
10-25-2013 Security Advisories Clarification


gPowerHost


Earlier today Matt posted http://blog.whmcs.com/security.php?t=80587 recommending that we de-select the "Enable Mass Payment" checkbox in Setup > General Settings > Invoices. Then a patch was released. But the explanation of the quickly following patch says nothing about Mass Payments. It lists many other things. Is this still an open issue, or has the patch (v5.2.12, and I assume v5.1.13) resolved the Mass Payments vulnerability definitively?

 

Also, it would be nice if these notices were pushed to the admin area. My WHMCS News Feed's latest message is from Friday, October 18th, 2013. Isn't this the fastest and most direct way to get the word out?

Link to comment
Share on other sites

I think it is essential that such information is pushed to the Admin area.

We don't use Facebook or Twitter and I've only read the blog because it was mentioned here. I never usually visit it assuming (wrongly) it comes through to the admin home screen.

 

Putting it in a place where everyone goes seems much more sensible rather than relying on a client checking the blog daily and providing two other methods that some don't use.

 

Trevor

Link to comment
Share on other sites

I think it is essential that such information is pushed to the Admin area.

We don't use Facebook or Twitter and I've only read the blog because it was mentioned here. I never usually visit it assuming (wrongly) it comes through to the admin home screen.

 

Putting it in a place where everyone goes seems much more sensible rather than relying on a client checking the blog daily and providing two other methods that some don't use.

It was suggested in another thread to subscribe to IFTTT.com and, using the recipe below, you will receive an email whenever a post is made to the WHMCS blog - though in my case, I've set it up only to send an email when a post is made in the WHMCS security blog.

 

I can tell you that I received emails from IFTTT long before I received an email from WHMCS - so it is worth considering.

 

http://forum.whmcs.com/showthread.php?80622-How-to-Receive-an-Instant-Email-whenever-WHMCS-adds-a-new-blog-post

 

I don't think subscribing to the News & Announcements thread is worthwhile as you will only receive an update daily (24 hours could be a long time when it comes to security updates!), and also not all blog posts are posted there.

Link to comment
Share on other sites

You can also Subscribe to the Announcements Forum and get daily email notifications. To do that, click thru here:

News & Announcements Subscription Settings - WHMCS Forums

 

That would be an excellent idea, except that there's absolutely nothing in the News & Announcements forum about this latest issue/exploit. The last post in there is from Matt on 10/18/13, regarding the 2nd of (so far) 3 exploits this month.

 

Communication has always been a weak point with WHMCS.

Link to comment
Share on other sites

That would be an excellent idea, except that there's absolutely nothing in the News & Announcements forum about this latest issue/exploit. The last post in there is from Matt on 10/18/13, regarding the 2nd of (so far) 3 exploits this month.

 

Communication has always been a weak point with WHMCS.

 

I believe the posts on the blog are to reflect the posts in the Announcements forum at all times. I'll look into this and make it happen.

Link to comment
Share on other sites

I think it is essential that such information is pushed to the Admin area.

We don't use Facebook or Twitter and I've only read the blog because it was mentioned here. I never usually visit it assuming (wrongly) it comes through to the admin home screen.

 

Putting it in a place where everyone goes seems much more sensible rather than relying on a client checking the blog daily and providing two other methods that some don't use.

 

Trevor

 

You can very easily subscribe to the blog via RSS and/or email, and using IFTTT you can set up a means to receive Tweets. You can get their Facebook page updates through RSS also. There are ways to receive the information, assuming the information IS made available.

 

Many companies/vendors/etc. post status and security updates through Twitter, Facebook, the company blog... social media is pretty much the means for information anymore, and easier to receive for most people than email (email can be blocked, etc.). I don't mean to lecture you, but you do your company a disservice if you don't monitor Facebook and Twitter. Not saying you have to be logged in and refresh the pages... both have options to be notified when a post/tweet is made, and you can get an email notification from that if you configure it so. On Facebook hit "like" then "get notifications" (then set up Facebook to email you if you like).

 

RSS can go to your phone, Facebook notifications as well, same with Twitter. There ARE ways (again, assuming the information is put out there to begin with, which is MY biggest complaint about WHMCS).

 

As for having the information pushed to the admin area, that functionality is already there (though it's not working, at least not on 5.1.13 for me). One of the available admin area widgets is "WHMCS News Feed."

 

http://docs.whmcs.com/Widgets "WHMCS News Feed - All the latest news & updates from WHMCS straight to your WHMCS dashboard." It just needs to be enabled for the admin account you login under, if it's not already.

 

However, it also doesn't seem to be configured correctly from the source (or at least it's not working for me, I'm re-downloading ALL 5.1.x files to make sure). The widget pulls the news from this page:

 

http://www.whmcs.com/feeds/news.php (which is the blog feed, and was last updated 10/18/13), yet it's not displaying correctly in my admin area (although the "Follow us on Twitter" link is, so the widget is OK, but the source feed is screwed up).

 

- - - Updated - - -

 

I believe the posts on the blog are to reflect the posts in the Announcements forum at all times. I look into this and make it happen.

 

It is; the last post (blog and forum announcements) about any security issue was 10/18/13, 7 days ago.

 

There's also the whmcs_news widget for the admin area, but as I just posted about (in reply to another user in this thread) that seems to be broken. I'm making sure it's not a problem on my side by re-downloading all the files for my version.

 

- - - Updated - - -

 

GMTA. I had done the exact same thing except it goes to my Pushover account as a high priority alert, so it pushes to my phone etc.

 

RSS still works, too. Notifications to your phone and all that.

(screenshot: whmcs_news_feed.png)

Link to comment
Share on other sites
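Several posts above describe the same pipeline by hand: watch the blog feed, keep only the security posts, and push each new one to your phone as a high-priority alert. The script below is an added example of that pipeline, not code from WHMCS, IFTTT or any poster in this thread. It assumes the feed is RSS 2.0 with a stable <guid> per item and that security posts carry a <category> (or title) containing the word "security"; both are assumptions, not something the thread confirms. The feed it parses is a constructed sample embedded inline so the example runs offline; for real use you would fetch the live feed URL instead. The Pushover request fields (token, user, title, message, url, priority) are taken from Pushover's public message API, and priority 1 is the "high priority" level the poster mentions; treat those names as an assumption too, and check them against Pushover's current documentation before relying on them.

```python
"""Poll an RSS feed, keep only unseen security posts, build a Pushover alert.

Added example for this thread; not WHMCS, IFTTT or Pushover code.
Assumptions: RSS 2.0 feed, stable <guid> per item, security posts tagged
with a <category> (or title) containing "security".
"""
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample feed (not real WHMCS blog content); shape mirrors a
# typical RSS 2.0 blog feed, newest item first.
SAMPLE_FEED = """<rss version="2.0"><channel>
  <title>Example Blog</title>
  <item>
    <title>Security Advisory: Patch 5.2.12 Released</title>
    <link>http://blog.example.invalid/security/2</link>
    <guid>http://blog.example.invalid/security/2</guid>
    <category>Security</category>
    <category>Releases</category>
    <pubDate>Fri, 25 Oct 2013 17:00:00 +0000</pubDate>
  </item>
  <item>
    <title>New Theme Preview</title>
    <link>http://blog.example.invalid/general/7</link>
    <guid>http://blog.example.invalid/general/7</guid>
    <category>General</category>
    <pubDate>Thu, 24 Oct 2013 09:00:00 +0000</pubDate>
  </item>
  <item>
    <title>Security Advisory: Earlier Patch</title>
    <link>http://blog.example.invalid/security/1</link>
    <guid>http://blog.example.invalid/security/1</guid>
    <category>Security</category>
    <pubDate>Fri, 18 Oct 2013 12:00:00 +0000</pubDate>
  </item>
</channel></rss>
"""


def parse_rss(xml_text):
    """Return one dict per <item> with guid, title, link, categories, published."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        guid = item.findtext("guid") or item.findtext("link")
        if not guid:
            continue  # no stable identity, so it cannot be de-duplicated; skip it
        items.append({
            "guid": guid.strip(),
            "title": item.findtext("title", "").strip(),
            "link": item.findtext("link", "").strip(),
            "categories": [c.text.strip().lower()
                           for c in item.findall("category") if c.text],
            "published": item.findtext("pubDate", "").strip(),
        })
    return items


def is_security_post(entry, keyword="security"):
    """Match on category first; fall back to the title (assumed convention)."""
    return (any(keyword in c for c in entry["categories"])
            or keyword in entry["title"].lower())


def new_security_entries(xml_text, seen_guids):
    """Security posts whose guid is not in seen_guids, in feed order."""
    return [e for e in parse_rss(xml_text)
            if is_security_post(e) and e["guid"] not in seen_guids]


def pushover_payload(entry, app_token, user_key):
    """Form body for POST https://api.pushover.net/1/messages.json (assumed fields)."""
    return {
        "token": app_token,
        "user": user_key,
        "title": "Security advisory: " + entry["title"],
        "message": entry["published"] or "new post",
        "url": entry["link"],
        "priority": 1,  # high priority: bypasses quiet hours on the phone
    }


def load_seen(path):
    """Guids already alerted on, persisted as a JSON list between runs."""
    p = Path(path)
    return set(json.loads(p.read_text())) if p.exists() else set()


def save_seen(path, seen):
    Path(path).write_text(json.dumps(sorted(seen)))


if __name__ == "__main__":
    # Pretend the 10/18 advisory was already alerted on during an earlier run.
    seen = {"http://blog.example.invalid/security/1"}
    for entry in new_security_entries(SAMPLE_FEED, seen):
        payload = pushover_payload(entry, "APP_TOKEN", "USER_KEY")
        print(json.dumps(payload))  # real use: POST this, urlencoded, to Pushover
        seen.add(entry["guid"])
```

Run it from cron every few minutes with the live feed text in place of SAMPLE_FEED and a state file via load_seen/save_seen; only the one unseen security post produces an alert, and the general post is ignored. Keying state on the guid rather than the publish date is what keeps a re-dated or edited post from firing twice.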

I think it is essential that such information is pushed to the Admin area.

We don't use Facebook or Twitter and I've only read the blog because it was mentioned here. I never usually visit it assuming (wrongly) it comes through to the admin home screen.

 

Putting it in a place where everyone goes seems much more sensible rather than relying on a client checking the blog daily and providing two other methods that some don't use.

 

Trevor

 

I completely agree. I'm very disappointed that this is the first I've heard of this recommendation. All data in the admin panel is very old; seeing as all of us log in to our admin panel daily, it makes sense to use this area to notify users first.

Link to comment
Share on other sites

While I'm not pleased with the hackers, and annoyed with all of the competitive naysayers, I'm also not pleased with the WHMCS meek behavior. You seem unwilling to use the tools you have to push information out quickly. Yes, of course I have RSS, but WHMCS is very lazy and indecisive when it comes to how to get the info out. Stop being afraid of what people will think. Really! If you have to release an update daily, do so. And use your ability to push the notification out. Otherwise, your coy behavior forces us to scour the internet looking for the latest news, because we think you are too afraid to be upfront often enough. Take control and start informing us! Stop being afraid of what we will think. If your patch breaks things, like the last one did (credit card captures), correct it the next day. I am getting sick of WHMCS forcing me to go read the lengthy WHT forums because you will not be straightforward. If your PR people are telling you to be silent, fire them! Repeat: fire them!

 

If you pushed good info out twice daily to the cart you could easily take control and prevent us from wasting our time wondering if the RSS is broken, or if you decided to post elsewhere this time, or if you are too afraid of the backlash. Do you think all of your customers are stupid and can't think for themselves? We know when naysayers take a valid point and twist it. But you are the ones forcing us to go read that drivel!

 

All the best, and waiting for you to take control of your company and start leading yourselves, and us out of this mess.

Edited by gPowerHost
spelling
Link to comment
Share on other sites

OK well we still have Mass Payments disabled. I guess they have no idea if it is safe to turn it back on.

 

I'm amazed how many times that question has been overlooked by the WHMCS staff. I have seen it mentioned in 4 threads or more, and staff have even posted in those threads, but not one single staff member has answered that question.

 

Quite sad in my opinion!

Edited by PWPH
Link to comment
Share on other sites

OK well we still have Mass Payments disabled. I guess they have no idea if it is safe to turn it back on.

 

Hello Kendal,

If you're running 5.2.12, it is safe to re-enable Mass Payments. It is related to the first descriptor in the blog for 5.2.12:

http://blog.whmcs.com/?t=80615

 

Regards, and I apologize for any inconvenience this may have caused.

Link to comment
Share on other sites
