WHMCS Community Involved - Additional Security Suggestions


Hello,

 

Due to recent hacks going around with WHMCS, I wanted to investigate further and see if there was anything else that could be done to prevent getting hacked.

 

I easily found some information on the internet on how we were hacked by recent exploits in WHMCS versions 5.2.3 and above. With SQL injections it's all easily done.

 

We are now using two-factor auth, and also following the setups in this document to further secure the WHMCS installation, which will help. If you have not done so already, I suggest you get it done ASAP:

 

http://docs.whmcs.com/Further_Security_Steps

 

I have found something that needs attention immediately: many attackers use Google to search for sites to exploit using the inurl operator. Doing a search like this:

 

whmcs inurl:clientarea.php

 

will give plenty of results and potential people to hack.

 

One easy thing to do, which I really can't believe has not been done (or should at least be an option), is to protect all WHMCS files from being indexed. I mean, if you can't find them in the first place then it is much harder to exploit them.

 

<meta name="robots" content="noindex">

 

in the header template file will stop it from showing up in any Google result at all, no matter if it's linked from external sites.

 

Some people like to SEO WHMCS? Why, I ask? It's your billing system, and it's probably the dumbest thing you can do, especially since we all know it's not exactly secure. If you want to do SEO, use your blog or your main website to do the marketing; your portal should be as protected and hidden as possible, for your clients ONLY.

 

It would be good to see this as a new option, maybe in the General Options, Security tab in WHMCS.

 

If anyone else has anything that can help with securing WHMCS in general, please share.

 

EDIT: I also just found this option within WHMCS General Settings -> Other tab that should be unchecked:

 

Tick this box to allow registration without ordering any products/services

 

The most recent vulnerability in 5.2.10 allows someone that has access to clientarea.php to use an SQL injection. By unchecking this, they will basically need to purchase something before becoming a client.

 

Cheers

Mitch

Edited by menkom
Addition
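The noindex suggestion in the post above only works if the crawler actually gets to see the directive, and it is an SEO control rather than a security one: it keeps the URL out of search results, it does not stop anyone who already knows the URL or scans for it. The check below is an added example, not code from the thread or from WHMCS. It parses a page's robots meta tag and the X-Robots-Tag response header (the header is the only way to exclude non-HTML responses such as PDFs), then confirms with robots.txt that the crawler is allowed to fetch the page at all, since a Disallow on the same path hides the noindex and the bare URL can still be listed from external links. The hostname, the HTML, the headers and the robots.txt content are all constructed for the example.

```python
"""Check whether a noindex directive would actually reach a search crawler.

Added example, not code from the thread or from WHMCS. The HTML, response
headers and robots.txt below are constructed; nothing is fetched from the
network. Hostname billing.example.com is assumed for illustration only.
"""
import html.parser
import urllib.robotparser

URL = "https://billing.example.com/clientarea.php"  # assumed, illustration only

# Constructed sample responses.
CLIENTAREA_HTML = (
    '<html><head><title>Client Area</title>'
    '<meta name="robots" content="noindex, nofollow">'
    '</head><body>Login</body></html>'
)
HOME_HTML = "<html><head><title>Home</title></head><body>Welcome</body></html>"
ROBOTS_OPEN = "User-agent: *\nDisallow:\n"
ROBOTS_BLOCKING = "User-agent: *\nDisallow: /clientarea.php\n"


class RobotsMetaParser(html.parser.HTMLParser):
    """Collects the directives of <meta name="robots"> / <meta name="googlebot"> tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {name.lower(): (value or "") for name, value in attrs}
        if attr.get("name", "").lower() in ("robots", "googlebot"):
            self.directives += [d.strip().lower() for d in attr.get("content", "").split(",")]


def robots_directives(html_text, headers):
    """Directives from the meta tag plus the X-Robots-Tag response header.

    The header matters because the meta tag only exists in HTML: PDFs, downloads
    and other non-HTML responses can only be excluded through the header."""
    parser = RobotsMetaParser()
    parser.feed(html_text)
    found = set(parser.directives)
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            found.update(d.strip().lower() for d in value.split(","))
    found.discard("")
    return found


def crawler_may_fetch(robots_txt, url, agent="Googlebot"):
    """True if robots.txt lets the crawler request the URL at all."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(agent, url)


def assess(url, html_text, headers, robots_txt):
    """Return 'indexable', 'noindex-effective' or 'noindex-unseen'.

    A noindex directive is only honoured if the crawler is allowed to fetch the
    page. Blocking the same path in robots.txt hides the directive, and the bare
    URL can then still be listed on the strength of external links."""
    directives = robots_directives(html_text, headers)
    if not ({"noindex", "none"} & directives):   # "none" means noindex, nofollow
        return "indexable"
    return "noindex-effective" if crawler_may_fetch(robots_txt, url) else "noindex-unseen"


if __name__ == "__main__":
    for label, page, hdrs, robots in (
        ("clientarea, meta tag, open robots.txt", CLIENTAREA_HTML, {}, ROBOTS_OPEN),
        ("clientarea, meta tag, path disallowed", CLIENTAREA_HTML, {}, ROBOTS_BLOCKING),
        ("home, no directive", HOME_HTML, {}, ROBOTS_OPEN),
        ("home, X-Robots-Tag header", HOME_HTML, {"X-Robots-Tag": "noindex"}, ROBOTS_OPEN),
    ):
        print(f"{label}: {assess(URL, page, hdrs, robots)}")
```

Run it against a real install by substituting the fetched HTML, headers and robots.txt for the constructed ones; the point to watch for is the `noindex-unseen` result, which means the tag was added but the crawler will never read it.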

I use WHMCS as my main website.

 

The home and front page are custom pages with sliders and a good design and such, but my hosting company is 100% WHMCS... What can I do then? Blocking SEO isn't really an option :/

 

Yes, not much you can do now, so I guess my fixes do not apply to you. In any case it's probably a very bad idea to rely on WHMCS being your main website; if anything was to go wrong then it will take you down completely until you resolve your issues.

 

Not only this, but it is a bad idea because it is very hard to make future modifications to the template file if you want your website to continue evolving. I can think of many reasons why NOT to do what you are doing right now.

 

The best option here is to use WHMCS as your billing system and for your client portal, secured with its own hosting account.

 

Then have your website, e.g. a WordPress website, on a different hosting account.

 

This way you will not be prone to being hacked through WordPress, which can ultimately get into your cPanel and from there into WHMCS.

 

The harder you make it, the less chance of issues happening.

 

Good luck with whatever you choose to do.


That's like saying I don't have a website because the server might break... WHMCS has never been down for me as my site...

 

 

> Yes, not much you can do now, so I guess my fixes do not apply to you. In any case it's probably a very bad idea to rely on WHMCS being your main website; if anything was to go wrong then it will take you down completely until you resolve your issues.
>
> Not only this, but it is a bad idea because it is very hard to make future modifications to the template file if you want your website to continue evolving. I can think of many reasons why NOT to do what you are doing right now.
>
> The best option here is to use WHMCS as your billing system and for your client portal, secured with its own hosting account.
>
> Then have your website, e.g. a WordPress website, on a different hosting account.
>
> This way you will not be prone to being hacked through WordPress, which can ultimately get into your cPanel and from there into WHMCS.
>
> The harder you make it, the less chance of issues happening.
>
> Good luck with whatever you choose to do.

 

- - - Updated - - -

 

I also do not allow WordPress etc. on my servers... you are just asking for it.


> That's like saying I don't have a website because the server might break... WHMCS has never been down for me as my site...
>
> - - - Updated - - -
>
> I also do not allow WordPress etc. on my servers... you are just asking for it.

 

WordPress was just an example. If you are proactive, and if WHMCS is proactive in fixing security issues, then you have nothing to worry about. The aim of my post is to educate and give further security enhancements.

 

Thanks.


I use Cloudflare; it blocks a lot of bad traffic. If you have the paid version then you have access to the web application firewall, which looks for SQL injection attacks but also has settings for WHMCS.

 

It has stopped a dozen visitors in the last 12 hours trying the 5.2.8 vulnerability.

 

I have to say I'm quite impressed with the service so far.


> I use Cloudflare; it blocks a lot of bad traffic. If you have the paid version then you have access to the web application firewall, which looks for SQL injection attacks but also has settings for WHMCS.
>
> It has stopped a dozen visitors in the last 12 hours trying the 5.2.8 vulnerability.
>
> I have to say I'm quite impressed with the service so far.

 

I agree, the paid version is a good option for cloud-based security. I too use Cloudflare, but just the free version for website speedup and basic security; the paid version allows SSL, which means you can effectively protect WHMCS as well.

 

I will probably look into this in the future.


> EDIT: I also just found this option within WHMCS General Settings -> Other tab that should be unchecked:
>
> Tick this box to allow registration without ordering any products/services

Thanks for finding this setting. I have also had to take the step of just plain removing register.php from the server. It was the only way I could find to stop these people from getting accounts so they could then attempt the injection attacks.


4 weeks later...

You can prevent SQL injection by adding the following code in the main configuration file:

 

// to prevent injections
function sql_clean($arr)
{
    $raw_post = array();
    foreach ($arr as $key => $value) { // loop over the array
        if (is_array($value)) {        // nested input (e.g. checkbox arrays) is cleaned recursively
            $raw_post[$key] = sql_clean($value);
            continue;
        }
        $str_tmp = htmlentities($value);                      // if you don't want HTML in input
        $raw_post[$key] = mysql_real_escape_string($str_tmp); // escape string (needs an open mysql_* connection; mysql_* was removed in PHP 7)
    }
    return $raw_post;
}

$_GET = sql_clean($_GET);
$_POST = sql_clean($_POST);
$_REQUEST = sql_clean($_REQUEST);

extract($_POST);
extract($_GET);
extract($_REQUEST);
// eof to prevent injections

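The snippet above escapes every request value once and hopes that covers every query. Escaping only neutralises quote characters, so it protects a quoted string literal and nothing else: a value spliced into an unquoted numeric comparison (`WHERE id = ` followed by user input) is injectable no matter how it was escaped, and `extract()` on top of that lets any request parameter overwrite a local variable. The example below is added here and is not code from the thread or from WHMCS; it shows the same escaping idea against an in-memory SQLite table with constructed rows, in a numeric context, in a quoted context, and then with a bound parameter. SQLite doubles a quote where mysql_real_escape_string() backslashes it, but the behaviour being demonstrated does not depend on that detail. The table name and rows are constructed for the example.

```python
"""Why escaping everything in $_GET/$_POST does not stop SQL injection.

Added example, not code from the thread or from WHMCS. It uses an in-memory
SQLite table with constructed rows. SQLite escapes a quote by doubling it where
mysql_real_escape_string() uses a backslash, but the lesson is the same:
escaping only protects a quoted string literal, never a bare numeric context,
and the safe fix is a bound parameter rather than any amount of escaping.
"""
import sqlite3


def make_db():
    """Constructed sample data (table name borrowed from WHMCS for flavour only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblclients (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO tblclients VALUES (?, ?)",
        [(1, "alice@example.com"), (2, "bob@example.com")],
    )
    return conn


def escape_for_sql_string(value):
    """Quote escaping for a SQL string literal: the job mysql_real_escape_string()
    does in the posted snippet. It can neutralise quote characters and nothing else."""
    return value.replace("'", "''")


def lookup_numeric_context(conn, raw_id):
    """Escaped input concatenated into an unquoted numeric comparison: still
    injectable, because a payload such as '1 OR 1=1' contains no quote for the
    escaper to touch, so the query becomes ... WHERE id = 1 OR 1=1."""
    sql = "SELECT id, email FROM tblclients WHERE id = " + escape_for_sql_string(raw_id)
    return conn.execute(sql).fetchall()


def lookup_quoted_context(conn, raw_id):
    """Escaped input inside a quoted literal: here the escaping does hold and the
    payload is compared as one harmless string."""
    sql = "SELECT id, email FROM tblclients WHERE id = '" + escape_for_sql_string(raw_id) + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, raw_id):
    """Bound parameter: the input reaches the engine as data and is never spliced
    into the SQL text, so no escaping is needed in any context."""
    return conn.execute("SELECT id, email FROM tblclients WHERE id = ?", (raw_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for attempt in ("1", "1 OR 1=1", "1' OR '1'='1"):
        for name, fn in (("numeric", lookup_numeric_context),
                         ("quoted", lookup_quoted_context),
                         ("param", lookup_parameterised)):
            try:
                print(f"{attempt!r:18} {name:8} -> {len(fn(conn, attempt))} row(s)")
            except sqlite3.Error as err:
                print(f"{attempt!r:18} {name:8} -> error: {err}")
```

The numeric-context lookup returns both rows for `1 OR 1=1` even though the value went through the escaper; the parameterised lookup returns nothing for the same input because the engine compares the id column with the literal text. In PHP the equivalent of the bound parameter is a PDO or mysqli prepared statement, applied per query rather than a global filter on the superglobals.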
