zondotca Posted October 11, 2013

Is it possible to require admin approval for new clients before they become active? Asking because I am getting a lot of bogus clients. Sometimes they order, sometimes not, but they seem to be throwing a bunch of PHP code at the user name or other fields as a way to gain access.

bear Posted October 11, 2013

> they seem to be throwing a bunch of php code at the user name or other fields as a way to gain access.

Have you updated to the latest version yet? There was an exploit that was patched rather recently that involved that very thing.

WHMCS Chris Posted October 11, 2013

Bear is referencing the below blog posts:

http://blog.whmcs.com/?t=79427
http://blog.whmcs.com/?t=79527

Additionally, you can enable the below functions:

A) Disable client registration unless they purchase a product
B) Enable MaxMind fraud prevention

This is not in lieu of keeping software up to date. Nor is it aimed at protecting against such activities. The above steps are to avoid fraud customers & fake sign ups.

zondotca Posted October 11, 2013

Yes, I have patched.

zondotca Posted October 11, 2013

> Additionally, you can enable the below functions: A) Disable client registration unless they purchase a product

I have searched but am unable to find where to disable client reg without purchase. Please direct me. Thanks

- - - Updated - - -

Found it in General Settings/Other

searley Posted October 13, 2013

Can a customer that has been marked as having a fraud order with MaxMind log in?

zondotca Posted October 13, 2013

Requiring an order with new client registration doesn't really help. The account is still created and the fraudster then changes the user details using the breakin-code. It would be good if an account could be on hold until approved by an admin and not created immediately.

bear Posted October 13, 2013

> Requiring an order with new client registration doesn't really help. The account is still created and the fraudster then changes the user details using the breakin-code.

That's not the only way that exploit can be used, but I agree. It will, however, possibly slow down the kiddies that are using it.

> It would be good if an account could be on hold until approved by an admin and not created immediately.

Though I don't know I'd personally use that, you might add that as a feature request by using that link on the left side of the forum pages: "got an idea".

WorldWideWebDev Posted October 14, 2013

I see from posts that some users are trying to avoid the exploits. As WHMCS is normally an automated system for an Internet business, and due to vulnerabilities in the system which turn up, I'm happy to lock it down, give up on automation and use it for customers which I allow in, and for customers who become pre-approved. I'm not worried about the inconvenience, as this is relatively nothing compared to someone who manages an exploit and gets all the domain registrar passwords, client details, login passwords, email passwords, credit card details, domain register connection details, PayPal logins, etc.

We are always told to patch and update to avoid these things, yet more exploits keep popping up. That's to be expected and I don't know what exploit is next. But someone should be telling us what, if anything, we can do to avoid them altogether. Screening all the new accounts would be a start. If the details are not legitimate, they're out immediately. Sounds OK to me. If you don't want this option, it's OK to go with the way it is now. Problems solved? Or am I missing something?

WorldWideWebDev Posted October 14, 2013

OK, after much investigation, and I'm sure I haven't done enough, the exploits to our systems seem numerous and not just related to tickets and user logins. I think the list of exploits should be outlined somewhere for us to know and be prepared for. Is there a place in these forums where these things are listed?