dotter

I've recently started migrating all internal services my company uses to Docker in order to minimize overhead when dealing with different requirements and maintenance practices. Being a long time subscriber, WHMCS was also on the list of being migrated. Unfortunately the licencing system WHMCS uses makes migrating a WHMCS installation to a container impossible as the internal IP of the container usually changes after a restart. And if the IP changes, the licence has to be reissued. The reissue process is not a problem in itself, but a container can be shutdown and a new one created as part of an automated migration to a healthy host (think AWS). One even better example (not specific to Docker) is upgrading by using a cold-copy where the same licence principle applies. Searching for similar issues resulted in no hits so I assume this will be a new topic on the WHMCS table. I would like to ask the WHMCS team to comment on this as there are ways to maintain the licencing model while at the same time allowing the use of containers and standby deployments. Thanks for reading.

not the path. but ok, all this on itself is not that important... the problem I see is that if an exploit in WHMCS is discovered, the leaked DB could be used to take advantage over remote installations. it just makes things that much easier.

From what is currently known, everything you shared with WHMCS via email/support tickets is compromised. Remote installations have not been compromised, but very important data (like IP, path) of all remote installations has been made public.

Actually, I went trought the leaked DB and saw a couple of tables that contain what appears as takedown notices and various checks of the validity of remote WHMCS installations. WHMCS cannot take down an altered remote WHMCS installation by themselves. They need somebody on the other side to do this. Just to show what is in one of the leaked tables: http://www.***.com/client/ 94.75.***.*** abuse@***.com 2011-04-23 <- submitted 2012-05-21 <- lastchecked Online Submitted by Matt - Has threatened legal action, was suspended as a result, then implemented license bypass So my conclusion is that they are doing something about this. But again, I don't know what has been going on in the background...

Don't get me wrong, I agree with you that they should have learned all this before today. But really, we're all just making conclusions without any real data. Matt posted something, yeah, but a proper audit takes a little bit longer.

Ok, I get it that there are simpler and then more complicated procedures for cancelling a credit card. But that is your card out there with all the info with it to complete online transactions. My company has clear guidelines of what to do when this happens: 1) protect customers 2) protect ourselves 3) audit I assume WHMCS being proactive and sending the CC info to Visa/Mastercard would protect their customers. Their e-mail says "your card details may also be at risk". Well, card details are out in the wild, not just maybe at risk. Anyway, why/how this happened is beyond the scope of this thread, unless a sysadmin from WHMCS posts an audit report and describes the enhanced security features implemented to prevent this from happening again. I'm not blaming UGNazi. If it weren't for them, WHMCS would not know they have a problem with security. We all learn from mistakes, it is the magnitude of each mistake that defines our future.

I don't want WHMCS to fail. And I'm not entertained by what happened.

WHMCS should send out IMMEDIATELY the list of credit cards that were in the database to the corresponding issuer and make sure those cards are to be cancelled ASAP. My programmers successfully retrieved all CC data from the leaked DB. These cards have to be cancelled ASAP.

I use WHMCS invoices only as proforma invoices. On a daily basis we export all WHMCS invoices to our invoicing system and process them there... This method solved all invoicing problems as we still use WHMCS for basic invoicing, but for the accounting stuff, we use our own solution.

There have been some questions on this topic, but I would like to run the idea once more just to make sure. I have 2 types of clients, prepaid and postpaid. Prepaid clients must pay their invoices before I process anything for them, and postpaid clients have their invoices marked as paid immediately and receive a monthly invoice. The problem is, I don't want postpaid users to receive emails regarding invoice creation and payment, while at the same time I want prepaid users to receive both emails from WHMCS. So I disabled the email "Invoice Created", and setup an action hook when the invoice is created. In that hook, I check the type of customer and then process it as wanted, but of course, I cant send the "Invoice Created" email because it is disabled. I'm seconds away from giving up on solving this problem inside WHMCS and move all invoicing to a custom made external system that will do all that checking, leaving WHMCS to just create those invoices. I just wanted to check that once you mark an email as "disabled" in "Email templates", there is absolutely no way of sending that same email via API or any other way. I'm aware that this question has been posted before, but kindly ask anyone with knowledge about this to clear up this info. Thanks in advance.