Critical issue backporting


twhiting9275

Here's the deal guys,

 

The recent (massive) exploit released into the wild, due to your own inept code, has been tracked back as far as 4.1, and probably goes back to product inception. While, certainly, nobody can maintain code forever, you, as a company, owe it to your customers to provide critical fixes like this, not just on a "latest version" basis, but on an as-affected basis here. Whether the customer is a current customer (can you blame them if they're not, really), or not, whether they're running the latest version (again, with all the garbage introduced, can you blame them if not), or not. When it comes to fixing massive security holes, this needs to go back to the actual product that this was released in. No questions, no exceptions.

 

Now, me, I'm not affected, as I'm all up to date, but, again, there are people who you've alienated over the years with your massive, gaping security issues, with your massive bugs introduced (i.e. 5.2). You need to start taking responsibility for your actions here, not just brush it off with the "pay us more for an update" attitude.


I was going to ask if you woke up on the wrong side of bed today, but after scanning over your past posts to date, I see that this is pretty much the type of post you seem to make.

 

WHMCS have released patches for their supported versions and did it promptly. To expect and demand (yes I too can use bold inappropriately like you) that they patch every version ever released is just ridiculous. They have a documented and published end-of-life (EOL) cycle where products are no longer supported.

 

You'd be pretty hard pressed to have the likes of Microsoft release a patch for Windows 3.x or Win95 today. Why? Because that product has reached EOL. Even versions of Internet Explorer are no longer patched for security.

 

If you're not happy with the product, or with the organisation behind it, then stop using it and move along.

 

Exploits, patches and software releases are not personal, so try not to make it that way. There is zero benefit from an emotively laced post with non-quantifiable terms like "gaping security issues", "over the years", "massive bugs".

 

I personally have never seen your claimed "pay us more for an update" attitude. We use WHMCS to operate a part of our business, we pay for service and support in an ongoing manner to ensure development continues. That's a sensible business model.


So what would you suggest? Please enlighten us with your wisdom...


There is no way they can patch and maintain updates for every version they have ever made. That is ridiculous. Software, such as WHMCS, needs to be updated regularly to ensure it is secure to the latest standards of the day. People need to keep up, and update their sites to supported versions of software. Granted it can be a lot of work, and you might have issues with upgrades, but that is all part of being in the world of technology. If I run my web site on some really old outdated version of Apache, and get hacked, is it Apache's fault? Staying on an old and unsupported version of a billing application (that handles payments and credit card transactions) is a really bad idea, and can cost you your business.

Edited by SeanP

You'd be pretty hard pressed to have the likes of Microsoft release a patch for Windows 3.x or Win95 today.

If a massive hack came out that could take down Win XP, you'd better believe that they'd release a patch. That's the same, exact thing that this released vulnerability can do, and, even worse.

 

 

Exploits, patches and software releases are not personal, so try not to make it that way. There is zero benefit from an emotively laced post with non-quantifiable terms like "gaping security issues", "over the years", "massive bugs".

I'll call things as I see them, thank you. I did get a chance to view the exploit, and believe me, calling it anything else is unconscionable.

 

 

I personally have never seen your claimed "pay us more for an update" attitude.

So, where's the update for 4.x, 3.x, 2.x, etc.? That's exactly the kind of attitude you claim "I've never seen".

 

 

So what would you suggest? Please enlighten us with your wisdom...

It really doesn't take much to fix a bug like this, ironically. Go through previous versions (4.x, 3.x, etc), patch it, announce, and move on.

 

 

There is no way they can patch and maintain updates for every version they have ever made.

Updates? Absolutely correct, you can't. When you're talking critical issues that can take your entire system down, that's a completely different story.

 

 

Software, such as WHMCS, needs to be updated regularly to ensure it is secure to the latest standards of the day.

If you haven't seen the recent exploit, please, don't comment. This wasn't updated to 'standards of 2006'. No, really. It's not the customer's fault that the inept design of the code brought about such a critical flaw in the system.

 

 

People need to keep up, and update their sites to supported versions of software.

That's not always going to happen, and WHMCS needs to respect this. Again, for mere bugfixes, non critical stuff, I'd say you're 1000% right (yes, there's an extra zero in there deliberately ;)). However, for something this drastic (yes, this exploit was highly critical, highly drastic), you're not. The software developer has an obligation to fix this, going back to inception.


I don't know of a major software developer that continues to support every version of software they have ever made, and releases patches (even critical security patches) for every version they have ever made. There comes a time when software gets old, and needs to not be used anymore. I totally understand the frustrations with this latest security hole, and am completely in the same boat with everyone else (I use WHMCS to run my entire business). However, I am realistic in knowing that I can't run some crazy old version of software, and still expect the developer to write code for it anymore. You at least have to be using a fairly recent release of ANYTHING to expect that kind of support. I do think critical patches need to be released for something like the last 3 major releases, but not for version 1.0 or something like that.


Although I am not a code writer, since Windows and IE were mentioned as software that would have critical patches: do tell? Because according to the M$ website:

 

Windows XP SP1: all support expired on October 10, 2006.

Windows XP SP2: support expired July 13, 2010.

 

Information taken from here:

 

http://windows.microsoft.com/en-us/windows/products/lifecycle

 

End of Support includes no security or performance patches. Before someone says "who still uses XP?" My daughter has one that she plays with.

 

Based on the analogy, M$ in fact does not provide security patches on EOL, End of Support software.

 

If I use M$ Windows XP and IE 3 and I get hacked; shame on me; not M$.

 

If someone is still using WHMCS 4 and they have not upgraded and they are compromised, they have a lot of explaining to do to their Merchant Provider, because PCI says you cannot use EOL applications within areas that contain cardholder data without proper patches and passing a quarterly vulnerability scan.

 

The PCI Council has announced that any Systems which are no longer supported by the Vendor are to cause a Fail for PCI Compliance. This is based on the fact that since these systems no longer have regular vendor patching cycles, they are at an increased risk of potentially being compromised, thereby leading to further risk of credit card compromise.

 

...an ASV must report any End-Of-Life Systems as a Fail for PCI. You can, however, ask your Acquiring Bank for an "exception", as they ultimately have the responsibility to decide if they are willing to accept the risk to cardholder data. In this case, when submitting your PCI Reports, you can ask for a temporary exception, letting them know of your planned upgrade or migration schedule.

 

Just my thoughts. Just saying.


I am not sure how far back they should go, but...

 

WHMCS did custom code for me in August of this year that they now refuse to patch with the 5.2.8 fix, as they are no longer doing any custom coding and have ceased supporting any custom coding they did in the past, even if it was only 45 days ago. My custom coding included one of the files that was in the 5.2.8 patch, and even though they only gave me an encrypted version, they will still not patch it.
