By Matt / August 26th, 2014
WHMCS has released new updates for all supported versions of WHMCS. These updates include changes that address security concerns within the WHMCS product.
WHMCS has rated these updates as having a moderate to important security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels
Please update your installation to the latest version, 5.3.9.
This update includes significant changes to IP detection logic in conjunction with the use of proxies. If you use CloudFlare, or any similar public or private proxy service, to proxy traffic to your WHMCS installation, you will need to perform additional steps after upgrading to keep IP detection functioning correctly. If in any doubt, we urge you to read the Release Notes here or contact our support team for further information prior to updating.
The update includes a significant update to the low-level cryptographic routines used for admin authentication. These changes will affect any 3rd-party integration which directly accesses the admin user database table; they should not have an observable impact on installations otherwise. Further details can be found in the Release Notes here.
The update brings End Of Life for the Ensim server module as well as the E-Gold and PayOffline gateway modules. Please read the Release Notes here if you are actively using those modules.
After the release of 5.3.9, an issue was identified affecting admins who had Two-Factor Authentication enabled prior to upgrading to 5.3.9. We apologize for the inconvenience this has caused and have provided a Hot-Fix here that should be applied after applying the 5.3.9 core update.
Patches - What is a Patch?
Incremental patches can be downloaded by following the links below.
These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.