Jump to content


  • Content count

  • Joined

  • Last visited

  • Days Won


tap0le last won the day on October 28 2018

tap0le had the most liked content!

Community Reputation

11 Good

1 Follower

About tap0le

  • Rank

Recent Profile Visitors

1,270 profile views
  1. They were hacked through the use of one of their own custom templates. All their modules are vulnerable, and all companies that use them are as well. There's no validation for running the code. (Not restricted to only be run internally by whmcs. It's a simple line of code you add to the php files to ONLY allow them to be called as the result of an action in whmcs. Most of their files in their modules do not include this validation.) Almost all the php scripts can be called by a simple curl command from anywhere. Their client x template goes even further, and allows you to upload a php script and run it remotely.
  2. The hackers didn't do anything to the modules, but they did reveal vulnerabilities in them. For instance, in almost all the modules, they fail to validate the php files, and they can be executed directly.
  3. Man, this post seriously turned into a crazy debate. I honestly just wanted to share with the community and ask WHMCS to take the listings down for now. I'm honestly impressed WHMCS did take them down. Like @brian! said, they aren't liable for the modules or damage they may cause, but taking them down once they are aware is the responsible thing to do. And they did that.
  4. There was proof of it. That's what is contained in the pastes that were removed. It was proof and additionally instructions on how to take advantage of the vulnerabilities. (they only showed one module, and threatened to show the other vulnerabilities if WGS didn't fix them) Thank you. It's much appreciated!
  5. Well I guess I'll look for instructions on reporting them. Lol i didn't mean they are on top of their software as a whole, just the security aspects of it. Usually.
  6. Edit: I realize I said something that conflicts with this, saying once it's fixed it's too late. I didn't mean that. I was getting frustrated and that just came out.
  7. You are all missing my point. I'm not saying they are responsible for the addon. I'm saying they have a responsibility to the community to remove content once it has been brought to their attention to cause mass harm. I'm not saying they legally have this responsibility, but ethically. As for disclosure: The difference with WHMCS is they actually fix their security holes. When it actually comes to their software they are on top of it. Like i said in my first posts, the hacker should make aware the party in which they hacked, give them time to fix it, then release the info on the vulnerabilities at a specified time whether or not it's fixed. This is how the industry works. It's standard practice.
  8. I completely disagree. Once it's fixed it's rather too late. How will potential victims know NOT to use said software? Also, the hackers' methods were awful, but it's much better to know then not know. Hackers are necessary. I've paid hackers to hack our site. But security researchers follow ethical boundaries, which these hackers did not.
  9. If Ferrari knows of the issue and for some reason is allowing Samsung to sell phones out of their giftshop, I'd I'd say yeah they are partially responsible.
  10. My mistake, I didn't realize the first link contained that info. I went back and checked and see that it did include WGS' config file. I agree, their clients should not be put at a deficit due to their poor security. I am one of their clients. I understand removing the link, but the standard courtesy is to notify that you've modded someone's post. I do feel that all their modules should be suspended from being sold in the marketplace, as they are still vulnerable. For the record, I don't support how the hackers handled this. They should never have exposed private information or dumped databases. They should've given the information to WGS, waited a period of time giving them a chance to rectify, and released the information on the vulnerabilities to the public and nothing more.
  11. The first link i gave didn't actually disclose any sensitive information, and honestly the community has a right to know. Anyone who wants to know more, just conact me. I'll share what WHMCS is censoring.
  12. Really, you're going to remove from my comments and give no notification or acknowledgement of this? I should've figured you don't care about your users either WHMCS.
  13. WHMCS Administration: Please remove all WHMCS Global Services' modules from your marketplace. About a week ago, WGS sent out an e-mail telling it's clients to run a php script to patch an issue with their license server. It ended up not being from WGS. It was a hacker, who had gained access to their system. WGS' client database has been leaked, along with their creditcard hash, and instructions on how to hack ANY host which uses "ClientX" theme. It includes a list of the hosts which use this theme. License servers have been down as well for WGS, so if you are paying for their modules, you can't use them anyways. Here are some pastes which show the hackers' activity, WGS response, and a timeline for this entire event. <removed from community by moderation team> Please, any hosting companies that use their services, delete the modules from your system. You are at risk.
  14. tap0le

    Many of the new fa fonts broken

    Let's not turn this in to an argument guys. This is a bug report. We can all agree it needs to be fixed. This isn't a debate on whether or not it's important for a certain company because of their revenue. It's a very visually ugly bug and needs to be squashed. Yes most of us can just fix the issue on our own, but the point is it's WHMCS responsibility.

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated