Web Hosting Talk

Big hole in WHMCS, unbilled accounts created


RSanders
11-28-2009, 11:06 AM
Hello,

We've been having problems with the latest version of WHMCS giving out free accounts. Fortunately, an existing customer called and asked why a new sign up wasn't charged.

If you have your packages set to 'Pro Rata' and have 'Automatically setup the product as soon as the first payment is received' your user will get a free account for the first pro-rate+month and no fraud checking.

This is known by WHMCS and they are calling it user error so far. You can find this in their forums and I am sure I am not the only one with a support ticket.

I have also confirmed this with 'un-named host' and was able to duplicate the problem on their system and get a free account. I have called the host and notified them of this vulnerability in their system. They are a colocation client of ours for several years, so we have a trust relationship. I would not recommend trying this with a random host.

I have also reverted to the standard install templates and themes to make sure this wasn't self induced. I do not know the scope of the problem, whether it affects all new installs or only upgraded ones, certain environmental variables and so on.

When you check out as a user, you will see
Subtotal: $0.00 USD
Total Due Today: $0.00 USD
Total Recurring: $8.95 USD Monthly

Since your balance is $0, you are never sent to Credit Card payment or go through any of your fraud prevention. As long as 'Automatically setup the product as soon as the first payment is received' is enabled, you now have an instant free account. If the account requires review, you may or may not find an admin who has even noticed he isn't getting paid.

If pro-rating is disabled the system seems to return back to normal, but once you have more than a few hundred accounts doing your billing daily becomes an issue of its own.

I hope this information helps protect some other hosts in here. If you're in this situation please check your install. We are fortunate only a small handful of our low cost clients have been migrated to WHMCS, which has minimized our losses.

Thanks,
Rob

hostingvince
11-28-2009, 11:41 AM
Hi Rob,
I am still considering the switch to WHMCS, so have only just begun to look into it on their forums.

One thing that I had a reply about was indeed auto account activation, for which they replied "Orders always have to be manually approved"

Therefore, I am somewhat confused why you have a problem as their reply suggests no customers will be able to use the hosting account anyway?

- Vince

RSanders
11-28-2009, 11:56 AM
Yeah, sure...

Go ahead and give it a shot. Order the basic hosting, change nameservers (if you buy a domain it does not pro-rate it) and sign up. The only real info you need to use is your email access, as all of the maxmind fraud and telephone verification are bypassed. If you disable pro rate in the product, then maxmind fraud and telephone verification are re-enabled as it is actually going to purchase something.

http://www.managedway.com/

You'll get your log in details in a few seconds, go ahead and log into your account. As long as you don't try to abuse the issue I'm happy to provide proof of concept on our live systems.

Also, heck, if you put in your real info I'll leave the account. Happy holidays.

RSanders
11-28-2009, 12:36 PM
How to reproduce this in your WHMCS

Prorata Billing: Tick this box to enable
Prorata Date: 1 (Enter the day of the month you want to charge on)
Charge Next Month: 14 (Enter the day of the month after which point the following month will also be charged for with the first payment)

So, we enable prorata
We set our Prorata Date to 1, so we bill on the first
We set our Next Month to 14, so if someone orders after the 14th it charges them the prorata for the month and then the full amount for the following month.

This is where it is broken. If you sign up after the Next Month day (i.e. the 14th) then it calculates the total due as $0 and makes the next payment 01/01/2010.

Now, if you set 'Next Month' to 0, so that it only pro-rates the month and does not include the next month, it will charge and work.

The problem is in the prorata calculations when charging a prorata and following month.

This is confirmed with two independent installs.

Thanks,
Rob
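
As an added example (not WHMCS code; the pro-rata formula, the function names and the routing rule are my assumptions), here is the calculation Rob describes in the reproduce steps and the $0 checkout earlier in the thread, carried through in Python with a checkout guard that never lets a priced plan through on a $0 total:

```python
import calendar
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def next_prorata_date(order_date, prorata_day):
    """First occurrence of prorata_day strictly after order_date."""
    y, m = order_date.year, order_date.month
    if order_date.day >= prorata_day:
        m += 1
        if m > 12:
            y, m = y + 1, 1
    return date(y, m, prorata_day)


def prorata_due(order_date, price, prorata_day=1, charge_next_month=14):
    """Return (amount due today, first renewal date) for a monthly plan.

    Assumed model, not WHMCS's own code: the days from order_date up to the
    next prorata_day are billed at price / days-in-month; when the order
    falls after charge_next_month the following full month is added and the
    first renewal moves one month further out. The 'next month' branch can
    only add to the total, so a priced plan never comes out at $0.
    """
    period_end = next_prorata_date(order_date, prorata_day)
    days_in_month = calendar.monthrange(order_date.year, order_date.month)[1]
    remaining = (period_end - order_date).days
    due = price * remaining / days_in_month
    next_due = period_end
    if charge_next_month and order_date.day > charge_next_month:
        due += price
        next_due = next_prorata_date(period_end, prorata_day)
    return due.quantize(CENT, rounding=ROUND_HALF_UP), next_due


def checkout_route(due_today, recurring):
    """Where a new order goes. A paid plan whose computed total is zero is a
    billing fault: hold it for staff review instead of auto-provisioning it
    and skipping the payment gateway and fraud checks."""
    if due_today > 0:
        return "payment_and_fraud_check"
    if recurring > 0:
        return "hold_for_review"
    return "free_product"


if __name__ == "__main__":
    # Rob's case: $8.95/month, prorata day 1, next-month day 14, ordered 28 Nov 2009
    due, renewal = prorata_due(date(2009, 11, 28), Decimal("8.95"))
    print(due, renewal, checkout_route(due, Decimal("8.95")))
```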

Hostwire.com
11-28-2009, 12:43 PM
I can confirm that there is definitely a bug in WHMCS that does not properly calculate services when Prorate is enabled. When the prorate option is set to 0 it calculates for the current month, but change that to say 14 to prorate after the 14th of the month it does not calculate. WHMCS v. 4.1.1

RandomLittleHost
11-28-2009, 12:46 PM
I suspect you've got something screwy in your setup. However I set the dates on Prorated billing (on latest WHMCS version), as an end user I'm always seeing a cost involved for the package being purchased.

Having said that, I still have problems with the WHMCS prorata setup which I've tried to resolve through their forums (without success).

Nick H
11-28-2009, 12:55 PM
There is an error in your settings somewhere. I use proration in my setup as well and there is no issue whatsoever with it.

RSanders
11-28-2009, 12:57 PM
It seems they posted a patch without updating their site.

Log into your client area and get 4.1.2 incremental. Unlike the last update, I didn't have to spend two days rebuilding my templates. This applied cleanly right over top of my 4.1.1. I did make an rsync -ab backup. Here is a changed file list.

find . -name \*~
./clientarea.php~
./modules/gateways/callback/paypal.php~
./modules/gateways/callback/2checkout.php~
./modules/registrars/resellone/resellone.php~
./modules/registrars/opensrs/opensrs.php~
./submitticket.php~
./cart.php~
./admin/clientsaddons.php~
./admin/clientshostinglist.php~
./admin/massmail.php~
./admin/orders.php~
./admin/quotes.php~
./upgrade.php~
./supporttickets.php~
./domainchecker.php~
./includes/api/gettickets.php~
./includes/api/getticket.php~
./includes/api/updateclient.php~
./includes/api/getclientsdetails.php~
./includes/api/domainwhois.php~
./includes/api/addclient.php~
./includes/api/capturepayment.php~
./includes/gatewayfunctions.php~
./includes/invoicefunctions.php~
./includes/orderfunctions.php~
./includes/whoisservers.php~
./includes/processinvoices.php~
./includes/quotefunctions.php~
./login.php~
./templates/portal/supportticketslist.tpl~
./templates/portal/clientareaproducts.tpl~
./templates/portal/viewticket.tpl~
./templates/default/supportticketslist.tpl~
./templates/default/clientareaproducts.tpl~
./dbconnect.php~
./dl.php~
./viewinvoice.php~
./dologin.php~

Hostwire.com
11-28-2009, 01:09 PM
Applied and it works now! No more Prorata issues with version 4.1.2

RSanders
11-28-2009, 01:17 PM
WHMCS support did get back with me, and it seems this is also in relation to the new year (2010). They have also confirmed that 4.1.2 incremental patch was to resolve this.

If you use WHMCS, make sure you are on 4.1.2 or you will find yourself with a lot of free accounts like us. On their site, they still list 4.1.1 as stable which probably is confusing more than us in this thread.

GarethP
11-28-2009, 01:35 PM
If you subscribe to the WHMCS announcement forum you will get a notification whenever they release a new version/update.

RSanders
11-28-2009, 01:43 PM
If you subscribe to the WHMCS announcement forum you will get a notification whenever they release a new version/update.

Yes, along with every other dribble of marketing material. I already get 300-400 non-spam emails a day, I don't really need to know about McAfee and Softwhatever.
McAfee PCI Compliance Service for WHMCS users (http://forum.whmcs.com/showthread.php?t=25099)
Softaculous Release WHMCS Module (http://forum.whmcs.com/showthread.php?t=24791)
VPS.NET Module - Testers Needed (http://forum.whmcs.com/showthread.php?t=23039)

I guess it's my mistake in assuming they would keep their site updated, as that's the first place I look.

vpshostingtv
11-29-2009, 08:07 PM
I have a question:
Do you suggest installing WHMCS in root with the same folder name, or is it better to rename it to something like billing...?
I've just downloaded 4.1.2, so I suppose I won't have this bug?

RSanders
11-29-2009, 08:17 PM
I have a question:
Do you suggest installing WHMCS in root with the same folder name, or is it better to rename it to something like billing...?
I've just downloaded 4.1.2, so I suppose I won't have this bug?

Yes 4.1.2 seems to work well.

I rename mine, and I think you will find it is common. Also, you may wish to change the admin directory name as well. This is documented at WHMCS.

If this is your billing on your site, name it billing.

Thanks,
Rob

citycm
11-29-2009, 10:09 PM
Yes 4.1.2 seems to work well.

I rename mine, and I think you will find it is common. Also, you may wish to change the admin directory name as well. This is documented at WHMCS.

If this is your billing on your site, name it billing.

Thanks,
Rob

Not sure if you're aware of this, but your SSL Certificates are showing as $0.00. Sorry, I know it's unrelated but thought it might be worth mentioning.

RSanders
11-29-2009, 10:13 PM
Not sure if you're aware of this, but your SSL Certificates are showing as $0.00. Sorry, I know it's unrelated but thought it might be worth mentioning.

It's a WHMCS 'feature'
If you set a custom field for Years, it shows $0 until you try to buy one. Select the certificate, and the Years option will appear with the pricing. $19.99/yr SSL and $199.99/yr EV SSL

Thank you very much for caring enough to let us know! If you find a work around to remove the $0 price let me know.

Documentation
http://wiki.whmcs.com/Enom_SSL_Certificates

Thanks,
Rob

citycm
11-29-2009, 10:30 PM
It's a WHMCS 'feature'
If you set a custom field for Years, it shows $0 until you try to buy one. Select the certificate, and the Years option will appear with the pricing. $19.99/yr SSL and $199.99/yr EV SSL

Thank you very much for caring enough to let us know! If you find a work around to remove the $0 price let me know.

Documentation
http://wiki.whmcs.com/Enom_SSL_Certificates

Thanks,
Rob
I'll look into it and get back to you :)

RSanders
11-29-2009, 10:42 PM
Other than the free accounts we gave away and the funny $0 here and there, overall this is working out quite well. I've gone from Modernbill to ClientExec to WHMCS and even with the little problems overall it's been an improvement each step.

If you do find a way to dump the $0 do let me know :)
Rob

Logic Surge
11-29-2009, 11:48 PM
Other than the free accounts we gave away and the funny $0 here and there, overall this is working out quite well. I've gone from Modernbill to ClientExec to WHMCS and even with the little problems overall it's been an improvement each step.

If you do find a way to dump the $0 do let me know :)
Rob
You can mess with the template and do some conditional Smarty work on the price area (if the product id is X show this, otherwise show the price). That's what we did for subdomains on our backup service (it shows a message saying that the subdomain isn't real, just to keep track of your account).

RSanders
11-30-2009, 09:07 AM
You can mess with the template and do some conditional Smarty work on the price area (if the product id is X show this, otherwise show the price). That's what we did for subdomains on our backup service (it shows a message saying that the subdomain isn't real, just to keep track of your account).

Nice :agree:
I'm going to stick that one in my hat and save it for the next round of updates.

Thanks for the tip!
Rob

websiteguy
11-30-2009, 02:20 PM
WHMCS is so far stable; happy the OP got the solution. You need to be careful with the options in WHMCS.

vpshostingtv
11-30-2009, 07:49 PM
It is recommended to move some directories too, do you think it is necessary?

RSanders
11-30-2009, 08:29 PM
It is recommended to move some directories too, do you think it is necessary?

I relocate mine, and I also require http auth to some places. Here's an example that will authenticate your staff.

# mod_auth_mysql: HTTP Basic auth checked against the WHMCS admin table
AuthName "Password"
AuthType Basic
AuthMySQLHost localhost
AuthMySQLUser whmcs
AuthMySQLPassword change_password
AuthMySQLDB whmcs
# tbladmins holds the staff logins; usernames and md5 password hashes
AuthMySQLUserTable tbladmins
AuthMySQLNameField username
AuthMySQLPasswordField password
AuthMySQLPwEncryption md5
AuthMySQLEnable On
# only a staff member present in tbladmins gets through
require valid-user

BUT, any modification you make will make it harder to update.

Thanks,
Rob