ScrltOTara Posted October 19, 2013
So, the past few days I'm getting a bunch of new sign-ups who then immediately try to change their user details to SQL code. Is this the new security issue?
PhilB Posted October 19, 2013 (edited)
No; this is the exploit that was fixed with the release of 5.2.8 and 5.1.10, and is just people running that old exploit script against your installation. The current hole is arguably considerably worse. Taking the details of the exploit at face value, your current best bet is to disable all third-party access to your billing system by using an IP-restricting or credential-requiring .htaccess in the whmcs directory until it's patched.

NB: putting the install into maintenance mode is likely not a sufficient mitigation. Block access to it entirely unless you have the expertise to safely mitigate it with an application-layer firewall.
Edited October 19, 2013 by PhilB
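As an added example of the stop-gap PhilB describes (this is not PhilB's own file or anything shipped with WHMCS), the following .htaccess placed in the whmcs directory allows requests only from one trusted network and additionally demands HTTP Basic credentials. The network 203.0.113.0/24, the realm name and the password-file path /var/www/whmcs-htpasswd are assumptions; substitute your own.

```apacheconf
# Added example, not from the original post: lock the whole WHMCS directory
# down to a trusted IP range AND a Basic-auth login until the patch is applied.
# The IP range 203.0.113.0/24 and the htpasswd path below are assumptions.

AuthType Basic
AuthName "Restricted until patched"
# Create the password file once, outside the web root, with:
#   htpasswd -c /var/www/whmcs-htpasswd admin
AuthUserFile /var/www/whmcs-htpasswd

# Apache 2.4+: both conditions must hold. Change RequireAll to RequireAny
# if a trusted IP *or* valid credentials should be enough on their own.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</IfModule>

# Apache 2.2: the same policy with the older mod_authz_host directives.
# "Satisfy All" means the IP check and the login are both enforced.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24
    Require valid-user
    Satisfy All
</IfModule>
```

Two checks before relying on this: the directory's vhost must have AllowOverride set to permit AuthConfig and Limit (or the file is silently ignored), and test from an address outside the range to confirm you get a 403 rather than the login page. This blocks clients and any inbound third-party callbacks (payment gateway notifications, for instance) along with the attackers, which is exactly the "block access to it entirely" trade-off PhilB is recommending for the interim.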
WorldWideWebDev Posted October 19, 2013
Do this, it stuffs them after they have taken the time to sign up, go through using the two-factor authentication, etc. etc. Make sure you have been to General Settings / Other and tick the boxes that prevent clients from changing their own details.

Locked Client Profile Fields
Select any fields below that you want to prevent clients being able to edit from the client area:
First Name, Last Name, Company Name, Email Address, Address 1, Address 2, City, State/Region, Postcode, Country, Phone Number

I guess you can let them change their phone number. That oughta give them the irrits!