
Was my installation compromised?


Morty


Hey guys,

As always, the development team springs into action when something like this occurs. Upon further investigation an update will be released. The blog will be the most up to date; however, as always, WHMCS will send out email notifications if and when an update is made available.

Link to comment
Share on other sites

I have a lot invested in WHMCS and would like for things to work out but my team has been discussing not being able to use WHMCS anymore because of the downward trend in the product quality.

The recent security vulnerabilities that were discovered were the result of incredibly amateur coding mistakes. 2 vulnerabilities were discovered 2 days apart. It's great that they were patched relatively quickly, but unfortunately the vulnerability was already public and still leaves us vulnerable and gives us a lot of work to have to keep patching.

Flaws happen in software but it is getting too frequent and the vulnerabilities are pretty basic issues that 1. shouldn't have been implemented into the code in the first place and 2. should have been audited.

Why are there no audits of the WHMCS software and what is being done to prevent this in the future? There's a lot of outrage in the web hosting community and it seems that someone should at least come forward and say what is being done to better the security of WHMCS. All we've gotten so far is patches and really impersonal blog posts from Matt that don't allow comments so no discussion can be had.

anddd yet another exploit has been found again today. Come on now... http://blog.whmcs.com/?t=80587

+1

This is really starting to become concerning for our business and many others. October has been a disaster for WHMCS and I believe a full audit on the core code of the software needs to be done (if it hasn't been already).

I am starting to weigh up alternatives.

Link to comment
Share on other sites

Hey guys,

As always, the development team springs into action when something like this occurs. Upon further investigation an update will be released. The blog will be the most up to date; however, as always, WHMCS will send out email notifications if and when an update is made available.

Honestly Chris, that's not good enough anymore. We need a statement from someone other than "whoops, here's a patch" - How about here's what we did wrong and here is what we are going to do to be better about security in the future? These are amateur exploits and it's a slap in the face that Matt or anyone from WHMCS hasn't stepped up yet to admit that they are screwing up big time with a plan to change things in the future.

Link to comment
Share on other sites

They seem to be getting their code audited already :( but I think at this point a code audit is just a band-aid. I mean it's got to be done to stop the bleeding and buy some time, but really this thing needs a complete rewrite. 8-10 year old not-very-well-written-in-the-first-place PHP code doesn't cut it in any modern application, but for a client billing application chock full of passwords and credit card numbers it's worse than useless.

Link to comment
Share on other sites

^ absolutely agreed, this is becoming quite a joke...

You do realise that you are not only affecting the income of WHMCS, but you are affecting 1000s of hosting businesses out there that rely on your product. I am pretty sure every user that you survey asking "What should WHMCS do" would say that we would rather see WHMCS rewritten to be secure than include more features....

Link to comment
Share on other sites

are you even a user of the software... I seem to see a lot of first time people commenting and I normally see that as trolling from other companies

+1

This is really starting to become concerning for our business and many others. October has been a disaster for WHMCS and I believe a full audit on the core code of the software needs to be done (if it hasn't been already).

I am starting to weigh up alternatives.

Link to comment
Share on other sites

yep, exactly. I can see in the activitylog table where they uploaded the files that they used to access the database and the config file. This is the first time that I've had a problem with WHMCS being hacked but it is enough for me to start looking for alternatives. I spent most of today resetting passwords and sending out notices to customers, not fun.

Link to comment
Share on other sites

are you even a user of the software... I seem to see a lot of first time people commenting and I normally see that as trolling from other companies

I've been using this software for a couple of years now and this is the first time I'm seriously reconsidering it (even after last year's hacking debacle), which is why I signed up to vent my frustration.

Link to comment
Share on other sites

Do not listen to othellotech. He has good intent but doesn't understand the issue here and used a generic thought for his reply. The reason you had the malicious $license code in your configuration.php is directly related to the WHMCS exploits in most cases and the code injected was a backdoor.

Link to comment
Share on other sites
