IMPORTANT: Make sure your crons/domainsync.php isn't publicly accessible

[Redsign]

If your crons folder isn't outside of your public_html folder, or you don't secure the folder to disallow external access; anyone can visit a certain url and view all the domains registered in your system..

 

Either move the crons folder out of public_html and change the config.php file to point to the path of your WHMCS install, or add an .htaccess file containing:

 

deny from all

[zelatech]

i also did this after upgrading, good post.

[mrl14]

If this is the case, whmcs should patch this security whole and automatically include an .htaccess file or make sure this file is inaccessible from the browser.

[Redsign]

To follow this up.. why does the file need to output to the browser in the first place?

[Blueberry3.14]

Thank you for this. I guessed at using "$crons_dir" in the config file. I'll find out in the morning if that's correct. :-/

[Redsign]

You'll need to update the path of the cron instead of setting anything in the config file.

[Blueberry3.14]

You'll need to update the path of the cron instead of setting anything in the config file.

 

Thanks for that!

[ganesh.rao]

You can also use mod_security to restrict the URL from unauthorized IP addresses. Make an exception to your system IPs and 127.0.0.1

[alinford]

The crons config.php is encrypted. Where do I put the path info?

[bear]

In the cron itself, in your hosting account.

[Dean - ITDept.net]

If your crons folder isn't outside of your public_html folder, or you don't secure the folder to disallow external access; anyone can visit a certain url and view all the domains registered in your system..

 

Either move the crons folder out of public_html and change the config.php file to point to the path of your WHMCS install..

 

Now I am confused. According to whmcs docs:

 

The "crons" folder currently contains the domain synchronisation file so this should also be moved outside the public accessible folder tree to prevent outside users from triggering it.

 

WHMCS allows you to do this. If you do move the folders, then you must tell WHMCS where they have been moved to by editing the /crons/config.php file and specifying the path to the WHMCS root directory, for example:

 

I'm confused. Since config.php is in the crons folder then system would have to know where the crons folder is in order to read the new path in config.php. If the system knows where config.php is then it knows where domainsync.php is and no new path is required. So what is going on here? Is there any advantage to moving domainsync.php only and just changing path in config.php keeping it in its default location?

[onpointsystems]

That is a good question Dean, I am still trying to figure out where to i tell WHMCS where the crons folder has been moved to. Hopefully some one can provide a clear understanding of this as is appears others have made the change but no details.

[onpointsystems]

Ok, I have some clarification on this process. The domainsync.php file is called when you create a cron job in the server. Example, if you move the crons folder to /home/username/crons then when you create the cron job to run x hours/days the command would be something like php -q /home/username/crons/domainsync.php

 

In the domainsync.php all you have to change as stated in the documentation is where your WHMCS installation is located. Example: $whmcspath = '/home/username/public_html/whmcs/';

 

So the only thing that needs to know where the crons folder exist is the cron job you create to execute the domainsync.php file. I hope this clarifies the question because it really helped us. Again I thank the WHMCS support team for clarifying this.

[losvre]

Ok, I have some clarification on this process. The domainsync.php file is called when you create a cron job in the server. Example, if you move the crons folder to /home/username/crons then when you create the cron job to run x hours/days the command would be something like php -q /home/username/crons/domainsync.php

 

In the domainsync.php all you have to change as stated in the documentation is where your WHMCS installation is located. Example: $whmcspath = '/home/username/public_html/whmcs/';

 

So the only thing that needs to know where the crons folder exist is the cron job you create to execute the domainsync.php file. I hope this clarifies the question because it really helped us. Again I thank the WHMCS support team for clarifying this.

 

The $whmcspath = '/home/username/public_html/whmcs/'; goes to crons/config.php according to:

 

http://docs.whmcs.com/Further_Security_Steps#Move_the_crons_folder

[onpointsystems]

That is correct losvre. I made a typo while writing the reply.:

 

Ok, I have some clarification on this process. The domainsync.php file is called when you create a cron job in the server. Example, if you move the crons folder to /home/username/crons then when you create the cron job to run x hours/days the command would be something like php -q /home/username/crons/domainsync.php

 

In the /crons/config.php all you have to change as stated in the documentation is where your WHMCS installation is located. Example: $whmcspath = '/home/username/public_html/whmcs/';

 

So the only thing that needs to know where the crons folder exist is the cron job you create to execute the domainsync.php file. I hope this clarifies the question because it really helped us. Again I thank the WHMCS support team for clarifying this.

[Dean - ITDept.net]

Thanks for the update. I am running on a windows server and was using http in scheduled tasks. I'll have to make some changes and run the cron script directly from the php executable.

[WHMCS Chris]

We recommend moving the cron folder outside of public access already:

http://docs.whmcs.com/Further_Security_Steps#Move_the_crons_folder

 

It would negate having to apply any .htaccess rules or enlisting any by default.

[UH-James]

Surely this is the sort of thing that should be done by default?

[onliner]

EASY WAY:

 

 

1) Move 'crons' folder located at

 

'/whmcs/crons'

 

to

 

/home/username/

 

 

2) Update file 'config.php' from same folder with your actual whmcs path as

 

$whmcspath = '/home/username/public_html/whmcs/';

 

 

3) Create cron (cPanel) pointig to moved cron location as

 

php -q /home/username/crons/domainsync.php

 

 

That's it!