Petition to WHMCS - Please rewrite using good code!


Hello everyone, I'm sure you're aware of all of the recent security issues related to WHMCS. The problem with these issues isn't that someone decoded the encrypted files or identified exploitable code, it's that the code was written so poorly to begin with.


The coding standards used in WHMCS are very old and very much against best practices. They even went so far as to create a workaround to Register Globals that PHP removed from the software for security reasons. Doing this has led to a couple of the exploits that we've all been dealing with.


It is the opinion of many qualified people that in order for WHMCS to resolve this issue once and for all, a complete code rewrite must be performed. You can't simply search and replace to fix the underlying issues. Everything is very much intertwined and linked together.


I know you agree with me when I say that all I want is a usable system. Something with enough features to allow my business to grow and thrive in this competitive market we are all in. I also want something secure enough that I can sleep at night without fear of someone exploiting a vulnerability in the software I use to house all of my customer and server data.


Join me in my efforts and tell WHMCS that you want the same thing. Vote up this feature request and maybe, just maybe they will listen to us.




Welp, they killed my feature request. I guess that tells us what they think of us...


Goes to an error page now.


It was well written, non-insulting and was a nice request to secure the software. It had support from users on WHT as well as here.

What gives, WHMCS?


Fortunately for me, I've moved off of WHMCS.


No way in hell am I moving back to WHMCS. And I won't offer WHMCS licenses to my clients.


I voted for this. I was expecting them to accept the feature request. Not delete it and remove it from view.


That simply tells me that they don't give a **************** about us, the people that use their software. Their actions will come back to bite them in the rear, sooner or later.


Sooner or later, someone will sue WHMCS, and they will be found liable.




I've removed the feature request as the feature request system is not designed for that. The request to have a completely rewritten piece of software in a short time is simply an impossible feat - there are nearly 500,000 lines of code. However, WHMCS has begun rewriting the core of the code in 5.3. The unfortunate aspect is that software in general will always be faced with vulnerabilities. If you follow any exploit report websites, you'll see this on an extremely regular basis. Even companies like PayPal and Oracle still battle this.


To assume that WHMCS itself does not care about the customers, or the security of the software it's providing, is difficult to accept. Historically, we can see that immediately when something is known we have provided software updates mitigating the issue in a very short amount of time. It's quite unfortunate that some individuals do not follow responsible disclosure procedures as their intent appears to be terroristic in nature.


We have worked, and continue to work, with a number of third-party vendors for responsible disclosures as well as our own internal audits (hence the regular updates over the past 6 months), and the push to rewrite the core in 5.3.


I am going to close this thread not for need of further discussion, but rather move it to a more appropriate forum - if you wish to continue this, feel free to email me directly chris[at]whmcs.com.


We will be making a public statement in the near future which will likely address the majority of questions.


This topic is now closed to further replies.