Discusting WHMCS behaviur


slim

After the hacking of the WHMCS site a few months ago, WHMCS team should have spent all their time on security - To ensure that their own internal systems were secure and that their customers information was secure.

 

They failed, and WHMCS was hacked with a criticle security hole in 5.2.7 (and other earlier versions).

 

Now, less than a month later, the exact same thing has happened AGAIN - Another massive security hole has been announced by a third party.

 

This is simply unacceptable. WHMCS should have spent the last month looking through the code, ensuring it was secure and issuing patches as they found problems. If they looked at their own code, they would have found this issue before it was announceed by localhost.

 

Instead, we have reactionary responces - They wait for localhost to announce a problem, then they fix it.

 

THIS IS NOT GOOD ENOUGH BY ANY ONES STANDARD.

 

Charge double for WHMCS - I could care less. If its secure, im willing to pay.

 

Im not however willing to stand by and watch my business goto **************** because you couldnt be bothered to secure your code.

 

This is bullshit and needs to be sorted.

After the hacking of the WHMCS site a few months ago, WHMCS team should have spent all their time on security - To ensure that their own internal systems were secure and that their customers information was secure.

 

They failed, and WHMCS was hacked with a criticle security hole in 5.2.7 (and other earlier versions).

 

Now, less than a month later, the exact same thing has happened AGAIN - Another massive security hole has been announced by a third party.

 

This is simply unacceptable. WHMCS should have spent the last month looking through the code, ensuring it was secure and issuing patches as they found problems. If they looked at their own code, they would have found this issue before it was announceed by localhost.

 

Instead, we have reactionary responces - They wait for localhost to announce a problem, then they fix it.

 

THIS IS NOT GOOD ENOUGH BY ANY ONES STANDARD.

 

Charge double for WHMCS - I could care less. If its secure, im willing to pay.

 

Im not however willing to stand by and watch my business goto **************** because you couldnt be bothered to secure your code.

 

This is bullshit and needs to be sorted.

 

Completed agree, WHMCS is playing with us, these is not a game and we are the only affected. WHCMS is the most hacked billing system in the history.


In the history?

 

Get a grip!

 

If you're that unhappy then vote with your feet and find another system.

 

No software application is fool proof, regardless of the types of exploits found, but when identified they are addressed.

 

I would like to whmcs be more active in their communication though. And I suspect that they'll be making an announcement about recent events.

 

For the present time we are staying with whmcs.


No software application is fool proof, regardless of the types of exploits found, but when identified they are addressed.

No, they're not. Not properly

Writing a 'hack' to address serious security concerns is not properly addressing the situation. It's more like putting a band-aid on a gaping bullet wound.

 

To add to this, the amount of time it took to 'address' this situation is deplorable. These individuals fail to realize that they kept sites down for the entire time this was done. If you didn't shut your site down, disabling access to it, then you have no place in the industry. THAT is just how serious this is.

 

The fact of the matter is that this is happening far too often, and I can guarantee we WILL see more of this, until the code is professionally audited and fixed. The problem? Some of this garbage has been in there since day 1, years ago.

 

I suspect that they'll be making an announcement about recent events.

They always do, and they always say some garbage about

We're sorry about blah blah blah blah blah

 

It's past the time for apologies. Matt and the cPanel crew need to focus on actually providing a proper, stable, secure product if they intend to keep themselves on top of the market


This is how they fix the bugs.

Moderation and fixing bugs are not related.

Threads get closed if they're rude and antagonistic. We're all angry and frustrated here, but if you remain civil, the thread should remain open. Discuss, don't attack.


Odds are they're not a native English speaker. I'd venture a guess in saying you'd have at least as many spelling issues in his native language. ;)

Ohhhhhh. Got it. I assumed from the posts that he/she/it was infallible. I will stop assuming I know everything, and will try to handle myself a little better on this forum. Thanks for checking me.


I’m Australian - and I was mighty pissed when I read my business email at about 10pm at night after about 20 bourbons and found that there was ANOTHER critical issue and that my servers were sitting out there potentially unprotected for hours and hours.

 

So, spelling went out the window.

 

WHMCS know the localhost crew have the source code - so they are going to release exploit after exploit after exploit unless WHMCS fix the issues proactively. Localhost probably has his next exploit ready to go in 3 weeks’ time.


At times like this I think spelling goes out the window for just about anybody, we got his/her point and that is all that counts in my eyes anyways

 

After that number of drinks I would be writing backwards I think......if at all :D


I’m Australian - and I was mighty pissed when I read my business email at about 10pm at night after about 20 bourbons and found that there was ANOTHER critical issue and that my servers were sitting out there potentially unprotected for hours and hours.

 

So, spelling went out the window.

 

WHMCS know the localhost crew have the source code - so they are going to release exploit after exploit after exploit unless WHMCS fix the issues proactively. Localhost probably has his next exploit ready to go in 3 weeks’ time.

 

I would suspect they are going to be stepping up their attacks on whmcs.. at this point I think it's time whmcs did get an audit done.. I'm sure cpanel is looking at the raw code and asking themselves WTF..

 

At this point I'm considering my options even if it costs me more money...

 

I'm sure localhost has the decryption software that is out there and has already decoded the updates and are scratching their heads and wondering to themselves what the crap. Probably while having a good laugh...

 

so my question is.. how is it the update that was released never included a fix to the dbfunctions.php file that was talked about in the hack... but a bunch of other files were fixed... if anyone has a good answer... am I missing something here??

 

If security was a concern of whmcs.. they would stop all feature requests.. and go back over their core code and fix it properly. How hard is it to really fix things properly???


In the history?

 

Get a grip!

 

If you're that unhappy then vote with your feet and find another system.

 

No software application is fool proof, regardless of the types of exploits found, but when identified they are addressed.

 

I would like to whmcs be more active in their communication though. And I suspect that they'll be making an announcement about recent events.

 

For the present time we are staying with whmcs.

 

In most cases I'd agree but with WHMCS it seems to be one after the one non-stop. They really should invest into a 3rd party security audit and begin with patching anything that comes up.

 

At the same time I do give WHMCS a big thumbs up for the very quick patches to any critical security issues that do go public.


Less trade shows and more support, and fixes. All this money being spent on going to trade shows, yet we can't get a stable and secure product in which we paid for!

I'm frustrated with the lack of support regarding the iWHMCS addon. What a rip off, haven't been able to use it cause io7 and iWHMCS just crashes..

Let's get this stuff fixed!!!


I’m Australian - and I was mighty pissed when I read my business email at about 10pm at night after about 20 bourbons and found that there was ANOTHER critical issue and that my servers were sitting out there potentially unprotected for hours and hours.

 

So, spelling went out the window.

 

WHMCS know the localhost crew have the source code - so they are going to release exploit after exploit after exploit unless WHMCS fix the issues proactively. Localhost probably has his next exploit ready to go in 3 weeks’ time.

 

everybody has the source code.

 

It took me 5 minutes to locate and download the full source code for 5.2.7 and also some ioncube decoders, just google it.

 

It's not my intention to promote piracy, it's already available, at this time letting legitimate license owners know there is an unencoded version out there might not affect whmcs sales, but will bring more eyes to the code, there are a lot of naughty eyes on the code, let's add some "good guys" to the equation, searching for holes and reporting them to whmcs instead of exploiting them and damaging business


All I’m saying is that the bad guys have the code - If there are holes in it, they are going to publish exploits. They have proven this twice in a month now.

 

WHMCS has two choices…

 

1. Sit down and go through their own code and identify the obvious issues and release patches - in a hurry.

2. Do nothing and have more clients get hacked, more of us having sleepless nights etc.

For one of my businesses I only swapped over from MB4 -> WHMCS a month ago after years of procrastination.. It’s been a nightmare ever since.


Here's my Cents worth, Not ten.. Everyone here seems to an extent nonchalant and blasé about these security risks.

Damo "If you're that unhappy then vote with your feet and find another system" it's not always that easy. And if you know of one that's fantastic, please let us know..

I move on. WHMCS patches seem to have been knee jerk reactions all along. To think that some of us have critical business information, Credit details, domain passwords, hosting information and passwords, pay pal info and personal client details. Who here is angry about this? I sure am and everyone should be. How can any of us be to any extent accepting that this information, details, phone numbers whatever can get out? Wake up, this is serious stuff. And I'll tell you what, if my host got hacked and leaked my information out, there would be some serious repercussions. Now tell me, how many people on this forum are here to play with a stupid failing WHMCS who don't care and on the other hand, how many are running legitimate business who thought they had a good product and have been shocked, scared and let down? I'd guess the blasé ones are here for the fun and the angry ones have something to lose. How many people here actually feel safe?? That should be the question and how many of your customers are safe? If only one of these stupid hackers gets in to a small business and defaces, scams email and clocks up some expenses against Registrars and ourselves, who pays? THERE IS A LOT MORE AT STAKE HERE than some people wish to admit. If banks can't get their **************** together with all the millions they spend, what hope have we? The hackers are only going to get better at what they do, the situation is only going to get worse. Wanna bet on that?

Edited by WHMCS TedX
Removed vulgarities.
This topic is now closed to further replies.