About gPowerHost

-
Frequent, WHMCS Daily System Cron Attention Needed Emails
gPowerHost replied to gPowerHost's topic in Troubleshooting Issues
Update: in typical fashion, WHMCS will go to great lengths to explain away bugs as features. It would be nice if they took their customers and their customers' time more seriously. Here was their response:

Why not just provide the solution to stop the erroneous dunning message when the error message is presented (privately, in an email)? Or, why not take 20 minutes and fix the logic and check to see if the error is still present?

Additionally, I find this telling:

How can I "If you choose to not force a run that day..." when that is some super, top secret thing not worthy of telling the customer in the emails that are flooding in claiming there is a problem that was fixed prior to triggering the alert? Additionally, if WHMCS cared about customers not losing revenue then why would they not admit the bug and add it to the stack to get fixed someday?

Lastly, we ran this (as it was the only avenue to fix the issue that we could find):

    php -q /path/to/cron.php -vvv

And that command (presumably with three "v"'s for extra verbosity) provides no hint to the solution. This is a second, not as ideal, place they could have presented the secret solution.

To recap: There are two places they could paste in the secret solution. Or, instead of taking 3 minutes to do that they could take the 20 minutes and fix the logic. Either way, the bug needs fixing. Until the bug is fixed folks would need to follow my GUI method to fire the cron or, the "secret method": oops, they only talked about the "--force parameter"; am I to assume it is to be added like this:

    php -q /path/to/cron.php -vvv --force parameter

Or what?
-
Don't waste time searching for a problem that has already been fixed! If your daily WHMCS internal CRON (for daily automated actions) wasn't working correctly--maybe due to the upgrade process falling within the window of when that CRON is to fire--you might start getting more frequent than hourly emails with the subject: "WHMCS Daily System Cron Attention Needed". If you are fairly certain that your setup is actually working try setting: WHMCS->Setup->Automation Settings->Scheduling->Time of Day either permanently or temporarily to the next hour (so, if it is 9:38PM set it to 10PM) wait until 11PM and this may possibly clear up that erroneous, buggy, dunning message that doesn't really check if something is still wrong! If that doesn't do it then you might proceed with what @WHMCS ChrisD suggests here: WHMCS Daily System Cron Attention Needed. We wasted a good bit of time (luckily we had taken a snapshot) unsetting features and trying to divine what was wrong in the complete absence of any detail about what needs attention. There was no detail, as there was no problem, just a buggy WHMCS. Yes, we have reported this as a bug.
-
If you are on a live installation and want to avoid leaking data via debug, do something like this: in your theme's header.inc between the head sections, add (replacing MY-IP with your actual IP address):

    {if $ipaddress eq 'MY-IP'}<meta name="test2" content="76e3{$token}"/>{/if}
    {if $token eq 'MY_TOKEN_HERE'}{debug}{/if}

Now view source on your browser and replace MY_TOKEN_HERE with your actual token (less the extra 'be69' characters we threw on the beginning to partially obfuscate the token). You could do the same with just IP address or add it as a second factor in the debug statement, but I find it is now as reliable on some pages. Of course, it is better not to do this on a live site, and don't leave the code there except when you need it (not even overnight).

Edit Note: $ipaddress is so unreliable you may have to click on a few pages to get it to fire.
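A check for the "don't leave the code there" caveat above, as an added example that is not part of the original post: it scans Smarty template text for `{debug}` tags and reports which `{if}` conditions, if any, gate each one. The function names, the sample template and its IP and token values are constructed for illustration.

```python
import re

# Smarty block tags that decide whether a {debug} tag is reachable.
TAG = re.compile(r"\{(/?)(elseif|else|if|debug)\b([^}]*)\}")
COMMENT = re.compile(r"\{\*.*?\*\}", re.S)

# Constructed sample header template (IP and token values are placeholders).
SAMPLE = """<head>
{if $ipaddress eq '203.0.113.7'}<meta name="test2" content="76e3{$token}"/>{/if}
{if $token eq 'CONSTRUCTED_TOKEN'}{debug}{/if}
{* {debug} inside a Smarty comment is ignored *}
</head>
<body>
{debug}
</body>
"""

def find_debug_tags(template_text):
    """Return (line_no, enclosing_conditions) for every live {debug} tag."""
    # Blank out comments but keep their newlines so line numbers stay right.
    text = COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), template_text)
    findings, stack = [], []
    for m in TAG.finditer(text):
        closing, name, args = m.group(1), m.group(2), m.group(3).strip()
        if name == "if" and not closing:
            stack.append(args)
        elif name == "if" and stack:
            stack.pop()
        elif name in ("else", "elseif") and stack:
            stack[-1] = f"{name} {args}".strip() + f" [after: {stack[-1]}]"
        elif name == "debug" and not closing:
            line_no = text.count("\n", 0, m.start()) + 1
            findings.append((line_no, list(stack)))
    return findings

def audit(template_text):
    """Label each {debug}: 'ungated' ones render for every visitor."""
    return [
        (line_no, "gated by: " + " AND ".join(conds) if conds else "ungated")
        for line_no, conds in find_debug_tags(template_text)
    ]

if __name__ == "__main__":
    for line_no, verdict in audit(SAMPLE):
        print(f"line {line_no}: {{debug}} {verdict}")
```

Run over every template file before and after a debugging session, any reported line means a `{debug}` tag is still in place.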
-
Most developer licenses are free. Microsoft offers about $25K worth of software free (for development purposes only). So if you have no idea what the industry is like then it isn't fair to jump down someone's throat. I can go on and on as I've been a developer for 36 years and I can list company after company that require the purchase of nothing for developers. This guy HAS a product, and he doesn't like the developer practice. Why get so upset? Let him voice his opinion without oppressing him.
-
Thanks for the update.
-
While I'm not pleased with the hackers, annoyed with all of the competitive naysayers, I'm also not pleased with the WHMCS meek behavior. You seem unwilling to use the tools you have to push information out quickly. Yes of course I have rss, but WHMCS is very lazy and indecisive when it comes to how to get the info out. Stop being afraid of what people will think. Really! If you have to release an update daily do so. And use your ability to push the notification out. Otherwise, your coy behavior forces us to scour the internet looking for the latest news. Because we think you are too afraid to be upfront often enough. Take control and start informing us! Stop being afraid of what we will think. If your patch breaks things, like the last one did (credit card captures), correct it the next day. I am getting sick of WHMCS forcing me to go read the lengthy WHT forums because you will not be straightforward. If your PR people are telling you to be silent fire them! Repeat fire them! If you pushed good info out twice daily to the cart you could easily take control and prevent us from wasting our time wondering if the RSS is broken, or if you decided to post elsewhere this time. Or if you are too afraid of the backlash. Do you think all of your customers are stupid and can't think for themselves? We know when naysayers take a valid point and twist it. But you are the ones forcing us to go read that dribble! All the best, and waiting for you to take control of your company and start leading yourselves, and us out of this mess.
-
OK well we still have Mass Payments disabled. I guess they have no idea if it is safe to turn it back on.
-
I'm focusing on mod_security to get through this. Live feeds and my own rules. I have just learned that WHMCS is somehow working with atomic to provide an atomic rules installer, but it is not ready yet. I hope it is not another fee for service thing like Two Factor Authentication. Just saying, I would not need the rules to be updated hourly and have about two dozen custom rules if the code were well thought out. But this is horribly frustrating because no sooner do I get a rule, the rule gets hit. We are talking minutes. Rules for new vectors, new attacks follow and are caught for those vectors. If it happens in reverse.... I have no time to attack anyone. This is my new personal nightmare. When will it end?
-
Earlier today Matt posted http://blog.whmcs.com/security.php?t=80587 recommending that we de-select the "Enable Mass Payment" checkbox in Setup > General Settings > Invoices. Then a patch was released. But the explanation of the quickly following patch says nothing about Mass Payments. It lists many other things. Is this still an open issue, or has the patch v5.2.12 and I assume v5.1.13 resolved the Mass Payments vulnerability definitively? Also, it would be nice if these notices were pushed to the admin area. My WHMCS News Feed's latest message is from Friday, October 18th, 2013. Isn't this the fastest and most direct way to get the word out?
-
10 ways to make your WHMCS installation more secure
gPowerHost replied to plateaultd's topic in Third Party Add-ons
Excellent points! However, the most recent vulnerabilities were not caught with the default cpanel mod_security rules in testing we did. However, the delayed or subscription based gotroot rules do catch the exploit. I spent all day yesterday testing this out. Yes, the default rules do pick up the older hacks, but not the newer ones. Also, I was unable to get custom rules shared in WHT to work on mod_security as we had it. Those rules were crafted differently. I urge everyone to update their mod_security to current, heavily supported and constantly updated rulesets. All the other good-practices aside (but not to be dismissed!! we do them all), only a good ruleset or the patch worked against this vector. Maybe others have different experiences. I got a better night's sleep after updating our rulesets.
-
I really want to like WHMCS. But from the code snippets I've seen, being a programmer for 36 years, I'm horrified. I hope they put every new feature on hold. I hope they dig deep in their pockets and have the guts to seriously examine their practices and get some help. Focus every ounce of resource they can muster on reviewing, auditing and rewriting. Obviously someone has it out for them. Too bad for us, the customers that have our data compromised and business on high alert. But I have no sympathy for WHMCS, they wrote the code, they should have had the guts to do serious self examination a long time ago. Because blaming hackers is just an excuse. We all have businesses that involve hackers and poorly written code. Having to help our customers steer away from poorly developed or maintained modules or scripts is a daily thing. Thankfully, we have good firewalls and rules to stop most of this stuff, but it is only a matter of time. Please, please, please take this seriously and only look inward for blame. Because until you come clean with yourselves, you aren't going to have a hope. I hope you make it. I hope you hear our pleas and take our businesses seriously.
-
One more question. I would like to know if it is possible to have multiple instances of the template running on the same WHMCS installation. We plan on using a set of slightly modified templates (one for say hosting, a different one for ssl, another for support etc.) in which a few tweaks could be accomplished (slightly different header, differing menu items) to support our product matrix. Generally, I would just duplicate the template and rename (hosting, ssl, etc.). We plan on using the URL to switch between templates. I ask because with the template editing aspect (backend) I wonder if it would support editing the colors etc. If not, any workaround possible? Of course we would only be looking to pay for one license, because we are just one company, using one WHMCS installation. p.s. you have a problem with your submit ticket on your site. The spambot characters don't show up and there is some error about recompiling gd library.
-
Long Security Question and "Comparison" template bug
gPowerHost replied to gPowerHost's topic in Troubleshooting Issues
Thanks CDJ Hosting. I'm sure the template hasn't been touched as I haven't even gotten that far. I never gave ftp info to our designer yet. We are busy working on products and server side integration. But we are getting close and I hope you might help figure this one out. Here is our cart: https://gPowerHost.com/cart.php add any product and proceed to checkout. I've added back a kinda long security question so you can see what happens. Thanks for your time!
-
A bug causes: "notes / additional information" and its related text box to overlap "Name Last", "Company Name" and "Email Address" fields in the shopping cart; when these conditions are met:
-A Security Question exists longer than approximately 35 characters (regardless of user selection).
-The browsing user is not logged in (a logged in user tends to mitigate the effect).
-The default Order Form Template is set to: "Comparison"

The result would likely scare off shoppers as it looks unprofessional, causes confusion, and provides an unusually small area to type notes. Additionally, better security questions (harder to crack via social engineering/harvesting) tend to be longer. As all of our product descriptions were designed to optimally display best with the "Comparison" template this is not ideal. We have of course worked around the issue by making our Security Questions short and unfortunately somewhat cryptic.

Environmental and additional info:
-This has existed for all of the last 3 minor versions (and since we initially installed WHMCS).
-We have "attachments", "crons", "downloads" and "templates_c" located in a non-standard location.
-We have the "admin" directory renamed.
-We have the following addons active (though disabling seems to have no effect): PayPal Addon, WHMCS Backup addon, WHMCS Pages, and WHMCS Subscriptions
-WHMCS Version: 5.2.5
-No customizations exist to code or templates (beyond the creation of a yet unmodified template, which is not selected)