whats happened to the support???

[Infopro]

yes, very true.... i certainly would not post on these forums again due to the condescending nature and comments of infopro

 

 

Show me condescending if you would.

 

Please accept my apologies if you don't like my replies, but, stating the obvious is not being condescending at all.

 

 

Thanks in advance.

[bear]

defends the product

And that's unexpected from an employee of the partnered company?

due to the condescending nature and comments of infopro

While it took me a little to get used to his manner of posting, I get it. He's direct and stern, and not everyone is used to that sort of thing on forums. It may not be what you're used to (not directed at anyone in particular there), that lack of hand holding, but he doesn't mince words. I support his efforts, since I believe I can see the bigger picture here.

 

(bear was slow posting that)

[simplyd]

Show me condescending if you would.

 

Please accept my apologies if you don't like my replies, but, stating the obvious is not being condescending at all.

 

 

Thanks in advance.

 

you said in reply to my original post

 

"Who upgrades a production website without testing the new software in advance? "

 

Insinuating that i am stupid or something?... anyway, this is my last post im not coming back.

 

thanks

[Infopro]

I was being condescending in my insinuation, really?

 

You may have missed this post:

 

Agreed. Although the question was rhetorical of course.

 

 

I am insinuating nothing here. I'm simply pointing out that there was no need for anyone to experience any downtime. Blowing up your production site without testing first, and then waiting for several days to get a reply to a ticket for a fix could have been avoided.

 

Again, please accept my apologies here if I've offended you in some way. Let's try this another way...

 

The title of your thread here:

whats happened to the support???

 

My reply:

 

What happened to testing first before upgrading your production site?

 

It's a valid question, any way you word it.

[simplyd]

like i said, cheerio and good luck

[Infopro]

like i said, cheerio and good luck

 

 

Wait, I forgot to ask you for your ticket ID!

 

I'd like to see what i can do about escalating it for you so that you can get your site going again.

 

Thanks in advance.

[easyhosting]

In the interim, here's where you can report cPanel/whmcs to the BBB for lack of response:

https://www.bbb.org/consumer-complaints/file-a-complaint/get-started

 

 

I will reply to same as i did in your repeated post here

 

http://forum.whmcs.com/showthread.php?71247-Slow-Support&p=308651#post308651

 

WHMCS is a UK business so you cannot complain through BBB.

[brianr]

I am insinuating nothing here. I'm simply pointing out that there was no need for anyone to experience any downtime. Blowing up your production site without testing first, and then waiting for several days to get a reply to a ticket for a fix could have been avoided.

 

(Snip)

What happened to testing first before upgrading your production site?

 

It's a valid question, any way you word it.

 

There are two different upgrade types we're talking about here. First, the "security patch", and the 2nd is a version upgrade.

 

The reason I separate them into two categories is simple. Failing to apply a security patch in a timely manner may (and I'll get back to "may" later) open up your easily-googleable WHMCS installation to attack, or worse, data compromise. The "may" part of this is while I think I can safely say "will" here, often there is little information published as to what kind or type of security issue the patch is meant to address, so determining the severity in a real-installation is difficult. (Eg. if it's a SQL injection vulnerability, but you have good mod_sec rules, the severity isn't really as high.) On the other hand a version upgrade is, by nature, more optional and one can take more time to determine if/when to deploy it, in most cases. (Unfortunately WHMCS doesn't tend to back-port any bug fixes, so the level of urgency is variable.)

 

Either way, if we follow the instructions from WHMCS here (http://docs.whmcs.com/Upgrading), there's a fundamental difference between those instructions and your "advice" that I think Matt and crew should correct ASAP. For snapshot purposes, the current top steps of the upgrade procedure are below:

 

Performing an Upgrade

 

The steps needed to upgrade WHMCS can vary from version to version and so full steps, including any template changes required for each version are included in the Release Notes below. However, the general process for upgrading always remains the same:

1. Begin by taking a full backup of your WHMCS system - both files and database using a tool such as phpMyAdmin

2. Now download the latest WHMCS version either from our client area (Upgrading#Downloading_the_Latest_Version) or from the provider of your license

3. Next, unzip the contents of the WHMCS zip file download to a folder on your computer

4. Now if you have customised your WHMCS admin folder name, you should rename the admin folder in the new files to match

5. Upload the new files to your existing installation folder replacing any existing folders & files

 

The critical step missing from the procedure is the following (insert this as step 1):

 

1. Perform the upgrade procedure first on a development or test instance, and test thoroughly. Be sure to test all admin control panel functions including ticketing, ordering, reports, configuration, automation, cron, and make sure login still works. Testing the client side functionality should include testing new and existing client orders, domain checking, knowledge base, ticketing (new and updates), invoices, payments, emails, and the ability to log in. Remember to test all addons as well. A 315-step checklist is available in the members download area.

 

Seriously!?

 

Maybe this might fly for a major major upgrade, but who in their right mind would go through all that to test a 1 file security patch. The answer: anyone who tried to apply the last patch. And THAT is a very sorry state of affairs.

 

On a more serious note -- if I pay WHMCS for the upgrade service, are they going to test it on a Dev instance for me first? Or if they put it right into production, are they going to test to make sure everything is working? Or will they do what most of the users here will, install and expect it to work right?

[pRieStaKos]

This is why i got 2 licenses: one stable (released to customers) and one dev (for updrage/test/dev purposes)

 

[Infopro]

...

Seriously!?

 

Maybe this might fly for a major major upgrade, but who in their right mind would go through all that to test a 1 file security patch. The answer: anyone who tried to apply the last patch. And THAT is a very sorry state of affairs.

 

An upgrade or even a 1 file patch is a change. Changes should be tested against your current setup. Yes, seriously. WHMCS is a very complex piece of software.

 

I've got no real comment to make on your suggested, more detailed, documentation changes other than to say that if you think that sort of detailed hand holding is required, ask about having the docs updated. You bet.

 

On a more serious note -- if I pay WHMCS for the upgrade service, are they going to test it on a Dev instance for me first? Or if they put it right into production, are they going to test to make sure everything is working? Or will they do what most of the users here will, install and expect it to work right?

 

Please feel free to open a ticket and ask about the specifics if you wish. If I go by the Upgrade Services site details, it seems to state they'll be updating your live site, make sure everything works, and even preserve template customizations (where possible).

http://www.whmcs.com/services/upgrade-service/

 

Seems reasonable to me.

 

 

On the other hand, I prefer to manage my own software. To insure that I have no downtime on my live sites, I test first. I would certainly hold off on the live site upgrades/changes until I checked these forums to see if others got updated ok, or not.

[LDHosting]

I would certainly hold off on the live site upgrades/changes until I checked these forums to see if others got updated ok, or not.

 

Infopro,

 

Given that the last security update had the following security level, how long would you recommend waiting and checking forums before applying the patch?

 

Critical

 

A critical rating applies to vulnerabilities that allow remote, unauthenticated access and code execution, with no user interaction required. These would allow complete system compromise and can easily be exploited by automated scripts such as worms.

[Infopro]

Going by the posts on the forum in recent days, you wouldn't be waiting long. Certainly, by the time you've got done testing your development install to see if anything breaks, as there will be users who did not test first, posting about what they found broken on their live installation.

 

Your question is not an honest question of course, but there's an answer for you.

[LDHosting]

So, if you don't already have a dev licence, the advice would be to remain unpatched for 24-48 hours while waiting for support to get back to you with the dev licence. Then remain unpatched for another day or so whilst you thoroughly test the patch in a development area?

 

Now assuming that you discover a bug whilst testing in your development install, what is the recommendation then? To remain unpatched whilst reporting the bug and waiting for support, or to patch anyway despite knowing that it will break your live installation?

 

Forgive me if I sound frustrated, Infopro. We found ourselves in this very unenviable position. Granted, I committed the unforgivable sin of patching our installation without testing given that it was flagged as critical with the above description of that security level. We then discovered that credit cards were no longer being processed by the cart and contacted support, that ticket was open for 7 days and the final response was that they would not correct it in our version (5.0.4) and that our only option was to upgrade to 5.2.3. We had backups and could have rolled back, but that would have meant leaving our installation open to the vulnerability again.

 

Even if I had followed your advice to the letter and tested the security patch fully before applying it (and therefore found the bug in testing), I would have been left with the choice of:

 

a) Leave the live installation open to a critical vulnerability for a week whilst discussing things with support and then testing a full upgrade to 5.2.3

 

b) Patch anyway to secure the live site, knowing that it will break part of the cart.

 

How is that seen as acceptable?

[Infopro]

I think you already know that WHMCS is very complex and updating should not be taken lightly. Looking at some other popular scripts that are, IMHO, not as complex as WHMCS, what do they suggest?

 

http://codex.galleryproject.org/Gallery2:Upgrading

The upgrade process should be very safe. But just in case, it's a very good idea for you to make a backup. So before you perform this upgrade you should backup the database just in case. If something goes wrong you can always restore the database and try again. If you've made modifications to your copy of the Gallery 2 code, you should back up your changes also in case the update overwrites some of them.

 

Sounds friendly enough. But what if I'm a photographer and have 1000's of photos in my gallery? I'm not trusting any comment that tells me "The upgrade process should be very safe, but..."

 

http://docs.joomla.org/Upgrade_Instructions

 

2) Make a copy of your live site.

 

10) Check your live site to make sure it is working correctly.

 

But, I've had this Joomla site running for 5 years, 1000's of posts and users. There is no way I'm updating that live Joomla site without testing it first on a stage.

 

http://codex.wordpress.org/Updating_WordPress

 

WARNING: The upgrade process will affect all files and folders included in the main WordPress installation. This includes all the core files used to run WordPress, two plugins (Akismet and Hello Dolly) and two themes (Twenty Twelve and Twenty Eleven). If you have made any modifications to those files, your changes will be lost.

 

Take a Backup

 

Disable Plugins

 

 

I would find out the hard way if I updated my live, very popular, wordpress site without testing first.

 

http://www.vbulletin.com/docs/html/main/upgrade

http://www.vbulletin.com/docs/html/main/upgrade_testsite

 

When a new version of vBulletin comes out, there's always a clamour for people to be one of the first up and running with the latest version. While in the case of bug fixes, the need to upgrade quickly is understandable, too often people don’t consider what effect an upgrade will have on their site. The following is aimed at providing enough knowledge to be able to create a test 'mirror' of a site so that a test of an upgrade (or any change for that matter!) can be made.

 

Step 1 - Update URLs and Backup your database!

 

 

https://www.phpbb.com/support/documents.php?mode=install#update

 

Please Note: That before updating we heavily recommend you do a full backup of your database and existing phpBB3 files! If you are unsure how to achieve this please ask your hosting provider for advice.

 

Those are several very popular sites and forums I would assume some of you use as well. These are not "my" recommendations. Those sites and forums, depending on your point of view, may or may not be anywhere near as important to you as your WHMCS installation that you do business with.

 

 

So why would you want to update that without testing it first, too?

[BILLT]

Going by the posts on the forum in recent days, you wouldn't be waiting long. Certainly, by the time you've got done testing your development install to see if anything breaks, as there will be users who did not test first, posting about what they found broken on their live installation.

 

Your question is not an honest question of course, but there's an answer for you.

 

Infopro you are so busy defending a poorly coded security patch and software update and implying that everyone else but you are just a bunch of dumb a**'s on this forum. I have come to a conclusion that you are one arrogant S*B and as some form of representative of the new WHMCS merger. You are and will continue to drive customers away from WHMCS with your presence here. (I came to this conclusion by reading through your 140+ post)

 

I decided to do some testing that WHMCS should have done before releasing this crap.

 

1st test: fresh install of 5.1.3. tested working, applied 5.1.4 patch same errors most reported

2nd test fresh install of 5.2.1 same errors reported here by most users, also beta testers are posting that this was not the same as what they tested

3rd test fresh install of 5.2.2 still too many errors for a live server

4th test fresh install of 5.2.3 this release still has many errors reported here , and seems more being reported

 

If I follow your suggestion I would still not have installed a security patch or upgrade to a supposed stable release and wasted days testing poorly written supposed stable releases......

 

exactly how did WHMCS release this poorly coded patch and upgrade? did they skip testing all together?

 

if we go by your statements, WE SHOULD spend days testing security patches then WAIT FOR THE DUMB A**'s to do the updates and see what issue need to be fixed, before the almighty self proclaimed hosting expert says we should then install the update.

 

now with WHMCS saying that they will be releasing updates on a 30 day cycle. Maybe that will be a better thing less things can be broken at one time. I know if I had to do extensive testing on every single security patch released by every company I would never have time for my customers.

 

I should not have to do this sort of testing for every security patches, upgrade yes but for security patch no. this should have been tested by WHMCS. but then a security patch should not break as many things as it did. If this the quality of work WHMCS plans to put out as stable releases. I see them loosing more customers with each release, and even more when you (Infopro) respond to these post.

 

I have used the integration/install service and they will give you a site with issues telling you everything is fine

 

It is clear that 5.2.x was not ready for release. much less at the same times as a critical security patch.

Maybe if WHMCS would not have rushed out an upgrade at the same times as a security patch they were not ready for we would not have this issue.

 

If they had just focused on releasing the security patch, maybe support times would be better. Or even taken an extra day testing the patch in house before releasing it.

Edited April 15, 2013 by BILLT

[Infopro]

Infopro you are so busy defending a poorly coded security patch and software update and implying that everyone else but you are just a bunch of dumb a**'s on this forum. I have come to a conclusion that you are one arrogant S*B and as some form of representative of the new WHMCS merger. You are and will continue to drive customers away from WHMCS with your presence here. (I came to this conclusion by reading through your 140+ post)

 

...

 

Well, I'm not implying anything here, other than what I've already commented on. I'm not defending anything either. You are certainly free to read thru my comments and come to any conclusion you wish about me, any thread I've made comments in speak for themselves.

 

I can't defend the patch, or the other updates, I have nothing to do with them you'll be happy to know I'm sure. Still, the point being made here should be clear I think. And, you are 100% correct when you state:

...some testing that WHMCS should have done before releasing this crap.

 

I cannot defend that either, I have nothing to do with QA testing.

 

All the same, testing software before rolling it out onto your live site is very important. I didn't call you any names or try and insult you here at all either.

 

you are one arrogant S*B

 

I disagree with you.

[LDHosting]

Infopro, I don't dispute that you should be taking backups before doing anything. If you read my post above ( #38 ) you will note that we did have backups. Infact, I even had a backup of the backup, just in case. So we had the ability to roll back almost immediately.

 

However, you keep skipping over a particular point:

 

Even if I had followed your advice to the letter and tested the security patch fully before applying it (and therefore found the bug in testing), I would have been left with the choice of:

 

a) Leave the live installation open to a critical vulnerability for a week whilst discussing things with support and then testing a full upgrade to 5.2.3

 

b) Patch anyway to secure the live site, knowing that it will break part of the cart.

 

If I follow your suggestion I would still not have installed a security patch or upgrade to a supposed stable release and wasted days testing poorly written supposed stable releases......

 

As a genuine question; What should we have done in our situation? Should we have patched, knowing that it was going to break part of the cart process, or remained unpatched for a week whilst trying to resolve the bug with support? The way I see it, we were damned if we did, damned if we didn't and no amount of us pre-testing the patch in a dev environment would have changed that.

[BILLT]

LDHosting I agree with you on this.

 

For upgrades I agree that testing should be done until you are satisfied that it is stable. Upgrades are optional

 

Security patches are not optional and should not require extensive testing, but then they should not be breaking anything either. WHMCS should have seen these issues before releasing it.

[Infopro]

How would they know that "you" as in a WHMCS Administrator had register_globals enabled, for one example of something that broke stuff?

 

However, you keep skipping over a particular point:

...

As a genuine question; What should we have done in our situation? Should we have patched, knowing that it was going to break part of the cart process, or remained unpatched for a week whilst trying to resolve the bug with support? The way I see it, we were damned if we did, damned if we didn't and no amount of us pre-testing the patch in a dev environment would have changed that.

 

I don't think, for my part, that I'm skipping over anything. I even mentioned the importance of security earlier on in this thread.

 

It's not a genuine question though, I think you know that. It's a question for the ages we all have to ask ourselves at some point. One example of many serious things going on at any given moment:

http://www.thewhir.com/blog/sshd-rootkit-in-the-wild

 

Whats the genuine question there? Weeks went by, people's entire servers were at risk, not just their WHMCS installations. "What should we have done in our situation?" Indeed, that is a question that gets asked. You can't just go on vacation for a bit until things blow over, you keep moving, and you do everything you can.

 

That is your answer then. And that includes testing patches meant to keep you secure. That is to say, everything except calling me an arrogant SOB for suggesting that "you" should have tested more, WHMCS should have tested more, no one should not have updated a live site, without testing more. And if you did, roll it back so that you can stay in business, first. And then come put in a ticket to alert support that the patch is crap. As needed.

 

Leaving your site broken for days while you wait for your turn in the ticket system just seems wrong to me. Please do feel free to disagree if you like.

[LDHosting]

I'm not talking about a misconfiguration here, I'm talking about a coding issue with the patch which is something only the WHMCS devs can change. We do not and have never had register_globals enabled.

 

I have never suggested that you are arrogant, infact I think I have been pretty polite in each of my posts. If you feel that any of my posts here have been rude, please point them out so that I can correct my wording in future and also give you my apologies.

 

Perhaps leaving the cart credit card process broken for days was wrong, however as we actually value our customer's data, that seemed like the better option than leaving a critical vulnerability open which could have compromised the entire install and put our customer's details out in the wild. No information was given by WHMCS as to the actual vulnerability, other than it was of 'critical' importance and so I had to assume the worse end of the scale.

 

Did leaving the cart not processing credit cards hurt us? Yes it did.

Would I choose to take a dip in sales again rather than roll-back and risk compromising customer data? In a heartbeat.

 

The fact still remains that WHMCS should not have left us, or any other customer for that matter, in that position. Had they have tested the patches, they wouldn't have done. Even if I had of tested the patch in a dev environment, I would STILL have been left with the same unenviable choice. I'm sorry that you can't understand why suggesting that it is somehow the customer's fault for being left in that impossible position would be frustrating and leave a sour taste in that customer's mouth.

 

My genuine question to you (and yes, it was a genuine question) was to ask how you feel I could have avoided being left with those 2 choices.

 

Clearly, we are never going to agree here and so I think the best thing that I can do is to step away from this thread. Thanks for your input, Infopro. Certainly, no-one can dispute your fierce loyalty for your employers.

Edited April 15, 2013 by LDHosting

[BILLT]

Clearly, we are never going to agree here and so I think the best thing that I can do is to step away from this thread. Thanks for your input, Infopro. Certainly, no-one can dispute your fierce loyalty for your employers.

 

Well said. I feel the same way. I also have never had register_globals enabled.

 

With a user tag line/job of being a "Product Evangelist" (the practice of relaying information about a particular products to others with the object of conversion)A public face for WHMCS. I would expect nothing less, well maybe "RAW-RAW SIS BOOM BA WHMCS ALL THE WAY!!!"

This kind of reminds me of the guys from Parallels when they bought out HELM and took over that forum.

 

I think "WHMCS WE HAVE A PROBLEM HERE" would be the better position to take.

Edited April 15, 2013 by BILLT

[Infopro]

If you'll indulge me just a moment more here please, thanks in advance.

 

I'm not talking about a misconfiguration here, I'm talking about a coding issue with the patch which is something only the WHMCS devs can change. We do not and have never had register_globals enabled.

 

I have never suggested that you are arrogant, infact I think I have been pretty polite in each of my posts. If you feel that any of my posts here have been rude, please point them out so that I can correct my wording in future and also give you my apologies.

 

You did not, you have been quite polite here and I appreciate that more than you know.

 

Perhaps leaving the cart credit card process broken for days was wrong, however as we actually value our customer's data, that seemed like the better option than leaving a critical vulnerability open which could have compromised the entire install and put our customer's details out in the wild. No information was given by WHMCS as to the actual vulnerability, other than it was of 'critical' importance and so I had to assume the worse end of the scale.

 

Did leaving the cart not processing credit cards hurt us? Yes it did.

Would I choose to take a dip in sales again rather than roll-back and risk compromising customer data? In a heartbeat.

 

The fact still remains that WHMCS should not have left us, or any other customer for that matter, in that position. Had they have tested the patches, they wouldn't have done. Even if I had of tested the patch in a dev environment, I would STILL have been left with the same unenviable choice.

 

I completely understand. I think the email about the issue could have been worded better, the situation handled better.

 

I'm sorry that you can't understand why suggesting that it is somehow the customer's fault for being left in that impossible position would be frustrating and leave a sour taste in that customer's mouth.

 

My genuine question to you (and yes, it was a genuine question) was to ask how you feel I could have avoided being left with those 2 choices.

 

I never suggested any such thing though. You have to do whats best for you. But, I'm not going to leave my site broken and come over to these forums to complain that its broke and then wait days for a ticket that I bumped multiple times out of anger over slow ticket response times, slowing me down even more, either. I think we can all agree there has been some of that going on, do all those folks know they could have rolled back? I don't know.

 

 

Clearly, we are never going to agree here and so I think the best thing that I can do is to step away from this thread. Thanks for your input, Infopro. Certainly, no-one can dispute your fierce loyalty for your employers.

 

I think you and I agree on more than you think. Including stepping off this thread. I should have kept my mouth shut and let it do what threads do here. But, the idea of leaving a site broken for days just confused me enough into wanting to speak up in some way to try and help somehow. My mistake, I'm not here to do that sort of thing, it's just my nature to try and help.

 

Well said. I feel the same way. I also have never had register_globals enabled.

 

Hi Bill, me either. But I linked to a thread here earlier with multiple users who did and is why I mentioned it several times.

 

With a user tag line/job of being a "Product Evangelist" (the practice of relaying information about a particular products to others with the object of conversion)A public face for WHMCS. I would expect nothing less, well maybe "RAW-RAW SIS BOOM BA WHMCS ALL THE WAY!!!"

This kind of reminds me of the guys from Parallels when they bought out HELM and took over that forum.

 

That's a great description to be honest, but not quite the case where I'm concerned. I'm not allowed to have pompoms at work.

 

I think "WHMCS WE HAVE A PROBLEM HERE" would be the better position to take.

 

That is my position, Bill. Has been all along and in fact is one of the reasons I'm here on these forums. I help with the spam problems, forum issues and as you see now, sometimes unintentional in house trouble maker.

 

I am also of the position that no one should be waiting days to get their WHMCS back up and running because an upgrade went south. That's where I came in on this one, this is where I bale.

 

Thanks guys.

[Bubka3]

How is this thread not locked?

 

I never suggested any such thing though. You have to do whats best for you. But, I'm not going to leave my site broken and come over to these forums to complain that its broke and then wait days for a ticket that I bumped multiple times out of anger over slow ticket response times, slowing me down even more, either. I think we can all agree there has been some of that going on, do all those folks know they could have rolled back? I don't know.

Please stop assuming things. I doubt any of the users who you responded to did that. The bigger point here is patch install and break stuff, but be more secure, OR rollback and leave a nice big security hole? Which one is it?

 

(PS: Yes, I let the forum guinea pigs test it first, I'm just wondering what your recommendation is. Surely someone from management has instructed you what to say on this.)

Edited April 16, 2013 by Bubka3

[vec]

lock the thread... +1 for me

[Infopro]

How is this thread not locked?

 

 

Please stop assuming things. I doubt any of the users who you responded to did that. The bigger point here is patch install and break stuff, but be more secure, OR rollback and leave a nice big security hole? Which one is it?

 

(PS: Yes, I let the forum guinea pigs test it first, I'm just wondering what your recommendation is. Surely someone from management has instructed you what to say on this.)

 

You really think someone instructs me to say what I do? Thanks for the smile this late in the day.

 

Insult me again and you'll be banned, not able to reply to my next post pointed directly at you.

 

 

Thanks!