Jump to content


  • Content Count

  • Joined

  • Last visited

  • Days Won


Kian last won the day on July 6

Kian had the most liked content!

Community Reputation

408 Excellent

About Kian

  • Rank
    Senior Member

Recent Profile Visitors

14786 profile views
  1. I have no direct experience with twenty-one but are you sure that WHMCS gives only 10 records? As far as I know WHMCS doesn't use server-side processing of DataTables hence all rows are accessible from {$invoices}. For example at the moment I am browsing a system where I have almost 4000 invoices. Each of them is accessible from {$invoices}. In fact when I change page limite from "10" to "All" they all show up without any need of ajax POST.
  2. It's DataTables. Simply use pageLenght API.
  3. SELECT t3.date, t3.invoicenum, t2.domain, t3.status FROM tblinvoiceitems AS t1 LEFT JOIN tbldomains AS t2 ON t1.relid = t2.id LEFT JOIN tblinvoices AS t3 ON t1.invoiceid = t3.id WHERE t1.type IN ('Domain', 'DomainRegister', 'DomainTransfer') AND t3.status = 'Paid' AND t3.date >= '2022-03-01' order by t3.date DESC I personally finished checking tens of thousands of domains on several systems using this query. It selects all domains that have been renewed, registered and transfered starting from 2022-03-01. This date should safe to use. In fact I think the faulty version of IBS has been released 40 days ago. You need to get all the returned domains and check them in bulk on internetbs.net. I spent hours trying to understand how to identify potential issues but I wasn't able to do that so I focused on all domains with expiration date set on 2022 and checked them manually one by one 😩 Sorting them by expiration date DESC was very helpful. Sadly I found several domains that haven't been renewed even if end-users paid invoices and WHMCS performed renewals. At least there were less cases than I expected. Special note for .it domains. Unlike other TLDs where you explicitly need to send "Renew Domain" command, .it domains get automatically renewed. To avoid renewing domains that haven't been paid, IBS automatically sends "Delete Domain" command usually 14 days after expiration .This way NicIT (IT Registry) doesn't renew them automatically. With all this mess I am still figuring out what happened to .it domains. Maybe nothing or maybe IBS allowed NicIT to renew them even if they haven't been paid by customers. In conclusion you should update IBS module asap and perform the check I just described but there is a twist. You should do that only if you were running this buggy version of IBS. The problem is that the only way for me to explain how to determine if your IBS module is good or bad, is to describe the exploit 🥶 Okay enough drama for me today. See you 🕳️
  4. Yep, I was just responding to ComfortDrive since he/she suggested you to run a SEO audit. As you probably know better than me a SEO audit doesn't play any role when it comes to things like cPanel SEO, Ahrefs, Semrush etc.
  5. Ahref also has a free version that is good enough to analyse metrics. Same goes for neilpatel.com but... ... there is no audit to check here since cPanel SEO doesn't directly affect your SEO. It's a tool used track keywords, traffic, get recommendations, alerts etc. It will not automagically improve anything. There's no point looking at stats and graphs per se. Such tools only make sense if you have a SEO strategy in mind.
  6. There is another problem. Not only we have/had the exploit but as I can see their module even failed at renewing domains. I am seeing clients realizing they never renewed any domain during the last 40 or more days even if WHMCS performed renewals as normal and invoices have been paid. That said, I highly suggest you to double check manually that all renewals occurred during the last 3 months have been successful. I say 3 months because IBS module doesn't come with versioning so I can't tell the exact date starting from which we had this mess. For sure more than 40 days but it can be more!
  7. IBS released an update that fixes the issue. Download it asap! Trust me 😱
  8. Yes, it must be enabled and configured.
  9. John edited the title of this post so now everyone knows the name of the module in question. Balls of steel 😱😁 I'll do it but I suspect that WHMCS is not affected by this issue. Anyway I'll send you all details including the super-easy fix via DM and Bugcrowd so that you can take a look. I will not say anything here to avoid having people exploiting the bug.
  10. Hi guys, I just spot a critical and dangerous vulnerability in a third-party component of WHMCS. I would like to share info but the thing is that as soon as I reveal details, all lamers will start exploiting it. I'm pretty sure that no one other than me and my clients know anything about it. Let me give you a bit of context: I underline that this is NOT caused by WHMCS but by a widely used third-party component When I say "critical" I mean that you can lose real money and cause enormous legal troubles The issue has been already reported by me a month ago to the developer in question but no fix so far Only few minutes ago I discovered how it can be exploited to cause harm I have already shared updated details with the developer in question. They are checking it The fix is pretty easy. It takes few seconds. I just finished securing a dozen of my clients I think I'll stay quiet for now so that the developer can do his job but the fix will require providers to perform an update. We all know most people ignore software updates unless there is a security issue. So what if the developer refuses to admit the issue? Should I post something here our tell the story to people like @WHMCS John @WHMCS ChrisD so that I can go back to my business? p.s. As soon as the update is available, I'll post here without mentioning the name of the module... this way you simply need to update all modules you have 🤣 Edit: I sent a DM to John to make sure WHMCS is not affected. I'm 99% sure that it is all right but I can't see encrypted files (have no time to decrypt it) so let's wait 🤞
  11. On TicketOpen (action hook) send additional emails by including PHPMailer (vendor folder).
  12. Hi, you can reissue the license anytime from Modules > Billing Extension > Manage page. You need to press the following button:
  13. Disabling right-clicking serves no use and has nothing to do with security. First thing first, when I browse your website I already own a copy of your theme information (HTML, CSS, javascript, libraries, assets...). I don't need right-click to get eveything my computer "sees". I just need to press File > Save Page As. This way I'll have a folder that runs on my computer with an exact copy of your website. Alternaivelly I can use source view, dev console or any other tool that every browser has. Secondly anyone with a bit of sense can re-enable right-click with few lines of javascript via console. It takes seconds. Not to mention there are tens of plugins that allow to re-enable the possibility to use right-click (sorry for the pun) in one click. Third. Did you know that anyone can download/view every file of your Smarty template by simply visiting it? Try opening /templates/{YOUR_TEMPLATE}/clientareahome.tpl. Most people don't know that and it's funny 😛 Sometimes you can spot things that should stay reserved. For example in invoicepdf.tpl I often see insults towards WHMCS developers, swear words and so on. Many belive that comments in tpl files are hidden from public view. Given that you can't prevent people from downloading your code, don't waste time fighting right-click. The only outcome is frustration for your customers.
  14. As Denniss suggested, InvoiceCreationPreEmail is a better option. This way you can remove dates from items before WHMCS sends the invoice via email to customers. InvoiceCreation works too but triggers when customers have already received PDF that still has dates.
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated