Thread: WHMCS Security Patch
-
10-15-2011, 07:03 PM #1 Web Hosting Guru
- Join Date
- Apr 2005
- Location
- UK
- Posts
- 257
WHMCS Security Patch
Since I know a lot of our users browse these forums I just thought I'd post a quick heads up here that we have released a Security Patch today. Please refer to this announcement for details: http://forum.whmcs.com/showthread.php?t=42121
Matt
-
10-15-2011, 07:05 PM #2 Web Hosting Guru
- Join Date
- Mar 2006
- Location
- Ventura CA
- Posts
- 321
WHMCS 4.X Security Patch
A potential security issue has been discovered whereby it may be possible for a malicious user to inject a specially crafted combination of variables leading to unexpected results. The issue revolves around the Smarty templating system and template related processing.
http://forum.whmcs.com/showthread.php?t=42121
*G.C. SOLUTIONS Elastic Sites Shared Web Hosting* - Hosting Quality Sites Since 2006. Experience Your Website On A Whole New Level
*Dedicated Resource Usage Experts*
-
10-15-2011, 07:14 PM #3 Aspiring Evangelist
- Join Date
- Jan 2007
- Location
- Kent, UK
- Posts
- 421
Repost, see http://www.webhostingtalk.com/showthread.php?t=1090735 (this was pretty much top of 'new' posts when you posted...)
RackSRV Communications Limited
UK Hosting specialists in Dedicated Servers & Server Colocation
Company: 06856870 VAT: GB 934 7073 15 Tel: 0330 229 1000
-
10-15-2011, 07:18 PM #4 Web Hosting Master
- Join Date
- Jan 2010
- Location
- San Francisco
- Posts
- 1,800
Thanks, Matt.
-
10-15-2011, 07:19 PM #5 Web Hosting Guru
- Join Date
- Mar 2006
- Location
- Ventura CA
- Posts
- 321
Did not even bother to go look in that area. Ahh well the more the merrier.
*G.C. SOLUTIONS Elastic Sites Shared Web Hosting* - Hosting Quality Sites Since 2006. Experience Your Website On A Whole New Level
*Dedicated Resource Usage Experts*
-
10-15-2011, 07:20 PM #6 Hello World
- Join Date
- Nov 2009
- Location
- /etc/my.cnf
- Posts
- 10,657
Wouldn't it be wise to mass mail all clients since this is a security patch?
I wish you guys were more proactive in letting your clients know about such security releases in the form of an email as well.
-
10-15-2011, 07:24 PM #7 Elite Webmaster
- Join Date
- Nov 2008
- Location
- Florida, U.S
- Posts
- 1,738
Thanks for the heads up.
HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
★ Fast ★ Reliable ★ Affordable ★ Secure ★ Friendly & Courteous
★ RISK-FREE Money Back Guarantee ★ U.S.A Based & Operated
★ Read Through Our Most F.A.Q's!
-
10-15-2011, 07:33 PM #10 Newbie
- Join Date
- Oct 2011
- Posts
- 23
Thanks. Like another user said, it would be nice if WHMCS let everyone know in an email; I never check their forums.
-
10-15-2011, 07:41 PM #11 Web Hosting Master
- Join Date
- Dec 2009
- Location
- Canada
- Posts
- 748
Thanks for the heads up. I agree with Bear, some sort of notification similar to what VB or IPB has would be a neat and worthwhile feature. You already have something similar in the check for updates section, why not bring even something as simple as a one line "security update available, click here for information" onto the front page? It is a bit disconcerting that had I not noticed this thread my installation would have been vulnerable until the next version was released.
▪ NorthernOrange - Canadian Web Hosting Solutions since 2005
▪ 24/7 World Class Support - 99.9% Uptime Guaranteed
▪ 30 Day Money Back Guarantee (No hassle!)
▪ Shared cPanel Hosting - Business Hosting
-
10-16-2011, 08:21 AM #12 Hello World
- Join Date
- Nov 2009
- Location
- /etc/my.cnf
- Posts
- 10,657
The very same happened to me on their last security patch. Well, it didn't go as far as the next release, but I was vulnerable for longer than necessary due to lack of communication...
I can see something along the lines of what happened to LxLabs happening to WHMCS installs if they carry on with this poor communication upon security patches...
(Note: The MASS "hacking" of LxLabs was either poor code or poor passwords. We'll never know the truth.)
UK Based Proactive Server Management.
Zabbix Enterprise 24/7 Monitoring.
-
10-16-2011, 09:43 AM #13 Web Hosting Guru
- Join Date
- Apr 2005
- Location
- UK
- Posts
- 257
Hi,
We have got an email sending out about this, but for all you WHT addicts I just knew this would be a quicker way of getting it to you, as our mailing list takes some time to get through due to its size.
We always do send notifications about things we deem to be serious enough. Thankfully we don't have this kind of thing happen very often, but if you remember the last time it did, (a) it raised no direct threat to an installation and (b) there was a new release due out within days anyway and so that was the only reason there was no email sent out.
Matt
-
10-16-2011, 03:59 PM #14
WHMCS: Security update issued
In case you DIDN'T get their email last night (or this afternoon), here it is (without the patch download link):
A potential security issue has been discovered whereby it may be possible for a malicious user to inject a specially crafted combination of variables leading to unexpected results. The issue revolves around the Smarty templating system and template related processing.
To make the patching process as simple as possible, we are issuing a single file patch that will work for all versions of WHMCS 4.x. The file (download link below) simply needs to be uploaded to the root WHMCS directory to take effect, and there's no install or upgrade process necessary.
Seems to be a pretty straightforward, single file update, no huge problems so far. If you HAVEN'T downloaded and updated this file, you probably should get on that pretty quickly!
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons
-
10-16-2011, 09:45 PM #15 Web Hosting Master
- Join Date
- Jan 2006
- Location
- India
- Posts
- 637
WHMCS security update.. apply asap..
Hi,
There seems to be a major security hole in WHMCS which allows easy hacking..
example thread.. http://www.webhostingtalk.com/showthread.php?t=1088035
WHMCS just released a security update and acknowledged it..
update your WHMCS installation asap..
Here is the link.. http://forum.whmcs.com/showthread.php?t=42121
-
10-17-2011, 01:14 AM #18 Always Learning...
- Join Date
- Aug 2002
- Location
- Bharat
- Posts
- 4,808
Email was there too in my inbox, I checked at WHMCS forum to double check and then updated that file.
Waiting eagerly for the new release.
Vinsar.Net - Quality Web Hosting at Economical Price on USA & European Servers
Offering domains, shared, reseller & VPS hosting.
Reliable Domain Reseller Account Resell Domains with Confidence
-
10-17-2011, 02:18 AM #19 Disabled
- Join Date
- Aug 2008
- Posts
- 2,237
Great job Matt!
-
10-17-2011, 04:30 AM #21 Web Hosting Master
- Join Date
- Jan 2010
- Posts
- 856
WHMCS Security Advisory
Hello,
I just received this message from WHMCS. Has anybody fixed this piece of patch, and has anybody experienced the potential risk involved?
I am always skeptical to be the first to try...
A potential security issue has been discovered whereby it may be possible for a malicious user to inject a specially crafted combination of variables leading to unexpected results. The issue revolves around the Smarty templating system and template related processing.
To make the patching process as simple as possible, we are issuing a single file patch that will work for all versions of WHMCS 4.x. The file (download link below) simply needs to be uploaded to the root WHMCS directory to take effect, and there's no install or upgrade process necessary.
> Patch Download Link: http://www.whmcs.com/go/21/download
We always develop and test WHMCS with security in mind but unfortunately sometimes things do slip through. However, whenever we're notified of potential security issues we always fully investigate & issue a fix immediately where needed.
If you have any questions or need any assistance applying the patch, please do not hesitate to contact us.
We apologize for the inconvenience.
---
WHMCS
www.whmcs.com
█▌ Cheapest Domain Registration Service & Shared Hosting Solutions .
█▌ Skrill, Perfect Money, AdvCash, Webmoney,Monero, Neteller, BitCoin, Payeer, Crypto.
█▌ Instant Domain Name Registration - Over 700+ Extensions x3reg.com!
-
10-17-2011, 04:33 AM #22
Already used the patch, you should too.
CrocWeb Cloud - High Availability Cloud Website Hosting
> NVMe Storage, LSCache, Redis, Global CDN, Unlimited SSL
> Triple Data Replication, Automated Server Failover
> Bad Bots, Malware, DDoS Protection
-
10-17-2011, 04:49 AM #23 Retired Moderator
- Join Date
- Oct 2010
- Posts
- 5,079
Thanks for the heads up, hostnesta. Duly patched.
Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
My personal blog site: https://www.oakleys.org.uk/blog
-
10-17-2011, 05:01 AM #24 Junior Guru
- Join Date
- Aug 2010
- Location
- FL
- Posts
- 184
Yes, I patched when I read about it on the forums and then the email. I typically patch immediately when it states security etc.
Erick T.
-
10-17-2011, 05:11 AM #25 WHT Addict
- Join Date
- Feb 2010
- Posts
- 164
I was a bit more cautious, received the email but downloaded it direct from their site and double checked. My concern was it was a spoof email and I could have been uploading a security issue to my server. Once checked genuine, patched straight away.
█ DMB SOLUTIONS LTD
█ DMB Hosting - UK Web hosting and VPS Servers
█ All owned hardware Chicago and UK