WHMCS Security Advisory 2020-01-28


I checked the link https://www.example.com/path/to/whmcs/vendor/composer/LICENSE, but with my billing URL + vendor/composer/LICENSE, as recommended by an email I received today, to view the 'license' document, but it returned a 404 Category Not Found message. So I assume that means my system is not affected by the issue described in the link below. If that is correct, I would 'highly' recommend that the security advisory page be updated to include the results if there is no issue. However, if this 404 Category Not Found response means my billing has an issue, please let me know.

https://docs.whmcs.com/Security_Advisory_2020-01-28


/var/www/html/vendor already has a .htaccess with deny all; however, the tool states that it failed the vulnerability test.

If files continue to remain accessible, then you will want to investigate if your Apache configuration has disabled the use of .htaccess files or if there is a parent configuration that is negating the directive in the provided .htaccess file.

Bunch of apache2 configs here:

/etc/apache2

Not sure where to correct this so the .htaccess file works as it is set.


1 hour ago, xlegends said:

/var/www/html/vendor

That's the location of your WHMCS installation (reportedly /vendor/composer)?
The error "404 Category Not Found" is mainly found in Joomla forums, as well as potentially being related to SE-friendly URLs. If you're using URL rewriting in WHMCS, it's possible it's trying to deliver the page/URI, which likely means it's not in fact being blocked.

Which specific version of Apache are you running? Apache 2.4 has a different format for directives from prior versions.
2.2 configuration:

Order deny,allow
Deny from all

2.4 configuration:

Require all denied


So can someone explain if the '404 Category Not Found' message is good or bad? From what I read, if you don't get a directory listing of the 'vendor' folder, then that is good, thus a '404 Category Not Found' message is good. However, if this is incorrect, I would appreciate some clarification. Honestly, WHMCS should have listed what is a good result and what is a bad result when you went to that URL link.

FYI, the code below blocks me from accessing the WHMCS application.

<Location "/vendor/">
Require all denied
</Location>

Edited by LukeDouglas

Hi Luke.
I'd say the 404 is *not* a good result, and you're possibly vulnerable. A directory listing would simply mean your server is misconfigured to allow publicly viewing a directory. That's even worse. If adding that "require" line prevents the site/WHMCS from loading, you might be on a different version of Apache (or what have you), or possibly put it in the wrong place/file?

Edited by bear

4 hours ago, bear said:

Hi Luke.
I'd say the 404 is *not* a good result, and you're possibly vulnerable. A directory listing would simply mean your server is misconfigured to allow publicly viewing a directory. That's even worse. If adding that "require" line prevents the site/WHMCS from loading, you might be on a different version of Apache (or what have you), or possibly put it in the wrong place/file?

404 just means the file is not present, not good/bad.

https://www.example.com/path/to/whmcs/vendor/composer/LICENSE

A sure way to check the vulnerability is to upload and point at the tool provided by support via the announcement.

A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.

To use the tool, simply upload it to the root directory of your WHMCS installation and then visit in a browser or run from the command line. The tool will confirm if you are affected.

Edited by xlegends
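The thread above shows that a bare "404" tells you nothing on its own, so here is an added example (not from the thread and not WHMCS's own verification tool) that fetches the advisory's vendor/composer/LICENSE path and turns the response into a verdict. The billing.example.com URL in the main block is a placeholder.

```python
"""Added example: probe a WHMCS install for a reachable vendor/ directory.

Requests the vendor/composer/LICENSE path named in the advisory and explains
what the HTTP response means, instead of leaving the reader to guess.
"""
import urllib.error
import urllib.request

PROBE_PATH = "vendor/composer/LICENSE"  # the path the advisory asks you to open

# Composer's LICENSE file is the MIT licence; this phrase appears in its text.
MIT_MARKER = b"Permission is hereby granted, free of charge"


def classify(status, body):
    """Turn an HTTP status and response body into a verdict on vendor/ exposure.

    200 with the real licence text: the web server is serving files out of
    vendor/, which is what the advisory warns about.
    401/403: the server refused, which is what the .htaccess, <Location> and
    nginx blocks in this thread are meant to produce.
    404 (or 200 with application HTML): inconclusive. The file may be absent,
    or a WHMCS friendly-URL rewrite may have swallowed the request and rendered
    the app's own "Category Not Found" page, as bear suspected above.
    """
    if status == 200:
        return "exposed" if MIT_MARKER in body else "inconclusive"
    if status in (401, 403):
        return "blocked"
    return "inconclusive"


def check_vendor_exposure(base_url, timeout=10):
    """Fetch the probe path under base_url and classify the response."""
    url = base_url.rstrip("/") + "/" + PROBE_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(4096))
    except urllib.error.HTTPError as err:
        # urllib raises on 4xx/5xx; the status code is still what we need.
        return classify(err.code, err.read(4096))
    except urllib.error.URLError:
        return "unreachable"


if __name__ == "__main__":
    # Placeholder host: replace with your own billing URL before running.
    print(check_vendor_exposure("https://billing.example.com/whmcs"))
```

Run it from a machine that can reach the billing site; "blocked" is the result you want after applying the advisory's fix, and "inconclusive" means you should still run WHMCS's verification tool on the server itself.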

4 hours ago, LukeDouglas said:
6 hours ago, xlegends said:

I got it thx.

on apache2 edited both configs 80/443

<Location "/vendor/">
Require all denied
</Location>

on Nginx I edited both configs 80/443

location ^~ /vendor/ {
    deny all;
    return 403;
}


4 hours ago, LukeDouglas said:

I put the code in the WHMCS core folder .htaccess file. Also, my server is running Apache/2.4.41.

Again, the security article is a bit cryptic, at least to me.

You don't put the above code in .htaccess; those are an option to put in the web server's config. If you're going to use .htaccess, then you edit the .htaccess file in the /vendor/ folder, and all you put in it is:

Deny from all

See https://docs.whmcs.com/Security_Advisory_2020-01-28

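Combining bear's 2.2 and 2.4 directive sets into one file, as an added example (not from the thread and not the .htaccess WHMCS ships): a /vendor/.htaccess that denies access on either Apache version, so it does not fail on 2.4 when the legacy Deny syntax is unavailable. A <Location> block like the one Luke tried is only valid in the server or virtual host configuration, never in .htaccess, which is one reason it can take the whole site down.

```apache
# /vendor/.htaccess (added example). Works on Apache 2.2 and 2.4:
# mod_authz_core only exists on 2.4, so its presence selects the syntax.
<IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
</IfModule>
```

Apache only honours this file if the enclosing <Directory> in the server config has AllowOverride permitting these directives (AuthConfig for Require, Limit for Order/Deny); with AllowOverride None the advisory's .htaccess is silently ignored, which matches the "still accessible" result xlegends reported.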

3 hours ago, xlegends said:

404 just means the file is not present, not good/bad. 

https://www.example.com/path/to/whmcs/vendor/composer/LICENSE

A sure way to check the vulnerability is to upload and point at the tool provided by support via the announcement.

A verification tool has also been made available to assist in determining if your web server environment is affected. This tool can be downloaded here.

To use the tool, simply upload it to the root directory of your WHMCS installation and then visit in a browser or run from the command line. The tool will confirm if you are affected.

I uploaded the file to the WHMCS root and opened it via a browser.  I get the same message:

"404 Category not found"

I checked the file via a command line from my computer and got this message:

'https:' is not recognized as an internal or external command, operable program or batch file.

I changed the https to http in the command line and got this message:

'http:' is not recognized as an internal or external command, operable program or batch file.

So I went to my WHM server admin Terminal and opened the file and got this message:

Permission denied

So I am 'assuming' that the 'Permission denied' is a good result. Am I correct?


For the record, http and https are web protocols, and you can't check a remote server using them via command line on your local PC.
The "command line" in that refers to the shell *on the server*, i.e. log in using SSH and run it from there. The command from there would be more like '/path/to/php /path/to/script.php' (without the 'quotes').

Edited by bear

Even I am getting a '404' page not found result on LiteSpeed 1.6.6 after making changes to the folder permissions as the default.

Deny from all does not seem to be working (it tells me that my /vendor folder is accessible, which it is, but the other .htaccess files seem to work fine, as the 404 landing page also displays properly), and this is the sole website on this hosting account.

Is there a way to fix it via editing the Vhosts file?

Edited by upalm

Completely useless steps provided to determine if you have a problem on IIS;  https://www.example.com/path/to/whmcs/vendor/composer/LICENSE isn't going to do anything at all without a file extension or a specific rewrite rule and the "verification tool" just returns a blank white screen and nothing in the php_error_log.  None the wiser after that 😐 so just removed authentication from /vendor anyway.  Probably be alright I suppose.

