
Vander Host

Member
  • Content Count: 21
  • Joined
  • Last visited

Community Reputation: 1 Neutral

About Vander Host
  • Rank: Junior Member

Recent Profile Visitors: 432 profile views

  1. Just got approached by a similar security researcher. I've examined the three references in this post, namely:
     https://docs.whmcs.com/Further_Security_Steps#Defending_Against_Clickjacking
     https://owasp.org/www-community/attacks/Clickjacking
     https://documentation.cpanel.net/display/EA4/Advanced+Apache+Configuration
     Any more clues what exact directive needs to be added? As it happens we use WHM and Virtualmin and I'm pretty familiar with NGinx conf files, and Apache and so on, but all three references fail to actually tell you what to do.
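The directives the post above is asking for, given here as an added example (this is editor-supplied text, not a reply from the thread and not copied from the WHMCS, OWASP or cPanel pages it links). It sends both anti-framing headers the OWASP article describes via Apache's mod_headers. Where the snippet lives (the WHMCS site's `.htaccess`, or an EA4 pre-virtualhost include under WHM) is an assumption about the reader's setup; the directives themselves are standard Apache.

```apache
# Added example, not from the thread: anti-clickjacking response headers for Apache (mod_headers).
# X-Frame-Options is the legacy header; Content-Security-Policy frame-ancestors is the current
# standard. Send both so old and new browsers are covered.
# "always" makes Apache add the headers to error responses (4xx/5xx) too, not only 2xx.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
```

Use `DENY` and `'none'` instead if nothing on your own origin needs to frame the client area. If the site already sends a Content-Security-Policy, merge `frame-ancestors 'self'` into that policy instead of using `set`, which replaces the existing header. The nginx equivalent is `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header Content-Security-Policy "frame-ancestors 'self'" always;` in the `server` block, remembering that `add_header` in a nested block discards every inherited `add_header`. Check the result from outside with `curl -sI https://your-whmcs-host/ | grep -i -e x-frame-options -e content-security-policy`; both lines should appear, and the scanner's finding is closed once they do.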
  2. Sounds like that would disable core functionality?
  3. As a consultant installing WHMCS for others, the very first question they ask me is about these automated emails for domain synchronisation. I struggle to explain this to them:
     > Setup > Staff Management > Administrator Roles and untick "System Emails (eg. Cron Notifications, Invalid Login Attempts, etc...)"
     but this will stop more than just the domain sync emails. Hopefully, one day, there will be a magic button where we can put this off.
  4. Yep. Crowd sourcing feature requests are only useful up to a certain point. I'm not sure how WHMCS handles security notifications, but my community at Github likes a personal email to the owner of the solution.
  5. Hi @WHMCS John, thanks so much for the reply. I just voted.
     > help us understand our user's priorities.
     Of course user priorities are a great way to drive your product forward. But don't you think security priorities should be top of mind too? Would you really want your users to tell you your product lacks fundamental security on the login screen before implementing such a change? The problem with this hack is any VIP client's system could get brute-force guessed, giving the hacker a chance to further exploit another system. By the time the host figures out something is wrong, huge damage could have occurred. The host might not even ever know how the system was compromised. What I'd also like to highlight here is some "security researcher" warned us about this problem. So in fact, most likely the weakness is already out in the wild. And now this "security researcher" is asking us for a bribe to make the problem "go away". My opinion is forget user priorities and bump this up a level to security priorities. Thanks, Eugene - user since 2007.
  6. Any updates on rate limiting failed client logins? We're being targeted by "security researchers" and this is one of their concerns. Any suggestions for plugins from the marketplace? In my opinion it's a bit strange that admin logins are rate limited, but not client logins. Surely this programming code exists and can be implemented for the client area?

     Bug: no rate limit at form login
     Description: in the login page https://.../clientarea.php there is no rate limit for brute force attack on password, which allows an attacker to do as much as he can from requests for guessing the user password.
     How to reproduce:
     1. go to https://.../clientarea.php
     2. put any user or password and intercept the request with burp suite
     3. send the request to intruder and click add in the password form
     4. now put a list of passwords; can use thousands of passwords to brute force
     5. will notice all requests have the same status; there is no rate limit in this form
     Solution: add rate limit in this form
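A defender-side illustration of the control the report above says is missing: a failed-login rate limiter keyed on both the account and the source address, with the limiter consulted before the password is checked so a blocked attempt never reveals whether the guess was right. This is added example code, not WHMCS's client-area code and not anything from the researcher's report; the user store, thresholds, injectable clock and `attempt_login` function are all constructed for the demo.

```python
"""Added example (not WHMCS code): failed-login rate limiting for a login form.

Everything here is constructed for illustration: the demo user store, the
thresholds, the clock and the attempt_login() front door.
"""
import hashlib
import hmac
import time
from collections import deque


def _hash(salt: bytes, password: str) -> bytes:
    # PBKDF2-SHA256; iteration count lowered for the demo (use far more in production).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed demo credential store: username -> (salt, derived key).
_USERS = {"alice": (b"demo-salt-1", _hash(b"demo-salt-1", "correct horse"))}


class LoginRateLimiter:
    """Count failed attempts per key (account or client IP) in a sliding window.

    After `max_failures` failures within `window_seconds`, the key is blocked for
    `lockout_seconds`. Only failures count, so normal successful logins never
    push a legitimate user towards a lockout.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock            # injectable so behaviour can be tested without sleeping
        self._failures = {}           # key -> deque of failure timestamps inside the window
        self._blocked_until = {}      # key -> timestamp when the lockout ends

    def _recent_failures(self, key, now):
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:   # drop failures that fell out of the window
            q.popleft()
        return q

    def is_blocked(self, key) -> bool:
        until = self._blocked_until.get(key)
        return until is not None and self.clock() < until

    def record_failure(self, key):
        now = self.clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._blocked_until[key] = now + self.lockout
            q.clear()                 # the lockout replaces the window count

    def record_success(self, key):
        self._failures.pop(key, None)
        self._blocked_until.pop(key, None)


def attempt_login(limiter, username, password, source_ip):
    """Return 'ok', 'denied' or 'rate_limited'.

    The limiter is checked BEFORE the password, so a locked-out attacker gets the
    same answer whether the guess was right or wrong.
    """
    keys = (f"user:{username}", f"ip:{source_ip}")
    if any(limiter.is_blocked(k) for k in keys):
        return "rate_limited"
    record = _USERS.get(username)
    # Unknown usernames take the same hashing path so timing does not enumerate accounts.
    salt, stored = record if record else (b"dummy-salt", b"\x00" * 32)
    ok = record is not None and hmac.compare_digest(_hash(salt, password), stored)
    if ok:
        for k in keys:
            limiter.record_success(k)
        return "ok"
    for k in keys:
        limiter.record_failure(k)
    return "denied"


class FakeClock:
    """Constructed clock so the demo can advance time without sleeping."""
    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


def demo():
    """Walk through the scenario from the report: repeated guesses against one account."""
    clock = FakeClock()
    lim = LoginRateLimiter(max_failures=3, window_seconds=60, lockout_seconds=120, clock=clock)
    results = []
    for guess in ("guess1", "guess2", "guess3"):          # three wrong passwords
        results.append(attempt_login(lim, "alice", guess, "203.0.113.7"))
    # Even the CORRECT password is refused while the account is locked out.
    results.append(attempt_login(lim, "alice", "correct horse", "203.0.113.7"))
    # A different account from the same source is refused too (per-IP key).
    results.append(attempt_login(lim, "bob", "whatever", "203.0.113.7"))
    clock.t += 121                                        # lockout expires
    results.append(attempt_login(lim, "alice", "correct horse", "203.0.113.7"))
    return results


if __name__ == "__main__":
    print(demo())
```

Keying on the source address alone would lock out everyone behind a shared NAT, and keying on the account alone lets anyone who knows a username lock its owner out, which is why the demo tracks both; in a real deployment each lockout is also an event worth logging so that the pattern the researcher describes shows up in monitoring rather than only in the access log.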
  7. How was this resolved? On our system this is suddenly happening for most users, out of the blue!
     Edit: Ticket created #SVP-216525. It's happening for some (older) users but not newer ones. Also we upgraded from 8.4.0 to 8.4.1 yesterday so maybe... this is the problem.
  8. Thank you! Similar problem, client had placeholder VPS domain name, similar to new one I wanted to register.
  9. Hi there, Many clients are sending us PDF documents. How can I enable image previews? On tickets we see this: "No Image Preview Available" Happy to pay for development time.
  10. Please would you provide updated documentation for removing these ns1 fields?
  11. Referring to these two WHMCS API calls:
      https://developers.whmcs.com/api-reference/getclients/ "Obtain the Clients that match passed criteria"
      https://developers.whmcs.com/api-reference/getclientsdetails/ "Obtain the Clients Details for a specific client" Note this function returns the client information in the top level array. This information is deprecated and may be removed in a future version of WHMCS.
      What if I wanted to make one API call, to say get all client details that also includes the telephone number? The first API call, GetClients, only returns a severely limited subset of data. The second can return everything but I have to call it per client? What if I have 1000s of clients, does this mean I need to make 1000 API calls? Any tips?
  12. I see this topic was extensively discussed in 2017: in that post a lot of tug of war between best practices, shared hosting security etc. I'm not interested in any preachings about security.
      1. I have a shared server based on WHM/cPanel. I will be hosting my WHMCS on this shared server. In fact it's running there already.
      2. Am I missing something or is the WHMCS documentation making it very clear that one can just add `allow_url_fopen` quite easily to any shared site? https://docs.whmcs.com/PHP_Upgrade_Guide
      3. If it's not easy, what steps are missing in the above guide? Other people who have tried to document doing this for a single site appear to go to great lengths fiddling and copying INIs across etc. Is this setting a mammoth task on a shared server? https://domainregister.international/index.php/knowledgebase/297/How-to-enable-allow_url_fopen-for-a-single-site-in-cPanel.html
      4. When following the WHMCS guide, and actually trying to execute this in cPanel, these new lines seem oddly out of place (and also, I still get allow_url_fopen warnings).
      Please provide some guidance because I can't be without automatic updating and I can't move away from this shared server either.
  13. Hi John,
      > WHMCS staff did not recommend removing or deleting files en-mass.
      To be clear, correct, yes, indeed, WHMCS did not say I must delete everything and start from scratch. As mentioned before I chose this path after receiving the standard reply from the help desk. It worked out well doing that because I knew immediately where to find 95% of my customizations, except for the theme. Anyway I've ditched the theme and will go with 2021 because it's too complicated to keep the software current and have a custom theme.
      > uploading a fresh set of the WHMCS files, overwriting the existing files. This is another potential cause of this error
      Ok great, as long as they now have the same information with regards to the Geolocation, which, for the benefit of our other readers, is Geolocation Hook For WHMCS https://www.docs.modulesgarden.com/Geolocation_Hook_For_WHMCS This is what caused the problem in the first place.
  14. I get this warning on a fresh installation:
      Warning: The WHMCS Base URL definition is missing from your active template. Please refer to https://docs.whmcs.com/WHMCS_Base_URL_Template_Variable for more information and details of how to resolve this warning.
      See screenshot with error. There is pretty good documentation about this here: https://docs.whmcs.com/WHMCS_Base_URL_Template_Variable It's also pretty clear what to do, make sure that directive is in the `head.tpl`. Fact is, fresh installation, happens with both Template Six and 2021. Any clues?
  15. Thanks @WHMCS John please communicate with your internal staff ticket # ERV-955284 and educate them. Their incorrect template response meant I annihilated a multi year installation and had to reconfigure and recopy a bunch of files and I'm still busy picking up the pieces as we speak.