WHMCS zero-day vulnerability issue

technut

New member
A critical zero-day vulnerability was published today affecting any hosting provider using WHMCS.

WHMCS quickly published a patch here: http://blog.whmcs.com/?t=79427

See below email from WHMCS today.



========================================
WHMCS Security Advisory for 5.x
http://blog.whmcs.com/?t=79427
========================================

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates
provide targeted changes to address security concerns with the WHMCS product.
You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical security impacts. Information
on security ratings is available at http://docs.whmcs.com/Security_Levels


== Releases ==
The following patch release versions of WHMCS have been published to address a
specific SQL Injection vulnerability:
v5.2.8
v5.1.10

== Security Issue Information ==

The resolved security issue was publicly disclosed by "localhost" on
October 3rd, 2013.
The vulnerability allows an attacker, who has a valid login to the installed
product, to craft a SQL Injection Attack via a specific URL query parameter
against any product page that updates database information.


== Mitigation ==

=== WHMCS Version 5.2 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS
site as itemized below.

v5.2.8 (full version) - Downloadable from the WHMCS Members Area
v5.2.8 (patch only; for 5.2.7) - http://go.whmcs.com/218/v528_Incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

=== WHMCS Version 5.1 ===

Download and apply the appropriate patch files to protect against these
vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS
site as itemized below.

v5.1.10 (patch only; for 5.1.9) - http://go.whmcs.com/226/v5110_Incremental

To apply a patch, download the files indicated above and replace the files
within your installation.
No upgrade process is required.

========================================

WHMCS Limited
www.whmcs.com

- Members Area: https://www.whmcs.com/members/
- Support: http://www.whmcs.com/support/
- Documentation: http://docs.whmcs.com/
- Community Forums: http://forums.whmcs.com/
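As an added illustration of the defect class the advisory describes (an authenticated user steering an UPDATE through a URL query parameter), here is a vulnerable handler beside a hardened one. This is not WHMCS code and not the vendor's patch; the table, column and parameter names are invented, and the hardened version validates the id, binds every value and scopes the update to the logged-in client's own row.

```php
<?php
// Added example (not WHMCS code). Uses an in-memory SQLite database so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Invented schema: two clients, each owning one row.
$db->exec('CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT, userid INTEGER)');
$db->exec("INSERT INTO tblclients VALUES (1, 'alice@example.com', 1), (2, 'bob@example.com', 2)");

// Vulnerable: the raw query parameters are interpolated into the statement,
// so a value such as "1 OR 1=1" widens the WHERE clause to every row.
function update_email_vulnerable(PDO $db, array $params): int {
    $sql = "UPDATE tblclients SET email = '" . $params['email'] . "' WHERE id = " . $params['id'];
    return $db->exec($sql); // affected-row count
}

// Hardened: reject a non-integer id outright, bind all values through a prepared
// statement, and require the row to belong to the authenticated user (least privilege:
// a valid login is not a licence to edit other clients' records).
function update_email_hardened(PDO $db, array $params, int $sessionUserId): int {
    $id = filter_var($params['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return 0; // malformed id: do nothing rather than "repair" the input
    }
    $stmt = $db->prepare('UPDATE tblclients SET email = :email WHERE id = :id AND userid = :uid');
    $stmt->execute([':email' => $params['email'] ?? '', ':id' => $id, ':uid' => $sessionUserId]);
    return $stmt->rowCount();
}

$sessionUserId = 1; // constructed: the logged-in client is Alice

// Constructed request from an authenticated client, e.g. ?id=2&email=...
$otherClientsRow = ['id' => '2', 'email' => 'changed@example.com'];
// Constructed request carrying an injected id, e.g. ?id=1%20OR%201%3D1&email=...
$injected = ['id' => '1 OR 1=1', 'email' => 'changed@example.com'];

printf("hardened, other client's row: %d row(s) changed\n",
    update_email_hardened($db, $otherClientsRow, $sessionUserId));
printf("hardened, injected id:        %d row(s) changed\n",
    update_email_hardened($db, $injected, $sessionUserId));
printf("vulnerable, injected id:      %d row(s) changed\n",
    update_email_vulnerable($db, $injected));
```

Run with the `pdo_sqlite` extension enabled; the two hardened calls leave the table untouched while the vulnerable call rewrites both clients' rows.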
 
We disabled our WHMCS until the patch was released - I heard about the issue at about 4pm and the patch was released just after 7pm.
 
Agreed. Considering how widely used WHMCS is, not just in the web hosting business but also among many other service-based providers, these things can cause major damage. I am just glad they released a fix in a reasonable timeframe. If it took more than a day or two I would've heavily considered moving to another billing platform.
 
Unfortunately, the biggest problem with the software is that it gets attacked because it's so popular... which is also the best part about it: it's widely recognized.

Regardless, they really should get their auto-update feature perfectly working. However, somehow, that would be exploited too.

So, WHMCS is now becoming the Java of the billing portal industry. But we are all glad that they are patching things as soon as they can, from the time they hear about it.
 
I didn't get affected by this, but I disabled my WHMCS too for the moment to apply the patch. We don't have to change to another billing system; this is a problem every big company has. You need to stay tuned for the latest update every time.
 
Was easy to avoid. Just disable editing of client fields after signup.
 
They are large, which means there is a lot of support for it. This, as you stated, is good and bad. Good, they'll most likely keep developing the product and community members will too. Bad, hackers will keep finding exploits!
 
Follow their Twitter to be updated about critical updates, and I recommend updating very fast when a bug is found! There are a wide range of people who want to test bugs on your sites; after the update, more than 25 people tried to run this on our website :)
 
WHMCS needs to have their code externally audited. They need to pay Rack911 to get someone to look at their code and ensure that these silly little things won't happen anymore.

It's ridiculous, especially since this business is owned by cPanel!
 
cPanel being a shareholder shouldn't have any bearing on the audit; the external audit should be done simply because it's a billing application where customers' data is held, and WHMCS have been caught out a few times now. WHMCS really need to step up and get this done before they lose all credibility.
 
Completely and utterly agree. Honestly, they should be held to the same standard that corporate businesses are... We all love using WHMCS over some of the other similar products that we've tried out over time, but they are making it extremely worrying to constantly have to patch it.

I understand, though, that it's not necessarily their fault for having security issues... but they are doing what they can. Their software is just like every other piece of software: there will always be bugs, and they will always have to patch them... Just ask every other major software provider about patching bugs... it's just part of the maintenance side of making said software.
 