Security Status Update
As you may be aware, a security issue has been published which affects all known versions of WHMCS.
We are currently aware of the issue and are working on a software update to prevent this attack vector from being successful.
We will be publishing software updates for the versions in Active Development and LTS per our Long Term Support Policy:
http://docs.whmcs.com/Long_Term_Support
Please keep watch on our blog, facebook and twitter to receive the latest updates.
Posted by Matt on Friday, October 18th, 2013
October 3rd 2013 Security Patch Follow Up
First of all I would like to apologize to anyone who was affected by this week's security issue. Security vulnerabilities that are disclosed publicly like this was, without any prior warning or notice, are always a big concern for a software development company.
The purpose of my blog post today is to provide you with the information you need to both ensure you are safe against this attack and check if you were affected by it.
How do I know if I am protected?
Provided you have updated to either Version 5.2.8 or 5.1.10 (or 5.3.1 if you're testing our most recent Beta), your installation is protected from future attacks of this nature. This does NOT however mean that you won't see attempts to use it. You may still see emails or log entries saying somebody tried to update or submit a value that starts with AES_ENCRYPT. If you see these, do not be alarmed.
You can verify what version you are running within your WHMCS admin area by navigating to Help > Check for Updates.
While all versions of WHMCS published prior to October 3rd 2013 are affected by this vulnerability, only 5.1 and 5.2 will be provided updates per our Long Term Support Policy. This policy is in place to help encourage people to stay current with our software and ensure they are getting the best possible user experience from our product that new updates and improvements bring.
How do I know if I was affected?
It is usually possible to tell if you have been affected by this, or had it attempted on your installation, based on the "WHMCS User Details Change" email notification. This is the email sent any time a client updates their profile details via the client area. When this feature is enabled, which it is by default, it contains both the old and new values to allow you to review any changes. In this email if you see any new field values that start "AES_ENCRYPT" (without the quote marks) then the exploit has been attempted on your installation.
Another way to check is via the Activity Log. This can be accessed via the admin area by navigating to Utilities > Logs > Activity Log. Again here you're looking for any references that contain the keyword "AES_ENCRYPT". If you see them, then somebody has attempted to use the exploit on your system.
Of course, someone attempting to use the exploit does NOT inherently mean it was successful. If the time of the attempt was after you applied the patch then the exploit will have failed; at most the attacker would only be able to alter details of their own, dummy, account.
If the attempted exploit occurred prior to implementing the security patch, this alone does not indicate that your system was compromised any further than the information disclosure.
In the published exploit example, the scripted behavior is to retrieve the admin user password hashes. These password hashes, in themselves, are not sufficient to allow the attacker to authenticate into your admin area. The attacker must find the text which equates to the same hash value as your password.
If the attacker is able to extract the true admin user password value, they would then need to also know the exact location of the admin login page as well as have access to load it. As described in our recommended further security steps, WHMCS provides an extra layer of protection to help mitigate the unauthorized access into the administrative area by allowing a custom admin folder path. We also recommend restricting IP access to that folder with an htaccess file.
Please note that due to the nature of SQL Injection attacks, it is possible to do more that just information disclosure if the attempt was successful. We encourage you to look at the injected values and identify the exact SQL statements used by the attacker from the log entries prior to applying the patch; from this information you can known what database values the attacker was seeking to access or update.
If you see anything suspicious or that causes you concern, either in the email notifications or the activity log, then be sure to get in touch with our support team via www.whmcs.com/get-support Our team has been fully briefed and should be able to answer any questions you may have, or escalate it to someone who can.
Posted by Matt on Sunday, October 6th, 2013
WHMCS Security Advisory for 5.x
WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately.
WHMCS has rated these updates as having critical security impacts. Information on security ratings is available at http://docs.whmcs.com/Security_Levels.
Releases
The following patch release versions of WHMCS have been published to address a specific SQL Injection vulnerability:
v5.2.8
v5.1.10
Security Issue Information
The resolved security issue was publicly disclosed by "localhost" on October 3rd, 2013.
The vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information.
Mitigation
WHMCS Version 5.2
Download and apply the appropriate patch files to protect against these vulnerabilities.
Patch files for affected versions of the 5.2 series are located on the WHMCS site as itemized below.
v5.2.8 (full version) - Downloadable from the WHMCS Members Area
v5.2.8 (patch only; for 5.2.7) - http://go.whmcs.com/218/v528_Incremental
To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.
WHMCS Version 5.1
Download and apply the appropriate patch files to protect against these vulnerabilities.
Patch files for affected versions of the 5.1 series are located on the WHMCS site as itemized below.
v5.1.10 (patch only; for 5.1.9) - http://go.whmcs.com/226/v5110_Incremental
To apply a patch, download the files indicated above and replace the files within your installation.
No upgrade process is required.
All versions of WHMCS are affected by this vulnerability, however only 5.1 and 5.2 will be provided updates per our Long Term Support Policy.
You can read more about our Long Term Support Policy here:
http://docs.whmcs.com/Long_Term_Support
This Security Advisory is in the process of being emailed to all active license holders.
Updated: 10/3/2013 - 2:46PM CST
- Introduced 5.1 Mitigation
Posted by WHMCS Chris on Thursday, October 3rd, 2013
WHMCS Invades New Orleans
If you've ever been to a cPanel Conference you'll know it's one of the most laid back and innovative conferences in the industry. It also throws the best parties!
This year some of the guest speakers will be discussing the future of Web Hosting, Server Security, and laying out what's new for cPanel in 11.40.
But cPanel's not the only one with exciting news.
- WHMCS is unveiling its new reseller program showcasing on-demand licensing.
- Performing a workshop on full stack monitoring with Selenium by our very own Nate Custer.
- Speed Geeking with Matt Pugh & Chris Borsheim on the future of WHMCS.
- And kicking off one of the most invasive Scavenger Hunts New Orleans has ever seen!
We'll also be lounging around after a hard nights work at our booth #312 during the conference, so swing by to see what's going on in WHMCS v5.3 and how you can join the beta.
Make sure to watch our Facebook & Twitter page to watch the scavenger hunt unfold, and tune in Wednesday as we give away WHMCS Jackets to the top 10 players from the hunt.
Visit http://conference.cpanel.net to check the agenda for all of the conference event times & after hour festivities.
See you in New Orleans!
Posted by WHMCS Chris on Sunday, September 29th, 2013
v5.3.0 Released to Beta
We are pleased to announce that v5.3 has now been made available to our private beta testers group. Beta testers are an invaluable part of our development process, and we rely on their efforts and communication during the release process.
We expect a few iterations of beta releases prior to a public release candidate.
Over the last several months, and with version 5.3 we've worked very hard on improving stability and reliability of the WHMCS product as a whole, including upgrades.
If you would like to get involved, please navigate here to start the application process.
As always, Beta Releases are not intended for production use.
Posted by WHMCS Chris on Friday, September 27th, 2013
RSS Feed