  1. #1

    WHMCS: Response to Recent Security Events

    This just came out:

    Over the last few months, WHMCS has released an unusually high number of security related updates - more than we would have liked or than you would have expected.

    We understand the inconvenience that these cause, and their severity.

    We have tasked several staff members with doing an internal code audit which is now well underway, and they have already identified a number of items which were addressed in the last release. We plan to continue our internal audit and release further updates as required.

    We will also be commissioning at least one additional external security audit, and introducing a Security Bounty Program. External security audits are not something that are new to us, however as a security audit alone is not a guaranteed solution, we will be increasing the frequency of both internal and independent external security audits being performed.

    As mentioned above, we will also be launching a Security Bounty Program designed to reward those who find issues in our software and report them to us in a responsible and safe manner. In order to encourage this we will be offering free development licenses to security researchers and monetary rewards of up to $5000 per issue. Further details will be released about this in the near future.

    These steps are just the start of our overall plans to proactively address your concerns. As we move forward additional announcements will be made.

    We appreciate the trust that you put in us, and we intend to make sure that trust is not misplaced.

    Matt Pugh
    Founder/CEO
    There are a lot of people who hate WHMCS right now, and don't believe anything will change.
    Like I said in prior posts, I for one believe there will be a lot of change.
    Last edited by Steven; 10-31-2013 at 12:15 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  2. #2
    This is good.

  3. #3
    Interesting. At least the guys at WHMCS are starting to plan for the future. That's a good start...

  4. #4
    A good move. At least they have realized that they will have to conduct a code audit to remain in the market. Best of luck for future stable versions...
    HostinPK.com
    [US/UK] Shared Hosting, Reseller Hosting, VPS Hosting
    cPanel/CWP | Softaculous | WHMCS | Dedicated IP | SSL
    We accept PayPal, 2checkout, Credit Cards, and Bank payments

  5. #5
    $5000? A clever way to do it

  6. #6
    Quote Originally Posted by Steven:
    There are a lot of people who hate WHMCS right now, and don't believe anything will change.
    History repeats itself, over and over and over again.
    I'll believe it when they stop trying to lie to our faces and the person responsible for these glaringly obvious security holes is removed
    Tom Whiting, WHMCS Guru extraordinaire
    Linux problems? WHMCS Problems? Give me a shout
    Check out my WHMCS Addons

  7. #7
    Quote Originally Posted by Conn8ct-Sal:
    $5000? A clever way to do it
    I think I read that is per release, so if 20 people report 20 different issues then that is up to $250 each (ok, still not bad, and hopefully there would not be 20 different exploits per release).

    The big question is though, has this announcement made anyone change their mind about leaving WHMCS?

  8. #8
    Quote Originally Posted by evocart:
    The big question is though, has this announcement made anyone change their mind about leaving WHMCS?
    Not here.
    I'll give them time to prove themselves, but we've heard the same old same old thing from them before.

    As of now, I'm just waiting for the system to come out that works well enough that I can use. Their attitude regarding security, and their customers is, well, pathetic.
    Tom Whiting, WHMCS Guru extraordinaire

  9. #9
    Quote Originally Posted by evocart:
    I think I read that is per release, so if 20 people report 20 different issues then that is up to $250 each (ok, still not bad, and hopefully there would not be 20 different exploits per release).

    The big question is though, has this announcement made anyone change their mind about leaving WHMCS?
    "Per Issue" implies one researcher could get 5k. Very nice, but I'm bummed that cPanel doesn't offer it for their control panel.
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  10. #10
    I'll give them time to prove themselves, but we've heard the same old same old thing from them before.

    What, in everyone's opinion, is an appropriate length of time for WHMCS to get their act together? I want to give them a fair shot as well, but I can't hold my breath forever. I've pulled as much as I can get away with out of production, but that's certainly not a "fix".

  11. #11
    Quote Originally Posted by Steven:
    This just came out:

    There are a lot of people who hate WHMCS right now, and don't believe anything will change.
    Like I said in prior posts, I for one believe there will be a lot of change.
    Do you know of anyone in this thread receiving monetary compensation re: the audit?
    Just curious, as I'd hate to see biased PR posts on WHT.

  12. #12
    The hardest part for WHMCS will be implementing any changes found from the audit that aren't going to completely knacker their modules or the countless other modules on the planet for its software.

  13. #13
    These steps are just the start of our overall plans to proactively address your concerns. As we move forward additional announcements will be made.
    Does anyone else have the same definition of proactive?

    David Man
    www.openitc.co.uk - We create, we host, we connect - Fully Managed VPS & Dedicated Hosting
    www.direvps.com - When nothing but price matters! - Brutal marketing for a brutal market!

  14. #14
    Quote Originally Posted by David:
    Do you know of anyone in this thread receiving monetary compensation re: the audit?
    Just curious, as I'd hate to see biased PR posts on WHT.
    Not that I know of yet. We have not been approached / nor have we offered services if that's what you mean.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  15. #15
    Quote Originally Posted by twhiting9275:
    History repeats itself, over and over and over again.
    I'll believe it when they stop trying to lie to our faces and the person responsible for these glaringly obvious security holes is removed
    Just because you have a one track mind, doesn't mean you are right.
    I know for a fact without a doubt, there are people not 'Matt' working on this.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  16. #16
    Quote Originally Posted by davidman:
    Does anyone else have the same definition of proactive?
    I had the same thoughts as well.
    * GeekStorage.com - Offering awesome website hosting for over 13 years!
    * Shared Hosting * Reseller Hosting * Virtual Private Servers * Dedicated Servers
    * Have questions? Send us an e-mail, we'd love to hear from you!

  17. #17
    Quote Originally Posted by Steven:
    Not that I know of yet. We have not been approached / nor have we offered services if that's what you mean.
    Just checking, as I know you've received compensation from cPanel, a large shareholder of WHMCS (afaik).
    You suddenly sound very upbeat about WHMCS & their potential, despite their track record.

  18. #18
    Quote Originally Posted by David:
    Just checking, as I know you've received compensation from cPanel, a large shareholder of WHMCS (afaik).
    You suddenly sound very upbeat about WHMCS & their potential, despite their track record.
    Never received anything in the form of money from cPanel. We had asked them about bounties several months ago and were told at this time no they do not have anything like that but possibly could one day.
    I have sounded upbeat about WHMCS for a while now. They + cPanel are good guys and I have talked with them pretty extensively.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  19. #19
    Quote Originally Posted by Steven:
    Never received anything in the form of money from cPanel.
    Have you received any sort of compensation from cPanel, a shareholder of WHMCS, outside of what could be considered money? Just curious.

  20. #20
    Quote Originally Posted by David:
    Have you received any sort of compensation from cPanel, a shareholder of WHMCS, outside of what could be considered money? Just curious.
    I received a partner package, when I went there as a partner visit. Lots of people get them. Anything received has zero to do with any security work.
    They have never said, hey, here's payment for that bug you sent us. They (cPanel) do not offer such a program.

    Not really sure why you seem set on derailing a thread with things that have no reason to be in here.

    This is to discuss WHMCS's next moves.
    Last edited by Steven; 10-31-2013 at 01:50 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  21. #21
    Quote Originally Posted by Steven:
    I received a partner package, when I went there as a partner visit. Lots of people get them.
    Roger that.

    Quote Originally Posted by Steven:
    Not really sure why you seem set on derailing a thread with things that have no reason to be in here.
    No intention whatsoever of derailing the thread, I just wanted to know why your feelings about WHMCS suddenly changed. WHMCS needs a full blown code rewrite, and that'll take quite a few months. Their bounty program is a damned good move (albeit belated).

    These are all steps in the right direction and are all great improvements across the board.

  22. #22
    Quote Originally Posted by Steven:
    Just because you have a one track mind, doesn't mean you are right.
    And just because you're gullible enough to believe them doesn't mean you are.

    Quote Originally Posted by Steven:
    I know for a fact without a doubt, there are people not 'Matt' working on this.
    Good for you, what, you want a cookie?
    The fact remains though, despite your ignorance of the issues, Matt is the one that is responsible for this fiasco, and all the ones previous. He's been let off with a simple slap on the wrist by people like you so many times it's not funny. Nobody is holding people accountable for their actions here, nobody.
    Tom Whiting, WHMCS Guru extraordinaire

  23. #23
    Quote Originally Posted by twhiting9275:
    Nobody is holding people accountable for their actions here, nobody.
    It's a free market, go pick an alternate software choice. Problem solved

  24. #24
    Quote Originally Posted by twhiting9275:
    And just because you're gullible enough to believe them doesn't mean you are.

    Good for you, what, you want a cookie?
    The fact remains though, despite your ignorance of the issues, Matt is the one that is responsible for this fiasco, and all the ones previous. He's been let off with a simple slap on the wrist by people like you so many times it's not funny. Nobody is holding people accountable for their actions here, nobody.
    Please stop talking about things you know nothing about.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com

  25. #25
    Quote Originally Posted by David:
    Roger that.

    No intention whatsoever of derailing the thread, I just wanted to know why your feelings about WHMCS suddenly changed. WHMCS needs a full blown code rewrite, and that'll take quite a few months. Their bounty program is a damned good move (albeit belated).

    These are all steps in the right direction and are all great improvements across the board.
    Our opinion has changed because, of how they act. I looked David@WHMCS in the face and told him, "Hey, there is a vulnerability in ...." and he went and found/confirmed it while I was sitting there. To me that is responsible. He could have said no no, not possible like other companies have done.

    Really, for the most part if you report something to them they do act on it.

    Take this for example:
    https://www.google.com/#q=site:whmcs.com+safeornot.com
    These guys have been reporting for years, even before they started crediting.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
