Brainchild Labs Pty Ltd Posted November 12, 2013 (edited)

Hello,

Due to recent hacks going around with WHMCS, I wanted to investigate further and see if there was anything else that could be done to prevent getting hacked. I have easily found some information on the internet on how we were hacked by recent exploits in WHMCS versions 5.2.3 and above. With SQL injections it's all easily done. We are now using two-factor auth, and also following the setup in this document to further secure the WHMCS installation, which will help. If you have not done so already I suggest you get it done a.s.a.p.: http://docs.whmcs.com/Further_Security_Steps

I have found something that needs attention immediately: many attackers use Google to search for sites to exploit using the inurl command, doing a search like this:

whmcs inurl:clientarea.php

will give plenty of results and potential people to hack. One easy thing to do that I really can't believe has not been done, or should at least be an option, is to protect all WHMCS files from being indexed. I mean, if you can't find them in the first place then it is much harder to exploit in the first place?

<meta name="robots" content="noindex">

in the header template file will allow this feature to not show up on any Google result at all, no matter if it's linked from external sites. Some people like to SEO WHMCS? Why, I ask. It's your billing system, and probably the dumbest thing you can do, especially since we all know it's not exactly secure. If you want to SEO, use your blog or your main website to do the marketing; your portal should be as protected and hidden as possible, for your clients ONLY. It would be good to see this new option maybe in the GENERAL OPTIONS, SECURITY TAB in WHMCS.

If anyone else has anything that can help with securing WHMCS in general please share.

EDIT: I also just found this option within WHMCS GENERAL SETTINGS -> OTHER TAB that should be unchecked:

Tick this box to allow registration without ordering any products/services

The most recent vulnerability in 5.2.10 allows someone that has access to the clientarea.php to use an SQL injection. By unchecking this, basically it means they will need to purchase something before becoming a client.

Cheers
Mitch

Edited November 12, 2013 by menkom (Addition)
Infopro Posted November 12, 2013

> Some people like to SEO WHMCS? Why, I ask...

I agree with you here.
criat Posted November 13, 2013

I use WHMCS as my main website. The home and front page are Custom Pages with sliders and good design and such, but my hosting company is 100% WHMCS... What can I do then? Blocking SEO isn't really an option.
vec Posted November 13, 2013

I use WHMCS as a site as well, but it's not hard at all to SEO a site...
Brainchild Labs Pty Ltd (Author) Posted November 13, 2013

> I use WHMCS as my main website. The home and front page are Custom Pages with sliders and good design and such, but my hosting company is 100% WHMCS... What can I do then? Blocking SEO isn't really an option.

Yes, not much you can do now, so I guess my fixes do not apply to you. In any case it's probably a very bad idea to rely on WHMCS being your main website; if anything was to go wrong then it will take you down completely until you resolve your issues. Not only this, but it is a bad idea because it is very hard to make future modifications to the template file if you want your website to continue evolving. I can think of many reasons why NOT to do what you are doing right now.

The best option here is to use WHMCS as your billing system and for your clients' portal, which is secured with its own hosting account. Then have your website, e.g. a WordPress website, on a different hosting account. This way you will not be prone to security hacking through WordPress that can ultimately get into your cPanel and ultimately get into WHMCS. The harder you make it, the less chance of issues happening.

Good luck with whatever you choose to do.
vec Posted November 13, 2013

That's like saying I don't have a website because the server might break... WHMCS has never been down for me as my site...

> Yes, not much you can do now, so I guess my fixes do not apply to you. In any case it's probably a very bad idea to rely on WHMCS being your main website; if anything was to go wrong then it will take you down completely until you resolve your issues. Not only this, but it is a bad idea because it is very hard to make future modifications to the template file if you want your website to continue evolving. I can think of many reasons why NOT to do what you are doing right now.
>
> The best option here is to use WHMCS as your billing system and for your clients' portal, which is secured with its own hosting account. Then have your website, e.g. a WordPress website, on a different hosting account. This way you will not be prone to security hacking through WordPress that can ultimately get into your cPanel and ultimately get into WHMCS. The harder you make it, the less chance of issues happening.
>
> Good luck with whatever you choose to do.

- - - Updated - - -

I also do not allow WordPress etc. on my servers... you are just asking for it.
Brainchild Labs Pty Ltd (Author) Posted November 13, 2013

> That's like saying I don't have a website because the server might break... WHMCS has never been down for me as my site...
>
> - - - Updated - - -
>
> I also do not allow WordPress etc. on my servers... you are just asking for it.

WordPress was just an example. If you are proactive, and if WHMCS is proactive in fixing security issues, then you have nothing to worry about. The aim of my post is to educate and give further security enhancements. Thanks.
searley Posted November 13, 2013

I use Cloudflare; it blocks a lot of bad traffic. If you have the paid version then you have access to the web application firewall, which looks for SQL injection attacks but also has settings for WHMCS. It has stopped a dozen visitors in the last 12 hours trying the 5.2.8 vulnerability. I have to say I'm quite impressed with the service so far.
Brainchild Labs Pty Ltd (Author) Posted November 13, 2013

> I use Cloudflare; it blocks a lot of bad traffic. If you have the paid version then you have access to the web application firewall, which looks for SQL injection attacks but also has settings for WHMCS. It has stopped a dozen visitors in the last 12 hours trying the 5.2.8 vulnerability. I have to say I'm quite impressed with the service so far.

I agree, the paid version is a good option for cloud-based security. I too use Cloudflare, but just the free version for website speedup and basic security; the paid version allows SSL, which means you can effectively protect WHMCS as well. I will probably look into this in the future.
northwest Posted November 17, 2013

> EDIT: I also just found this option within WHMCS GENERAL SETTINGS -> OTHER TAB that should be unchecked:
>
> Tick this box to allow registration without ordering any products/services

Thanks for finding this setting. I have also had to take the step of just plain removing register.php from the server. It was the only way I could find to stop these people from getting accounts so they could then attempt the injection attacks.
anilr Posted December 14, 2013

You can prevent SQL injection by adding the following code in the main configuration file:

    // to prevent injections
    function sql_clean($arr) {
        $raw_post = array();
        foreach ($arr as $key => $value) {                       // loop over the request array
            $str_tmp = htmlentities($value);                     // if you don't want HTML in input
            $raw_post[$key] = mysql_real_escape_string($str_tmp); // escape string (needs an open mysql_connect() link;
                                                                  // the mysql_* extension was removed in PHP 7)
        }
        return $raw_post;
    }
    $_GET = sql_clean($_GET);
    $_POST = sql_clean($_POST);
    $_REQUEST = sql_clean($_REQUEST);
    extract($_POST);    // extract() copies every request key into a variable of the same name,
    extract($_GET);     // overwriting any variable that already exists in this scope
    extract($_REQUEST);
    // eof to prevent injections
stuntnmore Posted January 10, 2014

That code causes the admin area to not function right when implementing codes in the URL.
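Editor's added example (not WHMCS code, and not the snippet posted above) for anyone writing their own queries against the WHMCS database in hooks or custom modules. It shows why the escape-everything-then-extract() approach from the post above is fragile, and what actually stops SQL injection: validating the shape of the input and passing it as a bound parameter, so it never becomes part of the SQL text. The `clients` table, its rows and the `isAdmin` variable are constructed for the demo; it uses an in-memory SQLite database through PDO so it runs offline with PHP 7.1+ and pdo_sqlite.

```php
<?php
// Added example, not WHMCS code and not the snippet posted above.
// Requires PHP 7.1+ with pdo_sqlite; the clients table and rows are constructed for the demo.

// Validate the shape first, then bind: a client id is a positive integer and nothing else.
function lookup_client_by_id(PDO $db, string $rawId): ?array
{
    if (!preg_match('/^\d+$/', $rawId)) {
        return null;                       // "1 OR 1=1" is rejected before any SQL is built
    }
    $stmt = $db->prepare('SELECT id, email FROM clients WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// String context, still parameterised: the value travels separately from the SQL text,
// so quotes inside it are compared as data, not parsed as syntax.
function lookup_client_by_email(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM clients WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The pattern the posted snippet relies on: escape quotes, then concatenate.
// Escaping only helps inside a quoted string literal; an unquoted numeric column is not protected,
// because a payload like "1 OR 1=1" contains no quote to escape.
function vulnerable_lookup_by_id(PDO $db, string $rawId): array
{
    $escaped = str_replace("'", "''", $rawId);   // SQLite stand-in for mysql_real_escape_string()
    $sql = "SELECT id, email FROM clients WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Why extract($_GET) is a problem on its own: every request key becomes a variable and,
// with the default EXTR_OVERWRITE, replaces state the application already set.
function extract_clobbers_state(array $request): bool
{
    $isAdmin = false;                 // constructed application state
    extract($request);                // ?isAdmin=1 silently replaces it
    return (bool) $isAdmin;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO clients (id, email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");

$payload = '1 OR 1=1';
printf("vulnerable lookup: %d rows returned for %s\n", count(vulnerable_lookup_by_id($db, $payload)), $payload);
var_dump(lookup_client_by_id($db, $payload));            // validation rejects the tautology
var_dump(lookup_client_by_id($db, '2'));                 // a legitimate id still works
var_dump(lookup_client_by_email($db, "x' OR '1'='1"));   // compared as a literal string, no match
var_dump(extract_clobbers_state(['isAdmin' => '1']));    // attacker-controlled variable
```

Run it with `php example.php`. The vulnerable function returns every row for the tautology payload while the bound-parameter versions return nothing for either payload, and the last call shows a request parameter overriding a variable the application set, which is the class of behaviour stuntnmore reports breaking the admin area. Against MySQL the same functions work unchanged with a `mysql:` DSN; the point is the prepare/bind split, not the database.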