Jump to content

Security Questions and Tricks

yggdrasil

By yggdrasil
in Using WHMCS

 Share

Recommended Posts

yggdrasil Senior Member

yggdrasil

Posted
Posted

I assume this work but I'm wondering if someone did this in their installation since I'm not sure if WHMCS internally may have some bug looking for directories by name or some modules could not work if they can't find the name.

 

WHMCS security settings suggest you to move some folders out of your public directory, cron, templates_c, downloads, etc. Or just somewhere else.

 

Since you specify a hard path for them I was wondering if besides moving them you can completely rename them to something else and WHMCS would still work without issues, so cron would be something like "myu334-cron", or "templates4094"

 

You get the idea.

 

I think this would be even better in terms of security because a smart attacker would just try an upper directory ../ but if its renamed he would have to guess the name first.

 

I'm also wondering why WHMCS does not let you add your own prefix to MySQL tables, similar to how WordPress and other systems do. This is also a nice security improvement which makes SQL injections harder as you don't know the tables name. The annoying issue that registers on WHMCS and updates his contact details to drop username/admin tables would not even work this way. I know that issue was patched in older versions but my point is that if that issue was true today with something else, it would not even work because the attacker needs to know the tables name. Using defaults he can replicate the attack everywhere but if you add a prefix to tables, the attack would not work since he doesn't know the names.

 

Technically both things should work if the code is correctly made and clean. Even modules and plugins, should not rely on default names but reading the configuration paths.

0
Link to comment
Share on other sites
sentq Senior Member

sentq

Posted
Posted
Since you specify a hard path for them I was wondering if besides moving them you can completely rename them to something else and WHMCS would still work without issues, so cron would be something like "myu334-cron", or "templates4094"

you can do that already, move these folders to any path and/or change their names, as long as you specify the full path including folder name why not :)

 

I'm also wondering why WHMCS does not let you add your own prefix to MySQL tables, similar to how WordPress and other systems do. This is also a nice security improvement which makes SQL injections harder as you don't know the tables name. The annoying issue that registers on WHMCS and updates his contact details to drop username/admin tables would not even work this way. I know that issue was patched in older versions but my point is that if that issue was true today with something else, it would not even work because the attacker needs to know the tables name. Using defaults he can replicate the attack everywhere but if you add a prefix to tables, the attack would not work since he doesn't know the names.

I was asking WHMCS about the same question 5 years ago, but they didn't consider it until today, it's hard at this time to apply it, since all modules use the default names but i think since v6 many things can be done really

0
Link to comment
Share on other sites
PropelMWS Member

PropelMWS

Posted
Posted
I'm also wondering why WHMCS does not let you add your own prefix to MySQL tables, similar to how WordPress and other systems do. This is also a nice security improvement which makes SQL injections harder as you don't know the tables name. The annoying issue that registers on WHMCS and updates his contact details to drop username/admin tables would not even work this way. I know that issue was patched in older versions but my point is that if that issue was true today with something else, it would not even work because the attacker needs to know the tables name. Using defaults he can replicate the attack everywhere but if you add a prefix to tables, the attack would not work since he doesn't know the names.

 

Technically both things should work if the code is correctly made and clean. Even modules and plugins, should not rely on default names but reading the configuration paths.

 

I fully agree with you, regarding adding the ability to customize database table prefixes during WHMCS install (or even on an existing live installation)

 

SQL Injection is not going away anytime soon so I would expect to see WHMCS add that feature sooner rather than later.

0
Link to comment
Share on other sites
yggdrasil Senior Member

yggdrasil

Posted
  • Author
Posted (edited)

OK, so changing the names for the folders which you move can be done and everything will work just fine right?

 

The reason I ask, is that I actually moved them but left the original folder names. Basically I just moved them to an upper non public folder but keep the default name, since in the docs they don't mention you can rename them as well.

 

About the table name, this should not be complicated for WHMCS to implement at all. The way it works in other softwares I use, is that you configure the prefix in the config file. So in the case of WHMCS it could ask this on installation and then save it in the configuration.php

 

So if you set a prefix, lets say 49434, then WHMCS will use all tables as 49434_tablename

 

WHMCS would just need to add the prefix variable in all the SQL queries, and WHMCS would know the name because it would read it from the configuration file just like its doing already for everything else. I don't think there will be any performance hit at all, because its already reading the paths and database connection from there in the first place. So it would be just one more variable to read. This variable is then used in all the queries to the database.

 

This would make WHMCS so much secure, because an attacker trying a public exploit would not happen to know the tables (which know use the default names for every single live installation). It would render SQL injections useless or extremely hard to pull. Every update could be introducing a new attack and while WHMCS is doing a better job in terms of security lately, even if you are exposed for 24 hours until you can patch it its bad already.

 

I would seriously advise WHMCS to re-consider this. Its not hard to implement in their code and the benefits in terms of security are huge. I know in WordPress is also makes a night and day difference between getting hacked and not.

 

I disagree with the modules part. It should not be hard at all. The modules should have to read the configuration.php for the variable instead in their queries. Its a 5 minutes change in any code, so if a module has a query like:

 

Read/Write username-table

 

It would just use $prefix_username-table

 

And that prefix they would read from the configuration.php

 

The change is minor and all modules could work in minutes again. Even if a user changes the prefix for another one in the future, everything should keep working this way.

Edited by yggdrasil
0
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated

  I accept