  1. #1
    Join Date
    Apr 2005
    Location
    UK
    Posts
    257

    WHMCS Security Patch

    Since I know a lot of our users browse these forums I just thought I'd post a quick heads up here that we have released a Security Patch today. Please refer to this announcement for details: http://forum.whmcs.com/showthread.php?t=42121

    Matt
    WHMCompleteSolution
    The Complete Client Management, Billing & Support System
    www.whmcs.com

  2. #2
    Join Date
    Mar 2006
    Location
    Ventura CA
    Posts
    321

    WHMCS 4.X Security Patch

    A potential security issue has been discovered whereby it may be possible for a malicious user to inject a specially crafted combination of variables leading to unexpected results. The issue revolves around the Smarty templating system and template related processing.
    Reference:
    http://forum.whmcs.com/showthread.php?t=42121
    *G.C. SOLUTIONS Elastic Sites Shared Web Hosting* - Hosting Quality Sites Since 2006. Experience Your Website On A Whole New Level
    *Dedicated Resource Usage Experts*

  3. #3
    Join Date
    Jan 2007
    Location
    Kent, UK
    Posts
    421
    Repost, see http://www.webhostingtalk.com/showthread.php?t=1090735 (this was pretty much top of 'new' posts when you posted...)
    RackSRV Communications Limited
    UK Hosting specialists in Dedicated Servers & Server Colocation
    Company: 06856870 VAT: GB 934 7073 15 Tel: 0330 229 1000

  4. #4
    Join Date
    Jan 2010
    Location
    San Francisco
    Posts
    1,800
    Thanks, Matt.

  5. #5
    Join Date
    Mar 2006
    Location
    Ventura CA
    Posts
    321


    Did not even bother to go look in that area. Ahh well the more the merrier.
    *G.C. SOLUTIONS Elastic Sites Shared Web Hosting* - Hosting Quality Sites Since 2006. Experience Your Website On A Whole New Level
    *Dedicated Resource Usage Experts*

  6. #6
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Wouldn't it be wise to mass mail all clients since this is a security patch?

    I wish you guys were more proactive in letting your clients know about such security releases in the form of an email as well.

  7. #7
    Join Date
    Nov 2008
    Location
    Florida, U.S
    Posts
    1,738
    Thanks for the heads up.
    HOSTLEET.COM, LLC - Elite Website Hosting Since 2008!
    Fast Reliable Affordable Secure Friendly & Courteous
    RISK-FREE Money Back Guarantee U.S.A Based & Operated
    Read Through Our Most F.A.Q's!

  8. #8
    Join Date
    May 2006
    Location
    San Francisco
    Posts
    7,325
    Quote (originally posted by cd/home):
    Wouldn't it be wise to mass mail all clients since this is a security patch?

    I wish you guys were more proactive in letting your clients know about such security releases in the form of an email as well.
    A mass email would be helpful.

  9. #9
    Join Date
    Oct 2002
    Location
    /roof/ledge
    Posts
    28,088
    Quote (originally posted by cd/home):
    Wouldn't it be wise to mass mail all clients since this is a security patch?

    I wish you guys were more proactive in letting your clients know about such security releases in the form of an email as well.
    Had that very thought. Posted here I was bound to see it eventually, but an email would most likely have been quicker. Maybe even something like vBulletin has, with patch notices pushed to the admin home page?
    Anyway, patched.
    Your one stop shop for decentralization

  10. #10
    Thanks. Like another user said, it would be nice if WHMCS let everyone know by email; I never check their forums.

  11. #11
    Join Date
    Dec 2009
    Location
    Canada
    Posts
    748
    Thanks for the heads up. I agree with Bear, some sort of notification similar to what VB or IPB has would be a neat and worthwhile feature. You already have something similar in the check for updates section, so why not bring even something as simple as a one-line "security update available, click here for information" onto the front page? It is a bit disconcerting that had I not noticed this thread my installation would have been vulnerable until the next version was released.
    NorthernOrange - Canadian Web Hosting Solutions since 2005
    24/7 World Class Support - 99.9% Uptime Guaranteed
    30 Day Money Back Guarantee (No hassle!)
    Shared cPanel Hosting - Business Hosting

  12. #12
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote (originally posted by Jeff Bee):
    I not noticed this thread my installation would have been vulnerable until the next version was released.
    The very same happened to me on their last security patch. Well, it didn't go as far as the next release, but I was vulnerable for longer than necessary due to lack of communication...

    I can see something along the lines of what happened to LxLabs happening to WHMCS installs if they carry on with this poor communication upon security patches...

    (Note: The MASS "hacking" of LxLabs was either poor code or poor passwords; we'll never know the truth.)
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.

  13. #13
    Join Date
    Apr 2005
    Location
    UK
    Posts
    257
    Hi,

    We have got an email sending out about this, but for all you WHT addicts I just knew this would be a quicker way of getting it to you, as our mailing list takes some time to get through due to its size.

    We always do send notifications about things we deem to be serious enough. Thankfully we don't have this kind of thing happen very often, but if you remember the last time it did, (a) it raised no direct threat to an installation and (b) there was a new release due out within days anyway and so that was the only reason there was no email sent out.

    Matt
    WHMCompleteSolution
    The Complete Client Management, Billing & Support System
    www.whmcs.com

  14. #14
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135

    WHMCS: Security update issued

    In case you DIDN'T get their email last night (or this afternoon), here it is (without the patch download link):
    A potential security issue has been discovered whereby it may be possible for a malicious user to inject a specially crafted combination of variables leading to unexpected results. The issue revolves around the Smarty templating system and template related processing.

    To make the patching process as simple as possible, we are issuing a single file patch that will work for all versions of WHMCS 4.x. The file (download link below) simply needs to be uploaded to the root WHMCS directory to take effect, and there's no install or upgrade process necessary.
    You can view the full post and email on their forum, as well as get the download link.

    Seems to be a pretty straightforward, single file update, no huge problems so far. If you HAVEN'T downloaded and updated this file, you probably should get on that pretty quickly!
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  15. #15
    Join Date
    Jan 2006
    Location
    India
    Posts
    637

    WHMCS security update.. apply asap..

    Hi,

    There seems to be a major security hole in WHMCS which allows easy hacking..

    example thread.. http://www.webhostingtalk.com/showthread.php?t=1088035

    WHMCS just released a security update and acknowledged it..

    update your WHMCS installation asap..

    Here is the link.. http://forum.whmcs.com/showthread.php?t=42121
    ►ExpertWebHost.NET- Instant reliable hosting since 2008+
    ►Quality Shared, Reseller, SEO and VPS hosting
    ►Choose to host from US/Uk/Canada/Singapore/Netherlands/Australia - 10 locations

  16. #16
    Join Date
    May 2010
    Location
    Bhakkar
    Posts
    1,592

    Quote (originally posted by bear):
    Maybe even something like vBulletin has, with patch notices pushed to the admin home page?
    This may be a good idea, as everyone logs in to the admin area at least once a day. So they can be informed in a better way.
    HostinPK.com
    [US/UK] Shared Hosting, Reseller Hosting, VPS Hosting
    cPanel/CWP | Softaculous | WHMCS | Dedicated IP | SSL
    We accept PayPal, 2checkout, Credit Cards, and Bank payments

  17. #17
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    14,135
    Quote (originally posted by bear):
    Had that very thought. Posted here I was bound to see it eventually, but an email would most likely have been quicker. Maybe even something like vBulletin has, with patch notices pushed to the admin home page?
    Anyway, patched.
    I got an email (two in fact, one last night, one this morning), but I like the announcement approach as well.
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  18. #18
    Join Date
    Aug 2002
    Location
    Bharat
    Posts
    4,808
    Email was there too in my inbox, I checked at WHMCS forum to double check and then updated that file.

    Waiting eagerly for the new release.
    Vinsar.Net - Quality Web Hosting at Economical Price on USA & European Servers
    Offering domains, shared, reseller & VPS hosting.
    Reliable Domain Reseller Account Resell Domains with Confidence

  19. #19
    Great job Matt!

  20. #20
    Join Date
    Nov 2009
    Location
    /etc/my.cnf
    Posts
    10,657
    Quote (originally posted by ExpertWebHostNET):
    What about that thread?

    Since the OP cannot provide any details including logs, I'd say the story is half baked!
    UK Based Proactive Server Management.
    Zabbix Enterprise 24/7 Monitoring.

  21. #21

    WHMCS Security Advisory

    Hello,
    I just received this message from WHMCS. Has anybody applied this patch, and has anybody experienced the potential risk involved?

    I am always skeptical to be the first to try...

    A potential security issue has been discovered whereby it may be possible for a malicious user to inject a specially crafted combination of variables leading to unexpected results. The issue revolves around the Smarty templating system and template related processing.

    To make the patching process as simple as possible, we are issuing a single file patch that will work for all versions of WHMCS 4.x. The file (download link below) simply needs to be uploaded to the root WHMCS directory to take effect, and there's no install or upgrade process necessary.

    > Patch Download Link: http://www.whmcs.com/go/21/download

    We always develop and test WHMCS with security in mind but unfortunately sometimes things do slip through. However, whenever we're notified of potential security issues we always fully investigate & issue a fix immediately where needed.

    If you have any questions or need any assistance applying the patch, please do not hesitate to contact us.

    We apologize for the inconvenience.

    ---
    WHMCS
    www.whmcs.com
    █▌ Cheapest Domain Registration Service & Shared Hosting Solutions .
    █▌ Skrill, Perfect Money, AdvCash, Webmoney,Monero, Neteller, BitCoin, Payeer, Crypto.
    █▌ Instant Domain Name Registration - Over 700+ Extensions x3reg.com!

  22. #22
    Join Date
    Aug 2009
    Location
    Montreal
    Posts
    1,697
    Already used the patch, you should too.
    CrocWeb Cloud - High Availability Cloud Website Hosting
    > NVMe Storage, LSCache, Redis, Global CDN, Unlimited SSL
    > Triple Data Replication, Automated Server Failover
    > Bad Bots, Malware, DDoS Protection

  23. #23
    Join Date
    Oct 2010
    Posts
    5,079
    Thanks for the heads up, hostnesta. Duly patched.
    Not as active on WHT as I used to be, but still drop in and receive email notifications from here.
    My personal blog site: https://www.oakleys.org.uk/blog

  24. #24
    Join Date
    Aug 2010
    Location
    FL
    Posts
    184
    Yes, I patched when I read about it on the forums and then the email. I typically patch immediately when it states security etc.
    Erick T.

  25. #25
    I was a bit more cautious: received the email but downloaded it direct from their site and double checked. My concern was that it was a spoof email and I could have been uploading a security issue to my server. Once checked genuine, patched straight away.
    █ DMB SOLUTIONS LTD
    DMB Hosting - UK Web hosting and VPS Servers
    █ All owned hardware Chicago and UK
