  1. #1
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    8,910

    WHMCS Security Advisory TSR-2013-010

    Looks like WHMCS updates were pushed out including a security update:

    http://blog.whmcs.com/?t=83303
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  2. #2
    Join Date
    May 2013
    Location
    United States
    Posts
    180
    Thanks, I got the email. I updated my WHMCS right away

  3. #3
    Join Date
    Dec 2005
    Location
    England, UK
    Posts
    630
    Did anyone check the patch contents? I seem to have a "5.2.15" folder inside the "whmcs" folder. I don't think that was intentional?
    SupportPal - Smart self-hosted help desk software
    Supporting multiple channels, including Twitter and Facebook. WHMCS integration available.
    LicensePal - Discounted popular web hosting software licenses
    cPanel, InterWorx, SolusVM, CloudLinux, Blesta, Softaculous, Installatron, and much more!

  4. #4
    Join Date
    Aug 2012
    Location
    UK
    Posts
    260
    Quote Originally Posted by LP-Jay View Post
    Did anyone check the patch contents? I seem to have a "5.2.15" folder inside the "whmcs" folder. I don't think that was intentional?
    Same here, wondering the same.
    Patrick ~ INIZ

  5. #5
    Quote Originally Posted by LP-Jay View Post
    Did anyone check the patch contents? I seem to have a "5.2.15" folder inside the "whmcs" folder. I don't think that was intentional?
    I can't see how it would have been intentional. But those guys really can't seem to get anything right. Just once I'd like to see a properly disseminated patch that not only fixes the issue but also doesn't create new issues.

    M

  6. #6
    Join Date
    Dec 2005
    Location
    England, UK
    Posts
    630
    Quote Originally Posted by Vivid View Post
    Same here, wondering the same.
    They both have different sets of files too...
    SupportPal - Smart self-hosted help desk software
    Supporting multiple channels, including Twitter and Facebook. WHMCS integration available.
    LicensePal - Discounted popular web hosting software licenses
    cPanel, InterWorx, SolusVM, CloudLinux, Blesta, Softaculous, Installatron, and much more!

  7. #7
    Join Date
    Jul 2005
    Location
    In the Internets
    Posts
    3,622
    Looks like they tar'd the patch wrong... who knows.


  8. #8
    Indeed.
    There are two versions of a file paypal.php for example
    whmcs\modules\gateways\callback\paypal.php
    whmcs\5.2.15\modules\gateways\callback\paypal.php
    with different sizes.
    PlotHost - Cheap Web Hosting Plans since 2008
    24/7 Support | 99.9% Uptime | 15 Days Money Back
    Shared & Reseller Plans - Check our hosting OFFER !

  9. #9
    Join Date
    Feb 2012
    Location
    Castle Discordia
    Posts
    231
    I saw that too. Definitely not updating until the latest patch is patched.

  10. #10
    Join Date
    Jul 2005
    Location
    In the Internets
    Posts
    3,622
    People are reporting bricked WHMCS's after installing, I assume due to incorrect files in the patch. I would advise to wait until they fix this.

  11. #11
    Join Date
    Jul 2005
    Location
    In the Internets
    Posts
    3,622
    Quote Originally Posted by PlotHost-Max View Post
    Indeed.
    There are two versions of a file paypal.php for example
    whmcs\modules\gateways\callback\paypal.php
    whmcs\5.2.15\modules\gateways\callback\paypal.php
    with different sizes.
    Yet, there's nothing in the changelog about PayPal.

  12. #12
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,951
    Comparing the two, in the WHMCS/admin/cron has this:
    // * Version: 5.1.15 <<<really?
    // * BuildId: 3 *
    // * Release Date: 26 Nov 2013

    Same file in the 5.2.15 folder:
    // * Version: 5.2.15
    // * BuildId: 1
    // * Release Date: 23 Dec 2013
    Having problems, or maybe questions about WHT? Head over to the help desk!

  13. #13
    Join Date
    May 2013
    Location
    United States
    Posts
    180
    Quote Originally Posted by LP-Jay View Post
    Did anyone check the patch contents? I seem to have a "5.2.15" folder inside the "whmcs" folder. I don't think that was intentional?
    If your current WHMCS is 5.2.14, then you have to upload the files inside 5.2.15
    I have updated my WHMCS and everything is working fine.

    I'm not too sure about the files outside the 5.2.15 folder.

  14. #14
    Join Date
    May 2013
    Location
    Florida
    Posts
    418
    Quote Originally Posted by stablehost View Post
    People are reporting bricked WHMCS's after installing, I assume due to incorrect files in the patch. I would advise to wait until they fix this.
    Yes, here too. Billing is available but the admin login becomes unavailable after the patch is applied.
    Webhostpython.com - Reliable Shared, Reseller, and KVM VPS Hosting Services.
    Dual Octa Core Xeon E5 Servers. RAID10 Storage. Enterprise DDOS Protection. Pure SSD Plans
    24/7 Support | Live Chat | In-House Support Staff | 1-800-929-9061 | Dallas, TX

  15. #15
    Join Date
    Dec 2005
    Location
    England, UK
    Posts
    630
    Looks like they fixed it now, downloading the patch again no longer has the 5.2.15 folder.

    Strange that they never checked the contents of it before releasing it.
    SupportPal - Smart self-hosted help desk software
    Supporting multiple channels, including Twitter and Facebook. WHMCS integration available.
    LicensePal - Discounted popular web hosting software licenses
    cPanel, InterWorx, SolusVM, CloudLinux, Blesta, Softaculous, Installatron, and much more!

  16. #16
    As has now been posted on our blog, within a few minutes of publishing the announcement, it was discovered that the incremental update files were contained within a subfolder as you are referring to here. The release was updated to remove the subfolder and MD5 checksum updated.

    Per the blog: http://blog.whmcs.com/?t=83303

    5.2.14 --> 5.2.15 Patch http://go.whmcs.com/290/v5214_increm...to_v5215_patch
    MD5 Checksum: 709126303a0296ea41e6984c84aa42fa *

    The latest full release can be downloaded as always from our members area at https://www.whmcs.com/members

    Sorry for any inconvenience.

    Matt
    WHMCompleteSolution
    The Complete Client Management, Billing & Support System
    www.whmcs.com
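
A pre-deployment check for the packaging problem discussed in this thread (a version-named subfolder shipping a second copy of files such as `modules/gateways/callback/paypal.php`), combined with the checksum comparison mentioned in post #16. This is an added example, not code from WHMCS or any poster; the function names, the `whmcs` top-level folder default and the in-memory sample archives are constructed for illustration.

```python
import hashlib
import io
import re
import zipfile
from collections import defaultdict

VERSION_DIR = re.compile(r"^\d+\.\d+\.\d+$")  # e.g. the stray "5.2.15" folder


def md5_matches(data: bytes, published: str) -> bool:
    """Compare archive bytes with a published MD5 line such as '<hex> *'."""
    return hashlib.md5(data).hexdigest() == published.split()[0].lower()


def audit_patch(data: bytes, top_dir: str = "whmcs"):
    """Return (version_dirs, conflicts) for a patch zip.

    version_dirs: version-named folders found directly under top_dir.
    conflicts: {deploy path: {archive path: size}} for files shipped twice.
    """
    version_dirs = set()
    seen = defaultdict(dict)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.replace("\\", "/").split("/")
            if parts[0] == top_dir:
                parts = parts[1:]
            if len(parts) > 1 and VERSION_DIR.match(parts[0]):
                version_dirs.add(parts[0])
                parts = parts[1:]
            seen["/".join(parts)][info.filename] = info.file_size
    conflicts = {rel: c for rel, c in seen.items() if len(c) > 1}
    return sorted(version_dirs), conflicts


def build_sample(files: dict) -> bytes:
    """Build a constructed zip in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


PAYPAL = "modules/gateways/callback/paypal.php"
# Constructed archives: BAD mimics the first upload, GOOD the corrected one.
BAD = build_sample({"whmcs/" + PAYPAL: "<?php // older build\n",
                    "whmcs/5.2.15/" + PAYPAL: "<?php // 5.2.15 build\n"})
GOOD = build_sample({"whmcs/" + PAYPAL: "<?php // 5.2.15 build\n"})
GOOD_MD5 = hashlib.md5(GOOD).hexdigest()  # stand-in for the published value

if __name__ == "__main__":
    print("checksum ok:", md5_matches(GOOD, GOOD_MD5 + " *"))
    print("bad archive:", audit_patch(BAD))
    print("good archive:", audit_patch(GOOD))
```

A non-empty `version_dirs` or `conflicts` result is a reason to hold the upload and re-download, since two copies of one deploy path with different sizes means the archive mixes builds.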

  17. #17
    Join Date
    Sep 2007
    Posts
    41
    They fixed the ZIP file; the 1st one was 1,3 MB (with folder 5.1.15 and different files with the same name) and the new one is 532 KB.

    After I uploaded the 1st one, admin login became unavailable.

    I will try new one.

  18. #18
    Join Date
    Feb 2006
    Location
    Buffalo NY
    Posts
    1,348
    Quote Originally Posted by WHMCS-Matt View Post
    As has now been posted on our blog, within a few minutes of publishing the announcement, it was discovered that the incremental update files were contained within a subfolder as you are referring to here. The release was updated to remove the subfolder and MD5 checksum updated.

    Per the blog: http://blog.whmcs.com/?t=83303

    5.2.14 --> 5.2.15 Patch http://go.whmcs.com/290/v5214_increm...to_v5215_patch
    MD5 Checksum: 709126303a0296ea41e6984c84aa42fa *

    The latest full release can be downloaded as always from our members area at https://www.whmcs.com/members

    Sorry for any inconvenience.

    Matt
    How have there been so many mistakes in packaging patches lately?
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Let's Encrypt Sponsor.

  19. #19
    Join Date
    Jan 2006
    Location
    127.0.0.1
    Posts
    681
    Updated, and seems OK on my end.

  20. #20
    Join Date
    Dec 2005
    Location
    England, UK
    Posts
    630
    Quote Originally Posted by tinoandrijic View Post
    They fixed the ZIP file; the 1st one was 1,3 MB (with folder 5.1.15 and different files with the same name) and the new one is 532 KB.

    After I uploaded the 1st one, admin login became unavailable.

    I will try new one.
    I may be wrong, but it seems like the files in the root folder were for 5.1.15 rather than 5.2.15, so you may need to use the full package to make sure all the files uploaded are for the same version. Just uploading the new patch will mean some files are outdated.
    SupportPal - Smart self-hosted help desk software
    Supporting multiple channels, including Twitter and Facebook. WHMCS integration available.
    LicensePal - Discounted popular web hosting software licenses
    cPanel, InterWorx, SolusVM, CloudLinux, Blesta, Softaculous, Installatron, and much more!

  21. #21
    Updated ... everything Ok.
    PlotHost - Cheap Web Hosting Plans since 2008
    24/7 Support | 99.9% Uptime | 15 Days Money Back
    Shared & Reseller Plans - Check our hosting OFFER !

  22. #22
    Join Date
    Aug 2002
    Location
    Past North
    Posts
    728
    Updated patch now works correctly.

  23. #23
    Join Date
    Jul 2008
    Location
    Manhattan, NY Seattle,WA
    Posts
    1,393
    Yeah after trying it out all admin pages just went blank. Will try the new version now.
    Last edited by Purevoltage; 12-23-2013 at 02:10 PM.
    Sales/Support - sales @ purevoltage.com / 1-855-787-8658
    PureVoltage.com Premium Colocation, Dedicated & VPS Hosting, along with Remote Hands NY
    Enterprise Hardware with 6 Global Locations - Seattle | Dallas | Chicago | Los Angeles | New York | Amsterdam

  24. #24
    Join Date
    Aug 2002
    Location
    Past North
    Posts
    728
    Download the patch again. It's been updated. Do you have a backup copy of your WHMCS install?

  25. #25
    Join Date
    Sep 2007
    Posts
    41
    Quote Originally Posted by LP-Jay View Post
    I may be wrong, but it seems like the files in the root folder were for 5.1.15 rather than 5.2.15, so you may need to use the full package to make sure all the files uploaded are for the same version. Just uploading the new patch will mean some files are outdated.
    No, there was an additional folder 5.2.15 (not 5.1.15 as I mistakenly wrote), but they fixed the patch zip file now and all is OK.

  26. #26
    Join Date
    Apr 2013
    Location
    At My Desk
    Posts
    530
    Yes, we had this 5.2.15 inside; now it's gone in the new update, but fewer files than the first one? WHMCS are F---ing useless, they never get anything right and we are meant to trust them.

    Going to leave the update for a while and see what happens.
    Stop, Think and then React. Not React, Stop and then Think

  27. #27
    Join Date
    Dec 2005
    Location
    England, UK
    Posts
    630
    Quote Originally Posted by tinoandrijic View Post
    No, there was an additional folder 5.2.15 (not 5.1.15 as I mistakenly wrote), but they fixed the patch zip file now and all is OK.
    The files in the "whmcs" folder (excluding the "5.2.15" folder) appear to be for 5.1.15 as Bear pointed out. Hence if you uploaded those files and there isn't the same file in the real 5.2.15 patch, the file will be outdated.

    If you did upload the original patch, I would think it's best and safer to upload the full release.
    SupportPal - Smart self-hosted help desk software
    Supporting multiple channels, including Twitter and Facebook. WHMCS integration available.
    LicensePal - Discounted popular web hosting software licenses
    cPanel, InterWorx, SolusVM, CloudLinux, Blesta, Softaculous, Installatron, and much more!

  28. #28
    Join Date
    May 2013
    Location
    Florida
    Posts
    418
    Quote Originally Posted by victormeldrew View Post
    Yes, we had this 5.2.15 inside; now it's gone in the new update, but fewer files than the first one? WHMCS are F---ing useless, they never get anything right and we are meant to trust them.

    Going to leave the update for a while and see what happens.
    If they are so useless and you can't trust WHMCS, I suggest you find a different billing system. I don't like to eat cow manure but you won't catch me eating it while I talk crap about it. It's so easy to sit on the other side of the fence and play cheerleader.
    Webhostpython.com - Reliable Shared, Reseller, and KVM VPS Hosting Services.
    Dual Octa Core Xeon E5 Servers. RAID10 Storage. Enterprise DDOS Protection. Pure SSD Plans
    24/7 Support | Live Chat | In-House Support Staff | 1-800-929-9061 | Dallas, TX

  29. #29
    Join Date
    Dec 2010
    Location
    127.0.0.1
    Posts
    5,387
    Updated my client's install, not sure if anything is broken until I get a ticket "Urgunt priority".

    Well the client side works on it, order form is fine. Only time will tell.

  30. #30
    Join Date
    Apr 2013
    Location
    At My Desk
    Posts
    530

    Quote Originally Posted by Webhostpython View Post
    If they are so useless and you can't trust WHMCS, I suggest you find a different billing system. I don't like to eat cow manure but you won't catch me eating it while I talk crap about it. It's so easy to sit on the other side of the fence and play cheerleader.
    Lol, no need to spit your dummy out, and yes you're right and we're leaving them.

    Going to start using notepad instead.
    Stop, Think and then React. Not React, Stop and then Think

  31. #31
    Join Date
    Feb 2006
    Location
    Buffalo NY
    Posts
    1,348
    Quote Originally Posted by Webhostpython View Post
    If they are so useless and you can't trust WHMCS, I suggest you find a different billing system. I don't like to eat cow manure but you won't catch me eating it while I talk crap about it. It's so easy to sit on the other side of the fence and play cheerleader.
    Arguably the most bizarre analogy I've ever heard. Also one of the hardest to digest (literally and that it was difficult to parse that statement).

    It's not as simple as "We're changing our billing platform" for all providers. It's not like we're migrating a handful of services / customers.
    Cody R.
    Hawk Host Inc. Proudly Serving websites since 2004.
    Let's Encrypt Sponsor.

  32. #32
    Join Date
    Dec 2011
    Location
    Surrey, BC
    Posts
    445
    Updated two different installs and everything seems to be working fine so far.

  33. #33
    Had no problems, fortunately, though this, according to their blog, may be the last update before 5.3 is released.
    Nividium
    Affordable, Reliable & High Performance Web Hosting Since 2011
    Google PageSpeed | Softaculous | SSD Drives | 24/7/365 Technical Support | Instant Activation

  34. #34
    Join Date
    Dec 2007
    Location
    LocalHost
    Posts
    1,303
    updated without any issue
    YagHost - Pure SSD Hosting | Since 2007 | Average Response Time: 15 min
    Web Hosting | Reseller Hosting | Managed VPS Hosting
    99.9% Server Uptime Guarantee | 24/7 Rapid Response Tech Support | 30 Day Money Back Guarantee
    LopHost.com - Web Hosting Tutorials

  35. #35
    Join Date
    May 2010
    Location
    Planet Earth
    Posts
    1,588
    Updated without any issue. Seems that everything is working fine without any issue and we will not need any patch for this patch.
    Modelwebhost.com
    [US/UK] Shared Hosting, Reseller Hosting, Master Reseller Hosting
    WHMReseller | Softaculous | WHMCS | Dedicated IP | SSL
    We accept Paypal, 2checkout, Credit Cards, Payza, OKPAY and Bank payments

  36. #36
    Join Date
    Jul 2009
    Location
    Kshatriya
    Posts
    2,725
    Bug in Affiliate Signup.tpl

    - If you are using a Portal template then your client can't activate an Affiliate account, because the WHMCS developers did not update AffiliateSignup.tpl and updated only the default template.

    - About the Security Advisory: v5.1.15 doesn't need to do anything? (Need to apply this security patch?)

  37. #37
    Join Date
    Oct 2010
    Posts
    4,694
    Quote Originally Posted by DewlanceHosting View Post
    - About the Security Advisory: v5.1.15 doesn't need to do anything? (Need to apply this security patch?)
    5.1.x is now EOL (as of earlier this week), so no more patches - security or otherwise - will come out for it. The TSA said that this security issue applies to all versions preceding 5.2.15, so you may take it that 5.1.15 is affected but has not been patched. Users on 5.1.x should update to 5.2.15.
    James

    Interested in which hosts I'd recommend? Unmanaged VPS Reviews | Managed VPS Reviews

  38. #38
    Join Date
    Mar 2006
    Location
    Servers
    Posts
    1,588
    Updated and no problem at all. Seems with the new clean version of the WHMCS patch.
    QHoster.com - Web Hosting with DDoS Protection | Shared & Reseller in Europe/North America
    Linux/Windows RDP VPS 13 Locations : UK, US (5 states), Mexico, Canada, Bulgaria, Lithuania,
    Italy, France, Germany, Netherlands, Switzerland, Russia, Singapore | OpenVPN/PPTP Enabled
    INSTANT | PayPal, Skrill, Payza, Bitcoin, WebMoney, Perfect Money, Ukash, CashU, paysafecard

  39. #39
    Join Date
    Feb 2007
    Location
    United Kingdom
    Posts
    1,245
    Updated yesterday with no issues
    Hosting Community Talk - A new community orientated Webhosting discussion, guides, and industry news forum. Why not JOIN TODAY!
    My North Wales - A Community/Tourism discussion forum for residents and visitors to North Wales, United Kingdom.

  40. #40
    Join Date
    Jan 2013
    Posts
    379
    Is anyone facing a problem with Quotes? I'm not sure whether it was before this patch or not. In all my quotes, I don't see the client's name and address. It's just , ,
