Jump to content

Found a hole in the license addon that i had not considered.

durangod

By durangod
in Using WHMCS

 Share

Recommended Posts

durangod Senior Member

durangod

Posted
Posted (edited)

As i was converting my script to mysqli library which i use the license addon for this script i noticed there was a hole in the way the addon is set up for most people.

 

Most of us im guessing just have a pretty standard set up, it checks the status and the local license file and returns the status and its go or nogo type of thing.

 

But ask yourself this, what if someone took the license file (the verify file that calls the db) and put a totally blank file in its place. So when it includes the file in your script that your customers have, it just loads and they have successfully bypassed your license verify totally.

 

 

Try it, rename your verify file, and just put a blank php file there and if your software loads then the security has been bypassed.

 

Here is how i fixed mine.

 

First i checked to make sure the file existed.

Then i checked to make sure the file permission had not been changed from 644

 

Then i set a value in the (included) verify file for a hash and i used the server host as the hash value.

 

Then i also set the same hash value using the host in the mother file, and since the verify file is included, just after that include i check the two values and if they do not match then it dies with invalid license file message.

 

And on top of all that i used define in both directions to define a value, so both defines have to be valid or it will fail in either direction, mother to include and include to mother. Then both defines have to exist in order for the status to be displayed. Because what you dont want is the status to be displayed as active and then show a message also that says invalid. So if anything is invalid at all, i dont show the status message, just the fail message.

 

So,

 

If they delete the verify file, we are covered

If they change permissions, we are covered

If they delete the verify file and try to run it on another host, we are covered

 

Both halfs of the hash have to be there and match or it will die.

 

I know the license addon is made for experienced coders, but i didnt see this before and i have had this for quite a while now. And i thought if i did not see this then maybe someone else did not see it either. So i hope this helps..

Edited by durangod
0
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated

  I accept