Page 1 of 2 (results 1 to 40 of 56)

Thread: WHMCS safe?

  1. #1

    WHMCS safe?

    Is it safe to use WHMCS or go with WHMAP or something similar?
    Do you need to know much about programming to use whois.cart?

    I like that whois.cart is a one time fee but is it simple to get going?

    Thanks!
    Ian

  2. #2
    Join Date
    Dec 2004
    Location
    Clemson
    Posts
    172
    I've never had any trouble with the first two. They seem to have well-written code. If you are worried about client data, then pick up an SSL certificate.
    Brett Meadors

  3. #3
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by YMHBrett View Post
    I've never had any trouble with the first two. They seem to have well-written code. If you are worried about client data, then pick up an SSL certificate.
    Are you kidding? There are several SQL injection exploits in WHMCS (not the new beta). Definitely not coded well.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #4
    Join Date
    Dec 2003
    Location
    NY & PA
    Posts
    848
    Quote Originally Posted by Steven View Post
    Are you kidding? There are several SQL injection exploits in WHMCS (not the new beta). Definitely not coded well.
    I will agree to this...

    I would go with WHMAP as their script is written very well and Brandee always alerts customers to any problems, unlike WHMCS who just hides the fact their script is poorly written.
    Robert Merrihue - President/CEO
    http://www.bethehost.com
    Where resellers become a host on servers we own and operate.
    Web Hosting Since 2000 *** 12+ Years in the hosting industry

  5. #5
    Join Date
    Jun 2004
    Location
    U.S.A
    Posts
    1,463
    I always have been and always will be a WHMCS supporter. They are there when you need them and they continue to offer awesome features. The coding may be messy, but they admitted to their mistake and are fast to take the steps to correct compromising issues.

  6. #6
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by MikeWalczak View Post
    I always have been and always will be a WHMCS supporter. They are there when you need them and they continue to offer awesome features. The coding may be messy, but they admitted to their mistake and are fast to take the steps to correct compromising issues.
    We have no proof that the issues were completely fixed, we just got their word to go on.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  7. #7
    Join Date
    Oct 2005
    Location
    Surrey BC
    Posts
    1,319
    I personally believe all web-based billing solutions are scary, especially when it comes to domain names. Since most domain resellers will have their user name and password in the software, all it takes is one exploit/access to lose all domains at your domain registrar.


    + NOW WE'RE MAKING RECORDS, NOW WE'RE MAKING TAPES

  8. #8
    Join Date
    Jun 2004
    Location
    U.S.A
    Posts
    1,463
    Quote Originally Posted by Steven
    We have no proof that the issues were completely fixed, we just got their word to go on.
    And since it's coming from a company I've been working with for years, a company who develops software for thousands of users, that word is good enough for me. They have a lot on the line for them and I know they wouldn't just brush off such a compromise without doing their best to address it.

    This isn't me saying I don't care if my WHMCS gets compromised, it's me saying I trust that the developers will do their best to keep us safe.

  9. #9
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    :| "Trust", if they were doing their best they would have had it secure in the first place. Their own code would have been audited by 3rd parties prior to being released -- rather than after it gets nulled.

    We'll see when the next version of WHMCS becomes available on the net via pirated software forums, sadly.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.

  10. #10
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by Steven View Post
    Are you kidding? There are several SQL injection exploits in WHMCS (not the new beta). Definitely not coded well.
    Quote Originally Posted by Steven View Post
    We have no proof that the issues were completely fixed, we just got their word to go on.
    When was this? Do you have a link to this?

  11. #11
    Join Date
    Aug 2007
    Posts
    410
    I have never heard of anyone ever being hacked due to a security hole in WHMCS.

    And Steven, how do you know there are SQL injection vulns in WHMCS?

  12. #12
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    Quote Originally Posted by Soskel34 View Post
    I have never heard of anyone ever being hacked due to a security hole in WHMCS.

    And Steven, how do you know there are SQL injection vulns in WHMCS?
    Because he watched an exploit take place live. WHMCS has *major* security vulnerabilities -- any user on the internet can login as an administrator into any WHMCS system with little effort.

    Check your HTTP logs; if you use WHMCS you've most likely been exploited.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.
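
The post above tells administrators to check their HTTP logs. The following is an added example (not code from the thread or from WHMCS) of what that check can look like in practice: it parses combined-format access log lines, URL-decodes each query string and flags requests whose parameters carry SQL syntax. The log lines, IP addresses and paths are constructed for the example; the script names `clientarea.php` and `viewinvoice.php` are assumptions and stand in for any PHP script that takes an id from the URL.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/nginx "combined" log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jan/2008:16:55:01 +0000] "GET /admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jan/2008:16:55:09 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jan/2008:17:02:44 +0000] "GET /clientarea.php?id=3 HTTP/1.1" 200 8210 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jan/2008:17:03:15 +0000] "GET /clientarea.php?id=3%20OR%201%3D1 HTTP/1.1" 200 9102 "-" "curl/7.18"
198.51.100.9 - - [27/Jan/2008:17:03:40 +0000] "GET /admin/login.php?username=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 1532 "-" "curl/7.18"
198.51.100.9 - - [27/Jan/2008:17:04:02 +0000] "GET /viewinvoice.php?id=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "curl/7.18"
"""

# client - - [timestamp] "METHOD target protocol" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of the textbook injection shapes; each is checked against the decoded query string.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+'", re.I), "quote-breakout boolean"),
    (re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I), "always-true numeric comparison"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"--\s*$|/\*"), "SQL comment"),
]


def parse_line(line: str):
    """Split one access-log line into its fields; the query string is URL-decoded once."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "query": unquote_plus(query), "status": int(m.group("status"))}


def suspicious_requests(log_text: str) -> list:
    """Return the parsed entries whose query string matches at least one injection pattern,
    each annotated with the list of reasons it was flagged."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not entry["query"]:
            continue
        reasons = [label for pattern, label in SQLI_PATTERNS if pattern.search(entry["query"])]
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


def hits_per_client(flagged: list) -> dict:
    """Count flagged requests per client address to see who is probing."""
    counts = {}
    for entry in flagged:
        counts[entry["ip"]] = counts.get(entry["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for entry in suspicious_requests(SAMPLE_LOG):
        print(entry["ip"], entry["path"], repr(entry["query"]), entry["reasons"])
```

Two caveats a practitioner should keep in mind: access logs record only the request line, so a payload submitted in a POST body (the login form is a POST) never appears here, and a single URL-decode misses double-encoded input. The script is therefore a first pass for the GET-based probing, not proof that an install was or was not attacked.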

  13. #13
    Join Date
    Aug 2007
    Posts
    410
    Please...

    Of the thousands (hundreds?) of hosts that use WHMCS, I am sure if they are being hacked, people would notice.

  14. #14
    Join Date
    Dec 2004
    Location
    New York, NY
    Posts
    10,574
    Quote Originally Posted by Soskel34 View Post
    Please...

    Of the thousands (hundreds?) of hosts that use WHMCS, I am sure if they are being hacked, people would notice.
    Have you seen the recent thread regarding WHMCS' security issues? It certainly is a valid concern.

    http://www.webhostingtalk.com/showthread.php?t=661878
    Last edited by layer0; 01-27-2008 at 03:53 AM. Reason: included thread link

  15. #15
    Join Date
    Oct 2002
    Location
    no
    Posts
    557
    Quote Originally Posted by Soskel34 View Post

    And Steven, how do you know there are SQL injection vulns in WHMCS?
    Even Matt (WHMCS-Matt) accepts there are SQL injection vulnerabilities in the WHMCS system.

  16. #16
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by David View Post
    Because he watched an exploit take place live. WHMCS has *major* security vulnerabilities -- any user on the internet can login as an administrator into any WHMCS system with little effort.

    Check your HTTP logs; if you use WHMCS you've most likely been exploited.
    David, is it serious enough that you plan to find another billing solution?

    I am curious as to what hosting providers like yourself plan to combat this.

  17. #17
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    Amex,

    It's quite serious & I most likely do intend to find an alternate solution. In the meantime it's a temporary waiting game until I get to see the code behind 3.6.x and whether or not it has been sorted. I have someone who does intend on building a competing billing solution with security in mind, but it's far off yet, sadly.

    Security through obscurity rarely works; in this case that was proven once again. You can't encrypt a product, sit back & pray it won't get decrypted. Not as if most of these exploits weren't publicly available anyway, as they seem to be basic SQL injections (ugh *shakes head in disgust*) from a lack of input sanitization.

    In the meantime, we tiptoe through a minefield. Obviously, we've made changes to minimize the remote exploitation potential but there's little that can be done to secure a publicly available system -- except disable signups or switch to a new system suddenly. Given the migration size & damage either could do -- neither are an option.

    While I've been looking into existing publicly available solutions like Ubersmith, their lack of PHP5 availability has scared me away. Custom I go & I suspect I'll never look back.
    Last edited by David; 01-27-2008 at 05:03 PM.

  18. #18
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by Soskel34 View Post
    I have never heard of anyone ever being hacked due to a security hole in WHMCS.

    And Steven, how do you know there are SQL injection vulns in WHMCS?


    How do I know? Because I and others actually created proofs of concept that WORK! I cannot post them here as they would just get deleted, but you can either believe me or you can choose not to. V3.5.0 has multiple SQL injection vulnerabilities. One is in the login page of WHMCS itself.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  19. #19
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by David View Post
    Amex,

    It's quite serious & I most likely do intend to find an alternate solution. In the meantime it's a temporary waiting game until I get to see the code behind 3.6.x and whether or not it has been sorted. I have someone who does intend on building a competing billing solution with security in mind, but it's far off yet, sadly.

    Security through obscurity rarely works; in this case that was proven once again.
    Anything can be hacked though, right?

    Is the issue really the seemingly lack of response by WHMCS?

  20. #20
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by amex View Post
    Anything can be hacked though, right?

    Is the issue really the seemingly lack of response by WHMCS?
    Anything can be hacked yes, but there are blatant coding mistakes which shouldn't happen.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  21. #21
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    Quote Originally Posted by amex View Post
    Anything can be hacked though, right?

    Is the issue really the seemingly lack of response by WHMCS?
    Of course, skilled people will get into any system if they try. Web hosting in itself is one of the IT fields with the *most* liability for the least gain (at least shared hosting).

    The lack of response by WHMCS wasn't the underlying issue. The underlying issue was the $#!T code to begin with. We all knew (long before this) that there were exploits lying in wait for it & given the past code that I had viewed myself from earlier nulled releases I was expecting the worst to begin with.

    While there are things you can do to minimize the damage that a potential attacker does, quite frankly you would be an idiot to even consider using WHMCS in a live environment at the moment. Anyone using it now should really consider their alternatives -- and no, whmap / clientexec and the likes are not viable alternatives, sadly.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.

  22. #22
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by David View Post
    We all knew (long before this) that there were exploits lying in wait for it & given the past code that I had viewed myself from earlier nulled releases I was expecting the worst to begin with.
    If people knew that this was coming, wouldn't they jump ship beforehand?

    Quote Originally Posted by David View Post
    Anyone using it now should really consider their alternatives -- and no, whmap / clientexec and the likes are not viable alternatives, sadly.
    Are there any other alternatives? Modernbill?

  23. #23
    The claims here are completely exaggerated and aimed to scare people. Anyone with any coding knowledge (which clearly David isn't) and anyone who has seen the actual issue knows that the SQL injection doesn't allow a straight bypass login to the admin area. It's not that badly coded!

    And also, the majority of people have magic quotes enabled on their servers which of course means data is auto escaped anyway.

    I feel the issue has been dealt with very well by WHMCS. They responded quickly, they've got a new version out in BETA within a couple of weeks addressing the issues. And the stable will be out next week. Can't ask for more than that. People like David certainly don't help though.

    Now that ClientExec has just been hacked, talk will shift over to them as well - www.webhostingtalk.com/showthread.php?t=666892 - these things happen in this day and age on the internet. Become popular and you become a target.

    WHMCS will come through this and with the improvements, it will be more secure than before which is best all round for everyone.

  24. #24
    Join Date
    Sep 2003
    Location
    UK - Scotland
    Posts
    528
    hi

    The Clientexec.com website was defaced - CE software itself is perfectly fine and separate.

    thanks
    Brian - clientexec.com support manager

  25. #25
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    acebeat,

    You can't be serious, can you? I can't tell whether that's sarcasm or not -- or whether it was just dripping with stupidity.
    Last edited by David; 01-27-2008 at 05:41 PM.

  26. #26
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,294
    Quote Originally Posted by acebeat View Post
    The claims here are completely exaggerated and aimed to scare people. Anyone with any coding knowledge (which clearly David isn't) and anyone who has seen the actual issue knows that the SQL injection doesn't allow a straight bypass login to the admin area. It's not that badly coded!

    And also, the majority of people have magic quotes enabled on their servers which of course means data is auto escaped anyway.

    I feel the issue has been dealt with very well by WHMCS. They responded quickly, they've got a new version out in BETA within a couple of weeks addressing the issues. And the stable will be out next week. Can't ask for more than that. People like David certainly don't help though.

    Now that ClientExec has just been hacked, talk will shift over to them as well - www.webhostingtalk.com/showthread.php?t=666892 - these things happen in this day and age on the internet. Become popular and you become a target.

    WHMCS will come through this and with the improvements, it will be more secure than before which is best all round for everyone.
    Why speak when you have no knowledge of what happened? We witnessed first-hand the events of a hack. The attacker joined our chatroom and exploited one of our members' WHMCS while present in the chatroom.

    Think of it like this.

    5 incorrect password logins in the access logs... after the 5th the attacker has admin access while the logs say otherwise.

    Regarding SQL injection, it's badly coded enough that someone could change the admin password.

    Another well known member of this board PM'ed me who had witnessed the same attack.
    Last edited by Steven; 01-27-2008 at 05:48 PM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
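
Posts #17, #23 and #26 argue over whether the login-page SQL injection matters and whether magic quotes covers it. The following added example (not code from the thread, from WHMCS or from any other product named here) shows the three shapes of the argument side by side on a constructed admin table: a query built by string splicing, the same query with quote escaping of the kind magic_quotes_gpc applies, and a parameterised query. Because sqlite3 escapes a quote by doubling it rather than with MySQL's backslash, `escape_quotes` emulates the escaping in SQLite's dialect; the table layout, column names and the plaintext password column are assumptions kept deliberately simple.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny admin table standing in for a billing system's logins.
    Passwords are stored in clear only to keep the demo short; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admins (id, username, password) VALUES (?, ?, ?)",
                     [(1, "admin", "correct horse battery staple"), (2, "billing", "hunter2")])
    conn.commit()
    return conn


def escape_quotes(value: str) -> str:
    """Stand-in for PHP's magic_quotes_gpc / addslashes: neutralise quote characters inside a
    quoted SQL string. SQLite doubles the quote where MySQL backslash-escapes it; the lesson is
    identical for both dialects."""
    return value.replace("'", "''")


def login_concat(conn, username: str, password: str):
    # VULNERABLE: user input is spliced straight into the SQL text (the #17 "lack of input sanitization").
    sql = f"SELECT id FROM admins WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_escaped(conn, username: str, password: str):
    # Magic-quotes style: string fields are escaped, which does defeat the quote breakout
    # and is why post #23 says most installs are protected "anyway"...
    sql = (f"SELECT id FROM admins WHERE username = '{escape_quotes(username)}' "
           f"AND password = '{escape_quotes(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def admin_by_id_escaped(conn, admin_id: str):
    # ...but escaping is irrelevant for a value used outside quotes, such as a numeric id
    # taken from a URL. The same escaping is applied and the query is still injectable.
    sql = f"SELECT id, username FROM admins WHERE id = {escape_quotes(admin_id)}"
    return conn.execute(sql).fetchall()


def login_param(conn, username: str, password: str):
    # FIXED: bound parameters; input never becomes SQL syntax, whatever it contains.
    row = conn.execute("SELECT id FROM admins WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None


def admin_by_id_param(conn, admin_id: str):
    # FIXED for the numeric case: validate the type first, then bind the integer.
    if not admin_id.isdigit():
        raise ValueError("admin id must be a positive integer")
    return conn.execute("SELECT id, username FROM admins WHERE id = ?",
                        (int(admin_id),)).fetchall()


def demo() -> dict:
    """Run every variant against the textbook inputs and collect what each one returns."""
    conn = make_db()
    quote_breakout = "' OR '1'='1"
    return {
        "concat_bypass": login_concat(conn, "admin", quote_breakout),      # returns 1: logged in
        "escaped_bypass": login_escaped(conn, "admin", quote_breakout),    # None: escaping held
        "escaped_numeric": admin_by_id_escaped(conn, "1 OR 1=1"),          # both rows: escaping useless
        "param_bypass": login_param(conn, "admin", quote_breakout),        # None
        "param_numeric": admin_by_id_param(conn, "1"),                     # only row 1
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The point for an operator reading this thread: magic quotes only ever addressed string contexts, so "magic quotes is on" is not an answer to "is the code injectable"; only binding parameters (or, for numbers, validating and casting before the query) removes the class of bug, and in PHP that means mysqli or PDO prepared statements rather than string concatenation.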

  27. #27
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Is it just me or do I not see a word about this on the WHMCS forums?

  28. #28
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    I also agree that WHMCS is not safe, sadly and we're already considering alternatives.
    ColoInSeattle - From 1U to cage space colocation in Seattle
    ServerStadium - Affordable Dedicated Servers
    Come visit our 18k sq ft. facility in Seattle!
    Managed Private Cloud | Colocation | Disaster Recovery | Dedicated Servers

  29. #29
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    Quote Originally Posted by amex View Post
    Is it just me or do I not see a word about this on the WHMCS forums?
    Every post regarding it has been removed & frequently.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.

  30. #30
    Join Date
    Jun 2006
    Location
    Amex & Amex
    Posts
    1,276
    Quote Originally Posted by David View Post
    Every post regarding it has been removed & frequently.
    Now why would that be.....

  31. #31
    Quote Originally Posted by amex View Post
    Are there any other alternatives? Modernbill?
    Plenty. If you think modernbill is more secure, think again. The private key is stored in the database. The private key is encrypted with a 4-digit number called a LEK pin, which also happens to be stored in the database in plain text. So basically, if your DB is compromised, you are screwed.

    Any product which requires you to run batch payments manually by entering in a real password is one you want to go for. I used clientexec version 1, which they had set up this way. Not sure if it still is that way, but that is what I look for in a billing product. Even if the entire program is decoded and the hacker has your database, or has the admin login to your live installation, they shouldn't be able to retrieve the credit card information.
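
The post above contrasts two key-management designs: a wrapping secret ("LEK pin") stored in plain text in the same database as the ciphertext it protects, versus a secret the operator types in when a batch run starts and which is never written down. The following added example (not code from the thread or from any product named in it) models both with Python's standard library so the difference can be exercised: `readable_from_dump_alone` is what a copy of the database row yields by itself. Because the standard library has no AES, `seal`/`open_sealed` use an HMAC-SHA256 keystream with an HMAC tag as a stand-in for an AEAD such as AES-GCM; the record layout, the function names and the test card number are constructed for the example.

```python
import hashlib
import hmac
import secrets


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key from a human-supplied secret; scrypt makes each guess expensive."""
    return hashlib.scrypt(secret, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def _split_keys(key: bytes):
    """Separate encryption and MAC keys derived from one 32-byte key."""
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF keystream standing in for AES-CTR."""
    blocks = (length + 31) // 32
    return b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(blocks))[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _split_keys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or tampered blob raises ValueError."""
    enc_key, mac_key = _split_keys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_card_weak(card_number: str, pin: str) -> dict:
    """Design the post warns about: the wrapping secret (a 4-digit pin) is written into the
    same row, in clear, next to the ciphertext it protects."""
    salt, data_key = secrets.token_bytes(16), secrets.token_bytes(32)
    kek = derive_kek(pin.encode(), salt)
    return {"lek_pin": pin, "salt": salt, "wrapped_key": seal(kek, data_key),
            "card": seal(data_key, card_number.encode())}


def store_card_hardened(card_number: str, operator_passphrase: str) -> dict:
    """Design the post prefers: the passphrase is supplied at batch time and never stored;
    the row holds only the salt, the wrapped data key and the ciphertext."""
    salt, data_key = secrets.token_bytes(16), secrets.token_bytes(32)
    kek = derive_kek(operator_passphrase.encode(), salt)
    return {"salt": salt, "wrapped_key": seal(kek, data_key),
            "card": seal(data_key, card_number.encode())}


def run_batch(record: dict, operator_passphrase: str) -> str:
    """Legitimate batch payment run: unwrap the data key with the typed-in secret, then decrypt."""
    kek = derive_kek(operator_passphrase.encode(), record["salt"])
    data_key = open_sealed(kek, record["wrapped_key"])
    return open_sealed(data_key, record["card"]).decode()


def readable_from_dump_alone(record: dict):
    """What a copy of the database row yields on its own: with the weak layout the pin is right
    there, so the card decrypts; with the hardened layout nothing in the row derives the KEK."""
    if "lek_pin" not in record:
        return None
    return run_batch(record, record["lek_pin"])


def wrong_passphrase_is_rejected(record: dict, passphrase: str) -> bool:
    """True when a batch run with the wrong passphrase fails closed instead of returning garbage."""
    try:
        run_batch(record, passphrase)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # "4111111111111111" is a constructed test card number, not a real account.
    weak = store_card_weak("4111111111111111", "1234")
    hardened = store_card_hardened("4111111111111111", "correct horse battery staple")
    print("weak row, dump only:", readable_from_dump_alone(weak))
    print("hardened row, dump only:", readable_from_dump_alone(hardened))
    print("hardened row, batch run:", run_batch(hardened, "correct horse battery staple"))
```

Note that a stored pin is the larger of two problems with the weak layout: even if the pin were not written down, a four-digit secret gives only ten thousand possibilities, so the hardened variant needs a real passphrase (or a hardware-held key) and not merely a pin kept elsewhere. The trade-off the post describes still applies: someone has to be present to type the secret, which is exactly what stops a database copy from being enough.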

  32. #32
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    Quote Originally Posted by randombit View Post
    Plenty.
    More specifically....
    ColoInSeattle - From 1U to cage space colocation in Seattle
    ServerStadium - Affordable Dedicated Servers
    Come visit our 18k sq ft. facility in Seattle!
    Managed Private Cloud | Colocation | Disaster Recovery | Dedicated Servers

  33. #33
    awbs, whmautopilot, blesta, clientexec, accountlab, ubersmith...

  34. #34
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    accountlab? clientexec? whmap? awbs?
    You consider these more secure? /me sighs.

    ubersmith -- maybe. So far, they're looking the best out of all of the solutions.

    blesta? appears to be a beta product, if the code behind the scenes is great then it's an option though. But it'd need to be audited first.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.

  35. #35
    Join Date
    Mar 2004
    Location
    Seattle, WA
    Posts
    2,561
    David,

    It seems you are saying that none of the public billing managers are safe to use...
    ColoInSeattle - From 1U to cage space colocation in Seattle
    ServerStadium - Affordable Dedicated Servers
    Come visit our 18k sq ft. facility in Seattle!
    Managed Private Cloud | Colocation | Disaster Recovery | Dedicated Servers

  36. #36
    WHMCS is the way to go, for my webhosting company I have been using it from the get go. It has been secure for me, so I would go with WHMCS. If you have any problems they have very fast support.

  37. #37
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    Quote Originally Posted by VN-Ken View Post
    David,

    It seems you are saying that none of the public billing managers are safe to use...
    Clientexec's site was defaced yesterday by the same guy who defaced WHMCS & exploited Kayako earlier. Accountlab is built by the same people as Fantastico, that's enough on the topic... My whole point is that companies need to stop hiding behind encrypted code & praying no one ever gets to read their sloppy mess.

    WHMCS is not a viable solution for anyone, this is billing data we're dealing with here.
    Last edited by David; 01-28-2008 at 05:16 PM.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.

  38. #38
    Quote Originally Posted by David View Post
    accountlab? clientexec? whmap? awbs?
    You consider these more secure? /me sighs.

    ubersmith -- maybe. So far, they're looking the best out of all of the solutions.

    blesta? appears to be a beta product, if the code behind the scenes is great then it's an option though. But it'd need to be audited first.
    I'm not going to comment on the individual security of any of the other products because the only ones I have used are clientexec, whmap and modernbill. The guy asked for alternatives and I provided them. If you have some huge vendetta against whmcs, then perhaps your time could be better spent programming a competing alternative than bashing them?

  39. #39
    Join Date
    Jul 2005
    Posts
    95
    vendetta?

    It's facts, mate, there were HUGE security vulns in WHMCS (< 3.5.1), and frankly, the coding was poor to even allow the vulns to be there.

    I agree with David, developers should bite the bullet and release code, AT LEAST have it audited by an external company.

    -Benji

  40. #40
    Join Date
    Oct 2003
    Location
    Chattanooga
    Posts
    8,985
    Quote Originally Posted by randombit View Post
    If you have some huge vendetta against whmcs, then perhaps your time could be better spent programming a competing alternative than bashing them?
    I don't have a vendetta against WHMCS, I've got issues with horrible code handling insanely important data. With that said, I like Matt, he offers great support and is quite inexpensive.

    But what he doesn't offer is a secure billing solution.
    David
    Web hosting by Fused For businesses with more important things to do than worry about their hosting.

