
Possible security/authentication problems with the eNom new TLDs addon module


techdruid


Hello All,

I just wanted to bring this to the attention of everyone who is using the eNom new TLDs Addon module.

I'm not sure how the module authenticates the WHMCS user against the eNom system when users use the TLDs module. But it does not appear to work very well in the situation where you're using a single computer to allow multiple different customers in WHMCS to use the system.

For example, I've created watch lists and performed pre-registrations under one account. Then, upon logging out and logging in to a different WHMCS account, I can see the watchlist and pre-registrations that were entered by the previous customer. Additionally, if I place an order from the second logged-in account, it will add the order to the previously logged-in customer's account. VERY BAD!

 

This has been extremely frustrating for me, as I've put a great deal of effort into marketing these new TLDs, and I have an office where my customers come in and login to their interface on a shared computer.

 

The workaround to this problem seems to be that we must clear our temporary files and cookies ANYTIME a customer clicks into the New TLDs area of our WHMCS system.

 

Unfortunately I've learned this a little too late, and I'm trying to deal with the aftermath and trying to get eNom to move these pre-registrations from an incorrect account over to the correct account. Their first line of support seems to have no way of dealing with this type of problem. They don't seem able to *see* the problem at all. Well, at least that's the explanation I just received.

Their first advice always seems to be that they don't provide support for WHMCS. I always need to ask to have my calls escalated to speak with a developer, and even then I get pushback until they finally agree to let me speak with someone who knows about the eNom New TLDs addon for WHMCS.

 

So. Hopefully the advice to clear your temporary files and cookies is useful to someone in a similar situation as mine.

 

peace


  • 2 weeks later...

Now that my problem was escalated to the development team at eNom, they have responded that they are unable to assist me. Of course I was not able to speak directly with the development team. I had to speak through a middle person who doesn't seem to comprehend the nature of this problem.

 

Meanwhile, my customer can login to their WHMCS billing account and they have access to place pre-registrations using MY credit card information that is stored with the profile.

 

It's a good thing I'm personal friends with this customer of mine. Otherwise I would be in a real pickle. As it stands, I am still quite frustrated with eNom's lack of support on this issue.

 

I'm a little surprised they are not taking this potential security risk a little more seriously.

 

Think about it. If someone connects to the new TLD interface on a public computer, that opens their account up to anyone else that subsequently uses that public computer, even if they log out of that public computer.

 

Still frustrated here.


Update: I have a test environment where I did a few tests to narrow down my options for dealing with this issue on my own, as I can't seem to get support elsewhere.

 

It seems that in the absence of cookies, eNom's new TLD addon identifies itself to the tldportal.com website somehow based on the id field in the tblclients table of the WHMCS database.

 

So.... I'm going to...

 

1) create a new account for my customer.

2) move their hosting packages and domain names to the new account.

3) manually modify the invoices to point to the new account in the database.

4) search for any other references (like notes or emails or gateway transaction logs) and manually change them in the database to be associated with the new account.

5) claim the OLD customer account as an orphaned account for myself to manage my new TLD pre-orders.

 

Not pretty, but I seem to be left with little other choice.
