Was my installation compromised?


Morty


Today I discovered the exploit and the "fix" in the blog. How is it possible that WHMCS doesn't send an email to all customers to report the problem? Because you don't have the fix? I prefer to disable all WHMCS installs instead of having all of my business ruined...

This month we had 5 security patches! Hey guys, what are you doing, seriously!

Sure cPanel will appreciate this quality of work...


I have done this as explained here...

As you may be aware, a security issue has been published within the last hour which allows for information disclosure.

We are aware of the issue and are investigating it, and will be issuing a fix for this issue along with any others we discover during our targeted investigation shortly. In the meantime, disabling the Mass Payment feature voids the immediate threat.

You can do this by de-selecting the "Enable Mass Payment" checkbox in Setup > General Settings > Invoices and saving.

Please watch our blog, Facebook and Twitter feeds to receive the latest updates.


When it makes it possible to log in as an admin, and use that access to do so. That's one way.

OK, so if you set write permissions on /downloads there's a file browse/upload form, is there? I don't allow write access there (or unauthorized folks to roam around with admin privileges) so I've never seen that. Would make sense if that's how it works though: upload a PHP shell script through that and it's game over.

This post seems to suggest another vector though, http://forum.whmcs.com/showthread.php?80410-Was-my-installation-compromised&p=343690#post343690, which is rather alarming I have to say.

Just trying to get a handle on how to mitigate all this; the lack of disclosure and transparency from WHMCS is quite shocking. Better information to be had on WHT...


Oh man, I am getting really upset about this software policy!

I can't agree with BryanB more on that. We are doing serious business with WHMCS. It's not a game! An official roadmap or statement on future security measures is essential. Hot fixes should be the exception rather than the rule! WHMCS should spend more time on quality instead of providing us with new features. I don't have time to check the Facebook, Twitter and Blog sections all the time.

With the latest patch releases we don't have enough time for testing new releases. I hope the new patch doesn't break our system. Thinking about alternatives too.


I see that the v5.2.11 incremental has now been published; however, it unfortunately does not update the reported version for the installation and still shows 5.2.10 after the upgrade.

Confirmed. whmcs_v5211_incremental doesn't update the reported version. It's still showing 5.2.10.


Hi

Does anyone else have the issue where it's still saying the old version number after updating to 5.2.11?

I uploaded the zip file and overwrote the existing files. I did this by extracting the zip file after re-zipping it with the correct admin folder name, and then I did it manually to make sure I got it right.

Thanks

Martyn


5.2.12 patch applied.

Now I get:

Your Version 5.2.12
Latest Version 5.2.11
You should upgrade to the latest version.......

UPDATE: Must have just needed refreshing......showing correct now


Thanks WHMCS!! They've just updated the Security Advisory blog post.

Don't be confused. Now we are on 5.2.12.

http://blog.whmcs.com/?t=80615

UPDATE: We've identified a missing file in 5.2.11 which causes the version number not to increment. All security related enhancements are present. We will be updating this post again with version 5.2.12 which will contain the complete change set. Thank you for your patience.