Where is Whois Link?


18 hours ago, Burti said:

I can't see the whois link in the six template for v7.6.0? I searched a domain, it's not available, but the Whois button is not showing?

I don't think there's been a whois link in the results for years - can't recall seeing it in v7; probably not even in v6.

technically it's just a link to whois.php?domain=xxx where xxx is the domain to lookup, but would be trickier to incorporate into the new templates than the older versions.... also, these lookups would count towards any whois lookup limits, so i'd be wary of doing this if you were using standard_whois as your lookup method in the cart.


On 8/10/2018 at 12:58 PM, brian! said:

I don't think there's been a whois link in the results for years - can't recall seeing it in v7; probably not even in v6.

technically it's just a link to whois.php?domain=xxx where xxx is the domain to lookup, but would be trickier to incorporate into the new templates than the older versions.... also, these lookups would count towards any whois lookup limits, so i'd be wary of doing this if you were using standard_whois as your lookup method in the cart.

I had the impression this was only for the admin side, and to my surprise it's not. Why in the hell is this available openly to everyone (public) without any captcha restrictions or behind a login?

Idiot me. Last week I created a special protected file that uses the API to make a whois lookup with rate limiting on domains, and now I find this whois.php is completely open up there and live... This is very dangerous and can lead to someone abusing your whois lookups and having your server banned from a registrar.

Is it safe to remove it or does the cart rely on this for domain lookups?

Edited by yggdrasil

19 hours ago, yggdrasil said:

I had the impression this was only for the admin side, and to my surprise it's not. Why in the hell is this available openly to everyone (public) without any captcha restrictions or behind a login?

ours is not to reason why.... I think its only legitimate (legacy) use would be to give a whois result for a specific domain (which in the old days was done via a popup window displaying this page result)... but it's encoded, so only WHMCS will know...

19 hours ago, yggdrasil said:

Idiot me. Last week I created a special protected file that uses the API to make a whois lookup with rate limiting on domains, and now I find this whois.php is completely open up there and live... This is very dangerous and can lead to someone abusing your whois lookups and having your server banned from a registrar.

true - but it's not a well-known file... so you'd have to know a) it existed and b) how to use it... granted i've just mentioned how, but seeing as you quoted me, there's no point in me editing that post. 😀

19 hours ago, yggdrasil said:

Is it safe to remove it or does the cart rely on this for domain lookups?

you could remove the file - but I suspect the auto-updater would put it back after the next update. 🙄

as a test, i've just deleted it and client lookups, using standard whois, are working fine... the admin area won't need that file either, as it has its own whois.php - which uses a token, so I doubt an external user could access it in the same way.


Exactly. I was aware the file was there before, but it did nothing when loaded directly, so I assumed (wrongly) it was safe until I tried passing your domain parameter when I read this post, and to my surprise it works.

I blocked the code on the file immediately; it does not seem to affect the registrations/transfers lookups, and I don't use the auto updater and never will because of things like this. I don't want WHMCS overwriting my changes or putting back files I don't want.

If you think about this, now everyone that reads your post here will know how to abuse WHMCS installations for whois queries. I advise everyone to remove or block access to the file, unless someone is ok with spambots massively hitting your whois file, since this is basically a free whois service with no restrictions on every live WHMCS installation.

While I appreciate the file for those that want to give some Whois results to their customers, those people should probably edit the file and add some code to at least require users to log in first, or other restrictions to limit queries to valid humans and not bots.

Edited by yggdrasil
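
For anyone checking whether the public whois.php discussed in this thread is already being hit in bulk, the following added example (not part of any post above, and not WHMCS code) scans web server access-log lines for `whois.php?domain=` requests and flags client IPs that exceed a lookup limit within a time window. The combined log format, the `/whois.php` install path, the thresholds, and the sample lines are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client IP, timestamp, request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*"')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Aug/2018:12:00:{s:02d} +0000] "GET /whois.php?domain=test{s}.example HTTP/1.1" 200 812'
    for s in range(0, 50, 10)
] + [
    '198.51.100.4 - - [10/Aug/2018:12:01:00 +0000] "GET /whois.php?domain=example.com HTTP/1.1" 200 812',
    '198.51.100.4 - - [10/Aug/2018:12:05:00 +0000] "GET /whois.php HTTP/1.1" 200 0',
    '198.51.100.9 - - [10/Aug/2018:12:06:00 +0000] "GET /admin/whois.php?domain=example.com HTTP/1.1" 200 812',
]

def whois_hits(lines, path="/whois.php"):
    """Yield (ip, time, domain) for lookups on the public whois.php only."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        url = urlsplit(target)
        domain = parse_qs(url.query).get("domain", [""])[0].lower()
        if url.path == path and domain:  # exact path match skips the admin copy
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), domain

def flag_abusers(lines, limit=3, window=timedelta(minutes=1)):
    """Return {ip: distinct domains} for IPs with more than `limit` lookups in any `window`."""
    per_ip = defaultdict(list)
    for ip, when, domain in whois_hits(lines):
        per_ip[ip].append((when, domain))
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 > limit:
                flagged[ip] = len({d for _, d in hits})
                break
    return flagged

if __name__ == "__main__":
    print(flag_abusers(SAMPLE_LOG))
```

Set `path` to match where WHMCS is installed (for example a subdirectory) and tune `limit` and `window` to what normal client traffic looks like on your site.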