the Force SSL Box.

I apologize for the inconvenience, and appreciate your patience as we work to resolve this.


If we can be of any more assistance, please don't hesitate to get back in contact.
-------
Kind Regards,
John
Technical Analyst II

So they want me to use an insecure connection between servers, because they can't release working software.

So I replied with

So you want me to make an insecure connection between servers.

Well, WHMCS may not take security seriously, but I do, so until this is fixed I expect WHMCS to pick up the tab of my Interworx licence and server cost, as it is WHMCS who have provided a plugin that does not work.

So let's see how they reply to that.

Also, on a second note: do not let WHMCS staff have access to your admin area, ever. The reason I say this is due to this issue

Hi, I would like to thank whoever at WHMCS thought it would be funny to move one of my sites to my other server


24/08/2015 22:26
New Account created.
Domain: *********.co.uk
IP Address: ***.***.***.*** (Shared)
CGI Access: Enabled
Username: *********
Password: ***HIDDEN***
cPanel Theme: x3
Home Directory: /home
Quota: 24,000 MB
Name Server 1: ns1.venus.*********.eu
Name Server 2: ns2.venus.*********.eu
Contact Email: *********.co.uk
Package: root_root_super
Feature List: default
Locale: en

“root” set up the account.

This is from the admin log

Login Time        Last Access       Logout Time       Username    IP Address
24/08/2015 22:19  24/08/2015 22:31  24/08/2015 22:31  wh*****in   **.***.***.**

Because of my server's DNS cluster my ecommerce site is down with http://*********.co.uk/cgi-sys/defaultwebpage.cgi so I will be losing money.
This is not funny, so WHMCS WILL be covering all my losses because of this, and this I can GUARANTEE

So someone from WHMCS accessed my admin area using the admin details provided in one of my tickets to them and moved one of my sites from 1 server to another. Strange no one has answered that ticket. Well, they messed up the DNS zones for the site, so it is down, losing me money.
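
The correlation this post makes by hand (an admin session that was open at the moment the account was created), as an added example that is not part of the original post. The log rows, the account name `vendor-support`, the IP addresses and the allowlist are constructed; only the column order comes from the admin log quoted above.

```python
from datetime import datetime

FMT = "%d/%m/%Y %H:%M"

# Constructed sample rows, in the column order of the admin log in the post.
ADMIN_LOG = """\
Login Time Last Access Logout Time Username IP Address
24/08/2015 09:02 24/08/2015 09:40 24/08/2015 09:41 owner 198.51.100.7
24/08/2015 22:19 24/08/2015 22:31 24/08/2015 22:31 vendor-support 203.0.113.10
"""

# Constructed change events: (timestamp, description).
EVENTS = [
    ("24/08/2015 09:15", "Invoice settings changed"),
    ("24/08/2015 22:26", "New Account created"),
]

SUPPORT_ACCOUNTS = {"vendor-support"}  # hypothetical: logins handed to a vendor
TRUSTED_IPS = {"198.51.100.7"}         # hypothetical: the owner's own addresses


def parse_sessions(text):
    """Turn admin-log rows into session dicts; header/malformed rows are skipped."""
    sessions = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:  # 3 x (date, time) + username + IP
            continue
        sessions.append({
            "login": datetime.strptime(f"{f[0]} {f[1]}", FMT),
            "last": datetime.strptime(f"{f[2]} {f[3]}", FMT),  # last access
            "user": f[6],
            "ip": f[7],
        })
    return sessions


def suspicious_changes(events, sessions):
    """Return changes made while a support login or an unknown IP was active."""
    findings = []
    for stamp, what in events:
        when = datetime.strptime(stamp, FMT)
        for s in sessions:
            active = s["login"] <= when <= s["last"]
            risky = s["user"] in SUPPORT_ACCOUNTS or s["ip"] not in TRUSTED_IPS
            if active and risky:
                findings.append((stamp, what, s["user"], s["ip"]))
    return findings
```
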
 
We use WHMCS and never had any problems with them. This is not good. Good luck with it!

Normally I don't, but they had no reason to access my WHMCS admin area and alter one of my accounts to one of my other servers, which changed the DNS settings for that site due to DNS clustering.
Still waiting to hear from them, while the site remains down due to them. They should at least get the IDIOTIC monkey who did this off his fat backside and get him to fix this
 
Hello Terry,

I think someone else had a similar issue on the InterWorx forums.

Are you using v6? John and an OP had issues and John said:

"Actually, v6.01 gives a 500 error on module creation, so on my dev I cannot provision siteworx accounts, but it looks like a soap issue I think, as logs show details do not match."

Is your WHMCS installation on your InterWorx control panel? If it is, try enabling graceful restart under Webserver.
 
Yes, using WHMCS 6.0.2, and SOAP is enabled, just won't communicate with Interworx. It's on a different server.

I have another hosting site that uses Blesta and that communicates and sets up siteworx accounts without any issue.

Interworx support could not be any more helpful; they extended my trial period a further 4 weeks, so I can try it out.

Last 2 messages from Interworx support were

02/09/2015 18:59 Hey Terry,

Just a quick update. I've spoken to Jimmy B. at WHMCS and they are working on it. I'll let you know when I have more information.


Thanks,
-Nathan
and
03/09/2015 15:24 Hey Terry,

It looks like WHMCS expects a release for the updated InterWorx Module in about two weeks time, but they are considering a hotfix which could be available as soon as 2 - 3 days. I'll stay in contact with them, but it looks like they are resolving this issue. Thanks again for bringing this to our attention!


Thanks,
-Nathan

But guess what, nothing from WHMCS
 
InterWorx are amazing, and Nathan is helpful but why didn't WHMCS QA team test it before they released the version? Ah well at least you can sort of work around it. Fingers crossed for you mate that they release a hot fix.
 
why didn't WHMCS QA team test it before they released the version?

I have asked that several times, but they never give an answer apart from 'a user tried with an insecure connection and it worked'. When I tried, it failed. Also, why should I risk security because WHMCS never released a working product?
 
I discontinued WHMCS, too many problems and after two site compromises, one on their site and one on mine I am done. Rebuilt the site and installed new account management software. The price? FREE........Hello?
 
Don't like phpcoin, as it looks like what it is, a cheap system, and does not look professional
 
Despite a few lows, I still think WHMCS offer the industry leader in host billing and client management. What I can not understand though is why they moved your site to another server without your express permission!
 
What I can not understand though is why they moved your site to another server without your express permission!

That's what I could not understand, and even as the logs show it was done using the admin access/account set up for WHMCS use only, and only they have these details when they need access for support issues, they insisted it was not them. But that does not surprise me, as even with support issues to them it's always a user fault, as WHMCS is the most secure software going and never falters, according to them
 
I once had an issue with a client's license it just couldn't re-issue and some support advisor kept telling me it was client's error yet it made no sense at all.

The best one is after they issue an update and your WHMCS breaks, they say it's user or 3rd party addon fault. But strange how before their update everything worked, so anyone with a brain can see it would be their upgrade that caused the issue (well, that is apart from WHMCS advisors, who I think are programmed to always blame others)
 
The bitter pill is you just have to accommodate them and work around it as (in my opinion) they still offer the best for this industry.
 
True, just wish their support was better. I think it's got worse since cPanel took over and brought in the $30 fast track system
 
They are encouraging users to pay for support.

But if everyone paid for priority support, then they would be in the same boat as without paying, as the queues would build up.

I never pay for cPanel support and I get replies within a couple hours; don't pay for support with WHMCS and you may, if you are lucky, get a reply within a week.