Release Candidate 1 of the upcoming WHMCS V5.3 release has now been made available to our beta testers.
If you enrolled as a beta tester, you will be able to download this latest pre-release version from our Members Area.
If you are not yet part of our beta testing usergroup but would like to get involved, please visit http://docs.whmcs.com/Beta_Testing to find out how.
What is a Release Candidate?
A release candidate (RC) is a beta version with the potential to become the final product: it is ready to release unless significant bugs emerge. At this stage, functionality development is complete and has been tested through at least one beta cycle.
If no major bugs are found, a public release will be made. If however bugs are found that are considered sufficiently important to delay the release, we will make a second release candidate. This process continues until no significant bugs are discovered during the testing period for the latest release candidate.
As always, please remember that this release is not officially supported and we do not recommend running pre-release software in a production environment.
Posted by Matt on Wednesday, January 15th, 2014
We are pleased to announce the release of WHMCS Version 5.3.2 Beta - and just in time for Christmas!
This build contains the last significant changes and bug fixes scheduled for inclusion in 5.3 prior to its public release.
Beta testers are an invaluable part of our development process, and we rely on their work to help ensure we release the best possible product.
As always, Beta releases are not recommended for production use.
If you would like to become part of our Beta testing team of Solutioneers, please follow the link below to find out how.
We hope you have an enjoyable Christmas holiday, and look forward to working with you again in 2014!
Posted by Matt on Monday, December 23rd, 2013
WHMCS has released a new update for all supported versions of WHMCS. This update contains a change that addresses a specific security concern within the WHMCS product.
We strongly encourage you to update your WHMCS installations as soon as possible.
WHMCS has rated this update as having an important security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels
Please update your installation to the following version:
Patches - What is a Patch?
Incremental patches can be downloaded by following the links provided below. These patch sets contain only the files that have changed between the previous release and this update. The previous release version that each patch set is designed for is clearly indicated as the first (lower) version number in its name.
Do not attempt to apply an incremental patch set to an installation that is running a different version than the indicated version. Doing so will result in a "Down for Maintenance" message and require you to use the full release to complete the upgrade.
Incremental patches do not require any update process. Simply apply the changed files to the existing WHMCS installation.
The following incremental patches are available for direct download:
5.2.14 --> 5.2.15 Patch http://go.whmcs.com/290/v5214_incremental_to_v5215_patch
MD5 Checksum: 709126303a0296ea41e6984c84aa42fa *
To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a "Patch Set" which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set
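Before copying an incremental patch set over a live installation there are three things worth checking: that the installation really is on the base version the patch was built for (applying it to any other version leaves the site showing "Down for Maintenance", as described above), that the download matches the published MD5 checksum, and that the archive's files sit at the install root rather than inside an extra folder (the problem described in the footnote at the end of this post). The Python below is an added example, not part of the release post and not WHMCS's own tooling; it assumes the patch set is downloaded as a zip archive and that you already know the version string your installation is running. The sample archives it builds are constructed for the demonstration.

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Set


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the downloaded archive, to compare with the published checksum.

    This catches a truncated or corrupted download. MD5 is not collision
    resistant, so a matching checksum is not proof of provenance: fetch both
    the archive and the checksum over HTTPS from the members area, not a mirror.
    """
    return hashlib.md5(data).hexdigest()


def unexpected_top_levels(archive: bytes, install_root: Set[str]) -> Set[str]:
    """Top-level path components in the zip that do not exist in the install root.

    A patch set whose files were packed under an extra folder shows up here as
    that folder's name; an empty set means every entry overlays an existing
    file or directory of the installation.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        tops = {name.split("/", 1)[0] for name in zf.namelist() if name}
    return tops - install_root


def patch_preflight(installed_version: str, patch_from: str, archive: bytes,
                    published_md5: str, install_root: Set[str]) -> List[str]:
    """Return the reasons NOT to apply this incremental patch; empty means go ahead."""
    problems = []
    if installed_version.strip() != patch_from.strip():
        problems.append(f"installed {installed_version} is not the patch base "
                        f"{patch_from}; use the full release instead")
    actual = md5_hex(archive)
    if actual != published_md5.strip().lower():
        problems.append(f"checksum mismatch: got {actual}, published {published_md5}")
    try:
        stray = unexpected_top_levels(archive, install_root)
    except zipfile.BadZipFile:
        return problems + ["download is not a valid zip archive"]
    if stray:
        problems.append("archive entries not rooted in the installation: "
                        + ", ".join(sorted(stray)))
    return problems


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample archive for the demo (not a real WHMCS patch set)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical install root listing; read os.listdir() of the real one.
    install_root = {"admin", "includes", "modules", "index.php"}
    good = build_zip({"includes/credit.php": b"<?php", "admin/invoices.php": b"<?php"})
    wrapped = build_zip({"v5215/includes/credit.php": b"<?php"})
    print(patch_preflight("5.2.14", "5.2.14", good, md5_hex(good), install_root))
    print(patch_preflight("5.2.14", "5.2.14", wrapped, md5_hex(wrapped), install_root))
```

The `install_root` set is the list of entries in your WHMCS directory; passing the real listing means a patch packed under a version folder, or a corrupted download, is refused before any file is overwritten.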
Full Release - What is a Full Release?
A full release distribution contains all the files of a WHMCS product installation. It can be used to perform a new install or update an existing installation (regardless of previous version).
The latest full release can always be downloaded from our members area at https://www.whmcs.com/members
5.2.15 Full Version - Downloadable from the WHMCS Members Area
MD5 Checksum: d990f802db28c28d6d2fc003c8f339eb
To apply a full release, download the files as indicated above. Then follow the upgrade instructions for a "Full Release Version" which can be found at http://docs.whmcs.com/Upgrading#For_a_Full_Release_Version
Important Maintenance Issue Information
This release also provides resolution for the following maintenance issues:
Case #3706 - Some graphs failing after recent Google Graph API Update
Case #3711 - CSV Export content should not contain HTML entities
Case #3726 - PDF Line Items failing to output some specific characters
Case #3727 - Admin password reset process failing to send new password email
Case #3738 - Sub-account password field's default text must be removed on focus/click events
Security Issue Information
This Advisory provides resolution for a single security issue which was publicly disclosed. Specific information regarding that issue can be found below.
SQL Injection via Admin Credit Routines
=== Severity Level ===
Important
=== Description ===
An attacker who can function as an authenticated admin user with the ability to apply credits to an invoice can, using specially crafted input, cause the credit routines to execute arbitrary SQL commands if the target user has a credit balance known to the attacker.
Because of the many prerequisites necessary to exploit this vector, the security impact level has been assessed as "Important". Information on security ratings can be found at http://docs.whmcs.com/Security_Levels
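The advisory does not show the affected code, and the snippet below is not WHMCS's code or the actual bug; it is an added illustration of the general pattern behind this class of issue, written in Python against an in-memory SQLite table so it runs stand-alone. A credit routine that splices caller-supplied values into the SQL string lets an authenticated user who controls those values change which rows the UPDATE touches; the same routine with validated, parameterised input does not. The table, column names and the payload are constructed for the demo.

```python
import sqlite3
from decimal import Decimal, InvalidOperation


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three clients with credit balances (not a WHMCS schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblclients (id INTEGER PRIMARY KEY, credit REAL NOT NULL)")
    conn.executemany("INSERT INTO tblclients VALUES (?, ?)",
                     [(1, 100.0), (2, 50.0), (3, 25.0)])
    conn.commit()
    return conn


def apply_credit_unsafe(conn: sqlite3.Connection, client_id: str, amount: str) -> int:
    """Deliberately vulnerable: values are interpolated into the statement.

    A client_id of "1 OR 1=1" turns the WHERE clause into a match on every row,
    so the deduction is applied to all clients. Returns rows affected.
    """
    sql = f"UPDATE tblclients SET credit = credit - {amount} WHERE id = {client_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def apply_credit_safe(conn: sqlite3.Connection, client_id: str, amount: str) -> int:
    """Hardened form: type-check the inputs, then bind them as parameters.

    The database never sees the caller's text as SQL, and the balance check
    is part of the same statement so a stale balance cannot be overspent.
    Returns rows affected (0 when the client lacks sufficient credit).
    """
    cid = int(client_id)                      # "1 OR 1=1" raises ValueError here
    try:
        amt = Decimal(str(amount))
    except InvalidOperation:
        raise ValueError(f"amount is not a number: {amount!r}")
    if not amt.is_finite() or amt <= 0:       # rejects NaN, Infinity, zero, negatives
        raise ValueError(f"amount must be a positive finite number: {amount!r}")
    cur = conn.execute(
        "UPDATE tblclients SET credit = credit - ? WHERE id = ? AND credit >= ?",
        (float(amt), cid, float(amt)),
    )
    conn.commit()
    return cur.rowcount


def credits(conn: sqlite3.Connection) -> list:
    """Current balances ordered by client id."""
    return [row[0] for row in conn.execute("SELECT credit FROM tblclients ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, crafted id:", apply_credit_unsafe(db, "1 OR 1=1", "10"), credits(db))
    db = make_db()
    try:
        apply_credit_safe(db, "1 OR 1=1", "10")
    except ValueError as exc:
        print("safe, crafted id rejected:", exc)
    print("safe, honest request:", apply_credit_safe(db, "1", "10"), credits(db))
```

The important point for anyone reviewing similar code is the shape of the fix: the parameter binding removes the injection, and the input validation is what keeps the routine from silently accepting garbage; doing only one of the two leaves a gap.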
=== Resolution ===
Download and apply the appropriate software update to protect against this vulnerability; information about the update releases is provided in the "Releases" section of this Advisory.
All published and supported versions of WHMCS prior to 5.2.15 are affected by one or more of these maintenance and security issues.
For information regarding our Long Term Support Policy, read our documentation here:
* Within a few minutes of publishing this blog post, it was discovered that the incremental update files were contained within a subfolder. The release was updated to remove the subfolder and MD5 checksum updated.
Posted by Matt on Monday, December 23rd, 2013
As customers increasingly choose to shop, share, bank, and view accounts online, they have become more savvy about security. However, concerns about identity theft and fraud still keep many website visitors from completing, or starting, their transactions online. They need to be reassured that the confidential information that they share will be protected from malicious activity.
Online Growth Slowed by Lack of Trust
Today, more people have access to the Internet and spend more time online than ever before. Financial industry experts predict that online banking, and other accounts, will become the primary customer touch-point over the next decade. As Internet adoption continues to grow and Web browsing becomes more common on mobile devices, businesses have the opportunity to tap new markets with online sales and account-based services. However, reluctance to conduct transactions online remains due to concerns about protecting confidential information. Even though identity theft occurs more often offline than online, many Internet users are nonetheless extremely wary of identity theft. On the Web, the impact of this doubt is easy to measure:
- Abandoned shopping carts add up to lost sales and missed revenue.
- Click-through tracking shows that potential customers reach enrollment forms, but do not complete them.
- Search analytics and alerts show how brands and company names are hijacked to lure customers away from legitimate sites.
Internet scams have become more coordinated and sophisticated, eroding the trust that is essential to online business. In the second half of 2013 the Anti-Phishing Working Group reported an average of 305 brands hijacked each month, with September having the highest monthly incidence at 355.
Phishing schemes use emails and websites that appear legitimate to trick visitors into sharing personal information. SSL stripping, a type of man-in-the-middle attack, silently downgrades the visitor's connection from HTTPS to plain HTTP while the attacker keeps the encrypted session to the real site, so the visitor sees a working page with no padlock and rarely notices; related attacks direct users to look-alike "secure" sites that do show a padlock, because a basic certificate proves only control of a domain name, not who is behind it. These types of attacks often target webmail applications, secure sites, and intranets.
Extended Validation (EV) SSL Certificates can be a key factor in helping increase customer confidence during online business transactions. More confidence can mean more conversions for customers with EV SSL certificates. GeoTrust True Business ID with EV turns address bars green in high-security browsers for an extra layer of website security that customers can see and trust.
Posted by WHMCS Aaron on Monday, December 16th, 2013
Today we are pleased to announce the launch of our Security Bounty Program.
Security researchers play an important part in helping keep our product secure, and from today, we now have an official program and process for handling their submissions and rewarding those who report issues and follow responsible disclosure principles.
We have chosen to team up with BugCrowd.com to help manage the program. This allows us to remain focused on the ongoing evolution and support of our product, while benefiting from BugCrowd's experience and extensive reach within the security researcher community.
To find out more and learn how to get involved, please visit:
We also want to take this opportunity to thank all those that have made responsible disclosures to us to date. We fully recognize and appreciate your assistance in making WHMCS a better product.
Posted by Matt on Friday, December 6th, 2013