[not a bug] Last Logged In to Admin IP Displayed To Guests

[gshjames]

IP Logged need to be remove from admin login page we are give away are own home or work ip address away for hackers

Edited January 18, 2015 by Infopro
Modifed Title

[Alex - Arvixe]

This won't be removed as it is a great feature. You're not giving them away (unless you have been compromised) as they are kept hidden from public and only accessible in the admin area.

[sentq]

as mentioned by @Alex,no one can see admin log unless they have valid access to admin area.

admin IP is saved in activity Log, and Admin Activity, there is an easy way to clear/modify both of these logs, if you need to

[gshjames]

go to your admin login page do not login

[gshjames]

got to the demo admin page on whmcs web site tell you the last guy who login

[merlinpa1969]

Do you have your admin named /admin ?

If youhave followed security practices john Q Public doesnt know where the heck your admin is

[gshjames]

not the point

[Alex - Arvixe]

as mentioned by @Alex,no one can see admin log unless they have valid access to admin area.

admin IP is saved in activity Log, and Admin Activity, there is an easy way to clear/modify both of these logs, if you need to

 

On another note, it is also a very good idea to change the admin directory.

 

go to your admin login page do not login. got to the demo admin page on whmcs web site tell you the last guy who login

 

I think this is a bug that should be reported and hopefully fixed. It should be logging your IP, not the last person to login. A temp solution would be to change the admin directory.

[Infopro]

Moved to bugs forum for review.

[gshjames]

thank you Infopro

[WHMCS Nate]

Hello Gshjames,

 

I want to make sure I understand the issue you are reporting, I see two possible ways to read your report:

 

A) The admin interface shows my IP address as it will be logged if I log in. This is a security vulnerability because if a hacker had a trojan on your desktop, it would show the hacker your IP address.

 

B) The IP listed in the admin interface shows the last IP to login and that is a security issue as information disclosure vulnerability.

 

The IP shown is your IP which will be logged when you login in. It is not showing the IP of the last login. So (B) is not what I observed and (A) I don't consider a vulnerability. If you have already been compramised, the hacker can get your IP address without any help from WHMCS.

 

Have a great day.

 

Nate C

[WHMCS Nate]

Hello Gshjames,

 

Normally I close threads after making a confirmation one way or the other. This area is not for lobbying for a fix and old threads sometimes get hijacked which confuses everyone. I do want to leave this open in case I am missunderstanding something.

 

Does A or B cover what you are reporting?

 

Nate

[SeanP]

It sounds like the OP may be thinking the "IP Logged", on the admin login page, is displaying the last IP that logged in and not their own. Something that could possibly be triggering this confusion is that the WHMCS demo doesn't display your IP, but displays a Cloudflare IP:

 

http://demo.whmcs.com/admin/

[othellotech]

IP Logged need to be remove from admin login page we are give away are own home or work ip address away for hackers

 

You're misunderstanding it - it shows _you_ *your* ip and says it is being logged, it does not show someone else your ip, it would show them *their* ip ...

[WHMCS Nate]

I am going to close this thread.

 

Have a great day everyone,

 

Nate C