  1. #1
    Join Date
    May 2006
    Posts
    1,398

    [Billing manager] Security Risk

    If you have WHMCS, log in, go to configurations > servers and view the source in your browser. It shows all your server passwords in plain text.

    Sure, someone has to get in, but otherwise they should not be able to retrieve the plain-text password.

    Still a security risk....

  2. #2
    Join Date
    Dec 2003
    Location
    Chicago, IL
    Posts
    169
    Fantastic.

  3. #3
    All billing software has similar security issues. For example, they keep the password of your domain reseller account in a database without encrypting it. If anyone hacks your hosting account, you may lose all of your registered domains (hosting is not that important, because you can restore all of the data from backup, but if you lose control of your domain reseller account and the domains are removed or transferred, you cannot get them back and your company will crash).
    DomainCart - Domain and Hosting Shopping Cart with Integrated Bootstrap Hosting Template.
    www.domaincart.net - Demo

  4. #4
    Join Date
    Jan 2003
    Location
    U.S.A.
    Posts
    3,911
    Its fine...

    WHMCS will be coming out with v3.7 soon and it will have a ton more features! The only issue is that the security issues will still exist. The only way to fix the problem is most likely to recode the whole of WHMCS, and it will only get harder with each feature added.

  5. #5
    If you have ClientExec, go to admin > servers and it shows your password in plain text on the screen. You don't even have to view the source. Plesk, DirectAdmin, TeamSpeak, all shown in ClientExec, so that is worse!

    This is nothing specific to WHMCS and not a risk; it's the way all billing systems handle server passwords. Login to the system is secured, so the info inside it is safe.
    Last edited by acebeat; 03-20-2008 at 06:52 PM.

  6. #6
    Join Date
    May 2006
    Posts
    1,398
    Quote Originally Posted by acebeat View Post
    If you have ClientExec, go to admin > servers and it shows your password in plain text on the screen. You don't even have to view the source. Plesk, DirectAdmin, TeamSpeak, all shown in ClientExec, so that is worse!

    This is nothing specific to WHMCS and not a risk; it's the way all billing systems handle server passwords. Login to the system is secured, so the info inside it is safe.
    Anytime your passwords are exposed in plain text it is a risk.

    Sure, that's how billing software handles server passwords and such, but there has to be a better way. For example, I would be happier with WHMCS if it stored the password encrypted in the DB, there was no way to log in to WHM from it, and the only thing it could do was make the plans after sales. That would be better.

    Personally I think that is all this kind of software should do - add clients, nothing more.

  7. #7
    Join Date
    Apr 2004
    Posts
    47
    Quote Originally Posted by felosi View Post
    Anytime your passwords are exposed in plain text it is a risk.

    Sure, that's how billing software handles server passwords and such, but there has to be a better way. For example, I would be happier with WHMCS if it stored the password encrypted in the DB, there was no way to log in to WHM from it, and the only thing it could do was make the plans after sales. That would be better.

    Personally I think that is all this kind of software should do - add clients, nothing more.
    It's not that serious. If you use a one-way hash to encrypt the password in the database, the script cannot retrieve it to connect to the remote server. If it is encrypted with a key, the key has to be stored somewhere in the script or database. A better solution for you, if you are concerned, would be to create an .htaccess file for the admin files, granting access by IP address & user/pass.
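
The trade-off deseek describes above (a one-way hash can only be verified, never replayed against a remote server; a password the script must replay needs reversible encryption, whose key then has to live somewhere the script can read) as an added example. This is not code from the thread, from WHMCS or from ClientExec. It is standard-library Python only: the demo key bytes, the suggested key-file location and the database row layout are assumptions, and the HMAC-SHA256 counter keystream with an HMAC tag stands in for a real AEAD because the stdlib has no AES.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key. In a real deployment the key would be read from a
# file outside the web root with mode 0600 (an assumed path such as
# /etc/billing/secret.key), never from the database that holds the ciphertexts.
DEMO_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
PBKDF2_ROUNDS = 200_000


# --- One-way storage: right for the admin login, useless for a server password ---

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256 with a random 16-byte salt, stored as 'salthex$digesthex'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against the stored hash in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# --- Reversible storage: what a script that must log in to the control panel needs ---
# Stdlib-only construction: keystream from HMAC-SHA256 in counter mode XORed
# with the plaintext, then HMAC-SHA256 over nonce||ciphertext (encrypt-then-MAC).
# In production use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 instead.

def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_secret(key: bytes, plaintext: str) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_secret(key: bytes, blob: bytes) -> str:
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


# --- The point of the post: what a dumped row yields with and without the key ---

def make_row(admin_password: str, server_password: str, key: bytes = DEMO_KEY) -> dict:
    """Assumed row layout: hashed admin login next to the encrypted server password."""
    return {"admin_password_hash": hash_password(admin_password),
            "server_password_enc": encrypt_secret(key, server_password)}


def recover_from_dump(row: dict, key: Optional[bytes]) -> dict:
    """Simulate an attacker holding a DB dump; key=None means no key file obtained."""
    found = {"admin_password": None, "server_password": None}
    # the admin hash is one-way: nothing to recover, only guesses to verify
    if key is not None:
        try:
            found["server_password"] = decrypt_secret(key, row["server_password_enc"])
        except ValueError:
            pass
    return found


if __name__ == "__main__":
    row = make_row("admin-login-pw", "whm-root-pw")
    print(recover_from_dump(row, None))      # server_password stays None
    print(recover_from_dump(row, DEMO_KEY))  # server_password recovered
```

The dump-plus-key case is the one that matters for a billing system: whoever can read both the database and the key file (typically anyone who compromises the web host) gets every server password back, which is why encrypting at rest only moves the problem rather than removing it.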

  8. #8
    Join Date
    Feb 2003
    Location
    Canada
    Posts
    958
    Quote Originally Posted by deseek View Post
    It's not that serious. If you use a one-way hash to encrypt the password in the database, the script cannot retrieve it to connect to the remote server. If it is encrypted with a key, the key has to be stored somewhere in the script or database. A better solution for you, if you are concerned, would be to create an .htaccess file for the admin files, granting access by IP address & user/pass.
    Ideally the script would store/use SSH keys and restrict the use of the key on each server with the 'from' directive before the key.
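
The `from` restriction suggested in post #8, as an added example that is not code from the thread or from any billing product: a small audit of an `authorized_keys` file that reports keys usable from any source address, plus a builder for an entry locked to the billing host. The sample file, its key blobs, the hostnames, the addresses (from the 203.0.113.0/24 documentation range) and the `/usr/local/bin/provision.sh` command are all constructed placeholders. The option names (`from=`, `restrict`, `command=`) are real OpenSSH `authorized_keys` options.

```python
from typing import Iterable, Optional

# Key types OpenSSH accepts in authorized_keys (the common ones).
KEY_TYPES = {
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}

# Constructed sample file: the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# billing system keys (constructed example)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyOneFakeKeyOneFakeKeyOne= billing@cp-node1
from="*",command="/usr/local/bin/provision.sh" ssh-rsa AAAAB3NzaC1yc2EFakeKeyTwo= billing@cp-node2
from="203.0.113.10,203.0.113.11",restrict,command="/usr/local/bin/provision.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyThree= billing@cp-node3
"""


def _split_unquoted(text: str, sep: str):
    """Split on `sep` only outside double quotes; backslash escapes inside quotes."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.append(c)
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_entry(line: str) -> Optional[dict]:
    """Parse one authorized_keys line into options, key type, key blob and comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options_text, rest = "", line          # no options field present
    else:
        options_text = _split_unquoted(line, " ")[0]   # options end at first unquoted space
        rest = line[len(options_text):].strip()
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    options = {}
    for item in (_split_unquoted(options_text, ",") if options_text else []):
        name, _, value = item.partition("=")
        options[name.strip()] = value.strip().strip('"') if value else True
    return {"options": options, "key_type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) == 3 else ""}


def audit_authorized_keys(text: str):
    """Report keys that someone holding the private key could use from anywhere, or as a shell."""
    report = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = parse_entry(raw)
        if entry is None:
            continue
        opts, problems = entry["options"], []
        src = opts.get("from")
        if not isinstance(src, str) or not src:
            problems.append("no from= restriction; key usable from any source address")
        elif any(p.strip() in ("*", "*.*", "0.0.0.0/0") for p in src.split(",")):
            problems.append(f"from={src!r} is a wildcard, equivalent to no restriction")
        if "restrict" not in opts:
            problems.append("no 'restrict'; port/agent/X11 forwarding and pty are allowed")
        if "command" not in opts:
            problems.append("no command=; key grants an interactive shell")
        report.append({"line": lineno, "comment": entry["comment"], "problems": problems})
    return report


def restricted_entry(public_key_line: str, allowed_sources: Iterable[str],
                     command: Optional[str] = None) -> str:
    """Build an authorized_keys line usable only from `allowed_sources` (OpenSSH from= patterns)."""
    entry = parse_entry(public_key_line)
    if entry is None or entry["options"]:
        raise ValueError("expected a bare public key line without options")
    sources = list(allowed_sources)
    if not sources:
        raise ValueError("allowed_sources must not be empty")
    opts = [f'from="{",".join(sources)}"', "restrict"]
    if command is not None:
        if '"' in command:
            raise ValueError("command must not contain double quotes")
        opts.append(f'command="{command}"')
    key = f'{entry["key_type"]} {entry["key"]}'
    if entry["comment"]:
        key += f' {entry["comment"]}'
    return ",".join(opts) + " " + key


if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```

`from=` limits where a stolen key can be used from, `restrict` turns off forwarding and pty allocation, and `command=` pins the key to the one provisioning action the billing system needs; together they make a leaked key far less useful than a leaked root password.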

  9. #9
    Join Date
    Feb 2004
    Location
    Your Screen
    Posts
    3,998
    How else would you suggest the password be shown? Telepathically?


    Bailey
    Let's Connect on Twitter! @thatsmsgeek2u || Fighting mediocrity one thread at a time.

  10. #10
    Join Date
    Jun 2004
    Location
    New York, NY
    Posts
    372
    Quote Originally Posted by felosi View Post
    If you have whmcs, login, go to configurations> servers and view source in your browser. Shows all your server passwords in plain text.

    Sure someone has to get in but otherwise they should not be able to retrieve the plain text password.

    Still a security risk....
    Misleading topic, that's a feature.
    All My Data From small shared web hosting accounts to powerful dedicated servers.
    Now offering Affordable UNIX shells and IRCd hosting!

  11. #11
    Whilst not encouraging, someone still has to log in and see it, so it's not really a security risk, since you have to be logged into the software to see it.
    Data Republic - UK Managed Servers - Server Management - Managed Backup/R1Soft
    Follow us on Twitter to get exclusive sales & updates.
    R1Soft Agents Monthly !

  12. #12
    It would be quite simple really to stop this. There are JavaScripts that encode source code so people can't just right-click and steal your website template (providing it's just simple HTML/div encoding, not calling the template from PHP). WHMCS could easily implement that on the page so the password in the source code is hidden but you still see it on screen. To further enhance this they could have a hide/unhide feature: while you don't need the password you click hide, and when you need to see it you click unhide. Simple.


    And as for the database encryption, if WHMCS aren't encrypting the databases I'm moving away from them ASAP. I don't want to run the risk of clients' accounts becoming compromised, or my accounts, or any domain accounts. I'm looking to develop our own in-house solution.

  13. #13
    Quote Originally Posted by orangewebhosting0net View Post
    as for the database encryption, if WHMCS aren't encrypting the databases I'm moving away from them
    Server passwords are encrypted in the database along with clients passwords also.

    Users wanted a quick and automated way to login to their servers main control panel from WHMCS and that's what we provide by having a form which includes the login details.

    The login to the WHMCS admin area is already secured, and you can secure it further by renaming the admin folder to something only you know and adding .htaccess protection, as a user suggested earlier.

    As a user commented earlier, the title of the thread is very misleading as this isn't something WHMCS specific and not a direct risk - hopefully it will be changed...

    Matt
    WHMCompleteSolution
    The Complete Client Management, Billing & Support System
    www.whmcs.com

  14. #14
    Join Date
    Sep 2004
    Location
    Chennai , India
    Posts
    4,608
    Quote Originally Posted by Matt.G View Post
    Its fine...

    WHMCS will be coming out with v3.7 soon and it will have a ton of more features! The only issue is the security issues will still exist. The only way to fix the problem is to most likely recode the whole WHMCS and it will only get harder with each feature added.
    Matt, you can limit the features and concentrate more on the security part. Features can be custom-built, but security is the one thing that is a threat to one's business.

  15. #15
    Join Date
    Oct 2002
    Location
    State of Disbelief
    Posts
    22,953
    Since this is present in most (if not all) billing manager scripts, the subject was edited.
    Having problems, or maybe questions about WHT? Head over to the help desk!
