All The Latest From WHMCS

Home / Blog

Security Threat Notification


We are aware of a post that is circulating in which the author proposes an exploit via a cookie variable. However the proposed vulnerability is only possible if the attacker has gained access to a valid admin login session already through other means. For this reason, we feel that the viability of the vulnerability is not immediate nor is of a critical risk to installations.

We can confirm this vulnerability vector does exist as we have already identified and resolved it in our currently in progress internal security audit. We have in fact also prepared a refinement to the code that will negate the proposed attack vector and we anticipate publishing a new release of the software next week that will include this change along with others found during our internal audit.

In the meantime however, you may download the hook file below and upload it to the /includes/hooks/ folder of your WHMCS installation to negate any potential attacks based on this - although please note this will also prevent admin list ordering from working fully in certain places.

Cookie Override Hook - http://go.whmcs.com/262/cookie_override_hook


Posted by Matt on Sunday, November 3rd, 2013







Response to Recent Security Events


Over the last few months, WHMCS has released an unusually high number of security related updates - more than we would have liked or than you would have expected.

We understand the inconvenience that these cause, and their severity.

We have tasked several staff members with doing an internal code audit which is now well underway, and they have already identified a number of items which were addressed in the last release. We plan to continue our internal audit and release further updates as required.

We will also be commissioning at least one additional external security audit, and introducing a Security Bounty Program. External security audits are not something that are new to us, however as a security audit alone is not a guaranteed solution, we will be increasing the frequency of both internal and independent external security audits being performed.

As mentioned above, we will also be launching a Security Bounty Program designed to reward those who find issues in our software and report them to us in a responsible and safe manner. In order to encourage this we will be offering free development licenses to security researchers and monetary rewards of up to $5000 per issue. Further details will be released about this in the near future.

These steps are just the start of our overall plans to proactively address your concerns. As we move forward additional announcements will be made.

We appreciate the trust that you put in us, and we intend to make sure that trust is not misplaced.


mattsig.png

Matt Pugh
Founder/CEO


Posted by Matt on Thursday, October 31st, 2013







WHMCS Security Advisory for 5.x


UPDATE 2: We have published 5.2.12 incremental and full versions. These include all security related enhancements as well as the missing file that triggers the version increment.

Please Note: if you downloaded 5.2.11, your update is incomplete. Please deploy 5.2.12 to ensure the software version increments properly. Version 5.1.13 was not affected by this packaging deficiency.

UPDATE: We've identified a missing file in 5.2.11 which causes the version number not to increment. All security related enhancements are present. We will be updating this post again with version 5.2.12 which will contain the complete change set. Thank you for you patience.

WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical & important security impacts. Information on security ratings is available at http://docs.whmcs.com/Security_Levels

Releases
The following patch release versions of WHMCS have been published to address all known vulnerabilities:
v5.2.12
v5.1.13


Security Issue Information

These updates resolve the following issues:

> Information disclosure via the client area as published by 'localhost'
> HTTP Split Attack discovered by the WHMCS Development Team
> SQL Injection Vulnerability discovered by the WHMCS Development Team
> Privilege boundaries not being enforced on addons reported by Vlad C of NetSec Interactive
> Download directory traversal reported privately by an individual
> Lack of input validation in data feeds input discovered by the WHMCS Development Team
> Deficient Null Byte sanitization on input discovered by the WHMCS Development Team

Important Fix Information

These updates also include the following non-security related functional fixes:

> Improved validation of monetary amounts
> Moneris Vault Gateway compatibility update
> Credit cards not processing under certain conditions
> Correction to internal logic for testing Authorize.net payment gateway


Mitigation

WHMCS Version 5.2

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.

v5.2.12 (full version) - Downloadable from the WHMCS Members Area
MD5 Checksum: fd2500df9068b7c00a9452ef31cfd522

v5.2.12 (patch only; for 5.2.10 or 5.2.11 ) - http://go.whmcs.com/254/5212_incremental
MD5 Checksum: dbf1f18f98c14d5f212f6e4bc249cca6

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.

WHMCS Version 5.1

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS site as itemized below.

v5.1.13 (patch only; for 5.1.12) - http://go.whmcs.com/250/5113_incremental
MD5 Checksum: e06d0033c388a8f2c43e24134fe8bd63

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.



All versions of WHMCS are affected by these vulnerabilities, however only 5.1 and 5.2 will be provided updates per our Long Term Support Policy.

You can read more about our Long Term Support Policy here:

http://docs.whmcs.com/Long_Term_Support



This Security Advisory is in the process of being emailed to all active license holders.


Posted by Matt on Friday, October 25th, 2013







Security Status Update


As you may be aware, a security issue has been published within the last hour which allows for information disclosure.

We are aware of the issue and are investigating it, and will be issuing a fix for this issue along with any others we discover during our targeted investigation shortly. In the meantime disabling the Mass Payment feature voids the immediate threat.

You can do this by de-selecting the "Enable Mass Payment" checkbox in Setup > General Settings > Invoices and saving.

Please watch our blog, facebook and twitter feeds to receive the latest updates.


Posted by Matt on Friday, October 25th, 2013







WHMCS Security Advisory for 5.x


WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.

WHMCS has rated these updates as having critical security impacts. Information on security ratings is available at http://docs.whmcs.com/Security_Levels

Releases
The following patch release versions of WHMCS have been published to address a specific privilege and SQL vulnerabilities:
v5.2.10
v5.1.12

Security Issue Information

These changes resolve security issues identified by public disclosure. The follow security issues have been addressed within the latest patches:
- Missing Cross Site Request Forgery Token checks for certain operations related to Product Bundles and Product Configuration
- SQL Injection viable due to improper validation of expected numeric data
- Enforce privilege boundaries for particular ticket actions


Important Fix Information
These changes also include important functional fixes that were produced from previous security patches:
- SQL error in getting ticket departments (5.1 only)
- Mass mail client filter excluding users set to default language
- Admin clients list displaying multiple instances of the same record in certain conditions
- Prevent user input from manipulating IP Ban logic (5.2 only)

Mitigation

WHMCS Version 5.2

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.

v5.2.10 (full version) - Downloadable from the WHMCS Members Area
v5.2.10 (patch only; for 5.2.9 ) - http://go.whmcs.com/242/5210_incremental

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.

WHMCS Version 5.1

Download and apply the appropriate patch files to protect against these vulnerabilities.

Patch files for affected versions of the 5.1 series are located on the WHMCS site as itemized below.

v5.1.12 (patch only; for 5.1.11) - http://go.whmcs.com/246/5112_incremental

To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.



All versions of WHMCS are affected by this vulnerability, however only 5.1 and 5.2 will be provided updates per our Long Term Support Policy.

You can read more about our Long Term Support Policy here:

http://docs.whmcs.com/Long_Term_Support



This Security Advisory is in the process of being emailed to all active license holders.


Posted by WHMCS Chris on Monday, October 21st, 2013







« Previous Posts

Newer Posts »