  1. #1

    WHMCS Security Advisory TSR-2014-0001

    http://blog.whmcs.com/?t=84387

    WHMCS has released a new update for all supported versions of WHMCS. These updates contain changes that address security concerns within the WHMCS product.

    We recommend you update your WHMCS installation(s) as soon as possible.

    WHMCS has rated this update as having an important security impact. Information on security ratings can be found at http://docs.whmcs.com/Security_Levels


    Releases
    Please update your installation to one of the following versions:
    v5.2.16


    Patches - What is a Patch?

    Incremental patches can be downloaded by following the provided links below. These patch sets contain only the files that have changed between the previous release and this update. The previous release version that these patch sets are designed for is clearly indicated as the first and smaller number.

    The following incremental patches are available for direct download:
    5.2.15 --> 5.2.16 http://go.whmcs.com/298/v5215_increm...to_v5216_patch
    MD5 Checksum: 706e352796e91c4f27a40470c83125b8

    To apply a patch set release, download the files as indicated above. Then follow the upgrade instructions for a "Patch Set" which can be found at http://docs.whmcs.com/Upgrading#For_a_Patch_Set

    Full Release - What is a Full Release?

    A full release distribution contains all the files of a WHMCS product installation. It can be used to perform a new install or update an existing installation (regardless of previous version).
    5.2.16 - Downloadable from the WHMCS Members Area https://www.whmcs.com/members
    MD5 Checksum: fe2a804ade2bfd69d4107ff8aa1b718b

    To apply a full release, download the files as indicated above. Then follow the upgrade instructions for a "Full Release Version" which can be found at http://docs.whmcs.com/Upgrading#For_...elease_Version


    Important Maintenance Issue Information

    This Advisory provides resolution for the following important maintenance issues:
    Case #2557 - 2Checkout Gateway: Update to currency variable
    Case #2623 - Fix calculations of promotions when more than 50% off
    Case #2739 - Add TLD Specific Fields required for .CN domain registrations
    Case #2874 - Authorize.net Echeck: Fix capture function behaving incorrectly
    Case #3019 - Refine internal criteria for bulk domain lookup
    Case #3030 - Resolve SQL error in Income by Product Report
    Case #3086 - Nominet Registrar: Update to Contact Registration Logic for Individuals
    Case #3116 - Required Custom Fields not validating correctly when using API
    Case #3360 - Resolved issue where one time promotions could be treated as recurring
    Case #3360 - Disable Recur For input box when Recurring is disabled
    Case #3361 - Fix time limited recurring promotions calculating incorrectly
    Case #3388 - Fix Invalid Token Error when applying credit in Original and Portal Client Templates
    Case #3414 - Payflow Pro: Update to store PayFlow Reference in PayFlow Mode
    Case #3617 - Do not CC password reset emails to sub-accounts
    Case #3740 - ProtX VSP Form: Pass correct callback values to debug log
    Case #3801 - Resolved PDF Quotes missing clients name/address
    Case #3802 - Make a quantity of zero remove item from the cart
    Case #3809 - Regular Expression Custom Field Validation failing on single quotes
    Case #3811 - Resolve Invalid Token error when deleting recurring calendar entry
    Case #3814 - Improvements to IPv6 detection and validation logic
    Case #3862 - NameCheap Registrar: Fix incorrect function name call
    Case #3864 - Authorize.net Echeck: Fix storage of bank account details
    Case #3893 - Enom SSL Module: Fix Province is Required Error Message
    Case #3922 - PayPal Express: Remove auto-login from Express Checkout Module

    Security Issue Information

    This Advisory provides resolution for several security issues, all of which were either reported privately via the Security Bounty Program or found internally by the WHMCS Development team as part of the regular ongoing internal security audits.

    There is no reason to believe that any of these vulnerabilities are known to the public. As such, WHMCS will only release limited information about the vulnerabilities at this time.

    Once sufficient time has passed, WHMCS will release additional information about the nature of the security issues.
    Case #3637 - Improve Access Controls in Project Management Addon
    Case #3782 - Improve Access Controls in Tickets
    Case #3783 - Improve Access Controls in Invoices
    Case #3784 - Resolve Admin Area SQL Injection Vulnerability
    Case #3839 - Resolve Potential XSS Vulnerability
    Case #3841 - Resolve Potential XSS Vulnerability
    Case #3842 - Resolve Potential XSS Vulnerability
    Case #3843 - Resolve Potential XSS Vulnerability
    Case #3846 - Improve Access Controls in Tickets
    Case #3922 - PayPal Express Checkout Improve Validation
    Case #3931 - Potential header injection via whois lookups
    Case #3932 - Improve sanitization for whois query

    All supported versions of WHMCS are affected by one or more of these maintenance and security issues.

    For information regarding our Long Term Support Policy, read our documentation here:
    http://docs.whmcs.com/Long_Term_Support
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
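
    The advisory above prints an MD5 checksum next to each download. The snippet below is an added example, not part of the advisory, the thread, or WHMCS's own tooling: a POSIX shell helper that checks a downloaded patch set or full-release archive against the published hash before it is unpacked. The two hashes are the ones printed in the advisory; the archive file name is a placeholder, since the advisory's download link is truncated in this post. Note the limit of the check: the hash is published alongside the download, so a match rules out a corrupt or incomplete download rather than a compromised distribution channel, and MD5 itself is no longer collision-resistant.

```shell
#!/bin/sh
# Added example, not from the advisory or from WHMCS: verify a downloaded
# archive against the MD5 printed in the advisory before unpacking it.

# Hashes copied from the advisory text; the file names used later are placeholders.
PATCH_5215_TO_5216_MD5="706e352796e91c4f27a40470c83125b8"
FULL_5216_MD5="fe2a804ade2bfd69d4107ff8aa1b718b"

# Print the hex MD5 of a file. Uses md5sum (coreutils) when present and
# falls back to openssl, whose output line ends with the digest.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED
# Returns 0 when FILE exists and its MD5 equals EXPECTED (case-insensitive),
# 1 otherwise. A missing file is a failure, not a pass.
verify_md5() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "FAIL $file: file not found" >&2
        return 1
    fi
    actual=$(file_md5 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# Example invocation (placeholder archive name; the real file comes from the
# advisory's download link). Unpacking only happens when the checksum matches:
#   verify_md5 whmcs_5215_to_5216_patch.zip "$PATCH_5215_TO_5216_MD5" \
#       && unzip whmcs_5215_to_5216_patch.zip
#   verify_md5 whmcs_v5216_full.zip "$FULL_5216_MD5" \
#       && unzip whmcs_v5216_full.zip
```

    The function returns a non-zero status on any mismatch or missing file, so it can gate the unpack step in a deployment script with `&&`, exactly as the commented invocation shows.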

  2. #2
    I wonder what will break in today's release.....

  3. #3
    Thank you Steven for the heads up.
    Time4VPS - flexible, worry-free, fast and affordable VPS hosting in Europe.

  4. #4
    Quote Originally Posted by stablehost:
    I wonder what will break in today's release.....
    Find out after the brake

  5. #5
    Quote Originally Posted by stablehost:
    I wonder what will break in today's release.....
    I was wondering the same. We know what it is supposed to fix, can't wait to find out what it breaks.

    *Crosses fingers and uploads to dev install*
    Quality European Web Hosting - LDHosting.com
    High Quality, Affordable Web Hosting Services
    www.ldhosting.com

  6. #6
    I upgraded, can't see any problem so far.

  7. #7
    Thanks for your info, just preparing to upgrade WHMCS.

  8. #8
    Quote Originally Posted by stablehost:
    I wonder what will break in today's release.....
    Apparently nothing

  9. #9
    No problem after update.
    ROWEBCA
    Server Services

  10. #10
    Just wondering...does everyone apply these patches on a test install before updating the live version of your whmcs installation? Thoughts?

  11. #11
    I wonder why they need separate case hashes for these:

    Case #3782 - Improve Access Controls in Tickets
    Case #3846 - Improve Access Controls in Tickets

  12. #12
    Thanks, it even seems to work :-)

  13. #13
    Quote Originally Posted by ChickCoder:
    Just wondering...does everyone apply these patches on a test install before updating the live version of your whmcs installation? Thoughts?
    Absolutely! Unless you really want to be up all night restoring your prod deployment when something doesn't work

  14. #14
    This Advisory provides resolution for several security issues, all of which were either reported privately via the Security Bounty Program or found internally by the WHMCS Development team as part of the regular ongoing internal security audits.
    I sure hope they plan on giving credit to people... I know we have two flaws reported via the bug bounty program and I'm not going to be happy if they do not give credit where credit is due.

    Going to update our test install and see what's fixed.
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  15. #15
    Quote Originally Posted by ChickCoder:
    Just wondering...does everyone apply these patches on a test install before updating the live version of your whmcs installation? Thoughts?

    Not everyone but most do, we test it all first the best we can then update all live sites.
    Stop, Think and then React. Not React, Stop and then Think

  16. #16
    Noticed an issue with the cart, opening a ticket with whmcs now.

  17. #17
    Thanks for your input. I'm tempted to update my live install but will take the cautious route as usual and upgrade the dev version first.

  18. #18
    Quote Originally Posted by Ethernet Servers:
    Noticed an issue with the cart, opening a ticket with whmcs now.
    What is the problem?

  19. #19
    Quote Originally Posted by ChickCoder:
    Just wondering...does everyone apply these patches on a test install before updating the live version of your whmcs installation? Thoughts?
    I don't test them because I don't have an installation; however I just update a client's install, as he asked us to do it when an update comes out for him. So I find out any issues when I get a ticket haha.

  20. #20
    Unfortunately I didn't test before uploading, and I observed that my main website is very slow after the update. I checked for network issues but found no problem; the server is at 0 load, no PHP or Apache problem, etc. Do you have the same problem? Is it just me? I didn't check deeply yet, just a first look.
    ROWEBCA
    Server Services

  21. #21
    @CW Mike Let me know if you get any issues

  22. #22
    Quote Originally Posted by Rowebca:
    Unfortunately I didn't test before uploading, and I observed that my main website is very slow after the update. I checked for network issues but found no problem; the server is at 0 load, no PHP or Apache problem, etc. Do you have the same problem? Is it just me? I didn't check deeply yet, just a first look.
    I am seeing the same thing. The admin area loads fine, but anything in the client area is incredibly slow.
    Kevin Kopp - MonsterMegs Business Class Hosting Services
    Pure SSD Powered Shared, Reseller, and Enterprise Hosting Solutions
    US & NL Locations :: [US] PhoenixNAP | [NL] EvoSwitch Datacenters

  23. #23
    Quote Originally Posted by ChickCoder:
    Just wondering...does everyone apply these patches on a test install before updating the live version of your whmcs installation? Thoughts?

    We do testing prior to any change, and when we are ready to apply the patch/upgrade, a full up-to-the-minute backup is generated and then the patch/upgrade is applied.

    Hostlumina - Professional Web Hosting Solutions
    Canadian and US Shared Hosting - Domain Registrations - SSL Certificates
    http://www.hostlumina.com

  24. #24
    Quote Originally Posted by Ethernet Servers:
    Noticed an issue with the cart, opening a ticket with whmcs now.
    What is the issue?
    Last edited by LampNetworks; 01-21-2014 at 11:57 AM.

  25. #25
    Quote Originally Posted by Rowebca:
    my main website is very slow after update
    Quote Originally Posted by Kevin K:
    I am seeing the same thing. The admin area loads fine, but anything in the client area is incredibly slow.
    Tested two installs with the patch/update, can't reproduce any slowness.
    Having problems, or maybe questions about WHT? Head over to the help desk!

  26. #26
    Quote Originally Posted by bear:
    Tested two installs with the patch/update, can't reproduce any slowness.
    Likewise.

    Applied update to a test server and a production server, no issues so far and everything looks smooth. *fingers crossed*

    Edit:

    To the people experiencing slowness, perhaps clear your template cache?
    Patrick William | RACK911 Labs | Software Security Auditing
    400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com

    www.HostingSecList.com - Security notices for the hosting community.

  27. #27
    Quote Originally Posted by Patrick:
    Edit:

    To the people experiencing slowness, perhaps clear your template cache?
    Ya, tried that, same slowness on any page in the client area. I have a ticket in with WHMCS and will see what comes of it.

    Edit:

    I just restarted my internet connection on my pc and now it loads fine. Kinda weird as all other web pages loaded fine, but hey, it's working fine now from what I can see.
    Kevin Kopp - MonsterMegs Business Class Hosting Services
    Pure SSD Powered Shared, Reseller, and Enterprise Hosting Solutions
    US & NL Locations :: [US] PhoenixNAP | [NL] EvoSwitch Datacenters

  28. #28
    Quote Originally Posted by Kevin K:
    Ya, tried that, same slowness on any page in the client area. I have a ticket in with WHMCS and will see what comes of it.
    I just checked your client area, seems to be loading just fine for me Kevin.

  29. #29
    Quote Originally Posted by TekHive:
    I just checked your client area, seems to be loading just fine for me Kevin.
    Ya, seemed to be an issue with my internet connection. Once I restarted, the client area was loading fine. Maybe a bad cache or something, but all seems fine now. Weird thing is I checked the page load with the Pingdom web page test and it reported the same long load times of around 33 seconds. Now checking with Pingdom it shows the normal loading speed.

    @TekHive, thanks for checking it out and letting me know.
    Last edited by Kevin K; 01-21-2014 at 12:35 PM.
    Kevin Kopp - MonsterMegs Business Class Hosting Services
    Pure SSD Powered Shared, Reseller, and Enterprise Hosting Solutions
    US & NL Locations :: [US] PhoenixNAP | [NL] EvoSwitch Datacenters

  30. #30
    Quote Originally Posted by bear:
    Tested two installs with the patch/update, can't reproduce any slowness.
    Yes you're right, in my case it was an add-on that was no longer compatible, and after I removed it everything is working like it is supposed to work.


    Regards
    ROWEBCA
    Server Services

  31. #31
    Can't see any problems with the update yet.
    Stop, Think and then React. Not React, Stop and then Think

  32. #32
    Upgraded and not facing any slowness.
    ☆☆ AskForHost Web Hosting ☆☆
    ►► Buffalo NY USA, Dallas USA, Amsterdam NL EU, London UK EU based Shared and Reseller Web Hosting ◄◄
    ►► Affordable VPS and Dedicated Server Provider ◄◄

  33. #33
    We just completed our upgrade. No issues in testing nor live environment.
    Hostlumina - Professional Web Hosting Solutions
    Canadian and US Shared Hosting - Domain Registrations - SSL Certificates
    http://www.hostlumina.com

  34. #34
    @whmcs: Please hire a real (not home-made) code audit company
    Dewlance® Cheap Windows VPS - Chicago/Orlando/Vegas/AZ - SSD
    WHMCS ReadyMadeKB - Tutorials for cPanel/InterWorx/Softaculous& Growing..
    Super Cheap Annually Shared Hosting - Canada/US/UK

  35. #35
    Yep, so far so good over here.
    | John Edel Jetfire Networks L.L.C. Trusted Hosting Solutions
    | Consistent, Reliable, Stable OpenVZ & KVM Virtual Private Servers
    | SpamWall AV & Full SMTP Filtering
    Now an SSLStore Titanium Partner!

  36. #36
    All good here after the update too. Breathing a big sigh of relief.

  37. #37
    Upgraded and everything is working fine.
    www.WebHostingPH.com >> Secure, Reliable and Affordable PH Web Hosting Provider

  38. #38
    For those of you who are experiencing slowness with the client area only, please try removing any third party addons, as it appears that at least one has been confirmed to cause this: http://www.whmcs.com/appstore/1378/H...ification.html
    Cpanel/WHM • PHP • Perl • Ruby • Full Time Support
    LCWSoft - Canada web hosting (based in Newfoundland) since 2007
    Servers based in the US and Canada (Uptime Report)

  39. #39
    Quote Originally Posted by larwilliams:
    For those of you who are experiencing slowness with the client area only, please try removing any third party addons, as it appears that at least one has been confirmed to cause this: http://www.whmcs.com/appstore/1378/H...ification.html
    They already fixed this, so there is no problem. I already talked with them, and it is fixed; I tested and everything is working perfectly.

    Regards
    ROWEBCA
    Server Services

  40. #40
    Upgraded smoothly and everything seems to be fine for me.

    It would be nice if I didn't have to go through all of this every couple of months though.
