menkom

WHMCS Community Involved - Additional Security Suggestions


Hello,

 

Due to the recent hacks going around with WHMCS, I wanted to investigate further and see if there was anything else that could be done to prevent getting hacked.

 

I easily found some information on the internet on how we were hacked by recent exploits in WHMCS versions 5.2.3 and above. With SQL injection it's all easily done.

 

We are now using two-factor auth, and also following the steps in this document to further secure the WHMCS installation, which will help. If you have not done so already I suggest you get it done a.s.a.p.

 

http://docs.whmcs.com/Further_Security_Steps

 

I have found something that needs attention immediately: many attackers use Google to search for sites to exploit using the inurl operator. Doing a search like this:

 

whmcs inurl:clientarea.php

 

will give plenty of results and potential people to hack.

 

One easy thing to do that I really can't believe has not been done, or should at least be an option, is to protect all WHMCS files from being indexed. I mean, if you can't find them in the first place then it is much harder to exploit them in the first place?

 

<meta name="robots" content="noindex">

 

in the header template file will stop it from showing up in any Google result at all, even if it is linked from external sites.

 

Some people like to SEO WHMCS? Why, I ask? It's your billing system, and that is probably the dumbest thing you can do, especially since we all know it's not exactly secure. If you want to do SEO, use your blog or your main website to do the marketing; your portal should be as protected and hidden as possible, for your clients ONLY.

 

It would be good to see this as a new option, maybe in the GENERAL OPTIONS -> SECURITY TAB in WHMCS.

 

If anyone else has anything that can help with securing WHMCS in general, please share.

 

EDIT: I also just found this option within WHMCS GENERAL SETTINGS -> OTHER TAB that should be unchecked.

 

Tick this box to allow registration without ordering any products/services

 

The most recent vulnerability in 5.2.10 allows someone who has access to clientarea.php to use SQL injection. Unchecking this basically means they will need to purchase something before becoming a client.

 

Cheers

Mitch

Edited by menkom
Addition
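The noindex advice in the post above, as an added check that is not part of the original post or of WHMCS: a small Python script that takes the HTML and response headers of a page plus the site's robots.txt and reports whether search engines are actually told not to index it. It looks for the meta tag from the post and for the equivalent `X-Robots-Tag` response header (which also covers non-HTML responses), and it flags the interaction people get wrong: if robots.txt disallows the path, an obedient crawler never fetches the page, never sees the noindex directive, and can still list the bare URL when another site links to it. The sample HTML, headers and robots.txt below are constructed for the demo; nothing is fetched from the network.

```python
"""Added example (not from the original thread): does a page actually tell
search engines not to index it?  Checks the <meta name="robots"> tag from the
post, the equivalent X-Robots-Tag response header, and the robots.txt
interaction.  Every input below is constructed for the demo."""
from html.parser import HTMLParser


class _RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots"> and <meta name="googlebot">."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":                       # HTMLParser lowercases tag/attr names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").lower() in ("robots", "googlebot"):
            self.directives += [d.strip().lower() for d in a.get("content", "").split(",")]


def robots_directives(html, headers):
    """Union of directives from meta tags and any X-Robots-Tag header (case-insensitive)."""
    parser = _RobotsMetaParser()
    parser.feed(html)
    found = set(parser.directives)
    for name, value in headers.items():
        if name.lower() == "x-robots-tag":
            found.update(d.strip().lower() for d in value.split(","))
    found.discard("")
    return found


def robots_txt_disallows(robots_txt, path):
    """Simplified robots.txt check for the 'User-agent: *' group only: the longest
    matching prefix wins and, on a tie, Allow beats Disallow.  No wildcard support."""
    rules, in_star = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            in_star = value == "*"
        elif in_star and field in ("allow", "disallow") and value:
            rules.append((field, value))
    best = None
    for directive, prefix in rules:
        if not path.startswith(prefix):
            continue
        longer = best is None or len(prefix) > len(best[1])
        tie_allow = best is not None and len(prefix) == len(best[1]) and directive == "allow"
        if longer or tie_allow:
            best = (directive, prefix)
    return best is not None and best[0] == "disallow"


def assess(html, headers, robots_txt, path):
    """Return 'noindex', 'indexable' or 'crawl-blocked'.  'crawl-blocked' is the trap:
    robots.txt stops an obedient crawler before it fetches the page, so a noindex
    meta tag or header on that page is never read and the bare URL can still be
    listed when another site links to it."""
    if robots_txt_disallows(robots_txt, path):
        return "crawl-blocked"
    found = robots_directives(html, headers)
    return "noindex" if found & {"noindex", "none"} else "indexable"


# Constructed samples: a header template with the tag from the post, a bare page,
# a response that carries the header form instead, and two robots.txt files.
HEADER_TPL_WITH_META = ('<!DOCTYPE html><html><head>\n<meta name="robots" content="noindex">\n'
                        "<title>Client Area</title></head><body>...</body></html>")
PLAIN_PAGE = "<!DOCTYPE html><html><head><title>Client Area</title></head><body>...</body></html>"
HEADERS_WITH_TAG = {"Content-Type": "text/html; charset=utf-8", "X-Robots-Tag": "noindex, nofollow"}
ROBOTS_ADMIN_ONLY = "User-agent: *\nDisallow: /admin/\n"
ROBOTS_BLOCK_ALL = "User-agent: *\nDisallow: /\n"

if __name__ == "__main__":
    cases = {
        "meta tag in header template": (HEADER_TPL_WITH_META, {}, ROBOTS_ADMIN_ONLY, "/clientarea.php"),
        "X-Robots-Tag header only": (PLAIN_PAGE, HEADERS_WITH_TAG, ROBOTS_ADMIN_ONLY, "/clientarea.php"),
        "no directive at all": (PLAIN_PAGE, {}, ROBOTS_ADMIN_ONLY, "/clientarea.php"),
        "meta tag but robots.txt blocks": (HEADER_TPL_WITH_META, {}, ROBOTS_BLOCK_ALL, "/clientarea.php"),
    }
    for label, args in cases.items():
        print(f"{label}: {assess(*args)}")
```

To run it against a live install, feed `assess()` the body and headers of a real response (for example from `urllib.request.urlopen`) together with the fetched `/robots.txt`. The `none` directive is treated as `noindex` because it means `noindex, nofollow`. Note that the check describes what a well-behaved crawler will do; it says nothing about attackers who scan IP ranges or use other search engines, so it complements the other hardening steps in the post rather than replacing them.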


I use WHMCS as my main website.

 

The home and frontpage are Custom Pages with sliders and good design and such, but my hosting company is 100% WHMCS... What can I do then? Blocking SEO isn't really an option :/

> I use WHMCS as my main website.
>
> The home and frontpage are Custom Pages with sliders and good design and such, but my hosting company is 100% WHMCS... What can I do then? Blocking SEO isn't really an option :/

 

Yes, not much you can do now, so I guess my fixes do not apply to you. In any case it's probably a very bad idea to rely on WHMCS being your main website; if anything were to go wrong then it would take you down completely until you resolve your issues.

 

Not only this, but it is a bad idea because it is very hard to make future modifications to the template file if you want your website to continue evolving. I can think of many reasons why NOT to do what you are doing right now.

 

The best option here is to use WHMCS as your billing system and for your client portal, secured with its own hosting account.

 

Then have your website, e.g. a WordPress website, on a different hosting account.

 

This way you will not be prone to hacking through WordPress that can get into your cPanel and ultimately into WHMCS.

 

The harder you make it the less chance of issues happening.

 

Good luck with whatever you choose to do.


That's like saying I don't have a website because the server might break... WHMCS has never been down for me as my site...

 

 

> Yes, not much you can do now, so I guess my fixes do not apply to you. In any case it's probably a very bad idea to rely on WHMCS being your main website; if anything were to go wrong then it would take you down completely until you resolve your issues.
>
> Not only this, but it is a bad idea because it is very hard to make future modifications to the template file if you want your website to continue evolving. I can think of many reasons why NOT to do what you are doing right now.
>
> The best option here is to use WHMCS as your billing system and for your client portal, secured with its own hosting account.
>
> Then have your website, e.g. a WordPress website, on a different hosting account.
>
> This way you will not be prone to hacking through WordPress that can get into your cPanel and ultimately into WHMCS.
>
> The harder you make it the less chance of issues happening.
>
> Good luck with whatever you choose to do.

 

- - - Updated - - -

 

I also do not allow WordPress etc. on my servers... you are just asking for it.

> That's like saying I don't have a website because the server might break... WHMCS has never been down for me as my site...
>
> - - - Updated - - -
>
> I also do not allow WordPress etc. on my servers... you are just asking for it.

 

WordPress was just an example. If you are proactive, and if WHMCS is proactive in fixing security issues, then you have nothing to worry about. The aim of my post is to educate and give further security enhancements.

 

Thanks.


I use Cloudflare; it blocks a lot of bad traffic. If you have the paid version then you have access to the web application firewall, which looks for SQL injection attacks but also has settings for WHMCS.

 

It has stopped a dozen visitors in the last 12 hours trying the 5.2.8 vulnerability.

 

I have to say I'm quite impressed with the service so far.

> I use Cloudflare; it blocks a lot of bad traffic. If you have the paid version then you have access to the web application firewall, which looks for SQL injection attacks but also has settings for WHMCS.
>
> It has stopped a dozen visitors in the last 12 hours trying the 5.2.8 vulnerability.
>
> I have to say I'm quite impressed with the service so far.

 

I agree, the paid version is a good option for cloud-based security. I too use Cloudflare, but just the free version for website speedup and basic security; the paid version allows SSL, which means you can effectively protect WHMCS as well.

 

I will probably look into this in the future.


 

> EDIT: I also just found this option within WHMCS GENERAL SETTINGS -> OTHER TAB that should be unchecked.
>
> Tick this box to allow registration without ordering any products/services


Thanks for finding this setting. I have also had to take the step of just plain removing register.php from the server. It was the only way I could find to stop these people from getting accounts so they could then attempt the injection attacks.


You can prevent SQL injection by adding the following code to the main configuration file:

 

// to prevent injections
function sql_clean($arr)
{
    $raw_post = array();
    foreach ($arr as $key => $value) // loop over the array
    {
        if (is_array($value)) { // nested input such as field[] gets the same treatment
            $raw_post[$key] = sql_clean($value);
            continue;
        }
        $str_tmp = htmlentities($value); // encode first, if you don't want HTML in input
        // then escape for MySQL; needs an open connection from the legacy mysql extension
        // (that extension was removed in PHP 7.0)
        $raw_post[$key] = mysql_real_escape_string($str_tmp);
    }
    return $raw_post;
}

$_GET = sql_clean($_GET);
$_POST = sql_clean($_POST);
$_REQUEST = sql_clean($_REQUEST);

// expose every request parameter as a local variable (register_globals style)
extract($_POST);
extract($_GET);
extract($_REQUEST);
// eof to prevent injections
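Added example, not from the post above or from WHMCS: a short Python/SQLite demonstration of why an escape-everything filter of the kind posted above is not a SQL injection fix. Escaping only neutralises quote characters, so it does nothing when the value lands in an unquoted numeric position such as `WHERE id = $id`, and the posted `extract()` calls additionally let any request parameter overwrite a local variable (not demonstrated here). The table, rows and the `escape_quotes()` helper are constructed for the demo; the helper doubles single quotes as SQLite expects and stands in for `mysql_real_escape_string()`. The parameterised query beside it is the approach that actually holds.

```python
"""Added example (not from the original thread or from WHMCS): why an
escape-everything filter is not a SQL-injection fix.  Uses an in-memory SQLite
database; the table, rows and escaping helper are constructed for the demo."""
import sqlite3

# Constructed demo data, not the real WHMCS schema.
DEMO_ROWS = [(1, "alice", "alice@example.invalid"),
             (2, "bob", "bob@example.invalid"),
             (3, "admin", "admin@example.invalid")]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", DEMO_ROWS)
    return conn


def escape_quotes(value):
    """Stand-in for mysql_real_escape_string(): neutralise quote characters (SQLite
    doubles them where MySQL backslash-escapes).  Like the PHP function, it only
    touches quotes and never adds them around the value."""
    return value.replace("'", "''")


def lookup_escaped_numeric(conn, client_id):
    """Escape, then concatenate into an UNQUOTED numeric position."""
    sql = f"SELECT id, name FROM clients WHERE id = {escape_quotes(client_id)}"
    return conn.execute(sql).fetchall()


def lookup_escaped_quoted(conn, name):
    """Escape, then concatenate into a QUOTED string position."""
    sql = f"SELECT id, name FROM clients WHERE name = '{escape_quotes(name)}'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, client_id):
    """Parameterised query: the value is bound as data and can never become SQL grammar."""
    return conn.execute("SELECT id, name FROM clients WHERE id = ?", (client_id,)).fetchall()


def demo():
    conn = setup_db()
    hostile_id = "2 OR 1=1"        # no quote character anywhere: escaping is a no-op
    hostile_name = "x' OR '1'='1"  # classic quoted-context payload
    return {
        "escaped_numeric_benign": lookup_escaped_numeric(conn, "2"),
        "escaped_numeric_hostile": lookup_escaped_numeric(conn, hostile_id),  # dumps every row
        "escaped_quoted_hostile": lookup_escaped_quoted(conn, hostile_name),  # escaping holds here
        "param_benign": lookup_param(conn, "2"),
        "param_hostile": lookup_param(conn, hostile_id),                      # nothing matches
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The quoted-context case shows the one situation where blanket escaping does hold, which is why the approach looks like it works in testing; the numeric case is the one attackers go for. A global filter on `$_GET`/`$_POST` also cannot know which query each value ends up in, so it cannot choose the right escaping for identifiers, `LIMIT` clauses or `LIKE` patterns either.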
