
11-28-2009, 11:06 AM
|
|
Web Hosting Master
|
|
Join Date: Feb 2003
Location: Detroit
Posts: 795
|
|
Big hole in WHMCS, unbilled accounts created
Hello,
We've been having problems with the latest version of WHMCS giving out free accounts. Fortunately, an existing customer called and asked why a new sign up wasn't charged.
If you have your packages set to 'Pro Rata' and have 'Automatically setup the product as soon as the first payment is received' enabled, your user will get a free account for the first pro-rate+month and no fraud checking.
This is known by WHMCS and they are calling it user error so far. You can find this in their forums and I am sure I am not the only one with a support ticket.
I have also confirmed this with 'un-named host' and was able to duplicate the problem on their system and get a free account. I have called the host and notified them of this vulnerability in their system. They are a colocation client of ours for several years, so we have a trust relationship. I would not recommend trying this with a random host.
I have also reverted to the standard install templates and themes to make sure this wasn't self-induced. I do not know the scope of the problem, whether it affects all new installs or only upgraded ones, certain environmental variables and so on.
When you check out as a user, you will see
Subtotal: $0.00 USD
Total Due Today: $0.00 USD
Total Recurring: $8.95 USD Monthly
Since your balance is $0, you are never sent to Credit Card payment or go through any of your fraud prevention. As long as 'Automatically setup the product as soon as the first payment is received' is enabled, you now have an instant free account. If the account requires review, you may or may not find an admin who has even noticed he isn't getting paid.
If pro-rating is disabled the system seems to return back to normal, but once you have more than a few hundred accounts doing your billing daily becomes an issue of its own.
I hope this information helps protect some other hosts in here. If you're in this situation, please check your install. We are fortunate only a small handful of our low cost clients have been migrated to WHMCS which has minimized our losses.
Thanks,
Rob
|

11-28-2009, 11:41 AM
|
|
Web Hosting Guru
|
|
Join Date: Mar 2004
Location: London, UK
Posts: 263
|
|
Hi Rob,
I am still considering the switch to WHMCS, so have only just begun to look into it on their forums.
One thing that I had a reply about was indeed auto account activation, for which they replied "Orders always have to be manually approved"
Therefore, I am somewhat confused why you have a problem as their reply suggests no customers will be able to use the hosting account anyway?
- Vince
|

11-28-2009, 11:56 AM
|
|
Web Hosting Master
|
|
Join Date: Feb 2003
Location: Detroit
Posts: 795
|
|
Yeah, sure...
Go ahead and give it a shot. Order the basic hosting, change nameservers (if you buy a domain it does not pro-rate it) and sign up. The only real info you need to use is your email access, as all of the maxmind fraud and telephone verification are bypassed. If you disable pro rate in the product, then maxmind fraud and telephone verification are re-enabled as it is actually going to purchase something.
http://www.managedway.com/
You'll get your log in details in a few seconds, go ahead and log into your account. As long as you don't try to abuse the issue I'm happy to provide proof of concept on our live systems.
Also, heck, if you put in your real info I'll leave the account. Happy holidays.
|

11-28-2009, 12:36 PM
|
|
Web Hosting Master
|
|
Join Date: Feb 2003
Location: Detroit
Posts: 795
|
|
How to reproduce this in your WHMCS
Prorata Billing: (Tick this box to enable)
Prorata Date: 1 (Enter the day of the month you want to charge on)
Charge Next Month: 14 (Enter the day of the month after which point the following month will also be charged for with the first payment)
So, we enable prorata
We set our Prorata Date to 1, so we bill on the first
We set our Next Month to 14, so if someone orders after the 14th it charges them the prorata for the month and then the full amount for the following month.
This is where it is broken. If you sign up after the Next Month day (i.e. 14th) then it calculates the total due as $0 and makes the next payment 01/01/2010
Now, if you set 'Next Month' to 0, so that it only prorates the month and does not include the next month, it will charge and work.
The problem is in the prorata calculations when charging a prorata and following month.
This is confirmed with two independent installs.
Thanks,
Rob
|
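Added example (not part of the original post and not WHMCS code): an independent reference calculation for the settings described above, plus a check that holds an order whose cart total is zero or disagrees with the reference instead of auto-provisioning it. The function names, the daily-rate formula and the half-up rounding are assumptions made for illustration.

```python
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def _shift_month(d, step):
    """Move a date by +1 or -1 month (day is 1..28, so it always exists)."""
    m = d.month - 1 + step
    return date(d.year + m // 12, m % 12 + 1, d.day)

def expected_first_payment(order_date, monthly_price, prorata_day, charge_next_month):
    """Return (amount due today, next due date) for a monthly product.

    Assumed semantics, following the post: bill on `prorata_day`; charge the
    days left until the next billing date; if the order is placed after day
    `charge_next_month` (0 disables this), also charge the following month.
    """
    if not 1 <= prorata_day <= 28:
        raise ValueError("prorata_day must be 1..28 in this sketch")
    next_bill = date(order_date.year, order_date.month, prorata_day)
    if next_bill <= order_date:
        next_bill = _shift_month(next_bill, +1)   # may roll into the next year
    period_start = _shift_month(next_bill, -1)
    days_left = (next_bill - order_date).days
    period_days = (next_bill - period_start).days
    due = monthly_price * days_left / period_days
    if charge_next_month and order_date.day > charge_next_month:
        due += monthly_price
        next_bill = _shift_month(next_bill, +1)
    return due.quantize(CENT, ROUND_HALF_UP), next_bill

def review_order(order_date, monthly_price, cart_total_due, prorata_day, charge_next_month):
    """Return reasons to hold the order for manual review (empty list = OK)."""
    expected, _ = expected_first_payment(
        order_date, monthly_price, prorata_day, charge_next_month)
    reasons = []
    if cart_total_due <= 0 and monthly_price > 0:
        reasons.append("zero total on a paid product: payment and fraud checks never ran")
    if cart_total_due != expected:
        reasons.append(f"cart total {cart_total_due} != expected {expected}")
    return reasons

if __name__ == "__main__":
    # Constructed sample: the checkout shown in the thread ($0.00 due, $8.95 monthly).
    for reason in review_order(date(2009, 11, 28), Decimal("8.95"), Decimal("0.00"), 1, 14):
        print("HOLD:", reason)
```

Running a check like this over new orders before provisioning catches the symptom regardless of which calculation path produced the zero total.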

11-28-2009, 12:43 PM
|
|
Junior Guru Wannabe
|
|
Join Date: Jan 2004
Location: Miami Beach
Posts: 42
|
|
I can confirm that there is definitely a bug in WHMCS that does not properly calculate services when Prorate is enabled. When the prorate option is set to 0 it calculates for the current month, but change that to say 14 to prorate after the 14th of the month it does not calculate. WHMCS v. 4.1.1
|

11-28-2009, 12:46 PM
|
|
Web Hosting Master
|
|
Join Date: Jan 2004
Location: South East U.K.
Posts: 1,273
|
|
I suspect you've got something screwy in your setup. However I set the dates on Prorated billing (on latest WHMCS version), as an end user I'm always seeing a cost involved for the package being purchased.
Having said that, I still have problems with the WHMCS prorata setup which I've tried to resolve through their forums (without success).
|

11-28-2009, 12:55 PM
|
|
Web Hosting Master
|
|
Join Date: Oct 2004
Location: Oneida, NY
Posts: 2,712
|
|
There is an error in your settings somewhere. I use proration in my setup as well and there is no issue whatsoever with it.
__________________
Nick Hudson - VP Customer Relations
Eleven2 Web Hosting - World-Wide Hosting, Done Right!
Shared Hosting | Reseller Hosting | Dedicated & Cloud Servers
Server Locations in: Dallas | Tokyo | London
|

11-28-2009, 12:57 PM
|
|
Web Hosting Master
|
|
Join Date: Feb 2003
Location: Detroit
Posts: 795
|
|
It seems they posted a patch without updating their site.
Log into your client area and get 4.1.2 incremental. Unlike the last update, I didn't have to spend two days rebuilding my templates. This applied cleanly right over top of my 4.1.1. I did make an rsync -ab backup. Here is a changed file list.
find . -name \*~
./clientarea.php~
./modules/gateways/callback/paypal.php~
./modules/gateways/callback/2checkout.php~
./modules/registrars/resellone/resellone.php~
./modules/registrars/opensrs/opensrs.php~
./submitticket.php~
./cart.php~
./admin/clientsaddons.php~
./admin/clientshostinglist.php~
./admin/massmail.php~
./admin/orders.php~
./admin/quotes.php~
./upgrade.php~
./supporttickets.php~
./domainchecker.php~
./includes/api/gettickets.php~
./includes/api/getticket.php~
./includes/api/updateclient.php~
./includes/api/getclientsdetails.php~
./includes/api/domainwhois.php~
./includes/api/addclient.php~
./includes/api/capturepayment.php~
./includes/gatewayfunctions.php~
./includes/invoicefunctions.php~
./includes/orderfunctions.php~
./includes/whoisservers.php~
./includes/processinvoices.php~
./includes/quotefunctions.php~
./login.php~
./templates/portal/supportticketslist.tpl~
./templates/portal/clientareaproducts.tpl~
./templates/portal/viewticket.tpl~
./templates/default/supportticketslist.tpl~
./templates/default/clientareaproducts.tpl~
./dbconnect.php~
./dl.php~
./viewinvoice.php~
./dologin.php~
|

11-28-2009, 01:09 PM
|
|
Junior Guru Wannabe
|
|
Join Date: Jan 2004
Location: Miami Beach
Posts: 42
|
|
Quote:
Originally Posted by Rob Phlox
It seems they posted a patch without updating their site.
Log into your client area and get 4.1.2 incremental. Unlike the last update, I didn't have to spend two days rebuilding my templates. This applied cleanly right over top of my 4.1.1. I did make an rsync -ab backup. Here is a changed file list.
find . -name \*~
./clientarea.php~
./modules/gateways/callback/paypal.php~
./modules/gateways/callback/2checkout.php~
./modules/registrars/resellone/resellone.php~
./modules/registrars/opensrs/opensrs.php~
./submitticket.php~
./cart.php~
./admin/clientsaddons.php~
./admin/clientshostinglist.php~
./admin/massmail.php~
./admin/orders.php~
./admin/quotes.php~
./upgrade.php~
./supporttickets.php~
./domainchecker.php~
./includes/api/gettickets.php~
./includes/api/getticket.php~
./includes/api/updateclient.php~
./includes/api/getclientsdetails.php~
./includes/api/domainwhois.php~
./includes/api/addclient.php~
./includes/api/capturepayment.php~
./includes/gatewayfunctions.php~
./includes/invoicefunctions.php~
./includes/orderfunctions.php~
./includes/whoisservers.php~
./includes/processinvoices.php~
./includes/quotefunctions.php~
./login.php~
./templates/portal/supportticketslist.tpl~
./templates/portal/clientareaproducts.tpl~
./templates/portal/viewticket.tpl~
./templates/default/supportticketslist.tpl~
./templates/default/clientareaproducts.tpl~
./dbconnect.php~
./dl.php~
./viewinvoice.php~
./dologin.php~
|
Applied and it works now! No more Prorata issues with version 4.1.2
|

11-28-2009, 01:17 PM
|
|
Web Hosting Master
|
|
Join Date: Feb 2003
Location: Detroit
Posts: 795
|
|
WHMCS support did get back with me, and it seems this is also in relation to the new year (2010). They have also confirmed that 4.1.2 incremental patch was to resolve this.
If you use WHMCS, make sure you are on 4.1.2 or you will find yourself with a lot of free accounts like us. On their site, they still list 4.1.1 as stable which probably is confusing more than us in this thread.
|

11-28-2009, 01:35 PM
|
|
Your Hosting Partner!
|
|
Join Date: Feb 2007
Location: United Kingdom
Posts: 1,052
|
|
If you subscribe to the WHMCS announcement forum you will get a notification whenever they release a new version/update.
__________________
█►Gareth Plevin Host Red Dragon ....Coming Soon!!
█►LiteSpeed/CloudLinux Powered cPanel Shared and Reseller Hosting, VPS, Dedicated Servers
█►OnApp powered Cloud Hosting Fault-Tolerant Cloud Network SSD Drives
█►HostRedDragon True 24/7 Ticket Support Over 10 Years Industry Experience!!
|

11-28-2009, 01:43 PM
|
|
Web Hosting Master
|
|
Join Date: Feb 2003
Location: Detroit
Posts: 795
|
|
Quote:
Originally Posted by HostOrca
If you subscribe to the WHMCS announcement forum you will get a notification whenever they release a new version/update.
|
Yes, along with every other dribble of marketing material. I already get 300-400 non-spam emails a day, I don't really need to know about McAfee and Softwhatever.
McAfee PCI Compliance Service for WHMCS users
Softaculous Release WHMCS Module
VPS.NET Module - Testers Needed
I guess it's my mistake in assuming they would keep their site updated, as that's the first place I look.
|

11-29-2009, 08:07 PM
|
|
Junior Guru Wannabe
|
|
Join Date: Nov 2009
Posts: 64
|
|
I have a question:
Do you suggest to install WHMCS in root with same folder name or better to rename to something like billing...?
I've just downloaded the 4.1.2 with so I suppose not having this bug?
|

11-29-2009, 08:17 PM
|
|
Web Hosting Master
|
|
Join Date: Feb 2003
Location: Detroit
Posts: 795
|
|
Quote:
Originally Posted by vpshostingtv
I have a question:
Do you suggest to install WHMCS in root with same folder name or better to rename to something like billing...?
I've just downloaded the 4.1.2 with so I suppose not having this bug?
|
Yes 4.1.2 seems to work well.
I rename mine, and I think you will find it is common. Also, you may wish to change the admin directory name as well. This is documented at WHMCS.
If this is your billing on your site, name it billing.
Thanks,
Rob
|

11-29-2009, 10:09 PM
|
|
Web Hosting Guru
|
|
Join Date: May 2009
Posts: 281
|
|
Quote:
Originally Posted by Rob Phlox
Yes 4.1.2 seems to work well.
I rename mine, and I think you will find it is common. Also, you may wish to change the admin directory name as well. This is documented at WHMCS.
If this is your billing on your site, name it billing.
Thanks,
Rob
|
Not sure if you're aware of this, but your SSL Certificates are showing as $0.00. Sorry, I know it's unrelated but thought it might be worth mentioning.
|