Possible security/authentication problems with the eNom new TLDs addon module

[techdruid]

Hello All,

 

I just wanted to bring this to everyone's attention that is using the eNom new TLDs Addon module.

 

I'm not sure how the module authenticates the WHMCS user against the eNom system when users use the TLDs module. But it does not appear to work very well in the situation where you're using a single computer to allow multiple different customers in WHMCS use the system.

 

For example. I've created watch lists, and preformed pre-registrations under one account. Then, upon logging out and logging in to a different WHMCS account, I can see the watchlist and pre-registrations that were entered by the previous customer. Additionally, if I place an order from the second logged in account, it will add the order to the previously logged in customers account. VERY BAD!

 

This has been extremely frustrating for me, as I've put a great deal of effort into marketing these new TLDs, and I have an office where my customers come in and login to their interface on a shared computer.

 

The workaround to this problem seems to be that we must clear our temporary files and cookies ANYTIME a customer clicks into the New TLDs area of our WHMCS system.

 

Unfortunately I've learned this a little too late, and I'm trying to deal with the aftermath and trying to get eNom to move these pre-registrations from an incorrect account over the correct account. Their first line of support seems to have no way of dealing with this type of problem. They don't seem able to *see* the problem at all. Well, at least that's the explanation I just received.

 

Their first advice is always seems to be that they don't provide support for WHMCS. I always need to ask to have my calls escalated to speak with a developer, and even then I get push back until they finally agree to let me speak with someone that knows about the eNom New TLDs addon for WHMCS.

 

So. Hopefully the advice to clear your temporary files and cookies is useful to someone in a similar situation as mine.

 

peace

[REVOLUTIONS inc.]

Also It cant me move from the stupid index page so the header on my site keeps loading everytime, on top of that SECURITY ISSUE: it wont accept oders over hhtps it continuously reverts to http and why cant we install it on another page under the require https?

[techdruid]

Now that my problem was escalated to the development team at eNom, they have responded that they are unable to assist me. Of course I was not able to speak directly with the development team. I had to speak through a middle person who doesn't seem to comprehend the nature of this problem.

 

Meanwhile, my customer can login to their WHMCS billing account and they have access to place pre-registrations using MY credit card information that is stored with the profile.

 

It's a good thing I'm personal friends with this customer of mine. Otherwise I would be a real pickle. As it stands, I am still quite frustrated with eNom's lack of support on this issue.

 

I'm a little surprised they are not taking this potential security risk a little more seriously.

 

Think about it. If someone connects to the new TLD interface on a public computer, that opens their account up to anyone else that subsequently uses that public computer, even if they log out of that public computer.

 

Still frustrated here.

[techdruid]

Update : I have a test environment where I did a few tests to narrow down my options for dealing with this issue on my own as I can't seem to get support elsewhere.

 

It seems that in the absence of cookies, eNom's new TLD addon identifies itself to the tldportal.com website somehow based on the id field in the tblclients table of the WHMCS database.

 

So.... I'm going to...

 

1) create a new account for my customer.

2) move their hosting packages and domain names to the new account.

3) manually modify the invoices to point to the new account in the database.

4) search for any other references (like notes or emails or gateway transaction logs) and manually change them in the database to be associated with the new account.

5) claim the OLD customer account as an orphaned account for myself to manage my new TLD pre-orders.

 

Not pretty, but I seem be left with little other choice.