
RE: Security Status Update - Posted Oct 18


justhost


I know it's a pain when hackers go out looking for issues in popular systems to cause mayhem, but let's be thankful this is not MS, as we would have waited weeks/months for that patch, not hours! So I thank WHMCS for working on a patch immediately after being notified!

 

Looking at the change log, it does seem that other things have been addressed to stop future attacks which I am impressed with WHMCS for.


There should not be any SQL injection vulnerabilities in the code. This is utterly basic security protocol and easy to avoid by good coding practices. It is also trivial for any good coder to fix it. I will take a wild guess that WHMCS cookies are not checked for SQL injection and that will be the subject of the next wave of hacks.


I am studying the possibility of no longer using WHMCS due to all these security issues. WHMCS looks like Swiss cheese with ALL these bugs. I think that WHMCS's programmers are all amateurs. An application like WHMCS, on which a lot of companies depend to work/run. I can't imagine the loss in case of vulnerabilities.


I'm pretty sure WHMCS this time around hears everyone loud and clear.

 

I'm not sure about that; bugs still keep coming from time to time, and we are not talking about new bugs, these bugs have been there for a long time. The option to move from WHMCS is not an easy task; let's see what will happen with 5.3.


I think they should release the source code and stop hiding their horrible coding. This would at least allow those of us that know PHP the opportunity to fix the code ourselves. I don't think they should be allowed to hide behind ionCube encoding anymore. They used to say the reason it was encoded was to be able to provide better support, but in reality it's to hide the horrible horrible code underneath.


IMHO part of the problem is that WHMCS is not expensive enough. To generate revenue they're forced to add a lot of new features with each release and don't take sufficient time to re-write/optimise/secure existing functionality.

 

WHMCS is having a "Windows Vista" moment and needs to take the time to come up with "Windows 7". I'm not sure however that they have deep enough pockets and/or a loyal enough following to pull that off.


I hate these comparisons to Microsoft or Windows. This is a PHP script, it's not even an application. It doesn't follow PHP best practices, they are using functions and extensions that are deprecated in PHP 5.5 and are creating internal workarounds to Register Globals which has been deprecated in PHP 5.3 and removed in PHP 5.4. If PHP removed something because it is a security risk, what makes it a good idea to create your own version and incorporate it into a script you sell to thousands of people?

 

I'm fed up with all of the security exploits and lack of proper updates and support from WHMCS. They either need to turn things around really quick or they are going to start losing lots of customers. The competition has taken notice of these issues and are looking more and more attractive every day.


I didn't make a comparison between two pieces of software or two companies. I made a comparison between two situations.

 

Anyway, take your pick of other PHP scripts or applications if you prefer. It's quite common for a piece of software to go through extensive code-refactoring, if only to update it to current "best practices". The time for WHMCS to do so is now is all I was saying.
