The Heartbleed bug (http://en.wikipedia.org/wiki/Heartbleed_bug
) is a serious vulnerability in OpenSSL 1.0.1 through 1.0.1.f.
This vulnerability allows an attacker to read chunks of memory from servers and clients that connect using SSL through a flaw in OpenSSL's implementation of the heartbeat extension.
OpenSSL provides critical functionality in the internet ecosystem, and therefore vulnerabilities, such as Heartbleed, have a significant impact on digital communications and their integrity.
What does this mean for WHMCS installations?
SSL is an important protocol for securing web traffic, and thus securing web requests for logins, order transactions, etc.. WHMCS, like all web applications, must rely on web servers to correctly implement the SSL protocol. WHMCS as a web application cannot patch the Heartbleed vulnerability, nor can we mitigate its effects. However as a member of the internet community, we feel it's important to raise awareness of the risk and ensure that our users check that their server is protected.
How do I check if my server is protected?
Essentially, there are three ways you can verify if your server is protected:
What do I do if my server is not protected?
1) You can open a support ticket with your hosting provider.
2) You can leverage a third party scanning tool via the web.
Below are three such sites that the community deems reputable and trustworthy. You simply enter your website and it will let you know:
3) You can run a scanning tool locally on your server. One such tool is:
Contact your local system administrator or hosting provider immediately! They will have the technical expertise to update the OpenSSL libraries on your server to protect your SSL communications going forward.
Once I have patched my server, is there anything else I need to do?
Due to the nature of the vulnerability it is not possible to immediately know what information, including private keys, passwords, or session ID's, may have been compromised. Attacks that leverage the Heartbleed bug occur very early in an information exchange process, before a full connection has been made, and thus leaves no log history that an attack has occurred.
We recommend that you take precautionary action and regenerate all SSH keys as well as reissue all SSL certificates in use.
If you have purchased SSL certificates directly from WHMCS or resell SSL certificates through Enom, you can find more information on how you and the SSL provider can reissue your certificates here: http://docs.whmcs.com/Reissueing_Enom_SSL_Certificates
We also recommend that you take precautionary action concerning passwords used to authenticate against your WHMCS installation. This would include resetting administrative passwords as well as contacting your customers and asking them to reset their passwords. A step by step guide and sample email template are provided here: http://go.whmcs.com/386/heartbleed-pw-reset-email-tutorial
How has WHMCS servers and my account been affected by Heartbleed?
The WHMCS website, our public servers, and the whmcs.com SSL certificate end point were not vulnerable to the Heartbleed bug when it was publicly disclosed on April 7th 2014.
Any secure communication with our servers, such as logging into the members area, would not be affected by any attacks following the public disclosure of the Heartbleed bug.
The Heartbleed bug has had a profound impact on the transmission of secure data throughout the Internet. It is for that reason that we are encouraging our customers to reset their member area passwords
at their earliest convenience as a matter of common password maintenance. Please remember to always make your passwords unique, random, and periodically rotate them.
WHMCS is in the process of emailing all active clients to inform them of this blog post. That email also contains a direct link to the whmcs.com password reset function as a precautionary measure.
Posted by Matt on Friday, April 11th, 2014
This week we attended and exhibited at WHD.global 2014 - the world's largest annual hosting event.
This was our first time exhibiting at a conference in Europe, and so it was great to get to meet so many of our European users, many for the first time, and many of whom we've been working with and talking to for years.
If you missed it, we've uploaded some pictures from the event to our official Flickr account
Conferences are always a great opportunity to connect with users of our product, and to talk with customers about what we've been working on, and what you can expect to see from us in the coming weeks and months. And right now we really have a lot to talk about - there's our automatic update utility (which by the way is now super close to entering public beta status), as well as deeper cPanel integration, and an all-new fully responsive mobile (and tablet) friendly client area theme.
I'll soon be reaching out to members of our beta community about this, as one thing that attending conferences always re-confirms for us, is that our users really care about what we do, and we care that you care, and want you to be involved to benefit from all of your experiences and ideas. The new theme is way more than just a fresh coat of paint too, and so right now we're demoing and working on it with some of our closest partners, so stay tuned for more on that.
There's a lot more we're working on too, but I can't reveal all just yet... maybe if you come and hang out with us in Miami at HostingCon, we might just be able to let you in on it then :)
Posted by Matt on Sunday, April 6th, 2014
WHMCS has released new updates for all supported versions of WHMCS. These updates include changes that address security concerns within the WHMCS product.
WHMCS has rated these updates as having a moderate to trivial security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels
Please update your installation to one of the following versions:
Patches - What is a Patch?
Incremental patches can be downloaded by following the links below.
These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.
Need a patch for an older version? Visit our downloads page: http://download.whmcs.com/
To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a "Patch Set" which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set
- What is a Full Release?
A full release distribution contains all the files of a WHMCS product installation. It can be used to both perform a new installation or update an existing one (regardless of previous version).
To apply a full release, download the release from the URL above. Then follow the upgrade instructions for a "Full Release Version" which can be found at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version
Security Issue Information
The security changes in these releases address 11 privately reported issues through our security bounty program, and 1 issue discovered internally by the WHMCS Development Team. The issues addressed are rated as having Moderate to Trivial security impact.
Once sufficient time has passed to allow WHMCS customers to update their installed software, WHMCS will release additional information regarding the nature of the security issues.
Maintenance Issue Information
This release also provides resolution for a number of maintenance issues. For full details please refer to the change logs for each respective version:
All published and supported versions of WHMCS prior to 5.3.6 are affected by one or more of these maintenance and security issues.
Posted by Matt on Tuesday, March 25th, 2014
In the past few months, we ceased offering custom development services to allow us to focus more directly on core product development and specifically projects that have a broader benefit to our entire customer base.
Being accessible and easily extendable to developers is one of the key things that has helped WHMCS get to where it is today. And so in doing this, it was very important to us that we still had a solution that we could offer to clients for customising their WHMCS installation - from creating reports, to creating custom modules and hooks, to adding whole new functionality.
And that's where ModulesGarden comes in. ModulesGarden have been doing custom development work for WHMCS since 2011 and they've worked with some big names - OpenSRS and OnApp to name just two. We've also been recommending them for some time now, and the feedback we have been getting from clients who have used them has been very positive.
So today we are pleased to announce we have now created a formal partnership with them. ModulesGarden is our preferred development company, and we are proud to recommend them for all your WHMCS customization needs. Custom Development Services offered by ModulesGarden include:
- Custom Gateway Module Development
- Custom Registrar Module Development
- Custom Provisioning Module Development
- Custom Addon Module Development
- Custom Reports
- Custom Hooks
- Custom Theme Development
To celebrate this partnership, ModulesGarden will be joining us at our booth at World Hosting Day 2014 in Rust, Germany all next week, to talk with clients about custom module development and how we can work together to create additional functionality for your installation of WHMCS.
WHMCS Upcoming Events: http://www.whmcs.com/about/upcoming-events/
So if you're needing custom development work, be sure to check out their page in our partners area @ http://www.whmcs.com/partners/custom-development-modules/
Posted by WHMCS Aaron on Monday, March 24th, 2014
An update has been made available to the WHMCS Live Chat & Visitor Tracking Addon and can be downloaded from our Members Area.
This update features improvements to the online admin interface, multi-device PUSH messaging support for chat notifications and the ability to insert Knowledgebase Articles from WHMCS directly into your chat responses.
For a full list of changes, please refer to the changelog @ http://changelog.whmcs.com/Live_Chat_V4.1
To upgrade, please refer to the instructions @ http://docs.whmcs.com/Live_Chat_Addon
About WHMCS Live Chat & Visitor Tracking
The WHMCS Live Chat & Visitor Tracking Addon provides real-time visitor monitoring and direct access to a logged-in users profile, products & services and other vital information to aid in providing support quickly. Integration directly with the ticket system allows open tickets to be reviewed, the user of predefined replies and logging of chat transcripts alongside ticket history. For more information please refer to http://www.whmcs.com/addons/live-chat-visitor-tracking/
Posted by Matt on Monday, March 17th, 2014