m8internet Posted May 29, 2012

> I uploaded the patched file to my WHMCS installation as instructed in binary mode

Where was this instruction? It wasn't in the txt file that was included in the ZIP file

Security Patch - 29th May 2012
Readme
Compatible with WHMCS V4.0 & Later
Instructions: Upload this file to the root WHMCS directory to take effect. No further steps necessary.

I have had to remove the latest file and roll back to the previous working copy

easyhosting Posted May 29, 2012

> Where was this instruction? It wasn't in the txt file that was included in the ZIP file

the readme file states

Security Patch - 29th May 2012
Readme
Compatible with WHMCS V4.0 & Later
Instructions: Upload this file to the root WHMCS directory to take effect. No further steps necessary.

> I have had to remove the latest file and roll back to the previous working copy

The patch has been updated and does fix the issue, just use the original link to download the patch again

REVOLUTIONS inc. Posted May 29, 2012

Patch works successfully in both 5.0.3 & 5.1 RC1

zenid1979 Posted May 29, 2012

Have uploaded the patch and I get: Language File 'english' Missing on every page.

SeanP Posted May 29, 2012

> Well, this is the email I just sent Matt:
>
> ==
>
> Matt,
>
> The issues from last week were embarrassing, to say the least. However, you had my sympathy in this bad situation and I did not address my anger about this. Today (more than a week later) I find a forum post about a patch. I checked from what I could if this was really posted by you and applied the patch. After that YOU broke my WHMCS installation. Customers experience a lot of issues after the patch. So AGAIN I am faced with a lot of angry people. Our WHMCS was down last week for over 24 hours for lack of communication. And now it is down again. My customers are mad, and yes, I am mad. Furthermore TODAY the forum, blog and main site go UP and DOWN. Making me question if the patch was really supplied by WHMCS or by hackers. Result: blocking my WHMCS installations AGAIN. Matt, you have created some **** on our side. Really, you have no idea. And yes, I am pissed off like hell. I really hope you will release a GOOD patch asap and please goddamnit fix the sites. I hate pissed off customers complaining at me for something I cannot control. Hope that pissed off state is clear in my message to you.
>
> Erik

Little harsh, don't you think? I really doubt WHMCS was glad their hosting provider allowed someone to get access to their data, and cause them all kinds of trouble. In the midst of all of it, they were notified of a security issue and quickly took action to fix it. The bug in the patch was addressed and quickly fixed, as well.

Maybe you should have tested the security patch in a QA environment, before rolling it out to all of your production systems. That is system administration 101. Your customers act all pissy to you because you rolled out a patch without testing it in your environment, then you act all pissy to WHMCS. So, you are just as bad as they are.

Maybe you should try to put yourself in others' shoes for a little while, and think about how your situation would be, if all these misfortunes happened to your website. What if your website was being hacked, and around the same time you found a security hole in your software that had to be fixed?

I hate attitudes like this. Companies like WHMCS give you awesome support, and have no issues 99.9% of the time. However, when the .1% of issues happen, you act like a jerk about it. I bet you never have any issues, and everything on your systems always works 100% of the time. Yeah, right...

Edited May 29, 2012 by SeanP

easyhosting Posted May 29, 2012

> Maybe you should have tested the security patch in a QA environment, before rolling it out to all of your production systems.

I agree in principle, but to do this a user would need a dev licence to test out of a production environment, not all users have this option. If the patch was tested before being released then it would not have had negative effects with users and then needed to be fixed itself.

SeanP Posted May 29, 2012

> I agree in principle, but to do this a user would need a dev licence to test out of a production environment, not all users have this option. If the patch was tested before being released then it would not have had negative effects with users and then needed to be fixed itself.

True, but he said he had 8 different installs of WHMCS on 8 different servers. With that many production installs, a dev/QA environment might be a good option. Especially since WHMCS is offered at a pretty low cost.

easyhosting Posted May 30, 2012

> True, but he said he had 8 different installs of WHMCS on 8 different servers. With that many production installs, a dev/QA environment might be a good option. Especially since WHMCS is offered at a pretty low cost.

Yes, with that many I would have had a dev install to test any addons etc. If you purchase a production licence direct from WHMCS then you can open a ticket and get a dev licence free, if you get your production licence from a reseller then a dev licence will cost a one off $45

Erik H. Posted May 30, 2012

> Little harsh, don't you think? I really doubt WHMCS was glad their hosting provider allowed someone to get access to their data, and cause them all kinds of trouble. In the midst of all of it, they were notified of a security issue and quickly took action to fix it. The bug in the patch was addressed and quickly fixed, as well.
>
> Maybe you should have tested the security patch in a QA environment, before rolling it out to all of your production systems. That is system administration 101. Your customers act all pissy to you because you rolled out a patch without testing it in your environment, then you act all pissy to WHMCS. So, you are just as bad as they are.
>
> Maybe you should try to put yourself in others' shoes for a little while, and think about how your situation would be, if all these misfortunes happened to your website. What if your website was being hacked, and around the same time you found a security hole in your software that had to be fixed?
>
> I hate attitudes like this. Companies like WHMCS give you awesome support, and have no issues 99.9% of the time. However, when the .1% of issues happen, you act like a jerk about it. I bet you never have any issues, and everything on your systems always works 100% of the time. Yeah, right...

Well I guess you are missing the point here a bit (in my honest opinion). So basically you say that it is okay that WHMCS did NOT test the patch but I should do so? I don't know how you are doing but after all that has happened I am worried so when a patch is supplied I will not wait any longer than needed.

And if you get DDOS-sed for over a week and have NO solution to resolve it, well sorry, that is no excuse. I cannot close my shops for a week just saying (sorry, DDOS). Having ANY way to communicate, even a simple tweet, would have provided more information but they failed to provide any info.

Erik H. Posted May 30, 2012

> Yes, with that many I would have had a dev install to test any addons etc. If you purchase a production licence direct from WHMCS then you can open a ticket and get a dev licence free, if you get your production licence from a reseller then a dev licence will cost a one off $45

Missing your point here. We have a dev license. That is totally irrelevant in WHMCS providing a bad patch.

easyhosting Posted May 30, 2012

> Missing your point here. We have a dev license. That is totally irrelevant in WHMCS providing a bad patch.

Well then you test the patch in the dev install to make sure it works and then you won't have angry clients as you stated because it messed up your production installs. Yes, the patch should have been tested before released, but still I still test patches on a dev install first just to make sure and for peace of mind

Erik H. Posted May 30, 2012

> Well then you test the patch in the dev install to make sure it works and then you won't have angry clients as you stated because it messed up your production installs. Yes, the patch should have been tested before released, but still I still test patches on a dev install first just to make sure and for peace of mind

Okay. So basically you say:

- If WHMCS provides an update I should not trust to use it in production, even if it is marked a security update.
- If WHMCS provides an update I should test it for a longer period with ALL of WHMCS functionality (some hundred functions) and leave the security issue on my live database.
- If WHMCS provides an update I should not expect it is compatible with all versions, although stated it is compatible with all versions.
- Every WHMCS user should have a dev development to test updates/patches done by WHMCS.
- If Easyhost knows there is a security hole in their customer database you keep everything online with the risk of being compromised.

Strange world... but hey you should be right and I'm not.

easyhosting Posted May 30, 2012

> Okay. So basically you say:
>
> - If WHMCS provides an update I should not trust to use it in production, even if it is marked a security update.
> - If WHMCS provides an update I should test it for a longer period with ALL of WHMCS functionality (some hundred functions) and leave the security issue on my live database.
> - If WHMCS provides an update I should not expect it is compatible with all versions, although stated it is compatible with all versions.
> - Every WHMCS user should have a dev development to test updates/patches done by WHMCS.
> - If Easyhost knows there is a security hole in their customer database you keep everything online with the risk of being compromised.
>
> Strange world... but hey you should be right and I'm not.

A security patch will be issued to patch a specific function, so if you have a dev install then it is a good practice to test the patch on the dev install to make sure it fully works on the function (just like the recent 1 failed to work and had to be fixed and released again). We did this, found the error and then waited for the patch fix, then tested this before placing on production install, therefore clients don't complain they can't order and you don't look unprofessional with error messages all over your sites orders system.

Edited May 30, 2012 by easyhosting

WHMCS CEO Matt Posted May 30, 2012

Just to clarify here we issued a patch that was designed to work with all releases we've done in the past 3 years. That isn't the easiest way of going about it for sure, but it's the simplest for users to apply. Now I realise that for the first 30-40 minutes of release that did mean there was a compatibility issue with v4.5.1, and a domains lookup problem, and ok those should have been caught, but we are trying to get users protected as quickly as we can in a situation like that and so full testing as we would for a normal scheduled release just isn't possible.

So apologies again for any problems you experienced, but I hope you can understand that we did test what we released and those things did unfortunately just not get identified.

Matt

ditto Posted May 30, 2012 (Author)

Hi Matt. Will you please comment on this?: http://forum.whmcs.com/showthread.php?47830-New-security-patch-break-integration-code&p=224753#post224753

So now after the patch, our customers can't order any domains with language special characters, because they get "Invalid TLD/Registration Period Supplied for Domain Registration" on cart.php?a=view

Are you working on a new patch which does not break this?

SeanP Posted May 30, 2012

The patch was one file. Make a backup of the original. If it breaks, rollback the original and report the issue. Then wait for a fix to the patch. It was very easy to rollback, in case it broke something. It apparently didn't break in all versions. I tested it, before applying it to prod, and had no issues.

Edited May 30, 2012 by SeanP

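The backup, test and rollback routine described in the post above, written out as an added example that is not part of the original thread and is not WHMCS code. The file paths and the command used to fetch a page are hypothetical; the two failure strings are the error messages reported by posters in this thread.

```shell
#!/bin/sh
# Added example: apply a one-file patch with a backup, a smoke check and
# an automatic rollback. Paths and the render command are assumptions.

# Error messages reported in this thread after the first patch release.
FAIL_LANG="Language File 'english' Missing"
FAIL_TLD="Invalid TLD/Registration Period Supplied for Domain Registration"

# smoke_check RENDER_CMD...
# Runs the command that returns a page body from the dev install, e.g.
#   curl -fsS https://dev.example.invalid/cart.php   (hypothetical URL)
# Fails if the command fails, the body is empty, or a known error appears.
smoke_check() {
  sc_body=$("$@") || return 1
  [ -n "$sc_body" ] || return 1
  if printf '%s\n' "$sc_body" | grep -F -e "$FAIL_LANG" -e "$FAIL_TLD" >&2; then
    return 1
  fi
  return 0
}

# apply_patch TARGET NEWFILE RENDER_CMD...
# Returns 0 if the patch stays applied, 2 if it was rolled back,
# 1 if either file is missing or a copy fails.
apply_patch() {
  ap_target=$1
  ap_new=$2
  shift 2
  [ -f "$ap_target" ] && [ -f "$ap_new" ] || return 1
  ap_backup="$ap_target.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$ap_target" "$ap_backup" || return 1   # keep the original file
  cp "$ap_new" "$ap_target" || return 1         # put the patched file in place
  if smoke_check "$@"; then
    echo "patch applied; original kept at $ap_backup"
    return 0
  fi
  cp -p "$ap_backup" "$ap_target"               # restore the original file
  echo "smoke check failed; rolled back from $ap_backup" >&2
  return 2
}
```
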
zenid1979 Posted May 30, 2012

Still get the same problem, when I upload the patch my whole WHMCS is not working, I get:

> Have uploaded the patch and I get: Language File 'english' Missing on every page.

Can anybody help? I use latest version 4.5

easyhosting Posted May 30, 2012

> Still get the same problem, when I upload the patch my whole WHMCS is not working, I get:
>
> > Have uploaded the patch and I get: Language File 'english' Missing on every page.
>
> Can anybody help? I use latest version 4.5

Have you downloaded the patch again as the first one did break some installs, but this was fixed, so just download again from the same link

zenid1979 Posted May 30, 2012

Hi, I have just downloaded from: http://go.whmcs.com/26/secpatch

Still the same problem. Patch is from 29-5-2012 time 20:47

zenid1979 Posted May 30, 2012

I have tried this today

bigwetfish Posted May 31, 2012

Subscribing for updates. Anyone put in a ticket yet for this or just posting here?

Greystoke Posted June 1, 2012

Hi,

After installing the latest Patch file, when I go to the language tab in the client area and try and change from English to any other language it doesn't change. It just stays on English.

disgruntled Posted June 1, 2012

> Okay. So basically you say:
>
> - If WHMCS provides an update I should not trust to use it in production, even if it is marked a security update.
> - If WHMCS provides an update I should test it for a longer period with ALL of WHMCS functionality (some hundred functions) and leave the security issue on my live database.
> - If WHMCS provides an update I should not expect it is compatible with all versions, although stated it is compatible with all versions.
> - Every WHMCS user should have a dev development to test updates/patches done by WHMCS.
> - If Easyhost knows there is a security hole in their customer database you keep everything online with the risk of being compromised.
>
> Strange world... but hey you should be right and I'm not.

I really want to say shut the * up.. but I won't, that would be RUDE LIKE YOU.. now. The point is simple... TEST THE PATCHES your clients are not the responsibility of WHMCS they are the client of YOU. WHMCS get paid the same fee whether you have 1 client or 100 clients, it's no skin off their nose to keep your clients happy. THAT'S YOUR JOB so protect your own arse and quit bitching about a mistake that was made, don't you think the team have enough to deal with since the breach without getting abuse from ignorant "web hosts" SMFH

Strother Posted June 1, 2012

> Well, this is the email I just sent Matt:
>
> ==
>
> Matt,
>
> The issues from last week were embarrassing, to say the least. However, you had my sympathy in this bad situation and I did not address my anger about this. Today (more than a week later) I find a forum post about a patch. I checked from what I could if this was really posted by you and applied the patch. After that YOU broke my WHMCS installation. Customers experience a lot of issues after the patch. So AGAIN I am faced with a lot of angry people. Our WHMCS was down last week for over 24 hours for lack of communication. And now it is down again. My customers are mad, and yes, I am mad. Furthermore TODAY the forum, blog and main site go UP and DOWN. Making me question if the patch was really supplied by WHMCS or by hackers. Result: blocking my WHMCS installations AGAIN. Matt, you have created some **** on our side. Really, you have no idea. And yes, I am pissed off like hell. I really hope you will release a GOOD patch asap and please goddamnit fix the sites. I hate pissed off customers complaining at me for something I cannot control. Hope that pissed off state is clear in my message to you.
>
> Erik

Erik, Matt and many of us are running businesses, and use this forum as a way to grow and improve. Are you running a business, because that was certainly not a business letter. What was the purpose in sharing your rage with all of us?

easyhosting Posted June 1, 2012

> Erik, Matt and many of us are running businesses, and use this forum as a way to grow and improve. Are you running a business, because that was certainly not a business letter. What was the purpose in sharing your rage with all of us?

I have to agree with you on that point and when others suggested he should have tested the patch before making it in production he got more annoyed and angry