pierre Posted October 5, 2012 Re: http://forum.whmcs.com/showthread.php?60646-WHMCS-Security-Alert "simply delete the /modules/gateways/boleto/ folder entirely after which you will not be at risk." Done. Should the boleto.php file above that dir, i.e. inside /modules/gateways, be deleted too? At best it is now unnecessary? (Could not post under that thread as it is closed.)
hanguyen Posted October 5, 2012 Yes, delete everything there. You should be all safe!
bear Posted October 5, 2012 We'd done this for everything we're not actively using or planning to use in the future. There was one a while back that got us thinking of that, and since it doesn't break anything (but may leave holes as this did), we pared it all back. Gateways, registrars and so on. Easy enough to add it back if you need one.
hanguyen Posted October 5, 2012 Right, only store what you're using. Keeping many unused files is a very bad security practice, as many doors are open for robbers.
othellotech Posted October 5, 2012
"We'd done this for everything we're not actively using or planning to use in the future. There was one a while back that got us thinking of that, and since it doesn't break anything (but may leave holes as this did), we pared it all back. Gateways, registrars and so on. Easy enough to add it back if you need one."
Exactly - we delete them all at every install/upgrade and then put back the ones we use, most of which we've rewritten anyway.
WHMCS CEO Matt Posted October 5, 2012
"Done. Should the boleto.php file above that dir, i.e. inside /modules/gateways, be deleted too? At best it is now unnecessary?"
No, it is not necessary to delete the boleto.php file from /modules/gateways/. Just the directory, as instructed. Removing gateway, server or registrar module files you don't use is fine, but also unnecessary. Matt
daz29 Posted October 6, 2012 Thanks for releasing a quick fix; I did delete the whole directory. Was this found by WHMCS themselves, or do the 'rats' know how to exploit it too? I.e. is it in the open? Just curious...
Vox Posted October 6, 2012
"is it in the open? just curious..."
Considering that no login is needed for either of the threads this is posted in (News & Announcements and Feedback), I guess it's safe to assume that it is "out there"...
battisti Posted October 8, 2012 The patch is basically a check of access rights:

    if ( !isset($_SESSION["uid"]) && !isset($_SESSION['adminid']) ) {
        header("Location: ../../../clientarea.php");
        exit;
    }
    $GATEWAY = array();

But in many cases we send our client the link to open the boleto directly; in this case use only

    $GATEWAY = array();

This will prevent the auto-loaded variable. That's the real problem: the auto-loaded variable.
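The two defences battisti's post describes, shown as an added stand-alone PHP illustration that is not WHMCS code and not the actual patch; the register_globals guard, the session bootstrap, the sample bank values and the boletoParams() helper are assumptions made for this example.

```php
<?php
// Added illustration (not WHMCS code): the access-rights check plus the
// explicit initialisation of $GATEWAY, in a stand-alone gateway-style page.

// 1. Refuse to run while register_globals is enabled. With it on, any
//    variable a script forgets to initialise (such as $GATEWAY) can be
//    pre-populated from the request: the "auto-loaded variable" problem.
//    (Assumed check; ini_get() returns "" or false when the option is off.)
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals must be disabled before this module can run.');
}

// 2. Access-rights check, as in the patch: only a logged-in client or
//    admin may reach the gateway page; anyone else goes to the client area.
//    The session is normally started by the caller; started here so the
//    snippet runs on its own.
if (session_id() === '') {
    session_start();
}
if (!isset($_SESSION['uid']) && !isset($_SESSION['adminid'])) {
    header('Location: ../../../clientarea.php');
    exit;
}

// 3. Initialise every variable the module relies on before first use, so
//    its contents can only come from the code below, never from the request.
$GATEWAY = array();
$GATEWAY['bank']    = 'example-bank'; // constructed sample values
$GATEWAY['account'] = '0000-0';

// Hypothetical helper: build the boleto parameters from the initialised
// configuration only, never from global state.
function boletoParams(array $gateway, array $invoice)
{
    return array(
        'bank'    => $gateway['bank'],
        'account' => $gateway['account'],
        'amount'  => number_format((float) $invoice['total'], 2, '.', ''),
    );
}

// Constructed sample invoice to exercise the helper.
$params = boletoParams($GATEWAY, array('total' => '149.90'));
```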