WHMCS Security Advisory

nigelb

New member
========================================
WHMCS Security Advisory TSR-2014-0001
http://blog.whmcs.com/?t=84387
========================================

WHMCS has released a new update for all supported versions of WHMCS. These
updates contain changes that address security concerns within the WHMCS
product.

We recommend you update your WHMCS installation(s) as soon as possible.

WHMCS has rated this update as having an important security impact. Information
on security ratings can be found at http://docs.whmcs.com/Security_Levels

==========
Releases
==========
Please update your installation to the one of the following versions:
v5.2.16

== Patches ==

Incremental patches can be downloaded by following the provided links below.
These patch sets contain only the files that have changed between the previous
release and this update. The previous release version that these patch sets are
designed for is clearly indicated as the first and smaller number.

The following incremental patches are available for direct download:

5.2.15 --> 5.2.16 http://go.whmcs.com/298/v5215_incremental_to_v5216_patch
MD5 Checksum: 706e352796e91c4f27a40470c83125b8

To apply a patch set release, download the files as indicated above. Then follow
the upgrade instructions for a "Patch Set" which can be found at
http://docs.whmcs.com/Upgrading#For_a_Patch_Set

== Full Release ==

A full release distribution contains all the files of a WHMCS product
installation. It can be used to perform a new install or update an existing
installation (regardless of previous version).

5.2.16 - Downloadable from the WHMCS Members Area
https://www.whmcs.com/members
MD5 Checksum: fe2a804ade2bfd69d4107ff8aa1b718b

To apply a full release, download the files as indicated above. Then follow the
upgrade instructions for a "Full Release Version" which can be found
at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version


=========================================
Important Maintenance Issue Information
=========================================

This Advisory provides resolution for the following important maintenance
issues:

Case #2557 - 2Checkout Gateway: Update to currency variable
Case #2623 - Fix calculations of promotions when more than 50% off
Case #2739 - Add TLD Specific Fields required for .CN domain registrations
Case #2874 - Authorize.net Echeck: Fix capture function behaving incorrectly
Case #3019 - Refine internal criteria for bulk domain lookup
Case #3030 - Resolve SQL error in Income by Product Report
Case #3086 - Nominet Registrar: Update to Contact Registration Logic for
Individuals
Case #3116 - Required Custom Fields not validating correctly when using API
Case #3360 - Resolved issue where one time promotions could be treated as
recurring
Case #3360 - Disable Recur For input box when Recurring is disabled
Case #3361 - Fix time limited recurring promotions calculating incorrectly
Case #3388 - Fix Invalid Token Error when applying credit in Original and
Portal Client Templates
Case #3414 - Payflow Pro: Update to store PayFlow Reference in PayFlow Mode
Case #3617 - Do not CC password reset emails to sub-accounts
Case #3740 - ProtX VSP Form: Pass correct callback values to debug log
Case #3801 - Resolved PDF Quotes missing clients name/address
Case #3802 - Make a quantity of zero remove item from the cart
Case #3809 - Regular Expression Custom Field Validation failing on single
quotes
Case #3811 - Resolve Invalid Token error when deleting recurring calendar
entry
Case #3814 - Improvements to IPv6 detection and validation logic
Case #3862 - NameCheap Registrar: Fix incorrect function name call
Case #3864 - Authorize.net Echeck: Fix storage of bank account details
Case #3893 - Enom SSL Module: Fix Province is Required Error Message

=========================================
Security Issue Information
=========================================

This Advisory provides resolution for several security issues, all of which were
either reported privately via the Security Bounty Program or found internally by
the WHMCS Development team as part of the regular on-going internal security
audits.

There is no reason to believe that any of these vulnerabilities are known to the
public. As such, WHMCS will only release limited information about the
vulnerabilities at this time.

Once sufficient time has passed, WHMCS will release additional information about
the nature of the security issues.

Case #3637 - Improve Access Controls in Project Management Addon
Case #3782 - Improve Access Controls in Tickets
Case #3783 - Improve Access Controls in Invoices
Case #3784 - Resolve Admin Area SQL Injection Vulnerability
Case #3839 - Resolve Potential XSS Vulnerability
Case #3841 - Resolve Potential XSS Vulnerability
Case #3842 - Resolve Potential XSS Vulnerability
Case #3843 - Resolve Potential XSS Vulnerability
Case #3846 - Improve Access Controls in Tickets
Case #3922 - PayPal Express Checkout Improve Validation
Case #3931 - Potential header injection via whois lookups
Case #3932 - Improve sanitization for whois query

All supported versions of WHMCS are affected by one or more of these maintenance
and security issues.

For information regarding our Long Term Support Policy, read our documentation
here:
http://docs.whmcs.com/Long_Term_Support


=========================================


WHMCS Limited
www.whmcs.com
 
Back
Top